Basic certification against the five core control themes. Consists of a self assessment questionnaire and optional pre-assessment check with feedback call.
Cyber Essentials Plus
Advanced certification against the same five core control themes but with the addition of a series of tests conducted remotely or on-site and a vulnerability scan.
serious about cyber security
Prevent cyber incidents by achieving Cyber Essentials with Cyberlab. We offer a range of options depending on your requirements and technical ability. Cyberlab are licensed to certify organisations against both the government backed Cyber Essentials and Cyber Essentials Plus schemes.
What are the
The scheme addresses the following five key controls that, when implemented correctly, can prevent around 80% of cyber attacks.
- Secure configuration
- User access control
- Malware protection
- Patch management
What is the
difference between Cyber Essentials and Plus?
Cyber Essentials is self assessed and independently verified. Cyber Essentials Plus includes an independent technical audit of your systems to verify that the Cyber Essentials controls are in place. Both levels are based upon the same five controls.
In the current climate, Cyber Essentials Plus audits are being carried out remotely by our Assessors.
guidance and support
How do we achieve the
As a Certification Body for IASME, Cyberlab are authorised to assess against the scheme but also to provide consultancy to support organisations to achieve the certification. We offer different support levels to suit your needs.
What are the benefits of achieving
Reassure customers that you are working to secure your IT against cyber attacks and have a clear picture of your organisation's cyber security posture.
Cyber Essentials FAQ
• Protects your organisation from approximately 80% of cyber-attacks, according to the UK government.
• Demonstrates your commitment to security and data protection to customers and stakeholders.
• Boosts your reputation and increases your chance of securing new business by showing you have cyber-security measures in place.
• Cyber Essentials permits you to work with the UK government, Plus gives you the opportunity to work with the MoD.
• Lets you focus on your business objectives, knowing you are secure.
Insurance terms and conditions can be found here:
It is noted that an increasing number of government and commercial organizations are requiring this certification of their suppliers, even though they are not mandated to do this through the Procurement Policy Notice. In his speech on the 23rd June 2015, Ed Vaizey from the Department of Culture, Media & Sport urged all organizations to “adopt Cyber Essentials so they can protect and promote themselves online to all stakeholders”.
Any company using unsupported or out-of-date software in the scope of the assessment, such as Microsoft 7, will probably fail to achieve Cyber Essentials certification.
The questionnaire requires answers to all questions – most of these questions will require brief notes to enable us to understand your company and the information security controls that you have in place. By providing full details in the questionnaire you will reduce the time required for certification as we will have all the information we need up front.
For Cyber Essentials, once you have completed the self-assessment questions on the online portal we aim to turnaround all assessments within 24 hours.
For Cyber Essentials Plus, this must be carried out within 3 months of achieving the CE accreditation. The CE+ requires an on-site audit which can be scheduled as soon as a signed order is request and a CE pass is in place.
We will email you with a reminder in advance of your expiry date outlining the steps involved in order to work through your renewal.
You need to get nearly all the questions right (compliant) to pass the Cyber Essentials assessment. You do need to be controlling all these aspects of your system to be certified. This very strict pass criteria is set by the UK Government. If you are not compliant in some of the questions we suggest you try and change your processes to meet the requirement and certainly add notes to explain why you are not compliant in this aspect and how else you control that risk.