Earlier in the year I reported that Cyber Essentials was changing. Following a review the accreditation was coming under one body (iasme.co.uk) and other changes were being proposed. At the time things were a little vague, but I can clear it up now, since I have re-accredited Zorva Consulting early to experience the process first-hand.
Signing up to gain or renew accreditation
Previously you could choose from a few accreditation bodies, but now there is just one place to go, and pay your money to. Visit https://iasme.co.uk/cyber-essentials/cyber-essentials-apply-now/ to get started
Options and costs
There have always been 2 options, being Cyber Essentials (self-assessment and external penetration test) and Cyber Essentials Plus (adding an internal penetration test). Cyber Essentials used to cost £300 plus VAT.
Now, the cost of Cyber Essentials remains the same but you get a little less for your money, as there is no longer any penetration testing and the self-assessment is slightly simpler. You can add the penetration tests if you sign up for Cyber Essentials Plus but speak to your IT provider before you consider this. Cyber Essentials now includes £25,000 of free cyber insurance, which you can opt out of, but do check the small print to see if this is suitable.
The self-assessment is largely the same and you can download a free self-assessment questionnaire here, so you can see what’s involved. The questions are answered online, and as an example it took my just 90 minutes to renew Zorva Consulting’s accreditation, referring from last year’s assessment answers. The IASME website was very slow when I tried it, and the colour scheme of blue text on a black background was not the clearest. You download, sign and upload a declaration and your self-assessment is reviewed. I got a response the same day, thought they quote up to 3 working days.
When you are successful, your organisations details appear on Cyber Essentials Certificate register and everyone can see your commitment to IT security. You will also receive a branding pack and this includes a logo that you can use.
Should I get accredited?
Yes! It displays your commitment to IT security, and the self-assessment covers the basics that you need to demonstrate compliance with GDPR principle 6, which states that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” You need to do more than this, but it’s a great start; contact me if you would like a complete checklist.