Preparing for Cyber Essentials: The Questionnaire
The Cyber Essentials Questionnaire
Greetings to the second part of our Cyber Essentials (CE) series. Here, our infosec specialist Abdul Ikbal shares some quick advice on the Cyber Essentials Questionnaire.
Cyber Essentials is a UK government endorsed standard. It demands compliance with a range of security measures that afford protection against common threats. Certification demonstrates to the wider world that information security is important to you and reassures those whose data you manage.
The first stage towards certification is a self-assessment questionnaire. Whether you are applying for Cyber Essentials or Cyber Essentials Plus, the questionnaire is the same.
The CE Questionnaire
Your responses will be reviewed by an external certifying body (such as Perspective Risk) so take time to avoid schoolboy errors.
As a certifying body for CE, a common mistake we encounter is the omission of assets that fall under the scope of Cyber Essentials.
If you are going for Cyber Essentials, you are required to list all of your Internet facing IT assets, regardless of whether they are hosted by you or a third party. For Cyber Essentials Plus, you are also required to provide details of end user devices that have Internet access.
As an aide memoir, we have given some examples of applicable assets below:
Company Owned Assets
These include any assets that you host on your corporate network and may include:
- Routers (although these may also be owned by your ISP).
- Internet accessible servers or devices.
Externally Owned Assets
- Most organisations host their company website using third party infrastructure; it’s advisable to include this, together with all other websites associated with your organisation, e.g.:
- Any other third party hosted systems or services that are considered critical to your business should be listed. These may include cloud services, and although it is unlikely that the certifying body will be able to actively assess their security, details of any certifications or vendor assurances should be included.
In addition to the above, for Cyber Essentials Plus, the following IT assets will be assessed and should be listed:
- Laptops or desktops used by employees for Internet and email access.
- If Thin Client such as Citrix or Remote Desktop are used for the above, include these too.
- Mobile devices such as phones and tablets.
Cyber Essentials Common Questionnaire
CREST is the not for profit organisation behind the CE or and CE Plus certification process. Below are some links to resources that you might find helpful:
- Download an example of the Cyber Essentials Common Questionnaire
- Various other downloads and resources for Cyber Essentials
If you would like Perspective Risk’s support to attain Cyber Essentials, check our credentials here and feel free to contact us.