Service

Cyber Essentials

A trusted way to gain and renew Cyber Essentials certification, helping to make sure vital security precautions are in place.

Contact your relationship manager

For enquiries contact:

  • 0300 300 2212
  • professional.cyberservices@jisc.ac.uk

About Cyber Essentials


You know how important it is to have Cyber Essentials certification - as a government-backed scheme, Cyber Essentials helps give peace of mind that you’ve put essential security protections in place – and is critical for both reputation and compliance.

When getting certification, you want to work with a trusted certification body who understands the needs of your sector. In response to demand, we offer Cyber Essentials and Cyber Essentials Plus as a service. Use this to obtain a Cyber Essentials certificate and to get the essential advice and guidance you need.

“We particularly wanted to work with an independent organisation that had detailed knowledge of the higher and further education sector. The project has been well-signposted, with a personal touch at all stages.”

Sue Rogers, IT Director, St John's College

How does this service help my organisation?

Members and customers will have reassurance that their defences are protected against many of the most common cyber-attacks.

Training

Cyber Essentials training

Bring your queries to our free, online drop-in clinic or book your place on our preparing for certification course.

The core of the service is an online questionnaire to check whether you meet the requirements for Cyber Essentials certification. This means you can quickly and easily understand where you stand on Cyber Essentials – and the areas where you may need to improve.

Get trusted advice to improve security

If you are working toward Cyber Essentials, we can offer advice and guidance to help you improve security and pass the test. The advice we offer includes online responses, as part of our portal – but we can also offer follow-up advice from our IASME-approved Cyber Essentials assessors.

Demonstrate that you have protections in place

Once you’ve passed Cyber Essentials, your certificate can be used to show that you have essential cyber security protections in place. This helps you to improve your reputation as a business. You will receive a Cyber Essentials logo for your website, which helps to give stakeholders peace of mind when dealing with you. A Cyber Essentials certificate also means you are free to bid for government contracts involving sensitive or personal information – a potentially vital aspect of compliance for a research organisation.

Stay up to date with cyber security

Cyber Essentials is an annual process. We can help you to renew your certification – so you stay on top of it, year after year.

Trust in our experience

We are a trusted partner who is uniquely placed to understand the needs of our members and customers in research, education, the public sector and not-for-profit organisations.

An introduction to Cyber Essentials

Why do FE organisations need Cyber Essentials?

In January 2020, the Education and Skills Funding Agency (ESFA) announced that they had reviewed the requirements for data security in their FE funding agreements and organisations must make ‘best endeavours’ to achieve Cyber Essentials certification for the funding year 2020/21, with progression to Cyber Essentials Plus for 2021/22.

Cyber Essentials Plus

Having successfully completed your Cyber Essentials assessment, the next step is Cyber Essentials Plus - an Education and Skills Funding Agency (ESFA) requirement for 2021/2022. Cyber Essentials Plus consists of internal and external tests of your computers and network that verify the information you have provided in your Cyber Essentials assessment.

More details about Cyber Essentials Plus

If you wish to apply for Cyber Essentials Plus without gaining Cyber Essentials certification first, you will need to complete and pass the assessment questions. 

If you progress on to Cyber Essentials Plus within three months of your certification date, you will not need to recomplete the assessment.

The cost is determined by the size of your network and tests are carried out by our IASME-approved Cyber Essentials Plus assessors.

If you start the CE process from today, you will be on the new question set, and if you progress an Evendine CE basic to CE Plus, it will also be on the Evendine rules. If you've already started CE basic with the previous (Beacon) question set, you'll still be on those rules when you do Cyber Essentials Plus. The scope is almost the same as before, but cloud services are now in scope, and with it a new test has been added. The changes to the process are covered below, including the new tests 6 and 7.

Test 1: remote vulnerability scan

This is the internet-based scan. It is mostly unchanged, but IaaS systems in-scope should now be included.

Tests 2-7 sampling

The sample of end user devices (EUDs) chosen is still based on the same rules. Devices that are in scope (both organisation-owned devices and staff's personally owned devices), servers, and cloud services that provide a user with a graphical desktop interface should be sampled. The more significant change is that the "90% rule" has been removed - every build should now be represented in the sample. Because of this, a larger number of devices may need to be tested.

Test 2: authenticated scan of sample devices

This test is largely unchanged. An authenticated scan is carried out against each of the devices in the sample. The caveats required for a fail have been removed - now any vulnerability with a CVSS v3 rating of 7 or higher will fail and need to be patched, if a patch was released more than 14 days ago. There are no longer exceptions based on the specifics of how the vulnerability is exploited.

Tests 3-7: observation-based tests

Rather than granting an assessor a test account and access to the devices, the device tests must instead be carried out by users with their non-administrator accounts, which will be observed by the assessor. As such, it may be necessary to schedule 15 minute sessions with device users to carry out testing. Note that in an educational environment with shared devices, this could sometimes be carried out by a single user on multiple systems.

Test 4: malware via email

This test is unchanged.

Test 5: malware via browser

This test is largely unchanged, except for one specific scenario. Where a browser downloads an executable file, it will then be accessed by the user. If there is a prompt or warning before running the file, this test passes, but if it runs without any further prompt or warning, this test fails.

Test 6: cloud service multi-factor authentication

For each cloud service in scope, the assessor will observe the user access it and verify that MFA is set up appropriately. This test should be carried out with both normal and administrator users of the cloud service. For non-administrator users, whether this is enabled should match what was submitted in the Cyber Essentials self-assessment. MFA for non-admin users will be required from January 2023. Note that this test should cover the authentication process for every cloud service in scope but does not necessarily need to check every service. If multiple services share an authentication service (e.g. Single Sign-On), then only one set of admin and non-admin user tests needs to be performed for that authentication service.

Test 7: account separation

On each device and cloud service in the sample, where there is a distinction between administrative and non-administrative processes, this test should be carried out. The non-administrator user will attempt to execute some admin-only process, and this test will pass if that is blocked, or if an administrator prompt comes up that cannot be completed with normal user credentials.

Case studies

  • Find out how the cyber security journey for the University of Bath helped to safeguard their research interests (pdf).
  • Read how Chichester College Group made their certification process simple with Jisc's sector knowledge (pdf)

Further information

To find out more about Cyber Essentials and Cyber Essentials Plus, contact your relationship manager.

This is part of a suite of security services designed to defend the Janet Network, to protect your organisation and to help you protect your organisation yourself.

Cyber Essentials advice and guidance

Our additional advice and guidance service offers one-to-one advice to support your journey towards Cyber Essentials certification. We have experts on hand to help you fill in the gaps or with any areas where you need support.

You can book this service with one of our IASME Cyber Essentials approved assessors, from one hour up to a full day. Contact your relationship manager to find out more.

How to buy


Jisc have been appointed as an approved supplier on the Crown Commercial Services dynamic purchasing system (DPS). The benefit for our members in purchasing through the DPS is that it allows public sector buyers to procure an extensive variety of cyber security services from a range of pre-qualified suppliers.

Visit the Crown Commercial Service (CCS) website for more information. The ‘how to buy’ section gives full details for registering as a buyer and navigating through the process. The CCS run regular webinars for customers explaining what and how to buy from the new cyber security DPS. See upcoming webinar sessions.
 

ISO certification

This service is included within the scope of our ISO9001 and ISO27001 certificates.

Read more about International Organisation for Standardisation (ISO) standards and view Jisc certificates.


 
