Frequently Asked Questions

That’s a ‘how long is a piece of string question’! It depends on how quickly your organisation can gather the information needed and how close you are now to complying with the basic requirements of the standard. In Principal, it could be completed within 2 working days, but some organisations take months to gather the information and become compliant.
I would expect to mark the certification within 2 working days of submission.

Both Cyber Essentials and IASME Governance – industry-respected certifications – rely on the marking of a self-assessment questionnaire to be filled in by the organisation.
The questionnaire is a set of questions aimed at finding out how your organisations manages security. It will ask questions eg: about how you manage firewalls you have in place, your patching regime.
Some questions begin with a Yes/No element, but you are encouraged to add optional comments, and others require 2-3 sentences describing HOW you implement the security measure. This is required to ensure that the organisation has understood the question and is implementing an appropriate set of measures.
The Cyber Essentials questionnaire is a subset of the IASME Governance questions. There are about 60 questions in the Cyber Essentials Assessment and 150 for IASME Governance.
See Certifications Page for a copy of the questions. link

The organisation answers questions about how security is managed within their organisation. The answers are submitted via a cloud-based portal.
A board member asserts that the questions have been answered honestly.
The questions are marked by an accredited assessor. Where there are issues with answers you will be provided with comments on how to improve security to become compliant with standard.
If you pass you will be sent the certificate and report via email.

There are a number of reasons why organisations may fail – maybe there is simply insufficient information in the responses, or it may be that the organisation’s security is not up to standard.
Where an organisation has failed they will be provided with comments on the issues with some advice on what needs to be done to improve security.
Organisation have an opportunity to resubmit ONCE if they have failed. Resubmission must be within 2 weeks or a new certification fee must be paid.

See previous answer.
If you have passed the Cyber Essentials certification questions you will get that certificate – even if you have failed the additional questions associated with IASME Governance.

The Cyber Essentials certificate has no formal expiry date, however you are recommended to update certification yearly. IASME Governance certificates are valid for 1 year.
Note that free Cyber Insurance is for 1 year from the date you passed the Cyber Essentials certificate.

These certificates are verified by an independent auditor, providing further proof that you are following the requirements of your chosen standard. Some organisations may require their supply chain to have an audited certificate to comply with their risk assessments.

Yes. You need to complete Cyber Essentials Plus or IASME Governance Audited within 3 months of having achieved Cyber Essentials/IASME Governance self-assessment.

No you must pass Cyber Essentials or IASME Governance self-assessment before you start on the audited level.

A vulnerability scan is a technical audit of the systems that are in scope for Cyber Essentials.

For Cyber Essentials a vulnerability scan is not required although other ‘Accreditation Bodies’ may require and charge for such a scan. However, this is not required by the Government and certification through IASME, without a vulnerability scan, is just as valid a Cyber Essentials assessment as any other.
For Cyber Essentials Plus a vulnerability is required.

You can use your certificate on websites and on publicity material. There are guidelines you have to follow when using the branding.

The National Cyber Security Centre Cyber Essentials Website has a list of all organisations who have a Cyber Security Certificate issued in the last 12 months.
The IASME Website has a list of all organisations who have an IASME Governance Certificate.

General Data Protection Regulation (GDPR) is a new law that protects EU citizens’ personal data.
The UK’s The Data Protection Act 2018 – is the UK’s implementation of GDPR for use after Brexit.
The new regulations have tightened IT data security legal requirements and increased the potential for high fines. For a very high-level summary see link

Probably. Businesses, charities, sole traders, start ups – any operation holding personal data or offering services or goods to people or businesses in the EU is required to comply.
Remember – the contact data for your clients, employees and suppliers all counts as personal data.

Yes, contact us, and we can discuss your requirements and send you an example.

Contact us for a discussion about your requirements.

Documentation packs and toolbox could be used in preparation for compliance with privacy legislation with similar underlying principles to GDPR.

There are currently no public workshops planned. If you are interested in a public session contact us to express interest.

All workshops are customisable to meet an organisation’s specific needs.

I would recommend that the optimal size for a workshop is 10-12 people, or for training session 15-20. This gives an opportunity for all to be involved in discussions with the ability to cover questions of interest to the participants.

The Workshops are intended for leadership and management teams, so that they understand issues and the things they need to think about for their organisation’s security.
Cyber Security is a balance of risk, threat and resources, with many ways issues can be addressed and solved at many different cost points.
Security Awareness Training sessions are intended for anyone in the organisation (or people in their supply chain) who ever access or uses the organisation’s network (including personal/out-of-office devices)

No. We can be very flexible in supporting your needs. Call us for a conversation about how we can help.

Probably. It depends on location, and the level of consultancy that you need. Call.

Yes, we would be happy to do that.

Please see our Privacy Statement and Terms and Conditions, and/or contact us. Link to Privacy Notice and T&C