You know how important it is to have Cyber Essentials certification. As a government-backed scheme, Cyber Essentials helps give peace of mind that you’ve put essential security protections in place – and is critical for both reputation and compliance.
When getting certification, you want to work with a trusted certification body who understands the needs of your sector. In response to demand, we offer Cyber Essentials and Cyber Essentials Plus as a service. Use this to obtain a Cyber Essentials certificate and to get the essential advice and guidance you need.
How does this service help my organisation?
Members and customers will have reassurance that their defences are protected against many of the most common cyber-attacks.
The core of the service is an online questionnaire to check whether you meet the requirements for Cyber Essentials certification. This means you can quickly and easily understand where you stand on Cyber Essentials – and the areas where you may need to improve.
Get trusted advice to improve security
If you are working toward Cyber Essentials, we can offer advice and guidance to help you improve security and pass the test. The advice we offer includes online responses, as part of our portal – but we can also offer follow-up advice from our IASME-approved Cyber Essentials assessors.
Demonstrate that you have protections in place
Once you’ve passed Cyber Essentials, your certificate can be used to show that you have essential cyber security protections in place. This helps you to improve your reputation as a business. You will receive a Cyber Essentials logo for your website, which helps to give stakeholders peace of mind when dealing with you. A Cyber Essentials certificate also means you are free to bid for government contracts involving sensitive or personal information – a potentially vital aspect of compliance for a research organisation.
Stay up to date with cyber security
Cyber Essentials is an annual process. We can help you to renew your certification – so you stay on top of it, year after year.
Trust in our experience
We are a trusted partner who is uniquely placed to understand the needs of our members and customers in research, education, the public sector and not-for-profit organisations.
An introduction to Cyber Essentials
Why do FE organisations need Cyber Essentials?
In January 2020, the Education and Skills Funding Agency (ESFA) announced that they had reviewed the requirements for data security in their FE funding agreements and organisations must make ‘best endeavours’ to achieve Cyber Essentials certification for the funding year 2020/21, with progression to Cyber Essentials Plus for 2021/22.
Cyber Essentials Plus
Having successfully completed your Cyber Essentials assessment, the next step is Cyber Essentials Plus – an Education and Skills Funding Agency (ESFA) requirement for 2021/2022. Cyber Essentials Plus consists of internal and external tests of your computers and network that verify the information you have provided in your Cyber Essentials assessment.
More details about Cyber Essentials Plus
If you wish to apply for Cyber Essentials Plus without gaining Cyber Essentials certification first, you will need to complete and pass the assessment questions.
If you progress on to Cyber Essentials Plus within three months of your certification date, you will not need to recomplete the assessment.
The cost is determined by the size of your network and tests are carried out by our IASME-approved Cyber Essentials Plus assessors.
If you start the CE process from today, you will be on the new question set, and if you progress an Evendine CE basic to CE Plus, it will also be on the Evendine rules. If you've already started CE basic with the previous (Beacon) question set, you'll still be on those rules when you do Cyber Essentials Plus. The scope is almost the same as before, but cloud services are now in scope, and with it a new test has been added. The changes to the process are covered below, including the new tests 6 and 7.
Test 1: remote vulnerability scan
This is the internet-based scan. It is mostly unchanged, but in-scope IaaS systems should now be included.
Tests 2-7 sampling
The sample of end user devices (EUDs) chosen is still based on the same rules. Devices that are in scope (both organisation-owned and staff's personally owned devices), servers, and cloud services that provide a user with a graphical desktop interface should be sampled. The more significant change is that the "90% rule" has been removed – every build should now be represented in the sample. Because of this, a larger number of devices may need to be tested.
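To make the sampling rule concrete, here is an added example (not Jisc's or IASME's own tooling) that groups a constructed device inventory by build and selects a sample in which every build is represented, then reports any build the sample would miss. The inventory, device names and build labels are all made up for illustration; the "build" key is an assumption about how you would label an image or platform, and `per_build` lets you take more than one device per build if you want a larger sample.

```python
from collections import defaultdict

# Constructed inventory for the example: hypothetical devices, not a real estate.
# "build" labels a distinct image/platform; in-scope EUDs, staff-owned devices,
# servers and cloud desktops all appear, as the sampling rule requires.
INVENTORY = [
    {"name": "lib-pc-01", "kind": "EUD", "build": "Windows 11 22H2 standard"},
    {"name": "lib-pc-02", "kind": "EUD", "build": "Windows 11 22H2 standard"},
    {"name": "lib-pc-03", "kind": "EUD", "build": "Windows 11 22H2 standard"},
    {"name": "lab-mac-01", "kind": "EUD", "build": "macOS 13 lab image"},
    {"name": "byod-android-1", "kind": "EUD", "build": "Android 13 personal", "owner": "staff"},
    {"name": "fs-01", "kind": "server", "build": "Windows Server 2022 file"},
    {"name": "vdi-pool", "kind": "cloud-desktop", "build": "Windows 365 standard"},
]


def sample_for_plus(inventory, per_build=1):
    """Return a sample containing at least one device for every build.

    Every build must be represented, since the old '90% rule' no longer applies.
    per_build controls how many devices of each build are taken (where available).
    """
    by_build = defaultdict(list)
    for device in inventory:
        by_build[device["build"]].append(device)
    sample = []
    for build in sorted(by_build):
        sample.extend(by_build[build][:per_build])
    return sample


def builds_uncovered(inventory, sample):
    """Builds present in the inventory but absent from the sample (should be empty)."""
    return sorted({d["build"] for d in inventory} - {d["build"] for d in sample})


def sample_summary(inventory, per_build=1):
    """Convenience view: sample size per build, useful for estimating testing effort."""
    sample = sample_for_plus(inventory, per_build)
    counts = defaultdict(int)
    for device in sample:
        counts[device["build"]] += 1
    return dict(counts)


if __name__ == "__main__":
    chosen = sample_for_plus(INVENTORY)
    for device in chosen:
        print(f"{device['name']:16} {device['kind']:14} {device['build']}")
    print("uncovered builds:", builds_uncovered(INVENTORY, chosen))
```

The practical point is the `builds_uncovered` check: run it against your real inventory before the assessment day, because a build with zero devices in the sample is now a gap in the test, not a rounding error.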
Test 2: authenticated scan of sample devices
This test is largely unchanged. An authenticated scan is carried out against each of the devices in the sample. The caveats previously required for a fail have been removed: now any vulnerability with a CVSS v3 rating of 7 or higher will fail and need to be patched, provided a patch was released more than 14 days ago. There are no longer exceptions based on the specifics of how the vulnerability is exploited.
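As an added example (not the assessor's scanner or any IASME tool), the following applies the Test 2 rule to a constructed list of scan findings: a finding fails when its CVSS v3 base score is 7.0 or higher and a vendor patch was released more than 14 days before the assessment date. The CVE identifiers, hosts and dates are placeholders; treating "more than 14 days" as strictly greater than 14 and ignoring CVSS v2-only scores are assumptions about how the rule is read, so check them against your assessor's interpretation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Finding:
    host: str
    cve: str                       # placeholder identifier, constructed for the example
    cvss_v3: Optional[float]       # None when the scanner only has a CVSS v2 score
    patch_released: Optional[date]  # None when no vendor fix exists yet


PATCH_WINDOW = timedelta(days=14)
FAIL_THRESHOLD = 7.0

# Constructed sample findings; the assessment date is also made up.
ASSESSMENT_DATE = date(2024, 3, 15)
SAMPLE_FINDINGS = [
    Finding("lib-pc-01", "CVE-0000-0001", 9.8, date(2024, 1, 10)),   # old, critical: fail
    Finding("lib-pc-01", "CVE-0000-0002", 5.3, date(2024, 1, 10)),   # below 7: not a fail
    Finding("fs-01", "CVE-0000-0003", 7.0, date(2024, 3, 1)),        # exactly 14 days: not a fail
    Finding("fs-01", "CVE-0000-0004", 7.0, date(2024, 2, 29)),       # 15 days: fail
    Finding("lab-mac-01", "CVE-0000-0005", 8.1, None),               # no fix released yet
    Finding("lab-mac-01", "CVE-0000-0006", None, date(2024, 1, 1)),  # v2-only score: not assessed
]


def is_plus_fail(finding: Finding, assessment_date: date) -> bool:
    """Apply the Test 2 rule: CVSS v3 >= 7.0 and a patch available for more than 14 days."""
    if finding.cvss_v3 is None or finding.cvss_v3 < FAIL_THRESHOLD:
        return False
    if finding.patch_released is None:
        return False  # nothing to apply, so the rule does not bite (but see no_fix_available)
    return assessment_date - finding.patch_released > PATCH_WINDOW


def triage(findings: List[Finding], assessment_date: date) -> List[Finding]:
    """Findings that would fail Cyber Essentials Plus, sorted by host then CVE."""
    fails = [f for f in findings if is_plus_fail(f, assessment_date)]
    return sorted(fails, key=lambda f: (f.host, f.cve))


def no_fix_available(findings: List[Finding]) -> List[Finding]:
    """High-severity findings with no vendor patch: not a Test 2 fail, but worth tracking."""
    return [f for f in findings
            if f.cvss_v3 is not None and f.cvss_v3 >= FAIL_THRESHOLD and f.patch_released is None]


def days_until_fail(finding: Finding, today: date) -> Optional[int]:
    """Days left before a high-severity, patchable finding crosses the 14-day window."""
    if finding.cvss_v3 is None or finding.cvss_v3 < FAIL_THRESHOLD or finding.patch_released is None:
        return None
    remaining = (finding.patch_released + PATCH_WINDOW) - today
    return max(remaining.days, 0)


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, ASSESSMENT_DATE):
        print(f"FAIL  {f.host:12} {f.cve}  cvss={f.cvss_v3}  patch={f.patch_released}")
    for f in no_fix_available(SAMPLE_FINDINGS):
        print(f"WATCH {f.host:12} {f.cve}  cvss={f.cvss_v3}  no vendor fix")
```

Run this over a scanner export a couple of weeks before the assessment and the `days_until_fail` value tells you which patches must land before the assessor's scan; the 14-day boundary case is included deliberately, because that is the one people argue about on the day.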
Tests 3-7: observation-based tests
Rather than granting an assessor a test account and access to the devices, the device tests must instead be carried out by users with their non-administrator accounts, observed by the assessor. As such, it may be necessary to schedule 15-minute sessions with device users to carry out testing. Note that in an educational environment with shared devices, this could sometimes be carried out by a single user on multiple systems.
Test 4: malware via email
This test is unchanged.
Test 5: malware via browser
This test is largely unchanged, except for one specific scenario. Where a browser downloads an executable file, the user will then open it. If there is a prompt or warning before the file runs, this test passes; if it runs without any further prompt or warning, this test fails.
Test 6: cloud service multi-factor authentication
For each cloud service in scope, the assessor will observe the user access it and verify that MFA is set up appropriately. This test should be carried out with both normal and administrator users of the cloud service. For non-administrator users, whether MFA is enabled should match what was submitted in the Cyber Essentials self-assessment. MFA for non-admin users will be required from January 2023. Note that this test should cover the authentication process for every cloud service in scope but does not necessarily need to check every service: if multiple services share an authentication service (e.g. Single Sign-On), then only one set of admin and non-admin user tests needs to be performed for that authentication service.
Test 7: account separation
This test should be carried out on each device and cloud service in the sample where there is a distinction between administrative and non-administrative processes. The non-administrator user will attempt to execute some admin-only process, and the test passes if that is blocked, or if an administrator prompt appears that cannot be completed with normal user credentials.
This is part of a suite of security services designed to defend the Janet Network, to protect your organisation and to help you protect your organisation yourself.
Cyber Essentials advice and guidance
Our additional advice and guidance service offers one-to-one advice to support your journey towards Cyber Essentials certification. We have experts on hand to help you fill in the gaps or with any areas where you need support.
You can book this service with one of our IASME-approved Cyber Essentials assessors, from one hour up to a full day. Contact your account manager to find out more.
How to buy
Jisc have been appointed as an approved supplier on the Crown Commercial Services dynamic purchasing system (DPS). The benefit for our members in purchasing through the DPS is that it allows public sector buyers to procure an extensive variety of cyber security services from a range of pre-qualified suppliers.