IASME Cyber Essentials was introduced by the UK Government to help small businesses tackle cyber threats and prove to their customers and clients that they have sufficient security measures to mitigate most common security risks.
Security has taken a higher priority and IASME Cyber Essentials is an ideal starting place for any sized business. For other businesses, supply chain requirements or industry regulation has forced their hand, requiring their business to gain IASME Cyber Essentials in order to do business. In this article I cover some of the questions I am most frequently asked about the certification.
Why was Cyber Essentials launched?
IASME Cyber Essentials was launched back in 2014 by the Government in recognition that there wasn't a compliance standard out there suited to small businesses. ISO 27001 was the only industry security standard available, and it was very complicated and not really suited to small businesses. Cyber Essentials was launched to fill that gap.
Cyber Essentials requirements
IASME Cyber Essentials has five controls, designed for small businesses:
Amazingly, they can mitigate against 80% of cyber attacks at the moment. I am a big believer in MED, minimal effective dose, and these five very basic controls can really protect small businesses against cyber attacks.
The National Cyber Security Centre have created a really good leaflet that summarises Cyber Essentials controls, download it here.
Why do small businesses choose Cyber Essentials?
There are really two reasons why businesses choose to become certified through IASME Cyber Essentials:
To show their willingness to protect their business and ultimately their customers and their supplier's data against cyber attacks.
We are also seeing businesses being forced by their supply chain to have these compliance measures in place. It is regulatory. Clients approach us because their contract stipulates that they must have Cyber Essentials. The reason for this is an ongoing, big issue with supply chain threats, where cyber criminals and hackers will try to infiltrate the supply chain. The bigger companies are being targeted through the smaller businesses; they are using the small businesses as a weak link in the chain to attack the larger organisations.
Cyber Essentials Self-Assessment
IASME Cyber Essentials is, at its very basic form, a self-assessment. The assessment is done online through the IASME website. IASME are a Government partner, chosen by the National Cyber Security Centre to lead the certification.
The cost of the Cyber Essentials assessment is from £300 + VAT. The cost has increased since January 2022, with a new tiered pricing structure based upon the number of employees:
Micro organisations (0-9 employees)
Small organisations (10-49 employees)
Medium organisations (50-249 employees)
Large organisations (250+ employees)
This does not include the cost of the security defences that you need to pass the certification, such as firewall controls and malware protection. You may also need to take into consideration the time you need to create new documentation, implement policies or undergo ongoing audits.
Many businesses work alongside a security partner to ensure they are compliant and pass first time. There are a variety of service levels you can choose from. Some services simply complete the self-assessment on your behalf, which can cost in the region of £300-500 (not including the cost of the assessment). Other providers offer a more in-depth service. IT and security companies, such as Superfast IT, help small businesses through Cyber Essentials consultancy. We, for example, offer a fully managed service for a fixed fee of £100 per month, which would include the cost of the assessment.
As a part of the cost, we perform an initial gap analysis and ensure that all required security controls are properly configured before submitting the self-assessment. That way you can be safe in the knowledge that your security is installed, maintained and regularly updated with the all-important security patches. We also complete ongoing security audits, as the certification stipulates.