Cyber Essentials FAQ
Over the past year we have seen a huge rise in the number of enquiries relating to the Cyber Essentials (CE) certification scheme. Our previous blogs give a good introduction to the scheme and the five technical controls covered by the certification process: firewalls, secure configuration, user access control, malware protection and security update (patch) management.
The scheme targets the common, commodity attacks that most organisations actually face; UK government guidance estimates that the CE controls would prevent around 80% of them. Certification is also increasingly required in supply chains, with customers asking their suppliers to hold it as part of their due diligence on supply chain cyber security.
- You can search for a company to check that it holds a current certificate here.
- The UK Government Procurement Policy Note covering Cyber Essentials is here.
- We are Approved Practitioners of Cyber Essentials, which means we have been externally assessed and accredited to provide advice, guidance and consultancy on the scheme. You can find more information on how we can help here.
Below are the questions we have been asked most often over the past year, with our answers:
How long will it take to prepare for CE?
The questionnaire answers require detail and supporting evidence, and you may need time to put the correct policies and procedures in place before you submit. In most cases a couple of weeks is enough, but it can take longer if, for example, you have unsupported software to replace or device configurations to bring into line.
What if we fail?
If any in-scope device is running unsupported software (an operating system or application that no longer receives security updates from its vendor) you will fail the certification outright. If you are non-compliant in other areas, you will get feedback and normally the opportunity to correct the issues and re-submit within a short time period. If you do not manage this, you will need to reapply, and you must wait 30 days before doing so. We are proud to say that all of the customers we have supported through the process have passed first time.
How often do we need to renew certification?
A certificate is valid for 12 months. Organisations can easily lapse from compliance during that time if they do not keep on top of patch management, device configuration, access controls and the other controls, because the assessment is a snapshot of the estate on the day you submit. Our IT support customers have the peace of mind that these requirements are being managed continually, so there should be no surprises when they recertify at the end of the year, and they can show customers and supply chain partners that cyber security risks are well managed. Note that a customer or partner may also ask an organisation to recertify before the 12 months are up if they believe its compliance may have lapsed.
We have ISO 27001, do we need Cyber Essentials as well?
ISO 27001 has a much wider scope than CE, but it is a risk-based management system standard: the controls you implement are chosen according to your own risk assessment, so holding it does not guarantee that every specific technical control CE requires is in place. The two are different but complementary certifications. In an ideal world you would have both, but Cyber Essentials is a good place to start, and its controls map directly onto the technical side of an ISO 27001 programme.
If you have other questions, call us for a no-obligation chat about the scheme.
RedMosquito Ltd provide IT Support across Glasgow, Edinburgh and throughout Scotland.