You know how important it is to have Cyber Essentials certification - as a government-backed scheme, Cyber Essentials helps give peace of mind that you’ve put essential security protections in place – and is critical for both reputation and compliance.
When getting certification, you want to work with a trusted certification body who understands the needs of your sector. In response to demand, we offer Cyber Essentials and Cyber Essentials Plus as a service. Use this to obtain a Cyber Essentials certificate and to get the essential advice and guidance you need.
How does this service help my organisation?
Members and customers will have reassurance that you have defences in place against many of the most common cyber-attacks.
The core of the service is an online questionnaire to check whether you meet the requirements for Cyber Essentials certification. This means you can quickly and easily understand where you stand on Cyber Essentials – and the areas where you may need to improve.
Get trusted advice to improve security
If you are working toward Cyber Essentials, we can offer advice and guidance to help you improve security and pass the test. The advice we offer includes online responses, as part of our portal – but we can also offer follow-up advice from our IASME-approved Cyber Essentials assessors.
Demonstrate that you have protections in place
Once you’ve passed Cyber Essentials, your certificate can be used to show that you have essential cyber security protections in place. This helps you to improve your reputation as a business. You will receive a Cyber Essentials logo for your website, which helps to give stakeholders peace of mind when dealing with you. A Cyber Essentials certificate also means you are free to bid for government contracts involving sensitive or personal information – a potentially vital aspect of compliance for a research organisation.
Stay up to date with cyber security
Cyber Essentials is an annual process. We can help you to renew your certification – so you stay on top of it, year after year.
Trust in our experience
We are a trusted partner who is uniquely placed to understand the needs of our members and customers in research, education, the public sector and not-for-profit organisations.
An introduction to Cyber Essentials
Why do FE organisations need Cyber Essentials?
In January 2020, the Education and Skills Funding Agency (ESFA) announced that they had reviewed the requirements for data security in their FE funding agreements and organisations must make ‘best endeavours’ to achieve Cyber Essentials certification for the funding year 2020/21, with progression to Cyber Essentials Plus for 2021/22. This has now been updated for the 22/23 funding year to ‘work towards’ meeting the requirements.
Cyber Essentials Plus
Having successfully completed your Cyber Essentials assessment, the next step is Cyber Essentials Plus - an Education and Skills Funding Agency (ESFA) requirement for 2021/2022. Cyber Essentials Plus consists of internal and external tests of your computers and network that verify the information you have provided in your Cyber Essentials assessment.
More details about Cyber Essentials Plus
To be able to pass Cyber Essentials Plus, you must have first completed and passed Cyber Essentials (CE). You must also pass Cyber Essentials Plus within three months of your CE certification date, or you will need to resit CE.
The cost is determined by the size of your network and number of devices that need to be audited. All tests will be monitored by our IASME-approved Cyber Essentials Plus assessors.
Test 1: Remote vulnerability scan
This is an internet-based vulnerability assessment of all IP addresses in use. This includes any IaaS systems you use. Any vulnerability with a CVSSv3 rating of 7 or higher will cause a failure. If an application allows a user to store private information, this must be protected by authentication. The authentication must use MFA, or login throttling, or lockout after 10 failed login attempts.
Tests 2-7 sampling
A sample of end user devices (EUDs) is chosen for testing. Devices that are in scope are defined as desktops and laptops (both organisation-owned devices and staff's personally owned devices, if they access corporate data), servers, and cloud services that provide a user with a graphical desktop interface. All the different OS build versions (e.g., Windows 10 22H1, 22H2, Windows 11 22H2) need to be tested, and so a large number of devices may end up in the sample set.
Test 2: Authenticated patch check of sample devices
An authenticated software patch check is carried out against each of the devices in the sample to check all software on the device is patched and up to date. Any vulnerability found that has a CVSSv3 rating of 7 or higher, or is described as critical or high, or is without a rating, will cause a failure, but only if a patch has been released more than 14 days ago.
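The failure rules for Test 1 and Test 2 above are simple enough to apply mechanically to a scan export before the assessor does, which is a useful readiness check. The script below is an added example, not part of the page or of Jisc's or IASME's tooling: it applies the CVSSv3 threshold, the critical/high/unrated rule, the 14-day patch window and the Test 1 authentication rule to a constructed sample report. The `Finding` record layout, the host names and the finding titles are all made up for the example; a high-risk finding with no published patch is treated as not failing Test 2, which is one reading of the page's "only if a patch has been released more than 14 days ago" wording, and "lockout after 10 failed login attempts" is read as a threshold of at most 10.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds quoted on the page for Tests 1 and 2
CVSS_FAIL_THRESHOLD = 7.0
PATCH_GRACE_DAYS = 14
MAX_LOCKOUT_ATTEMPTS = 10


@dataclass
class Finding:
    """One row of an authenticated scan report (constructed shape, not a vendor format)."""
    host: str
    title: str
    cvss_v3: Optional[float]        # None: the scanner gave no rating
    severity: str                   # vendor label: critical/high/medium/low/unrated
    patch_released: Optional[date]  # None: no fix has been published yet


def is_high_risk(f: Finding) -> bool:
    """Test 2 risk rule: CVSSv3 >= 7, or labelled critical/high, or carrying no rating."""
    return (
        f.cvss_v3 is None
        or f.cvss_v3 >= CVSS_FAIL_THRESHOLD
        or f.severity.strip().lower() in ("critical", "high")
    )


def fails_remote_scan(f: Finding) -> bool:
    """Test 1: any CVSSv3 rating of 7 or higher on an internet-facing address fails outright."""
    return f.cvss_v3 is not None and f.cvss_v3 >= CVSS_FAIL_THRESHOLD


def fails_patch_check(f: Finding, today: date) -> bool:
    """Test 2: a high-risk finding whose patch has been available for more than 14 days.
    Assumption: with no published patch there is nothing to be 'released', so no failure."""
    if not is_high_risk(f):
        return False
    if f.patch_released is None:
        return False
    return (today - f.patch_released).days > PATCH_GRACE_DAYS


def auth_control_acceptable(mfa: bool, throttling: bool, lockout_after: Optional[int]) -> bool:
    """Test 1 rule for applications holding private data: MFA, or login throttling,
    or account lockout after at most 10 failed attempts (assumed reading of 'after 10')."""
    return mfa or throttling or (
        lockout_after is not None and lockout_after <= MAX_LOCKOUT_ATTEMPTS
    )


def triage(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Return the titles of findings that would fail Test 2, grouped by host."""
    failed: Dict[str, List[str]] = {}
    for f in findings:
        if fails_patch_check(f, today):
            failed.setdefault(f.host, []).append(f.title)
    return failed


# Constructed sample report; patch dates are relative to a fixed assessment day.
ASSESSMENT_DAY = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("LAPTOP-01", "Browser update missing", 9.8, "critical", ASSESSMENT_DAY - timedelta(days=60)),
    Finding("LAPTOP-01", "PDF reader update missing", 7.5, "high", ASSESSMENT_DAY - timedelta(days=10)),
    Finding("LAPTOP-02", "Legacy runtime, unrated by scanner", None, "unrated", ASSESSMENT_DAY - timedelta(days=30)),
    Finding("LAPTOP-02", "Information disclosure", 5.3, "medium", ASSESSMENT_DAY - timedelta(days=200)),
    Finding("LAPTOP-03", "Driver issue, no fix published", 8.1, "high", None),
]

if __name__ == "__main__":
    for host, titles in triage(SAMPLE_FINDINGS, ASSESSMENT_DAY).items():
        print(f"{host}: {', '.join(titles)}")
```

Note that the second LAPTOP-01 finding scores 7.5 and would fail Test 1 if it were on an internet-facing host, yet does not fail Test 2 because its patch is only 10 days old; the two tests apply different rules to the same CVSS number, so a readiness check should report them separately.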
Tests 3-7: observation-based tests
These are tests that the user must perform using their normal day-to-day accounts (i.e., non-administrator accounts) under the guidance of the assessor. As such, it may be necessary to schedule 15-minute sessions so that the assessor can watch the device user performing the checks. Note that in an educational environment with shared devices, this could sometimes be carried out by a single user on multiple systems.
Test 3: Check malware protection
This checks that anti-malware software is installed, operational and updated in accordance with vendor instructions.
Test 4: Malware via email
Emails with benign test attachments will be sent to the user and should be blocked by either local or network-based anti-virus.
Test 5: Malware via browser
The user will attempt to download the same set of benign test files using all installed browsers. If the user is prevented from accessing the file, this is recorded as a pass. Where a browser downloads an executable file, the user will attempt to execute it. If there is a prompt or warning before running the file, this is deemed a test pass.
Test 6: Cloud service multi-factor
All cloud services declared in scope must be tested for MFA. This test is performed against both normal and administrator users of the cloud service. For non-administrator users, whether MFA is enabled should match what was submitted in the Cyber Essentials self-assessment. Note that this test should cover the authentication process for every cloud service in scope but does not necessarily need to check every service. For example, if multiple services share a single authentication service (e.g. Single Sign-On), then only one set of admin and non-admin user accounts needs to be checked for that authentication service, per device.
Test 7: account separation
On each device and cloud service in the sample, there should be a distinction between administrative and non-administrative processes. The non-administrator user will attempt to execute an admin-only process. If the user is prevented from doing this, this is deemed a pass. If an administrator authentication prompt is presented that cannot be completed with normal user credentials, this is also deemed a pass.
Prior to your Cyber Essentials Plus audit we can also carry out a Cyber Essentials Plus Readiness Check to identify any weaknesses in your current setup.
To find out more about Cyber Essentials and Cyber Essentials Plus, contact your relationship manager.
Cyber Essentials advice and guidance
Our additional advice and guidance service offers one-to-one advice to support your journey towards Cyber Essentials certification. We have experts on hand to help you fill in the gaps or with any areas where you need support.
You can book this service with one of our IASME Cyber Essentials approved assessors, from one hour up to a full day. Contact your relationship manager to find out more.
How to buy
Jisc have been appointed as an approved supplier on the Crown Commercial Services dynamic purchasing system (DPS). The benefit for our members in purchasing through the DPS is that it allows public sector buyers to procure an extensive variety of cyber security services from a range of pre-qualified suppliers.
Visit the Crown Commercial Service (CCS) website for more information. The ‘how to buy’ section gives full details for registering as a buyer and navigating through the process. The CCS run regular webinars for customers explaining what and how to buy from the new cyber security DPS. See upcoming webinar sessions.
This service is included within the scope of our ISO9001 and ISO27001 certificates.