The UK government has launched the Cyber Essentials scheme to help small to medium-sized organisations define and measure basic levels of security hygiene. The scheme defines a series of technical and procedural controls to mitigate the risks associated with cyber threats. Through certifying against the Cyber Essentials scheme, organisations are able to demonstrate to their clients, their suppliers, their insurers and to industry regulators that they have undertaken essential precautions in minimising their cyber risk.
Nettitude has been delivering security architecture consulting, vulnerability analysis, penetration testing, risk management and technical security auditing for more than a decade. Our highly experienced consultants can assist you in defining the scope for Cyber Essentials and provide you with a roadmap for achieving the overall certification.
As a CREST affiliated company, Nettitude is able to issue both Cyber Essentials and Cyber Essentials Plus certification, with the option of a pre-assessment if required.

Cyber Essentials Basic

Cyber Essentials is the fundamental level of Cyber Essentials certification. Nettitude conducts both technical risk assessments and vulnerability assessments to ensure that all elements of the requirements are addressed.

There are two stages to a Cyber Essentials assessment:

1. Self-assessment Questionnaire

The organisation is required to complete a self-assessment questionnaire that covers some of the basic technical and procedural controls that need to be in place. This questionnaire is then attested by a senior director or C-level representative before it is returned to the certifying body.

2. External Vulnerability Scans

The vulnerability scans offer a deeper level of assurance by scanning the network perimeter of all internet-connected locations for infrastructure and web application vulnerabilities, including dedicated hosting platforms.

Nettitude’s qualified security consultants can then provide remediation guidance around technical and procedural controls, where necessary, and provide you with a framework to measure the effectiveness of these controls. Once a vulnerability scan and self-assessment questionnaire have been completed, the organisation will be validated against the first stage of the Cyber Essentials scheme.

Whilst there is no official expiration, Nettitude recommends that this exercise is repeated at least annually. An organisation can then opt to proceed to the next level of certification, Cyber Essentials Plus, or remain at this level.

Cyber Essentials Plus

For organisations pursuing the higher level of assurance offered by Cyber Essentials Plus certification, Nettitude conducts both technical risk assessments and vulnerability assessments to ensure that all elements of the requirements are addressed. Cyber Essentials Plus covers the requirements of Cyber Essentials, but in addition a sample of the organisation’s internal infrastructure is also assessed. The Cyber Essentials Plus package includes the stages mentioned in the basic assessment, with the following add-on:

Internal Workstation And Mobile Device Security Audit

This stage assesses a sample of workstations for configuration- and patching-related vulnerabilities. A qualified consultant will conduct a full build review against your standard workstation builds and mobile devices (if applicable). Samples of common malware are then delivered via email (phishing) and web browsing (drive-by) to determine the effectiveness of your perimeter protections against these threats.

Once an organisation is able to demonstrate that it has implemented controls to mitigate various common attack scenarios, it will be eligible for Cyber Essentials Plus certification. Where gaps exist, Nettitude is able to offer pragmatic advice and guidance on how these gaps can be addressed.

An organisation can choose one of two routes to achieve Cyber Essentials Plus certification: gain Cyber Essentials certification first, or go for Cyber Essentials Plus outright. Cyber Essentials Plus offers a greater level of assurance as it is a more in-depth assessment, and passing this component covers all of the organisation’s Cyber Essentials compliance requirements.

Cyber Essentials Pre-assessments

When Nettitude initially engages with an organisation, the team undertakes a gap analysis to measure the organisation’s existing controls against what is required by Cyber Essentials. Having conducted this assessment, Nettitude then provides the organisation with a clear roadmap on how to bridge the gaps and reduce the risks associated with a cyber breach. As the organisation moves towards entry-level certification, Nettitude can provide ongoing guidance and assistance to ensure all elements of the assessment are being catered for.