Does the Cyber Essentials Certificate need to be renewed each year?

Solve My Problem

You pay yearly or monthly for it.

You may not need it though (just in case someone's given you the hard sell scare tactics).
£25,000 Liability Insurance makes it worthwhile, has a 1k excess but still for ransomware etc. Plus if a business is certified they are more likely to be on the ball and less likely to succumb to a cyber attack.
 

ScribblingStick

You fall off the register after 12 months but hopefully the changes you made to improve your security stance will still be in place, boosting your security somewhat and may have helped streamline a few processes as you went through the pain of looking at everything.

And of course, if you're looking for public sector tenders then they may well insist on CE/CE PLUS or an equivalent so it may be worth your while as a marketing 'tick-in-the-box'.

It's a pretty basic certification but that's what it's intended to be. Typically SMEs have paid (too) little attention to security and when they get hit, they get hit hard. Prevention is generally easier. It's about beefing up those 5 basic technical controls to knock out script kiddies, bot noise and the usual range of email-driven threats. If you're being specifically targeted by a state actor then you've probably got bigger problems...

I'm an ex-cybersec auditor these days but if anyone wants to explore CE, I'd recommend Rory at CyberSecuritiesUK. I know he does a free 15 min cyber security chat so fill yer boots and ask him something difficult!

If you are going for CE, watch out for the 2FA requirements for Cloud Services - catches lots of people out. 2FA if available - if not, then min password length and brute force protection must be in place otherwise you'll be heading for a fail.

My Top Tip: Find A Certification Body that actually works with you to help you move systems/policies towards getting the pass, i.e., advice & explanation rather than just marking your answers, taking your money & laughing at the fail. Seen too many like that in the past although it's improved after the changes to Accreditation Bodies over the last few years. Lovely bunch of people at IASME.
     

stugster
Just to touch on the insurance side of things, as a previous poster mentioned. This is purely my own personal opinion and nothing more: £25,000 is nowhere near enough for most businesses when it comes to cyber insurance. Unless you're a one or two-person company, and all you're doing is having your systems rebuilt/recovered with no investigation of how the breach occurred, £25k barely scratches the surface.
     
