Search
Close this search box.

Thinc insights

Cyber Essentials Plus certification: everything an SME needs to know

What is Cyber Essentials Plus certification, why would you need it and how can you get it? We explain all in this guide.

Attaining Cyber Essentials Plus certification assures your stakeholders, partners and customers that your organisation takes cyber security seriously.

At Thinc we not only hold the Cyber Essentials Plus certification ourselves, but we’re also here to help SMEs do the same by preparing for and undertaking the assessment.

Want to know more about Cyber Essentials Plus for your organisation? Read on for everything you need to know.

Cyber Essentials: what is it and why it’s important?

Before we dive into Cyber Essentials Plus, it’s worth taking a step back and explaining what Cyber Essentials is (if you already know, jump ahead!).

The UK government introduced the Cyber Essentials scheme in 2014 after a series of malware attacks affected SMEs worldwide. It was introduced to give small businesses a path to cyber protection, by assessing their existing cyber security against five technical security controls which cover the most common vulnerabilities.

Today, the UK government has found that 50% of businesses have experienced a cyber security breach or attack in the last 12 months – there were over seven million cybercrimes in that period. The average cost of a cyber attack is £1,120 per victim – but the actual risks of larger or repeated attacks can cost much more.

Cybersecurity threats are also changing rapidly. CrowdStrike’s Global Threat Report found that adversaries are quickly making use of cloud vulnerabilities and generative AI tools to make their attacks more successful and scalable. More than two in five UK businesses have significant technical skills gaps, and the number of cybersecurity professionals entering the workforce each year doesn’t meet demand caused by the increasing risk of cyber threats. For SMEs, it’s becoming increasingly difficult to stay ahead of cybersecurity risks.

Cyber Essentials therefore gives SMEs a practical way to holistically assess and improve their cybersecurity measures.

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment questionnaire, in which you’ll answer a series of questions about your company’s structure and how you stack up against five core controls. The questionnaire is then validated remotely by an independent, certified assessor. If you pass, you’ll receive a Cyber Essentials certificate.

Cyber Essentials Plus builds on the Cyber Essentials self-assessment by including an on-site technical verification of the same criteria.

Both the Cyber Essentials schemes are operated by IASME, a partner organisation to the UK government.

Thinc supports companies in preparing for Cyber Essentials Plus, ensuring you’re ready to gain the certificate, and works with an accredited third party to deliver the audit. In short, we offer a one-stop shop for your certification.

What are the benefits of Cyber Essentials Plus for my company?

Validate your cybersecurity measures

The Cyber Essentials certificate is an excellent way to assess, improve and validate your cybersecurity measures. However, it’s self-assessed and remotely verified.

Cyber Essentials Plus goes further. It includes an on-site technical verification which ensures that any issues you didn’t find in your self-assessment are identified for improvement. This eliminates vulnerabilities which could go undetected in the Cyber Essentials assessment.

Reduce the cost of cyber insurance

The risk and potential impact of a cyber attack on your organisation will influence the level of premium an insurer will quote you when you’re seeking protection.

Should you be on the receiving end of an attack and need to make a claim, loss assessors will ask you to prove you are following best practices – having the fundamentals in place reduces the chances of a dispute.

Whether you’re buying a policy or making a claim, having Cyber Essentials Plus certification demonstrates to your insurer that you’ve done what’s required to protect your organisation.

Meet contractual and bidding requirements

If your company undertakes work that requires you to go through tender processes, you’ll know that it’s becoming increasingly important for many clients that their contractors meet standards and follow best practices. Cyber security is one such area where you may be asked to demonstrate your preparedness.

We’ve seen this a lot in the public sector, for example. In bids for government contracts which involve handling sensitive information, Cyber Essentials Plus is becoming a common procurement standard. So, getting your Cyber Essentials Plus certificate increases your chances of bidding for and winning these contracts.

Can you prove your commitment to cyber security?

Getting the Cyber Essentials Plus certificate proves that you’re committed to cyber security. In the eyes of your stakeholders, it’s a government-approved way to show that you care about data protection. For growing companies, this is a quality that’s becoming more important for attracting and retaining new customers and employees.

When should I get Cyber Essentials Plus?

You’re concerned about cyber attacks

Any small business handling people’s data should be concerned about cyber attacks. If you aren’t confident that your cyber security setup can protect you against all the common – and uncommon – threats which could harm your company, employees and customers, you should consider the Cyber Essentials Plus certification. Taking this step will give you assurance that your company is following best practice.

You’ve already completed Cyber Essentials

If you’ve already completed Cyber Essentials, Cyber Essentials Plus is an ideal next step in holistically verifying your cyber security setup. By completing Cyber Essentials Plus, you can identify missed areas in your self-assessment. Working with a cyber security partner like Thinc, we can then ensure you’re protected.

You’re bidding for government contracts

As mentioned above, an increasing number of government contracts include Cyber Essentials Plus as a requirement. More SMEs are getting their Cyber Essentials Plus certificate each year to ensure they’re ready for government contracts; make sure that you don’t lose a bid because you’ve not got the certificate.

You’re undergoing or planning for growth

As you grow, so may your revenue, your profile, your amount of customer data, the number of staff to train, and the number of endpoints and systems to protect. All of this increases your attractiveness to bad actors and your number of potential weak spots.

How long does it take to get a Cyber Essentials Plus certificate?

If you’ve not already got a Cyber Essentials certificate from within the last three, you’ll need to complete the self-assessment as part of Cyber Essentials Plus. For more on the self-assessment, read our Cyber Essentials blog.

The Cyber Essentials Plus on-site technical verification is dependent on your company’s structure. Here are the main factors which impact how long the on-site technical verification takes.

How does the Cyber Essentials Plus assessment work?

An IASME-certified body will conduct an on-site technical audit of all the criteria covered in your Cyber Essentials self-assessment. This takes place to validate that all the declarations in your self-assessment are implemented and working. Passing Cyber Essentials Plus proves that your company meets the security standards set out in the Cyber Essentials framework.

During the audit, you can expect to be assessed across areas in line with the Cyber Essentials five controls:

  • Access controls
  • Firewalls and routers
  • Malware protection
  • Secure configuration
  • Software updates

Your assessor will select a sample of your devices to assess and will take various screenshots as validation evidence. If you do not meet all the assessment criteria, you won’t pass Cyber Essentials Plus. If the reasons for failing are easy to fix, you’ll have two working days to rectify and your assessor will take another look, free of charge. If at this point you still don’t pass, then you’ll need to reapply.

With the right preparation, you can confidently pass Cyber Essentials Plus and gain your certificate. Your certificate will be valid for 12 months. Once it expires, you’ll need to undertake another on-site technical audit.

How much does Cyber Essentials Plus cost, and what’s the ROI?

Firstly, you’ll need a Cyber Essentials certificate. This is less than £600 (plus VAT) for a business; for the latest costs, visit the IASME website.

Preparing for Cyber Essentials Plus can require investment into new or updated software, safer devices, and training your employees. Thinc helps companies assess everything which needs to be done to achieve the certification.

Achieving the certification is an investment into your company’s safety against serious cyber threats. The average cost of a cyber attack is £1,120 per victim, and for growing companies, it’s likely that total costs will be much higher due to regulatory fines, loss of valuable data and crippled operations.

Cyber Essentials Plus is also becoming a standard requirement for companies bidding for government contracts, and other less obvious areas, like applying for business insurance. It’s an investment which pays for itself in prevention and advantageous opportunities.

Why Thinc for Cyber Essentials Plus?

Preparing for Cyber Essentials Plus can be a time-consuming process, especially for growing companies with limited resources. The depth and breadth of technical considerations you need to make are vast, and missing just one area could result in a failure.

At Thinc, we’ll prepare you for the Cyber Essentials Plus certification by conducting an end-to-end vulnerability assessment to identify and mitigate any possible issues. As well as our expertise in a broad range of cyber security services, we have our own Cyber Essentials Plus certificate, so by partnering with us you can be confident that you’re ready to secure yours.

When you secure your certificate, you’ve proven that your company has undertaken the baseline steps to protect against cyber attacks. That doesn’t mean you’re safe forever. At Thinc we work with companies for the long term. We’re always scoping the cyber threat landscape and working with partners like SonicWall, CrowdStrike and Microsoft to give our customers ongoing safety. You can rely on us to ensure you’re always ahead of cyber threats.

Learn more about Thinc’s cybersecurity expertise.

Get in touch

Looking to secure the Cyber Essentials Plus certification for your company? Get in touch to arrange a chat.

Cyber insurance risks and mitigations: the experts speak

Why is it important to back up your data?

What is managed cyber security? A comprehensive guide

Speak with us

Enter your details into the contact form below, and one of our experts will be in touch to arrange a time to speak.

Contact Details

Support

If you’re an existing customer looking for support, please e-mail servicedesk@wearethinc.com, or visit our support page where you can download our remote support apps.