Frequently Asked Questions


Where can I find the document which describes the full Requirements for the Cyber Essentials Scheme?

You can download the requirements from the UK Government website here. You can see our overview here.

Which UK government contracts will I need Cyber Essentials certification for?

You can see the note to UK Government Procurement Officers which specifies Cyber Essentials mandated in many cases for suppliers to all central government departments here.

From 1st January 2016 the Ministry of Defence mandated Cyber Essentials for all its new suppliers and also their relevant supply chain. See more here.

In July 2016 the UK Government Department of Health, National Data Guardian (NDG) published "Review of data security, consent and opt-outs", which recommended: "All health and social care organisations should provide evidence that they are taking action to improve cyber security, for example through the ‘Cyber Essentials’ scheme. The ‘Cyber Essentials’ scheme should be tested in a wider number of GP practices, Trusts and social care settings." We are now seeing an increasing number of health care organisations being required to have Cyber Essentials or Cyber Essentials PLUS for NHS contracts. See more here.

How much does it cost for a basic level Cyber Essentials Assessment?

It costs £300 + VAT for each assessment. You can choose to assess your whole company in one go, however large it is, and this would still be just £300 + VAT.

How much does it cost for a Cyber Essentials PLUS assessment?

The Cyber Essentials PLUS assessments have to be quoted for individually. You can submit some details via the form here and two Certification Bodies will email a quote to you.

Cyber Essentials PLUS involves a technical audit of the systems that are in scope for Cyber Essentials. This includes a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The assessor will test a suitable random sample of these systems (typically around 10 per cent) and then decide whether further testing is required.

The assessor will need to visit your head office and a representative sample of your other offices in order to carry out the tests. The number of other offices visited depends on the complexity of your organisation; in a multinational organisation the assessor may need to visit a number of countries. Some tests may be carried out remotely, provided that the agreed on-site visits have been carried out.

As a rough estimate a Cyber Essentials PLUS assessment for a small, simple company will cost in the region of £1,400. Our certification bodies aim to minimise the cost to your company.

Is there a vulnerability scan required as part of the Cyber Essentials basic level?

The basic level assessment of Cyber Essentials only requires a self-assessment. No additional vulnerability scan, test or third-party verification is needed. One of the other Accreditation Bodies, CREST, and its associated Certification Bodies do insist upon a vulnerability scan as part of the basic level. However, this is not required by the Government, and certification by us without a vulnerability scan is just as valid a Cyber Essentials assessment as any other.

Can I see the self-assessment questions before I pay for an assessment?

You can download all the self-assessment questions in PDF format here. If you would like them in an Excel worksheet, which is easier to work with, then please contact us and we will email it to you. Please note that IASME does not use the 'Cyber Essentials Common Questionnaire' which is referred to on some websites; we have our own approved question set.

What is involved in a Cyber Essentials PLUS assessment?

Cyber Essentials PLUS involves a technical audit of the systems that are in scope for Cyber Essentials. This includes a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The assessor will test a suitable random sample of these systems (typically around 10 per cent) and then decide whether further testing is required.

The assessor will need to visit your head office and a representative sample of your other offices in order to carry out the tests. The number of other offices visited depends on the complexity of your organisation; in a multinational organisation the assessor may need to visit a number of countries. Some tests may be carried out remotely, provided that the agreed on-site visits have been carried out.

The full test specification which all the Accreditation Bodies work to (the Cyber Essentials PLUS Common Test Specification) can be downloaded from the NCSC website here.

How many of the questions do I need to get right to pass?

You need to get nearly all the questions right (compliant) to pass the Cyber Essentials assessment. You do need to be controlling all these aspects of your system to be certified. This very strict pass criterion is set by the UK Government. If you are not compliant on some of the questions, we suggest you try to change your processes to meet the requirement and, in any case, add notes to explain why you are not compliant in this aspect and how else you control that risk.

Are there any automatic fail questions?

Any company using unsupported software in the scope of the assessment, such as Microsoft XP, will probably fail to achieve Cyber Essentials certification.

If I fail will I get feedback about why I failed?

All clients get feedback on any aspect of the assessment which is not fully compliant. You will get a PDF of all the answers you gave, with comments from the assessor against any that were considered non-compliant. If you fail the assessment, this feedback should help you improve your security so you can pass in the future.

Where can I get more information about the included Cyber Insurance?

We have a separate set of frequently asked questions and answers about the included insurance here. For further information contact [email protected] or call +44 (0)1905 21681.

If I fail will I have to pay another £300 to take the assessment again?

If you fail, we allow you two working days to examine the feedback from the assessor and fix any simple issues with your network and policies. You can then update your answers and the assessor will have another look without any extra charge. However, if you still fail after these two days you will have to reapply and pay the assessment fee again.

I am not sure I understand the questions. Where can I get help?

IASME and various approved partners run a basic one-day course to teach people with no cyber background how to prepare their company and complete the Cyber Essentials assessment. More details here.

The companies we have trained to assess against Cyber Essentials PLUS are available to help companies achieve both levels of Cyber Essentials. They have already helped a number of companies become certified and would be pleased to work with you. Please contact them for help.

How can I become an Assessor?

To become an IASME Certification Body and Assessor, someone from your company will need to attend and pass the IASME Assessor Course and also the Technical Cyber Auditing Cyber Essentials Assessor Course. More details about the requirements for assessors can be seen here. We work with companies of all sizes; micro companies and one-man bands are welcome partners.

Where can I find information about securing my company?

You can see links to some excellent websites which will help you here. IASME and "The Friendly Nerd" run a basic one-day course to teach people with no cyber background how to prepare their company and complete the Cyber Essentials assessment. More details here.

How quickly can I get certified to Cyber Essentials?

We always do our best to get the Cyber Essentials assessment results back to you as quickly as possible. It usually takes us 1-3 working days from the time you submit your assessment. If you have a tight deadline, please let us know and we can try to fast-track your assessment.

Can I just answer yes/no to most questions?

You need to add brief notes to most answers. This allows us to understand your company and controls better, makes the assessment process faster, and makes it more likely that we will understand your systems well enough to pass you.

How long does the certification last before I have to renew my Cyber Essentials certification?

The UK Government recommends that you renew your certification at least annually. We remove companies from our 'certified organisations' list if they have not been certified in the past year.

How long will I have to complete and submit my assessment?

You will have 6 months from the date of application to complete and submit your assessment. After this time your account may be closed, and you would have to apply and pay again if you wanted to be assessed.

How can I remember to re-certify within a year?

We will email you a reminder roughly a month before you have to be re-certified.

When I re-certify, will I have to re-enter all the information again?

You currently do need to re-enter all the information, and the questions have been updated, so they have changed a bit (hopefully improved). However, you can copy and paste the majority of your answers from last year's submission if you have not changed things in your company over the previous year. Do let us know if you would like us to email you the answers you submitted the last time you were assessed.