
Steps to Simplify Cyber Essentials and Cyber Essentials Plus Recertification

To maintain a valid Cyber Essentials certificate, organisations must complete the recertification process every 12 months. However, failing to keep up regular patching or effective configuration management will accelerate how quickly you become non-compliant, a point the UK government's recent updates to the scheme reinforced. Unfortunately, it is a common misconception that once certification is gained, nothing more needs to be done until it is time to recertify.

The NCSC states the objective of the scheme as "Cyber Essentials helps you to guard against the most common cyber threats and demonstrate your commitment to cyber security". With this in mind, waiting until recertification to check whether you still meet the Cyber Essentials criteria leaves your organisation open to evolving threats and heightens your risk exposure. For any organisation, a lot can change within a year.

What business factors affect Cyber Essentials Recertification?

From a compliance standpoint, becoming non-compliant will not affect the validity of your Cyber Essentials certificate. However, from a security standpoint, there is a higher risk of attack if you do not have the necessary visibility or control over your procedures and IT environment.

Here are a few examples to consider: 

  • Company acquisitions – Whether your organisation is acquired or is the acquirer, changes to your IT infrastructure and Cyber Essentials scope will be inevitable. A company should carry out comprehensive security audits and health checks to ensure systems are secure, allowing for full visibility and effective management of the transition.
  • Growth leading to more staff or offices – Similarly, any major growth will bring a degree of change that could have an impact on the security of existing infrastructure. For any new devices or software purchased, effective configuration, access controls and multi-factor authentication are just a handful of the areas that must be taken into account. If you are looking to achieve Cyber Essentials Plus, new devices will likely also affect sampling within the technical audit.
  • Revisions to the Cyber Essentials IT specification – As the threat landscape develops, the governing bodies regularly update the IT requirements for Cyber Essentials, with the largest changes since its launch in 2014 coming into effect at the start of 2023. To maintain compliance and stay secure, it is important to pay close attention to updates from the NCSC and IASME.
  • End of life for software or hardware – Throughout the year it is also possible that certain hardware or software used by an organisation will reach end of life (EoL). This means it will no longer receive software or security updates from the manufacturer, making it more vulnerable to exploitation.

The Cyber Essentials recertification process

Organisations must be recertified 12 months from the date they passed. Many organisations will have two recertification dates, one for Cyber Essentials and a second for Cyber Essentials Plus, which can cause further confusion. As with the first certification, organisations have a range of approaches to choose from at recertification depending on their budget, needs and drivers.

By recertifying your Cyber Essentials certifications, you continue to benefit from the many advantages linked to the certifications. You are verifying with an external body that you are taking the appropriate steps to be secure, showing your supply chain and customers that you take cyber security seriously, lowering insurance premiums and retaining the ability to bid for government tenders.

Tips for recertification:

Here are some tips for making the Cyber Essentials recertification process as smooth as possible: 

  • Stay ahead. Don't wait until your certificate is about to expire before starting the recertification process. Whether you opt for self-assessment or assisted, it is important to have a plan in place ahead of time. This will give you plenty of time to re-evaluate your Cyber Essentials scope against the current scheme requirements, implement the necessary changes and allow for any clarifications requested by the assessors or auditors.
  • Be thorough. When answering questions, be sure to answer all of them honestly and thoroughly. The certification and recertification processes are opportunities to bolster your security defences and to keep up to date with modern threats. By not being transparent, or by not raising the queries you have, you reduce the value of the whole process.
  • Seek expert support, if needed. Cyber advisors and certification bodies are there to help you. For example, at Data Connect we are a certification body for Cyber Essentials and Cyber Essentials Plus, and we are also NCSC Cyber Advisors and an NCSC Assured Service Provider. This means we have completed the necessary training and testing to help organisations throughout the whole certification process.

vSOC CERT (Cyber Essentials Review Toolkit) service

Our approach removes the headache of Cyber Essentials recertification by simplifying the process and ensuring you’re secure throughout the year with the vSOC CERT service. Providing your organisation with ongoing support from cyber security experts, a comprehensive set of tools and a dynamic dashboard, our Cyber Essentials Review Toolkit (CERT) offers multiple benefits: 

  • Simplified recertification year after year 
  • Team of Cyber Essentials advisors and assessors 
  • Full visibility with the vSOC Connect Console 
  • A roadmap highlighting your risk and improvements 
  • Updates and assistance with scheme revisions 
  • Come on board any time – first-time or at recertification 
  • Easily identify and prioritise vulnerabilities 

For more about our vSOC CERT service, to access a demo of our innovative vSOC Connect Console, and to get Cyber Essentials certified, get in touch with our team of cyber security experts today.
