Introduction

Knowing what an organisation has in place currently (current state) and where it would like to be in the future (target state) is crucial for organisations in planning strategy and defining change. Understanding this ‘gap’ and setting a way forward is a common technique when developing strategy. A similar approach can be taken by organisations when considering Cyber Essentials:

  1. Target State: having the technical controls in place to protect against common forms of internet-based threat and achieving Cyber Essentials Plus certification.
  2. Current State: where the organisation is currently positioned in terms of technical controls and certification status.
  3. Difference/gap: what needs to happen in order to reach the target state.
  4. Gap Analysis: reviews the differences and defines an action plan.


Why a Gap Analysis is Important

If a gap analysis is not carried out, there’s a risk that neither the current nor the target state is clearly defined. As a result, the change or transition required may not be clear either. Without that clarity, organisations risk working on the wrong things and being affected in terms of:

  1. Time – delays and unforeseen blockers
  2. Quality – potential inability to meet the requirements
  3. Cost – additional time and unplanned/extra resources being required

A gap analysis helps organisations gain clarity, set priorities, and plan resources effectively for Cyber Essentials compliance.

Gap Analysis for Cyber Essentials

  • Target state: understand the requirements, determine the scope for your environment, set out how the technical controls should be applied, and consider the current network architecture, devices, data and services
  • Current state: consider where organisational data and services currently reside, which devices (company and personal) and accounts access that data, whether they are internet connected, and whether the technical controls are currently applied (or not)
  • Gap: focus on the differences, consider the different options, set direction and define an action plan


Considerations and Key Notes

Recognising the need to support organisations with Cyber Essentials and Cyber Essentials Plus, NCSC has appointed Cyber Advisors. These are trusted professionals, qualified to provide expert advice on implementing the Cyber Essentials technical controls. Their expertise includes producing a tailored gap analysis for organisations of different sizes.

IASME has key resources that can be leveraged for gap analysis support, including a Cyber Essentials readiness tool, which is aimed at providing guidance and advice for organisations.


Key Notes

  • NCSC Cyber Advisors are also available and specially trained to assist with Cyber Essentials, including scoping
  • An asset list/inventory is not one of the key controls for Cyber Essentials, but it is needed as input into the process: it is crucial to understand the devices that can access organisational data/services
  • A Cyber Essentials readiness tool is designed to help organisations evaluate what may be required to achieve the implementation of the technical controls; an example of that is shown below:

Example Scenario

To bid for contracts, Organisation ABC is required to hold Cyber Essentials Plus. Cyber security has not been a top priority. Growing threats like data breaches and ransomware drive the need for certification. There’s recognition that achieving Cyber Essentials will reduce risk, boost trust, include free cyber liability insurance and can lead to Organisation ABC bidding for new contracts.

  • Organisation ABC reads the Cyber Essentials Requirements for IT Infrastructure to gain an understanding of the scheme and what needs to be in place
  • The organisation goes through the IASME readiness tool to see how close it is to achieving the required target state
  • A decision is made to seek support to help clarify scope, create an action plan and implement the required controls; a Cyber Advisor is contacted for support
  • The organisation quickly determines where to focus resources and works with the Cyber Advisor to implement the technical controls across the whole organisation
  • Cyber Essentials Plus certification is quickly achieved through the support of an IASME Certification Body
  • The organisation reduces risk, is able to bid for new contracts, receives free cyber liability insurance and has enhanced trust from customers and suppliers


Tips and Recommendations

  • Having a clear plan can reduce impacts on time, quality, and cost
  • Support is available from trusted sources such as NCSC Assured Service Providers and NCSC Assured Cyber Advisors
  • Documenting an asset or inventory list helps track devices accessing organisational data, understand risks, and support decision-making
  • Using the IASME readiness tool supports gap analysis and highlights the importance of Cyber Essentials requirements


How We Help

At RB Consultancy Ltd, we support organisations to improve their cyber security and to meet the Cyber Essentials and Cyber Essentials Plus requirements. As an NCSC Assured Service Provider and IASME Certification Body:

  • We explain the importance of Cyber Essentials and can define a gap analysis and action plan
  • We can explain why the Cyber Essentials questions are being asked and how the controls behind them are intended to protect organisations
  • We support organisations to achieve Cyber Essentials and Cyber Essentials Plus
  • We assess and issue organisations with certifications


Conclusion

Having a gap analysis for Cyber Essentials and Cyber Essentials Plus helps clarify where to focus and where to apply key resources. Without a gap analysis, organisations face delays, unexpected issues and no clear plan. Ensuring Cyber Essentials compliance reduces risk and boosts trust. It also enables contract bids, includes free cyber liability insurance and enhances security. If you need any assistance with Cyber Essentials / Cyber Essentials Plus certification, please contact us for support.

Cyber Essentials: Gap Analysis
