Falanx Cyber’s Toby Western gives you the lowdown on the difference between Cyber Essentials and Cyber Essentials PLUS.
You’re feeling pleased with yourself; the Cyber Essentials questionnaire that you’ve completed on behalf of your organisation has proved successful. The independent assurance went well, too. Your company is well on the way to being listed as having Cyber Essentials certification, getting that badge, and being able to tender for those UK Government contracts.
However, you’ve noticed that most of your competitors hold Cyber Essentials PLUS certification. The nagging voice in your head is asking whether you should have applied for PLUS certification. Would it be worth it, and what would be the benefits?
The Differences Between Cyber Essentials and Cyber Essentials PLUS
Be it at Essentials or PLUS level, the Cyber Essentials scheme sets out five security controls to protect organisations against the most common cyber threats. These are defined as:
- Boundary Firewalls and Internet Gateways;
- Secure Configuration;
- Access Control;
- Malware Protection; and
- Patch Management.
So far, so good. However, the differences become apparent when you start to look at the requirements for each (as shown in the table below):
Therefore, the significant divergence between the two ‘levels’ is that Essentials is very much focussed on the external. Whilst Cyber Essentials entails the completion of a self-assessment questionnaire verified by an external certification body and an external vulnerability scan, Cyber Essentials PLUS requires an additional internal assessment and internal scan, conducted on-site by a CREST-accredited certification body.