Has your AEC firm earned the Cyber Essentials / Cyber Essentials Plus accreditation? If you haven’t, don’t delay…

What are Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials (CE) and Cyber Essentials Plus (CE+) are Government-backed certifications, created to provide organisations at all levels, across all sectors with a clear baseline for effective cyber security, designed to continually evolve in response to shifts in the threat landscape.

Organisations typically begin with CE, which requires them to complete a self-assessment questionnaire, covering the key aspects of the cyber security posture. This is then verified by the Information Assurance for Small and Medium Enterprises (IASME).

CE+ builds on this and must be earned within three months of earning the CE certification. If it has not been earned within this timeframe, the organisation must start the process again. The CE+ assessment process is much more rigorous, involving an independent, on-site review of organisations' security capabilities and a full vulnerability scan.

Why all AEC firms must be ready to earn these certifications

CE/CE+ are essential for all firms looking to win contracts with public sector organisations, as they will always be required to participate in the bid process. Until fairly recently, this largely only applied to prime contractors, with subcontractors and organisations across the supply chain not necessarily being required to display the certification as part of the bid. However, this is changing, as new regulations will require all suppliers involved in public sector contracts to have earned Cyber Essentials Plus. 

An established roadmap for implementing cyber security best practice

Even if you are not looking to earn public sector contracts, an increasing awareness of the cyber threat landscape across all sectors means that customers will expect firms to demonstrate a clear commitment to maintaining robust cyber security. CE/CE+ represent an internationally recognised baseline for current cyber security best practice, and one that customers are likely to expect to see.

However, it is important to note that CE/CE+ should not be treated as the conclusion of your cyber security journey, but rather its beginning. Cyber security is constantly evolving, as bad actors devise ever more sophisticated, aggressive measures to access organisations' critical data. Your firm's long-term cyber security strategy should therefore factor in additional certifications and frameworks, such as SOC2-Service Organisation Control v2, ISO 27001/NIST800, and the Security Policy Framework. Expanding your range of accreditations and becoming active on additional frameworks will not only build customer confidence in your security capabilities, but also open the door to bidding on the most prestigious public sector contracts, so there is a strong business case to be made for investing time in the annual assessment processes.

Establishing an evolving cyber security culture across your firm

Indeed, once you have earned the certification, you will need to plan for its annual renewal. However, rather than treating this as an onerous burden, use it as an opportunity to engage with your technology partners and ensure your cyber security ecosystem remains fit for purpose and able to defend against emerging threats.

Whether your firm has already earned CE/CE+ or is looking to begin the assessment process for the first time, do not hesitate to contact us. Our team are ready and able to not only support you throughout the CE/CE+ assessments, but also ensure your cyber security ecosystem is fully optimised for AEC projects, with the flexibility and scalability to maintain the critical edge in an increasingly complex threat landscape.