Why You Need Cyber Essentials

Secure and certify your organisation to government-approved standards.

Introduced by the UK government as common practice for all organisations, Cyber Essentials provides cost-effective protection against Internet-based threats. DigitalXRAID is an official Cyber Essentials certification body, and we will help you achieve certification quickly and efficiently.

About Cyber Essentials

Cyber Essentials is designed to ensure organisations understand and mitigate their security gaps. It provides assurance to your customers and competitors that your organisation complies with government-approved security standards. Cyber Essentials helps organisations understand the importance of cyber compliance and enables them to demonstrate their commitment to their own cyber security. Each organisation is then appraised against the Cyber Essentials benchmark.

How can DigitalXRAID help me achieve certification?

DigitalXRAID are security specialists with years of experience in helping large and small companies understand their responsibilities for securing data assets, improving their security posture and reducing their exposure to cyber crime. We are an accredited Cyber Essentials certification body. We will help you conduct your assessment, report the outcome to the Accreditation Body (IASME) and supply you with your certificate. We also provide consultancy services to help improve your cyber/information security practices, should this be required. The Cyber Essentials standard gives DigitalXRAID clear objectives: to follow specific grading criteria and to report all passes and fails to the Accreditation Body.

Cyber Essentials ‘Basic’

The baseline Cyber Essentials package is a self-assessment questionnaire which is completed in conjunction with an external vulnerability scan. The self-assessment questions relate to both the technical and the day-to-day controls required to be in place, for example:

– Do all computers and devices which are connected to the Internet have malware protection?
– Have all network devices been securely configured with only the minimum services necessary to fulfil requirements, and has this been done in such a way as to minimise vulnerabilities during installation?
– Are all devices and information on the organisation’s network protected by firewalls to help prevent unauthorised access via the Internet?
– Is patch management in place to ensure all software running on both PCs and servers is updated with the latest security fixes?
– Have all user accounts been assigned to authorised individuals, with minimal access levels granted where appropriate?

DigitalXRAID tailors its consultancy service to help organisations which don’t have the resources or time to complete the assessment. We will guide you through certification quickly and efficiently.

Once the self-assessment is complete, DigitalXRAID will score, review, verify and grade the submission.

Cyber Essentials+

Cyber Essentials+ (CE+) follows the same principles as CE but adds independent testing, which requires an on-site technical assessment. The self-assessment questionnaire and external vulnerability scan are used, as with the Basic level. However, DigitalXRAID uses specially tailored vulnerability criteria targeting your organisation’s internet-facing infrastructure, workstations and servers. These tests will highlight any security issues that were not captured in the self-assessment. This also provides you with peace of mind that your current builds and software meet minimum security requirements.

The time required to complete CE+ depends on the size of your organisation; however, a minimum of 3 days will be required to complete the assessment, reporting and certification process.

CE+ is the more extensive of the two Cyber Essentials certifications, due to the addition of a technical assessment. By showing you’ve undertaken a more thorough check, you provide greater confidence to your business associates that you are able to protect your own assets and give serious consideration to your cyber security. As advocates of best security practice, we recommend CE+ for organisations of any size. It provides a thorough and impartial validation of your organisation’s present security exposure, giving senior stakeholders greater assurance.

With either certification, you decide which systems and devices are in the scope of your assessment. It may be that you only wish to include the desktop environment and omit mobile (BYOD) devices. All areas of the CE+ questionnaire are compulsory, and guidance on the pass/fail criteria is provided.

What to expect from the on-site assessment

– Production of a report which provides clear, measurable results
– Award of the certification, if achieved

The DigitalXRAID approach to CE+ also includes:

– In-depth review and verification of the self-assessment questionnaire
– External vulnerability assessment: a scan of your internet-facing infrastructure
– Vulnerability scan of internal systems
– Email virus delivery check
– Malicious code web download check

The self-assessment questionnaire serves two main purposes for your organisation:

– It provides your organisation with technical scoping information
– It gives your organisation the opportunity to assess its current security measures against industry best practice. The information provided during the certification process can be used to develop your cyber security systems and should be incorporated into your organisation’s business planning for the future.

Frequently Asked Questions

CE+ includes exactly the same requirements as the basic standard, with the addition of a more in-depth on-site test. This verifies your answers to the questionnaire and ensures you are protected against a range of malicious attack scenarios. The independent testing is designed to give you extra peace of mind that your cyber security measures are both suitable and sufficient. Cyber Essentials is not a prerequisite for Cyber Essentials+; you should think of it as an either/or, and we would generally recommend CE+ to larger organisations or those with higher-risk security needs.

Whilst both standards are suitable for any type of organisation, for particularly large or high-risk organisations we would always recommend CE+ due to the extra independent testing involved. Having said that, no matter the size of your organisation, CE Basic will always cover the necessary compliance for companies in Central Government whose services include the handling of personal information and IT services. If you’re still unsure whether you should go for Basic or Plus, you can always contact us directly and we’ll be more than happy to give our advice based on your organisation.

Firstly, it’s important to say that it remains your choice to determine which of your systems are in scope. However, as a general rule, you should include all end-user devices which are connected to the Internet. We would also highly recommend including other Internet-facing systems, such as email or application servers.

If you need advice regarding the scope, DigitalXRAID can provide guidance by visiting your organisation for an on-site pre-assessment.

Yes. Certification to other standards, for example ISO, does not reduce the need for CE/CE+ assessment, nor does it reduce the requirements of the CE standards should you choose to go ahead.

If you fail, IASME allow you two working days to examine the feedback from the assessor and fix any simple issues with your network and policies. You can then update your answers and the assessor will have another look without any extra charge. If you still fail after these two days, you will have to re-apply and pay the assessment fee again. DigitalXRAID will, however, provide pre-screening to give you the best chance of success and will ensure you are ready before you make the application.

We highly recommend that each organisation maintains the CE or CE+ scheme on a rolling basis, due to the ever-growing number of cyber security threats. This can be done effectively by scheduling an annual re-assessment to ensure your protection remains up to date and benchmarked against the requirements of the CE standard.

All clients get feedback on any aspect of the assessment which is not fully compliant. You will receive a PDF document containing all the answers you gave, with comments from the assessor against any that were considered non-compliant.