Preparing for Cyber Essentials: The Questionnaire

The Cyber Essentials Questionnaire
Welcome to the second part of our Cyber Essentials (CE) series. Here, our infosec specialist Abdul Ikbal shares some quick advice on the Cyber Essentials Questionnaire.
Cyber Essentials is a UK government-endorsed standard. It demands compliance with a range of security measures that afford protection against common threats. Certification demonstrates to the wider world that information security is important to you and reassures those whose data you manage.
The first stage towards certification is a self-assessment questionnaire. Whether you are applying for Cyber Essentials or Cyber Essentials Plus, the questionnaire is the same.
The CE Questionnaire
Your responses will be reviewed by an external certifying body (such as Perspective Risk) so take time to avoid schoolboy errors.
As a certifying body for CE, we frequently encounter one particular mistake: the omission of assets that fall under the scope of Cyber Essentials.
If you are going for Cyber Essentials, you are required to list all of your Internet facing IT assets, regardless of whether they are hosted by you or a third party. For Cyber Essentials Plus, you are also required to provide details of end user devices that have Internet access.
As an aide-mémoire, we have given some examples of applicable assets below:
Company Owned Assets
These include any assets that you host on your corporate network and may include:
- Routers (although these may also be owned by your ISP).
- Internet accessible servers or devices.
Externally Owned Assets
- Most organisations host their company website using third-party infrastructure; it’s advisable to include this, together with all other websites associated with your organisation, e.g.:
  - web.yourwebsite.com
  - remote.yourwebsite.com
  - thisisanalternateyourcompanysite.com
- Any other third-party hosted systems or services that are considered critical to your business should be listed. These may include cloud services, and although it is unlikely that the certifying body will be able to actively assess their security, details of any certifications or vendor assurances should be included.
In addition to the above, for Cyber Essentials Plus, the following IT assets will be assessed and should be listed:
- Laptops or desktops used by employees for Internet and email access.
- If thin clients such as Citrix or Remote Desktop are used for the above, include these too.
- Mobile devices such as phones and tablets.
Cyber Essentials Common Questionnaire
CREST is the not-for-profit organisation behind the CE and CE Plus certification process. Below are some links to resources that you might find helpful:
- Download an example of the Cyber Essentials Common Questionnaire
- Various other downloads and resources for Cyber Essentials
If you would like Perspective Risk’s support to attain Cyber Essentials, check our credentials here and feel free to contact us.