How to Start Selling Cyber Essentials and CE Plus Certifications for MSPs
What is Cyber Essentials?
Cyber Essentials is a scheme developed by the Government as part of a drive to get the UK protected from cyber threats. It's a set of controls which determine whether a business is adequately protecting itself from cyber threats.
The controls include some of the following:
- Is AutoRun disabled on all computers?
- Are all employees using standard user accounts and not ‘Administrator’ level accounts for their daily work?
- Is antivirus installed on all computers?
- Are all operating systems patched within 14 days of a critical update or security fix being released?
Cyber Essentials comes in two flavors. The first is the self-assessment, which is a set of questions a business needs to answer. The questions are then submitted to a certification body for marking.
The second version is Cyber Essentials Plus. To obtain a Plus you must go through the self-assessment first or have passed it within the last three months. The Plus version includes an onsite audit by a certified assessor to check that all of the elements from the self-assessment are being put into practice.
Who runs it?
Cyber Essentials is run by the National Cyber Security Centre (NCSC), which is part of the Government Communications Headquarters (GCHQ). (This all sounds very James Bond!)
The NCSC decided that this scheme would be managed by a select number of Accreditation bodies. These bodies take the CE questions and controls and offer training to individuals and businesses on how to go out and start securing businesses across the UK.
Each of these Accreditation bodies works slightly differently, but with them you have two options. You can train to help businesses answer the questions and offer advisory services, or your business can become a certification body.
Certification bodies are there to accept Cyber Essentials questionnaire submissions, mark them and provide feedback. Once a submission passes they are able to issue an official certificate.
Certification bodies are also able to perform Cyber Essentials Plus Audits.
How much can you charge for Cyber Essentials?
The standard self-assessment submission costs around £300 + VAT. Since you manage your clients' IT requirements you will be answering the questions for them, so you can charge for this service. My advice is to charge £795 for the Cyber Essentials certification, which will include your time and a report which you can present back to your client. This report can contain all of the items which need rectifying before you submit their application. This will lead to some up-selling opportunities for you, such as requiring antivirus to be installed on all mobile phones which have company data and emails saved on them. Another is guest WiFi access for employees who bring their personal devices into work and want internet access but don’t have company data on them. In this situation they are not allowed to use the normal company WiFi system; they must use a segregated guest one instead. There are lots of opportunities to provide your clients with new solutions.
For Cyber Essentials Plus you will be able to charge upwards of £1695 for a single site with fewer than 25 employees. Unless you go through the process of becoming a certification body yourself, you will have to sub this work out to an existing certification body but guide your client through the process.
Should I become an Advisor or Certification body?
This all depends on how quickly you want to start offering these services to your clients. You can take a course from an accreditation body to become an assessor.
This gives you the knowledge required to advise your clients on the Cyber Essentials requirements. Once you have got them up to standard you can then submit their application to a certification body for assessment or request a plus audit to gain certification.
QC Management Standards offer Practitioner courses which will give you all of the knowledge you need to assist your clients with implementing all of the required controls. This won't allow you to certify your clients but will give you all the knowledge you need to advise them.
If you have more of a budget and also want to get into marking self-assessments and performing Cyber Essentials Plus audits, then you can become a Certification Body.
To do this you will typically have to pass a number of training courses and register with an Accreditation body. We have used IASME to obtain our Certification Body status and there are two courses which must be completed by all engineers who wish to perform CE audits.
To become a certification body with IASME you must complete a two-day training course to gather the knowledge needed to assess against the CE standard.
Once you have completed the first course you will be required to pass the Technical cyber auditing course which will allow you to perform CE Plus audits.
Once each of your engineers has completed the two training courses, your business will then be required to pass Cyber Essentials Plus. Once you have all that, you can start performing CE audits for your clients.
Cyber Essentials Assessor Course £1,500 + VAT (Per engineer)
Technical Cyber Auditing Course £1000 + VAT (Per engineer)
Cyber Essentials Plus Certification £1695 + VAT (Some Authorities will offer this for free as part of the process of becoming a Certification body).
Partner up with an existing Certification Body
A great way to get started with Cyber Essentials is to partner up with an existing certification body. Make arrangements with them to receive a discount on their advertised rates for bringing them referrals. You will make a good margin on performing the self-assessment for your clients and receive a nice commission for any Plus certifications you end up managing, with the bonus of any remediation work required to get your client through the assessment and certified.
Many Certification bodies will even offer you free training for your engineers to build up a relationship with you and secure future work.
This is the easiest and fastest way to start offering Cyber Essentials to your clients, and a route I highly recommend to get started now before it hits the mainstream.
I highly recommend teaming up with a Certification Body such as Southern IT Networks Ltd. They can offer you training and advice on how to get all of your clients certified. They already partner with a number of MSPs throughout the UK and can offer some great commissions.
Take a look at their services here and give them a call to discuss becoming a partner.
All MSPs who are serious about Cyber Security should be offering these types of services to their clients. It’s so easy to get started, especially if you team up with an existing certification body.
Running through the certification process will always show your clients where they can increase their protection from online threats. It's a great way for you to add a new stream of revenue to your business, which can be collected every year when certifications require renewing.