We were asked this question a couple of times over the last few days. Firstly, Cyber Essentials Plus process includes going through the Cyber Essentials (Basic) self-assessment. The whole process might take anywhere from a couple of days to a few weeks. Here is the exact process for Cyber Essentials Plus certification.

Customer places the order with the Certification Body.

You will need to Identify a certification body to apply for your Cyber Essentials certification. You may get in touch with the Accreditation Body, IASME but you will be put in touch with one of the certification bodies or you can contact a body you know or heard of. Place the order and follow the instructions. TechForce is an IASME approved certification body. To make this step easier you can just get in touch with us and we will do the rest.

Certification body sends you the portal login details to go through the self-assessment part.

Once the order is placed you will receive the confirmation as well as the portal login details to go through the self-assessment questionnaire. If you purchased extra assistance from the certification body they will be able to do a pre-assessment and also identify any gaps before you do the final submission. This can be very helpful if you are not sure about the technical security controls you have in place. This can be done in a day or less. For all our basic certification we guarantee a day. Check out our ‘Cyber Essentials plus certification checklist & requirements’ to know more about what’s required.

DOWNLOAD CYBER ESSENTIALS QUESTIONNAIRE FOR FREE

Certification Body assesses the questionnaire and you will hear the outcome (pass/fail)

An assessor from the certification body will assess your answers and mark it as a pass or fail. If it’s a fail then you will have two days to fix any issues and resubmit the application.

If it’s a pass then the Certification Body will organise the site-audit (remote)

Once you pass the self-assessment you have achieved the Cyber Essentials basic. The Cyber Essentials certification body will organise the site-audit. All of our site audits are now remote. We do not need to visit your site. In this site audit the assessor will be conducting an internal & external vulnerability assessment, email test, browser download test and user access controls test. Check out our article on ‘what exactly is involved in Cyber Essentials plus audit?’ Depending on the audit you will have an outcome of Pass or Fail. If it's a fail then you have 30 days to fix any issues and resubmit the application. IF you fail again then you will have to make a new fresh application which means you will have to repeat the entire process from step-1. The most failures occur with the patch management. Check out our blog on Cyber Essentials Plus patching requirements.

Your team will spend around 2hours to organise the audit. It can be more depending on your network. WRT fixing the issues, it’s completely up to you how quickly can you fix them. Quicker the better. If you are not sure about the security controls you have in place then extra assistance from the Cyber Essentials Certification Body will be able to help.

For example, we offer a package called ‘Cyber Essentials Plus Extra’. As part of the package we perform a pre-audit and gap analysis exercise so that you know where your gaps are before you go ahead with the final audit. This can be extremely helpful and save you time & money.

Please note, Once you pass the basic certification you will have 90 days to apply for the Cyber Essentials Plus. In other words, you can just do the basic version for now and upgrade to plus later. Also, you will have to finish your plus certification within the 90 days from the beginning of the process.