Achieving certification to the Cyber Essentials scheme
There are two types of certification: Cyber Essentials, which relies on self-assessment and an external verification by a certification body, and Cyber Essentials Plus, which relies on a more rigorous on-site assessment and internal scan by a certification body.
IT Governance is a CREST member and an accredited Cyber Essentials scheme certification body.
What type of verification will be conducted?
Once an organization has successfully passed an assessment against either level of the scheme’s requirements, it will be awarded the relevant Cyber Essentials award, or "badge."
First, the scope (i.e. the Internet-facing systems to be covered) is defined by the organization.
The organization answers the Cyber Essentials self-assessment questionnaire to demonstrate its level of compliance with the requirements for basic cybersecurity. The questionnaire is signed by an authorized signatory from the organization to confirm its accuracy, and it is then sent to the certification body to be reviewed.
All CREST-accredited certification bodies will conduct an external vulnerability scan of the Internet-facing networks and applications to verify that there are no known vulnerabilities present.
Cyber Essentials Plus
All CREST-accredited certification bodies will conduct the necessary verification for Cyber Essentials as stated above, followed by a more thorough internal scan and an on-site assessment of a sample of relevant devices that are connected to the Internet and/or capable of receiving emails.
In both cases, certification reflects the state of an organization’s cybersecurity only at the time of assessment. It is not proof of the ongoing effectiveness of an organization’s cybersecurity.
Solutions for CE certification
IT Governance offers three unique solutions that will enable you to achieve certification to either Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.