Policy Monitor

Get serious about cyber security or risk missing out on lucrative tenders

Failing to take cyber security seriously could cost SMEs more than they realise. At a time of increased cyber threats, organisations expect suppliers to step up and evidence their cyber security credentials. Guy Lloyd at Policy Monitor explains 3 simple steps to certification that could ensure your tender bid is not rejected

Demonstrating cyber security certification is needed in order to win business and is a necessity for companies seeking to bid for certain Government business.  In such situations, any organisation, regardless of size, must have at least Cyber Essentials certification if they wish to tender for UK Government contracts. However, the Government is not alone in wanting suppliers to show they take cyber security seriously. Many organisations in the private sector check cyber security credentials as part of their tender processes. Organisations that cannot evidence their credentials and fitness to bid risk falling at the first hurdle.

The path to certification

In the UK, certification can be achieved through Cyber Essentials (CE), a government and industry backed scheme designed by the National Cyber Security Centre (NCSC), the leading technical authority in cyber security in the UK. In collaboration with IAMSE the scheme helps organisations protect themselves against common cyber-attacks. Here are three steps businesses can take to become Cyber Essentials certified.

  1. Complete the self-assessment questionnaire (SAQ)

The SAQ includes approximately 50 questions related to each of the 5 security controls required for Cyber Essentials certification:

  • Secure configuration
  • Boundary firewalls
  • Access controls
  • Patch management
  • Malware protection

The completed self-assessment questionnaire serves as a statement of compliance and demonstrates that your organisation has met the scheme’s requirements. A board member will have to sign a declaration that all the answers provided are true.

  1. Schedule a technical audit

After completing the SAQ to achieve the next level of certification, Cyber Essentials Plus, an assessor will carry out a technical audit of your systems to verify the Cyber Essentials controls are in place. This includes a representative set of user devices, all internet gateways and any servers with services accessible to unauthenticated internet users. The assessor will test a suitable random sample of these and then make a decision whether further testing is required.

  1. Obtain your certification

To achieve Cyber Essentials Plus an organisation must fully answer all questions and successfully pass the technical audit. Once these steps are successfully completed certification is awarded and it is recommended that organisations seek to renew and recertify annually.

Sounds daunting?

The process of becoming and remaining certified can seem daunting but achieving certification doesn’t have to be costly or complex. Using an online information security management system (ISMS) that incorporates GDPR and Cyber Essentials Plus is a simple and cost-effective way to carry out a gap analysis and highlight the areas that your business needs to focus on.

Policy Monitor’s cyber security solution is designed to deliver these quick wins. It provides businesses with a staged approach to compliance and certification, guided by a virtual online security officer (CSPM). Effective cyber security is a journey rather than a destination and for most SMEs Cyber Essentials Plus is the ideal certification. It evidences the security credentials required by most organisations for tender bids and is a lower cost certification scheme than ISO 27001. Cyber Essentials meets the requirements to working with the UK public sector and many private sector organisations.

Cyber security in the spotlight

Data breaches make big headlines and all organisations are under scrutiny to ensure they take the protection of personal data and cyber security seriously. Arguably, Government is under the greatest scrutiny of all. The Information Commissioner’s Office (ICO) has shown no hesitation in fining organisations that fail to protect personal data – regardless of whether they are central Government, public sector or private sector. Data breaches caused by poor cyber security in suppliers has become a recurring problem that all companies are seeking to stamp out especially those with supply chains. For example, prime suppliers are increasingly looking at their lower tier suppliers to check cyber certifications.  Criminals are using weaknesses down the chain to target prime contractors.

Don’t miss out on valuable tenders – get certified!

Cyber Essentials certification provides businesses with a strong base from which to reduce the risk from these prevalent cyber-threats. So, by becoming certified an SME is not only taking steps to make its business a tougher target but increasing its chances of success when it comes to the tender process for new contracts. Attracting new business and contract renewal become easier with the assurance that your organisation has externally audited cyber security measures in place.

Cyber Essentials or equivalent, is mandated by GDPR, therefore companies who do not possess such a security credential are not complying with the requirements of the regulation. Organisations can easily check if their supplier has Cyber Essentials certification by looking at the National Cyber Security Centre site https://www.ncsc.gov.uk/cyberessentials/search. If not found, the supplier company may not actually be GDPR compliant.

At less than the cost of a daily coffee you can proactively protect your organisation against a whole range of the most common cyber-attacks with Policy Monitor. To read more, download our latest white paper entitled “Small business and cyber security: The importance of being cyber ready in an online world” by visiting www.policymonitor.co.uk

Information Assurance for Small and Medium Enterprises


About Policy Monitor Ltd.

Policy Monitor is a cybersecurity company founded by experts with extensive experience in operational and risk management.  The company has offices in London (UK) and Policy Monitor’s flagship solution – Cyber Security Policy Manager (CSPM) is a policy management system that incorporates GDPR, US NIST and UK CE cybersecurity standards to guide organisations through complex, emerging safety procedures and protocols, improve their online security and reduce the risk of cyber threats.

For more information, please visit www.policymonitor.co.uk

Press contact: Mary Phillips/Andreina West

PR Artistry Limited

T: +44 (0)1491 845553

E: mary@pra-ltd.co.uk