Frequently Asked Questions
Why does Cyber Essentials need to change?
Running the Cyber Essentials certification scheme has identified a lack of consistency and an unnecessarily complicated experience for customers. We want to keep it simple. By improving the Cyber Essentials service, cyber security remains within reach of the vast majority of UK organisations, who can keep pace with the changing nature of the cyber security threat.
What approach have you chosen?
Following a tendering process, we’ve chosen a new Cyber Essentials Partner, The IASME Consortium. IASME will take over the running of the Cyber Essentials scheme on behalf of the NCSC from April 2020.
How will revising the scheme help?
Having a Cyber Essentials partner (rather than 5 Accreditation bodies) will ensure there’s greater consistency in the way the scheme operates. It will ensure that Certification Bodies are all working to the same standard, and provide a more streamlined path to certification so we can ensure Cyber Essentials remains relevant.
When will this happen?
The Cyber Essentials Scheme will continue to operate in its current form until 31 March 2020.
IASME takes over full responsibility for Cyber Essentials delivery from 1 April 2020.
How will current certificates be handled under the revised scheme?
- After April 2020, new applications will be handled under the revised Cyber Essentials scheme, through the IASME Consortium.
- If you are in the process of going through certification (but haven’t completed the process by April 2020), then you will have until 30 June 2020 to complete your application through your existing arrangement; after this date certificates will be handled under the new Cyber Essentials scheme.
Given Cyber Essentials is changing, should I continue with my plans to certify (or re-certify)?
Yes. Organisations should continue applying for certification through the existing 5 Accreditation Bodies up to the end of March 2020.
Are there any cost implications?
HM Government requires that Cyber Essentials remains affordable and accessible. The appointment of IASME to run the scheme will not change this requirement.
Will the revised scheme include the introduction of an expiry date on certificates?
Yes. Although organisations are encouraged to re-certify annually under the existing scheme, there is no automatic expiry date on certificates. From 1 April 2020, certificates will be issued with a 12-month expiry date.
Will I have to re-certify against a different technical standard?
At the moment, there are no plans to change the technical standard. However, NCSC and IASME will continue to review the technical controls and ensure they keep pace with the ever-changing cyber security landscape.
My organisation is not based in the UK. Can I still obtain Cyber Essentials certification?
Yes organisations overseas will still be able to get certificates.
Where can I find more information?
For more information, please refer to the Cyber Essentials website. We’ll let you know about future developments by updating these FAQs, and through other channels. If you have any feedback or questions then please use the General enquiries page.
Changes to Cyber Essentials: FAQs for Certification Bodies and Accreditation Bodies
What will happen to Accreditation Bodies?
Existing Accreditation Bodies will deliver Cyber Essentials until their current contracts have completed. IASME is hosting a meeting for existing Accreditation Bodies on 16 October 2019, this will be an opportunity for questions and answers.
What will happen to Certification Bodies?
The role of Certification Bodies will continue. IASME will contact all Certification Bodies in the coming weeks, and will be providing updates on what they need to do if they wish to continue in this role after April 2020.
What happens for ‘in-progress’ certifications which may extend beyond 1 April 2020?
If you are in the process of going through certification (but haven’t completed the process by April 2020), then you will have until 30 June 2020 to complete your application.
How does my organisation apply to become a Certification Body under the revised scheme?
Any organisation that would like to be appointed as a Certification Body in the Cyber Essential Scheme beyond 31 March 2020 will need to apply to IASME, who will communicate any changes to this process. Note that organisations will have to be registered as a company in the UK, the crown dependencies or the EU.
Why is the NCSC making these changes now?
The NCSC want to ensure that Certification Bodies and assessors are all working to a consistent standard. Although Certification Bodies currently go through a process to ensure that they have the appropriate cyber security skills, knowledge and experience, this varies with the Accreditation Body they are affiliated to. Working with a single partner allows us to define and implement a minimum standard of competence for everyone involved in implementing the scheme.
I have additional questions. How can I find out more?
We’re running an event especially for Certification Bodies, where we’ll explain the next steps, and you’ll get the chance to meet staff from the NCSC and IASME. The event will be held in Malvern on 11 October 2019, so please save the date in your diaries if you are a current Certification Body.
CTO, Edge IT Group