Cyber Essentials
A trusted way to gain and renew Cyber Essentials certification, helping to make sure vital security precautions are in place.
You know how important it is to have Cyber Essentials certification. As a government-backed scheme, Cyber Essentials helps give peace of mind that you’ve put essential security protections in place. It is critical for both reputation and compliance.
When getting certification, you want to work with a trusted certification body who understands the needs of your sector. In response to demand, we offer Cyber Essentials and Cyber Essentials Plus as a service. Use this to obtain a Cyber Essentials certificate and to get the essential advice and guidance you need.
How does this service help my organisation?
Cyber Essentials provides reassurance that your organisation is protected against many of the most common cyber-attacks.
The core of the service is an online questionnaire to check whether you meet the requirements for Cyber Essentials certification. This means you can quickly and easily understand where you stand on Cyber Essentials – and the areas where you may need to improve.
Get trusted advice to improve security
If you are working toward Cyber Essentials, we can offer advice and guidance to help you improve security and pass the test. The advice we offer includes online responses, as part of our portal, but we can also offer follow-up advice from our IASME-approved Cyber Essentials assessors.
We are a trusted partner who is uniquely placed to understand the needs of our members and customers in research, education, the public sector and not-for-profit organisations.
“We particularly wanted to work with an independent organisation that had detailed knowledge of the higher and further education sector. The project has been well-signposted, with a personal touch at all stages.”
Sue Rogers, IT director, St John's College
Demonstrate that you have protections in place
Once you’ve passed Cyber Essentials, your certificate can be used to show that you have essential cyber security protections in place. This helps you to improve your reputation as a business. You will receive a Cyber Essentials logo for your website, which helps to give stakeholders peace of mind when dealing with you. A Cyber Essentials certificate also means you are free to bid for government contracts involving sensitive or personal information – a potentially vital aspect of compliance for a research organisation.
Stay up to date with cyber security
Cyber Essentials is an annual process. We can help you to renew your certification so you stay on top of it, year after year.
An introduction to Cyber Essentials
Our presentation by Paul Gray, Cyber Essentials assessor, provides an overview of the benefits, scope and next steps for implementing Cyber Essentials.
Why FE organisations need Cyber Essentials
In January 2020, the Education and Skills Funding Agency (ESFA) announced they had reviewed the requirements for data security in their FE funding agreements and organisations must make ‘best endeavours’ to achieve Cyber Essentials certification for the funding year 2020/21, with progression to Cyber Essentials Plus for 2021/22. This has now been updated for the 2022/23 funding year to ‘work towards’ meeting the requirements.
Cyber Essentials Plus
Having successfully completed your Cyber Essentials assessment, the next step is Cyber Essentials Plus. Cyber Essentials Plus consists of internal and external tests of your computers and network that verify the information you have provided in your Cyber Essentials assessment.
How to achieve Cyber Essentials Plus
To be able to pass Cyber Essentials Plus, you must have first completed and passed Cyber Essentials (CE). You must also pass Cyber Essentials Plus within three months of your CE certification date, or you will need to resit CE.
The cost is determined by the size of your network and number of devices that need to be audited. All tests will be monitored by our IASME-approved Cyber Essentials Plus assessors.
Test 1: Remote vulnerability scan
This is an internet-based vulnerability assessment of all IP addresses in use. This includes any IaaS systems you use. Any vulnerability with a CVSSv3 rating of 7 or higher will cause a failure. If an application allows a user to store private information, this must be protected by authentication. The authentication must be based on MFA, or have login throttling, or lockout after 10 failed login attempts.
Tests 2-7 sampling
A sample of end user devices (EUDs) is chosen for testing. Devices in scope are defined as desktops and laptops (both organisation-owned and staff's personally owned devices, if they access corporate data), servers, and cloud services that provide a user with a graphical desktop interface. Every distinct OS build version in use (e.g., Windows 10 22H1, 22H2, Windows 11 22H2) needs to be tested, so the sample set may contain a large number of devices.
Test 2: Authenticated patch check of sample devices
An authenticated software patch check is carried out against each device in the sample to confirm that all software on the device is patched and up to date. Any vulnerability found that has a CVSSv3 rating of 7 or higher, or is described as critical or high, or has no rating, will cause a failure, but only if a patch for it has been available for more than 14 days.
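To show how the Test 1 and Test 2 thresholds above combine, here is an added triage helper (not part of the page or the assessor's tooling) that applies them to a constructed list of scanner findings; the finding fields, host names, dates and the exact interpretation of "more than 14 days" are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds as stated on this page; the assessor's reading governs a real audit.
CVSS_FAIL_THRESHOLD = 7.0
PATCH_GRACE_DAYS = 14


@dataclass
class Finding:
    host: str
    title: str
    cvss_v3: Optional[float]        # None = scanner supplied no rating
    severity: str                   # scanner label, e.g. "critical", "high", "medium"
    patch_released: Optional[date]  # None = no vendor fix available yet


def fails_remote_scan(f: Finding) -> bool:
    """Test 1 (internet-facing scan): CVSSv3 >= 7 fails outright, no grace period."""
    return f.cvss_v3 is not None and f.cvss_v3 >= CVSS_FAIL_THRESHOLD


def fails_patch_check(f: Finding, today: date) -> bool:
    """Test 2 (authenticated patch check): CVSSv3 >= 7, critical/high, or unrated
    findings fail, but only once a patch has been available for more than 14 days."""
    serious = (f.cvss_v3 is None or f.cvss_v3 >= CVSS_FAIL_THRESHOLD
               or f.severity.lower() in ("critical", "high"))
    if not serious or f.patch_released is None:
        return False
    return (today - f.patch_released).days > PATCH_GRACE_DAYS


def failing_hosts(findings, today: date, authenticated: bool):
    """Return the sorted hosts that would fail the chosen test."""
    rule = (lambda f: fails_patch_check(f, today)) if authenticated else fails_remote_scan
    return sorted({f.host for f in findings if rule(f)})


# Constructed sample findings and audit date (not real scan output).
AUDIT_DATE = date(2024, 3, 1)
SAMPLE = [
    Finding("lab-pc-01", "browser RCE", 8.8, "high", date(2024, 2, 1)),          # 29 days old
    Finding("lab-pc-02", "office memory corruption", 7.8, "high", date(2024, 2, 20)),  # 10 days old
    Finding("lab-pc-03", "unrated vendor advisory", None, "unknown", date(2024, 1, 15)),
    Finding("lab-pc-04", "info disclosure", 4.3, "medium", date(2023, 12, 1)),
    Finding("lab-pc-05", "unpatched critical", 9.8, "critical", None),           # no fix yet
]
```

Running `failing_hosts(SAMPLE, AUDIT_DATE, authenticated=True)` shows that the 10-day-old and not-yet-patchable findings do not fail Test 2, whereas the same 9.8 finding on an internet-facing host would fail Test 1.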
Tests 3-7: observation-based tests
These are tests that the user must perform using their normal day-to-day accounts (i.e., non-administrator accounts) under the guidance of the assessor. As such, it may be necessary to schedule 15-minute sessions so that the auditor can view the device user performing the checks. Note that in an educational environment with shared devices, this could sometimes be carried out by a single user on multiple systems.
Test 3: Check malware protection
This checks that anti-malware software is installed, operational and updated in accordance with vendor instructions.
Test 4: Malware via email
Emails with benign test attachments will be sent to the user and should be blocked by either local or network-based anti-virus.
Test 5: Malware via browser
The user will attempt to download the same set of benign test files using all installed browsers. If the user is prevented from accessing the file, this is recorded as a pass. Where a browser downloads an executable file, the user will attempt to execute it. If there is a prompt or warning before running the file, this is deemed a test pass.
Test 6: Cloud service multi-factor
All cloud services declared in scope must be tested for MFA. This test is performed against both normal and administrator users of the cloud service. For non-administrator users, whether MFA is enabled should match what was submitted in the Cyber Essentials self-assessment. Note that this test should cover the authentication process for every cloud service in scope but does not necessarily need to check every service individually. For example, if multiple services share a single authentication service (e.g. Single Sign-On), then only one set of admin and non-admin user accounts needs to be checked for that authentication service, per device.
Test 7: account separation
On each device and cloud service in the sample, there should be a distinction between administrative and non-administrative processes. The non-administrator user will attempt to execute an admin-only process. If the user is prevented from doing this, this is deemed a pass. If an administrator authentication prompt is presented that cannot be completed with normal user credentials, this is also deemed a pass.
Prior to your Cyber Essentials Plus audit we can also carry out a Cyber Essentials Plus Readiness Check to identify any weaknesses in your current setup.
Further information
Our suite of security services is designed to defend the Janet Network and to protect your organisation.
Our additional Cyber Essentials advice and guidance service offers one-to-one advice to support your journey towards Cyber Essentials certification. We have experts on hand to help you fill in the gaps or with any areas where you need support. You can book this service with one of our IASME Cyber Essentials approved assessors, from one hour up to a full day.
We also offer Cyber Essentials training: you can bring your queries to our free, online drop-in clinic or book your place on our preparing for certification course.
Contact your relationship manager to discuss any of our services and find out more.
How to buy
Jisc have been appointed as an approved supplier on the Crown Commercial Services dynamic purchasing system (DPS). The benefit for our members in purchasing through the DPS is that it allows public sector buyers to procure an extensive variety of cyber security services from a range of pre-qualified suppliers.
Visit the Crown Commercial Service (CCS) website for more information. The ‘how to buy’ section gives full details for registering as a buyer and navigating through the process. The CCS run regular webinars for customers explaining what and how to buy from the new cyber security DPS. See upcoming webinar sessions.
ISO certification
This service is included within the scope of our ISO9001 and ISO27001 certificates.