The Cyber Essentials certification process assesses a set of controls that provide basic cyber security for all types of organisation. Cyber Essentials involves a self-assessment questionnaire covering these controls, checking that each of them is present and functional so that it actually protects the organisation and its systems.
Data is a business’s most precious asset. Without data, a business simply cannot function and continue operating as normal, causing disruption that can lead to a loss of profit. While the majority of businesses do worry about cyber attacks and the impact they could have, 60% of small businesses do not have a cyber security policy in place (CISO Mag).
Cyber Essentials checks for potential vulnerabilities in a business’s IT infrastructure. It also provides clear and practical guidance on the basic network security checklist that your business should be meeting in order to minimise cyber security risks.
Cyber Essentials self-assessment questionnaire
The Cyber Essentials self-assessment questionnaire requires organisations to demonstrate five areas of their IT setup: firewalls, secure configuration, malware management, patch management and user access controls. Your business must cover each of these areas without gaps to gain Cyber Essentials certification.
If this is your first time applying for Cyber Essentials certification, you are probably wondering what kinds of questions you will need to prepare for.
Here are five example questions from the IASME Cyber Essentials questionnaire:
How many staff are home workers?
What is your main reason for applying for certification?
Please list the quantities of servers, virtual servers, and virtual server hosts.
Please provide a list of the networks that will be in the scope for this assessment.
Please list all cloud services that are provided by a third party and used by your organisation.
To view more example questions, view the self-assessment pdf here.
We find that many businesses are unsure how in-depth their answers to the self-assessment questions need to be.
To give you some guidance, we have listed a few IASME answer examples below:
Have you installed Firewalls or similar devices at the boundaries of the networks in the Scope?
Our organisation is protected by XX. An outsourced company, XX, installed and maintains this for us.
Have the default usernames/passwords on all boundary firewalls (or similar devices) been changed to a strong password?
Our organisation uses an outsourced IT company who regularly changes our passwords to one that has at least 15 characters and is made up of upper and lower case letters, special characters and numbers.
To view more answer examples, you can view the Cyber Essentials guidance booklet here.
What is network security?
Network security consists of the processes and configurations adopted to protect the integrity and confidentiality of your network and data. It covers both hardware and software. The overall aim of network security is to reduce the risk of data loss, theft or exploitation by attackers and other unauthorised parties.
Network security has become even more important for businesses to implement, manage and oversee with the rise of remote and hybrid working. Most home networks are not secured to the same standard as an office network, and attackers take advantage of this.
To help safeguard your business and protect employees working outside the office, we have put together a simple network security checklist for you to follow:
- Firewalls
- Regular updates
- Strong passwords
- Secure network (e.g. VPN)
- Patch management
- Data loss prevention
- Antivirus/malware management
- User access controls
You will notice that most of the above network security checklist items overlap directly with the Cyber Essentials requirements. Attackers will attempt to breach your IT infrastructure from many different angles, including through your network. It is therefore crucial to ensure that your data is well protected, backed up and stored in more than one location, so that if the worst-case scenario occurs your business can resume with minimal disruption.
What is information security?
Information security, often referred to as InfoSec, refers to the methodologies and practices that aim to protect confidential business information from unauthorised access. The goal is to ensure that critical data, such as a customer’s financial details, cannot be accessed, modified or destroyed by an unauthorised individual.
As with network security, you will notice that the information security requirements checklist covers similar areas/processes:
- Firewalls
- Antivirus
- Patch management
- Encryption
- Vulnerability scans
- Cyber security risk assessments
- User permission restrictions
- Data loss prevention
Cyber Essentials Plus
Once you have passed and gained your Cyber Essentials certification, your organisation can then apply for Cyber Essentials Plus accreditation.
Cyber Essentials Plus is also a UK government-backed scheme, designed to assess further how well protected businesses are from basic cyber security risks. The main difference is that Cyber Essentials Plus acts as a way of enhancing and maintaining your cyber hygiene across your IT infrastructure.
The National Cyber Security Centre (NCSC) strongly recommends that all businesses consider undergoing the Cyber Essentials accreditation process. It is also a good way of understanding how secure your business really is.
To gain your certification you will need to pass all of the Cyber Essentials Plus requirements.
We have listed a few processes that you may be tested on as part of your Cyber Essentials Plus certification:
Vulnerability scans
User endpoint authentication (this also includes internet-facing servers)
Browser download checks
Mobile and tablet assessments
Email attachment checks
Although both Cyber Essentials and Cyber Essentials Plus are independently verified, your business should consider undergoing a pre-assessment through a verified certification body. Solutions4IT can help your business assess its current cyber security, identify any vulnerabilities and pass its Cyber Essentials assessments; learn more here.