Cyber Essentials Certification: DIY or Outsource?

Filed Under: Resources
Cyber Essentials Certification

Image Source: Pexels

Without having the right technical controls against the most common cyber threats, you could be putting your sensitive data, customers, and entire business at risk.

Not only can cyber-attacks like data breaches ruin your reputation, but they can also cause serious damages to your systems and disrupt your operations.

Plus, you can lose massive amounts of critical information and money in the aftermath of a cyber-attack.

Having a cyber essentials checklist, however, will help protect your business from some of the most common, but still considered highly damaging, cyber threats known to man.

The question is, is it practical for you to go the DIY route to achieve your cyber essentials accreditation, or should you outsource to an external certifying body?

That’s what we’re here to find out.

The state of cybersecurity in general

As a business owner, you need to learn more about how the whole cybersecurity thing works — otherwise, you could run the risk of losing thousands of dollars in the event of a cyber attack.

After all, when you have a good understanding of cybersecurity, you’ll be better equipped to establish the right security measures to deal with potential security risks to your business.

Here are a few resources you can check out to help you learn more about cybersecurity in general.

Understanding cybersecurity will help you assess the risks, set the right security measures in place, and strengthen your existing technical controls to protect your business-critical data.

One way of achieving this is by getting the cyber essentials accreditation to help your business establish preventive measures against attacks and strengthen your cybersecurity.

The dangers of common cyber threats

Even some of the most common cyber attacks can lead to severe consequences for your business.

For instance, a piece of malware delivered to your system can lead to loss of your company and customer data, including disruptions to your service delivery and operations.

Baseline Cybersecurity

The aftermath of a cyber attack can also damage your hard-earned reputation and customer relationships — and you’d have to face the potential legal implications of data breaches.

This is why establishing baseline security controls against common cyber threats is crucial to help ensure that your data and assets are not vulnerable to attacks.

With the cyber essentials scheme, you can protect against the vast majority of cyber threats by highlighting five key security controls that you need to assess and maintain to a good standard.

The cyber essentials technical controls include using firewalls, security configurations, malware protection, patch management, and setting user access controls.

Having these security controls in place can help you address some of the most common internet-based cyber threats, especially those that use widely available tools but require little skill to execute.

The Do-It-Yourself way

The cyber essentials scheme has two compliance standard levels you can apply for to get certification: Cyber Essentials, which is the basic level, and the Cyber Essentials Plus.

The two levels are based on the same set of requirements outlined in the five technical controls that you need to comply with to achieve certification.

First, you’ll need to answer a self-assessment questionnaire regarding the five security controls mentioned earlier.

Questions can include things like, “Are your system admin access privileges restricted to a limited number of authorized individuals?” and more.

Next will be an external vulnerability scan of your internet-facing devices and networks, including your servers, website, and firewalls.

This part of the certification process will determine any critical or high-risk areas in your cybersecurity that will affect whether your business passes or fails – along with a report of the findings.

The third step is a cloud service assessment to help ensure that you conduct due diligence checks on providers that your business uses — including web tools and services used by top companies and professionals.

You’ll need to provide proof of the type of security standards that your providers adhere to, including the kind of relationship you have with them.

Once you pass these three main stages, you can earn your cyber essentials certificate and show your customers, investors, and suppliers your commitment to upholding cybersecurity best practices.

Outsourcing the certification process

Cyber essentials plus is everything the standard level is, except it requires that any certification body independently assess the five technical controls.

You’ll still need to go through the three main stages to achieve cyber essentials certification PLUS two extra items: a device or workstation assessment and an internal vulnerability scan.

The device/workstation assessment is a series of tests conducted on your devices like laptops and desktops to check for things like whether or not your antivirus software is working and if your OS is up-to-date.

Cyber Essential Plus

The purpose of an internal vulnerability scan is to check your internal system.

Critical and highly vulnerable areas will then be flagged — letting you know you’ll need to fix the uncovered vulnerabilities first before becoming cyber essentials plus compliant.

Although the cyber essentials plus certification requires a bit more work to achieve, the extra level of checking will give your accreditation more weight since it means that security experts verified your security controls.

The extra steps will also help make your business more secure.

Assessing the certification level that works best for your business.

There are some things you need to consider when choosing whether to self-assess to achieve the standard cyber essentials or outsource to get the cyber essentials plus accreditation.

Getting cyber essentials plus, for instance, can be more expensive since your certifying body does most of the work.

You can also check on the needs and motivations of your business for seeking certification.

Is getting certified your way of showing your customers you take data privacy and protection seriously?

Are you considering the self-assessment part of the process as a way to build a learning mindset in your company about cybersecurity?

Or is getting cyber essentials certified a means to meet your supply chain and contract criteria?

Getting accredited can also be your way of complying with cybersecurity regulations and standards.

By identifying the reasons you have for getting cyber essentials, you can assess which of the two levels will work best to help protect your business from common cyber attacks.

You can also try engaging with certifying bodies and providers first before engaging in a full-blown project to try and check which cyber essentials certification level will work for you.


In a nutshell, both the cyber essentials and cyber essentials plus are the same standard since they are based on the same set of requirements.

The only basic difference is how certifying bodies verify that your business meets the requirements — whether you choose to do a self-assessment or outsource to cybersecurity experts.

Whichever you choose, getting cyber essentials is an excellent way to ensure you have the right security controls in place, protect your business from common cyber threats, and show customers that you take cybersecurity seriously.

Did you find this post useful? Please take three seconds to share if you agree. Cheers!

Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors