This Cyber Essentials guide, along with example answers, has been written by a Cyber Essentials Lead Assessor and is intended to help those companies wishing to certify with Indelible Data Limited. The purpose is to help clients get the submission right at the first attempt and save time. Though this document has not been issued by, or on behalf of, The National Cyber Security Centre (NCSC) or the NCSC’s sole Cyber Essentials Partner, IASME, it has been compiled by a Lead Assessor with extensive knowledge of the scheme. Information in this Cyber Essentials Guide is subject to change without prior notice.
For further details to help you prepare for Cyber Essentials Plus assessment, please familiarise yourself with this guide first, then go to our Cyber Essentials Plus checklist blog.
You may also find helpful information in our Cyber Essentials FAQs.
Contents
- Overview
- Section 1. Applying for Cyber Essentials Certification
- Section 2. Scoping the Cyber Essentials submission
- Things to include and scenarios to watch out for
- Companies applying for more than one legal entity to be certified
- Scoping Networks
- Identify all networks managed by the company
- Identify those networks not managed by the company
- Shared office facilities
- Student or pupil networks within a training or school environment
- Working from hotels or internet cafes etc
- Staff working from home
- Working from home due to the pandemic
- Micro-companies where the head office is the home
- Companies that use an outsourced IT company for support
- Contractors, freelancers or students that use their own equipment
- Potential ways of reducing the scope
- Removing Servers from scope
- Removing End-User Devices from scope
- Networks containing endpoints that are non-compliant
- Guest Wifi within the organisation
- Multi-site companies wanting to scope-down to certain UK operations only
- Multinational companies wanting to scope-down to UK operations only
- Web-based Virtual Desktop Services
- Non web-based Virtual Desktop Services
- De-scoping a home worker router and firewall
- De-scoping mobile devices such as smartphones and tablets
- Scope recap
- Things to include and scenarios to watch out for
- Section 3. Addressing the Cyber Essentials questions
- Online declaration
Overview
Completing the Cyber Essentials question set can, at first, appear daunting. This guide helps take away the uncertainty and guides the applicant through the Cyber Essentials Basic Level submission process. It is split into 3 sections:
- Describing the journey from initial enquiry through to final submission and subsequent assessor feedback
- Helping to scope the assessment
- Addressing the requirements of the Cyber Essentials questions and explaining areas where most applicants either misunderstand or simply do not respond to the questions as comprehensively as expected.
The aim is to ensure submissions are not made until the applicant is confident all the questions have been completed correctly – hence increasing the chances of passing the submission first time!
Note: It is tempting to jump straight to section 3 and address the questions; however, if you have not defined the scope correctly, the questions cannot be assessed properly.
The question-sets that require completion on the portal each have an associated version name. Up to April 23rd 2023 this is called "Evendine" and from April 24th 2023 onward is called "Montpellier".
There is a 6-month change-over period for those accounts created on the portal before the 24th April 2023 (i.e. those using the Evendine question-set). Wherever possible we have included the Montpellier requirements alongside the Evendine requirements in this guide, but some sections have been added that relate solely to Montpellier. Where this happens, we put the questionnaire name next to the section or question number, e.g.
- Cloud systems (Montpellier)
Many of the same questions are present with the same numbers on both questionnaire versions. Where they differ, the question will have the version it relates to in brackets - for example:
- A7.17 (Montpellier) followed by Montpellier requirements
Further helpful Cyber Essentials resources can be found at the NCSC's Website.