
Page 1: The APMG CE and CE+ Certification Body Terms and

The APM Group CE and CE+ Certification Body Terms and conditions v 1.1 issued 31st May 2018 Owner Head of Standards

The APMG CE and CE+ Certification Body Terms and Conditions

1. Purpose and structure of this document

APMG is a National Cyber Security Centre (NCSC) approved Accreditation Body for the Cyber Essentials (CE) and Cyber Essentials Plus (CE+) schemes. The purpose of this document is to explain the application, assessment and certification process for approving Certification Bodies to offer this scheme and to provide the terms and conditions under which they must operate to provide CE & CE+ assessments to their clients. This is to ensure consistency in the implementation of the scheme. This APMG Cyber Essentials/ Cyber Essentials+ Scheme document is intended to summarise the terms and conditions, and the duties and responsibilities of each party, and clarify how it will be applied in practice. Certification Bodies can apply to be accredited by APMG and consequently may be granted a licence to use the APMG and CE/CE+ logos, which demonstrates this accreditation. APMG accreditation will only be granted to organisations who have demonstrated that they fully meet the requirements of this APMG Cyber Essentials/ Cyber Essentials+ Scheme document. APMG maintains a register of accredited Certification Bodies (CBs) and a register of CE/CE+ Certified Organisations that have been certified by its CBs as meeting the requirements of the standard. These can be found on the APMG Cyber website (https://ces.apmg-certified.com/Organisations.aspx). A register of CB assessors who have been approved by APMG for use in the CE/CE+ scheme is also maintained, but this register is not currently published. All queries about the operation of the scheme should be addressed to [email protected] or by phone to +44 (0) 1494 452 450.

2. Who is involved in the official scheme?

As an accreditation body, APMG is responsible for the accreditation of organisations acting as a certification body. For further information on the scheme, please visit https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

Cyber Essentials is a certification scheme developed by UK Government, and backed by industry, that defines a set of basic controls all organisations should implement in order to mitigate the risk from common internet-based threats. It also offers a mechanism for organisations to demonstrate that they have taken these essential precautions. It is a basic version of the Government’s 10 Steps to Cyber Security. Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations can implement and potentially build upon. Government believes that implementing these measures can significantly reduce an organisation's vulnerability to common cyber-attacks. Cyber Essentials defines a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes. Two levels of certification are available: Cyber Essentials and Cyber Essentials Plus.

• Cyber Essentials: certification at this level provides a basic level of confidence that an organisation has implemented controls correctly. Certification is awarded based on a verified self-assessment. An organisation undertakes their own assessment of their implementation of the Cyber Essentials control themes via a questionnaire. The responses must be approved by a senior executive such as the CEO. This questionnaire is then verified by an independent Certification Body to assess whether an appropriate standard has been achieved, and certification can be awarded. This option offers a basic level of assurance and can be achieved at low cost.

• Cyber Essentials Plus: certification at this level tests whether the controls implemented by the organisation are working effectively and are sufficient to protect against typical internet-based threats. It offers a higher level of assurance through the external testing of the organisation’s cyber security approach, against the test specification (https://www.ncsc.gov.uk/documents/cyber-essentials-plus-illustrative-test-specification). Given the more resource intensive nature of this process, Cyber Essentials Plus will cost more than the foundation Cyber Essentials certification. An organisation must hold the CE certification before they can be awarded the CE+ certification.

On successful completion at either level a certificate will be awarded. Organisations who receive a certificate will be able to display the appropriate Cyber Essentials or Cyber Essentials Plus badge.

3. References

APMG’s accreditation process for Certification Bodies has two specific routes:

Route 1

A CB who holds valid, current accreditation from a National Accreditation Body which has been recognised by the International Accreditation Forum or the European Accreditation Forum as an IAF MLA or EA MLA signatory for ISO17021.

In addition, the CB must demonstrate that it fully meets the requirements contained in Annex 1, 2 & 3 and be approved by APMG. The CB must have an appropriate marketing/business development plan for the 3-6 months following accreditation to promote the scheme take up.

Route 2

For an applicant CB who does NOT hold valid, current accreditation from a National Accreditation Body, the CB must demonstrate that it fully meets the requirements contained in Section 1 and Annex 1, 2 & 3 and be approved by APMG.

4. Terms and Definitions

Definitions of general terms can be found in ISO/IEC 9000 and ISO/IEC 17000. For the purposes of this document, the following definitions apply:

4.1 Accreditation Body

APMG is one of the NCSC approved Accreditation Bodies and scheme owner of the Cyber Essentials scheme and maintains a website listing all current certificates for certification bodies who are part of the scheme, except those clients who wish their details to remain private.

APMG owns the intellectual property (IP) that forms the basis of the registration scheme, together with the scheme logos.

4.2 Certified Organisations (CO)

An organisation certified against Cyber Essentials by a Certification Body, which wishes to be registered with APMG and displayed on its website.


4.3 APMG Decision Maker

An approved APMG representative who reviews the APMG’s Assessor recommendation on the CB’s suitability and decides whether CB accreditation should be granted.

4.4 Certification Body (CB)

An organisation which has been accredited by APMG under either Route 1 or Route 2.

4.5 National Accreditation Body (NAB)

An organisation that has been appointed as its country’s recognised accreditation body by IAF or EA to offer certification services.

4.6 Accreditation

A CB can provide CE/CE+ assessment services (as applicable), excluding offering training courses, preparation and licensing of training courseware, or offering consultancy services to the same set of clients to whom it is offering certification services.

4.7 Accreditation Cycle

The period of time for which a CB is registered before needing to be re-registered. The duration of a standard APMG accreditation cycle is 3 years.

4.8 Non-conformities

Priority issues are Non-conformities arising from assessments where the CB has not fully met the scheme requirements or has not been able to evidence that they have done so. These are raised with the client at the time of the assessment and an agreed timescale is given to address the issue(s), depending on the severity of the issue.

4.9 Quality Management System (QMS)

The policies, procedures, processes, documented information and resources regulating the CB’s activities.

4.10 Relevant Dates

Accreditation starts from the date when the application is formally signed by the APMG decision maker. The priority issue resolution timescale is calculated from the date when the report is issued to the CB by APMG.

4.11 Requirement

A process, document or item that needs to be demonstrated to APMG during an assessment activity.

4.12 Use of Shall and Should

For the intent and purpose of this document, “Shall” indicates requirements that must be complied with. “Should” indicates requirements which are expected to be complied with, unless specific and justifiable reasons exist for not doing so.


Section 1: Initial Accreditation

1. Scope

A CB applicant is eligible to apply via one of two routes.

Route 1

A CB who holds valid, current accreditation from a National Accreditation Body which has been recognised by the International Accreditation Forum or the European Accreditation Forum as an IAF MLA or EA MLA signatory for ISO17021.

In addition, the CB must demonstrate that it fully meets the requirements contained in Annex 1, 2 & 3 and be approved by APMG.

ISO/IEC17021:2015 Quality Management Systems

ISO/IEC17020:2012 Requirements for the operation of various types of bodies performing inspection

ISO/IEC17065:2012 Product Certification

ISO/IEC17024:2012 Personnel Certification

(Please note that standards such as ISO/IEC9001:2015 are not acceptable entry criteria for this scheme as these are certification standards and not accreditation standards)

Route 2

For an applicant CB who does NOT hold valid, current accreditation from a National Accreditation Body, the CB must demonstrate that it fully meets the requirements contained below and also Annex 1, 2 & 3 and be approved by APMG.

1. Documents to demonstrate that it is a registered legal entity.

2. Copies of Professional Indemnity and Public Liability Insurance.

3. Copies of the CE certificate/CE+ certificate (CBs MUST hold a valid Cyber Essentials/+ certification to the level at which it intends to deliver the scheme).

4. Demonstrate that it can support the organisation’s operations, such that a full certification cycle can be maintained.

5. Organisation chart describing the responsibilities and duties of each person within the organisation, including the delegation of authority from the CEO/head of the organisation to assessors/administrators.

6. A copy of the client terms and conditions for use on the APMG website.

7. Records/CVs which demonstrate that the assessment and support personnel have appropriate experience and competence to assess clients for CE and CE+ (as applicable).

8. A process describing which facilities and equipment (including computer hardware/software) are utilised in the management of the scheme(s).

9. A process describing how subcontracting is used, a current list of subcontractors and how they are recruited, evaluated and trained.

10. A process describing how the organisation logs, tracks, handles and closes complaints and appeals, including SLAs.

11. A process describing how the organisation manages and controls continual improvement (including non-conformity handling, and closing down issues).

12. A process describing how internal audits and management review of the QMS are achieved.

13. A process describing corrective and preventative actions.

14. A process describing control of documents and records.

15. For CE+ applicants only - Methodology intended to be used for assessment of Cyber Essentials Plus clients.

16. Details of the CB’s white label site requirements.


2. Registration

Step one - Application

To register as a CB, the following documents must be completed and submitted to [email protected]

1. The APMG CB application form. (https://apmg-international.com/file/8856/download?token=S2R2j625)

2. Evidence that the CB is a registered legal entity (please note, the address on this document MUST match the address in the APMG CB application form).

3. If applying via Route 1 - A copy of the NAB certificate with a current validity date (please note, the address on this document MUST match the address in the APMG CB application form).

4. If applying via Route 2 – a copy of the QMS, which must include items 2-16 above.

5. The registration fee.

6. Names of a minimum of two assessors who meet the criteria listed in Annex 3 below.

7. If applying via Route 2 - A copy of the Methodology intended to be used for assessment of Cyber Essentials Plus clients, if appropriate.

8. A business development/marketing plan for the forthcoming 3-6 months.

The application fee is non-refundable, regardless of whether the application is successful. Please note that submission of the application form and/or payment of any registration fee does not guarantee accreditation by APMG. See Annex 4 for the fee schedule. The accreditation application process will not commence until all fees have been paid. The CE Scheme Administrator will liaise with you throughout the registration process. Accreditation, if granted, is not retrospective. Any assessments carried out before the effective date of accreditation will not have been conducted under the APMG Scheme and therefore must not be certified as such. If there has been no progress on an application within three months of receipt by APMG, the application may be withdrawn. If the applicant organisation decides to continue at a later date, a new application is required.

Step two - Review

On receipt of a completed and signed APMG CB application form, and all required supporting documentation, APMG will check the following details:

• That the applicant Organisation is a legally registered entity, able to apply for CB status with APMG.

• That the CB registered legal name and address supplied in the legal documents with the application matches that on the NAB accreditation certificate.

• That the NAB accreditation certificate has been issued by an IAF or EA MLA signatory as shown on www.iaf.nu and is current and valid

• That the applicant CB holds current, valid certification for CE/CE+ as applicable, for the scheme(s) it intends to offer.

• That the nominated assessors meet the relevant eligibility requirements detailed above and in Annex 3.

• The suitability of the CB’s QMS procedures for processing its CE/CE+ certification scheme clients as applicable.

Step three - Acceptance

APMG will advise the applicant CB in writing whether their application has been accepted and will proceed to assessment.


On acceptance of the application, APMG will issue the applicant:

• An invoice for the registration fee detailed in the application. These fees must be paid before any assessment is undertaken.

• A CB Agreement to be signed electronically.

• An electronic copy of the logo and Cyber Essentials branding guidelines will be supplied to CBs on registration being granted.

• Access to the APMG on-line portal will be granted to permit the CB to process CE applications. This includes the CB’s bespoke white label site (https://ces.apmg-certified.com).

• If the applicant is a CE+ CB, they will be sent log in details to the Accreditation Body CE+ portal (https://portal.cyberessentials.live) for access to the latest test files.

• The CB’s approved assessors will:

a. be added to the CE portal to permit them to manage the workflow, and

b. undergo a training webinar with an APMG Cyber Essentials administrator on how to use the portal.

If the CB Agreement cannot be signed electronically via EchoSign, it should be printed, signed, have any necessary stamps applied, and be returned to APMG by email.

If there has been no progress to an application within three months of receipt by APMG, the application may be withdrawn. If the applicant organisation decides to continue after the three-months a new application and fee is required.

Step Four - Assessment

On acceptance of an application, APMG shall evaluate the organisation’s suitability for accreditation through assessment activity. At initial accreditation, this is usually through desktop review.

3. Assessment activities

3.1 Desktop review: assessment of CB documentation

APMG will assess that the organisation has adequate procedures as part of its Quality Management System (QMS) to operate the scheme, and has the appropriate level of valid, current organisational certification in place to offer the scheme. This assessment will also ensure that the organisation has personnel, including assessors, who are APMG approved, competent, and working in accordance with the APMG CE/CE+ Scheme.

For initial accreditation assessments, APMG focuses on two elements:

1. Evidence that the organisation has documented processes that they intend to use to deliver services. This is referred to as reviewing evidence of intention.

2. Evidence that the documented processes have been implemented. This is referred to as reviewing evidence of action.

To grant initial accreditation, APMG will look for evidence of intention by reviewing the documents submitted by the applicant.

Evidence of action will be reviewed during a telephone interview with the technical assessor and/or through evidence of output showing that the documented processes have been implemented.


3.2 Assessment of Assessors

A CB shall employ at all times a minimum of two APMG approved assessors, who shall conduct all assessments. One person conducts the assessment and makes a certification recommendation; the other independently reviews it and takes the certification decision. If a CB is a micro business, they may partner with another approved APMG CB to achieve this separation, with APMG’s knowledge and approval. However, no assessments shall be conducted by assessors who are not APMG approved.

A CB may request to have an administrator approved to triage incoming applications before being passed to an APMG approved assessor for assessment.

Team members or technical experts may be consulted to reach a recommendation or certification decision.

Annex 3 describes the criteria for approving APMG CE/CE+ assessors.

4. Assessment Dynamics

APMG will assign an adequately skilled and suitably independent assessor for all CB assessment activities.

The APMG assessor will evaluate whether the organisation and its individuals meet the specific requirements for accreditation.

Assessments will be based on the objective evidence made available by the CB. For each assessment, the assessor will submit a written report as to the applicant’s suitability based on the assessment findings and any issues found. The report will include a recommendation to APMG:

• Suitable - Recommendation for accreditation.

• Not Suitable - Not recommended for accreditation at this time.

Where an issue is found during the assessment, it will be documented and categorised as follows:

• Mandatory IAR

Definition: These are issues presenting a major threat to the services provided, leading to a “Not Suitable” recommendation.

Examples include: major errors, omissions, systematic occurrences of the same issue, or an accumulation of priority 2 issues. These may suggest further issues exist in non-sampled areas and that the assessed activity cannot be delivered as intended.

Timing: From the assessment report date, a corrective action plan shall be submitted to APMG within one month, and the issue shall be closed within a total of three months.

• Recommendation

Definition: These are issues presenting a minor threat to the result of the assessed activity. Individually, these issues do not prevent a “Suitable” recommendation, subject to satisfactory correction. However, a pattern of minor priority 2 issues in the assessment will result in a priority 1 issue.

Examples include: minor errors or omissions in specific areas, discrete occurrences of an issue, which do not accumulate to a Priority 1 issue. These do not suggest that further issues exist in the non-sampled areas, and the assessed activity does not currently threaten the achievement of the intended results.

Timing: From the assessment report date, a corrective action plan shall be submitted within three months, and the issue shall be closed within a total of six months.

• Observation

Definition: These are observations the assessor makes for the CB to consider.


Examples include: potential future nonconformities, a situation that may result in a deterioration of the services provided if not addressed. Observations are not nonconformities at the time of the assessment.

Timing: There is no requirement for a formal response, but they will be reviewed at the next assessment.

• Opportunities for Improvement (OFI)

Definition: These are areas which, in the opinion of the assessor, may add value to the services provided.

Examples include: examples of industry best practice widely in use, standard approaches to resolving specific issues, suggestions based on the assessor’s previous experience.

Timing: OFIs are not nonconformities and do not require a formal response. OFIs are highlighted in the body of the report and are not included in the findings reports.

Failure to meet the stated timescales for initial accreditation will result in withdrawal of the application. A new application and application fee will be payable if the applicant wishes to reapply.

Failure to meet the stated timescales for reaccreditation shall lead to suspension/withdrawal of existing accreditation.

Where a Not Suitable recommendation is made, APMG may apply additional assessment fees to conduct further assessments, where a maximum of one CB evidence submission to address the issues has been made but has failed to close down the issues raised.

Specific rules surrounding suspension and withdrawal are detailed in Section 2 of this document.

Upon receipt of APMG’s report, the organisation shall review the report’s findings to action any issues in accordance with the priority level assigned and the relevant timescales.

5. Accreditation

When all requirements have been demonstrated through successful assessment(s), accreditation will be recommended, and if appropriate, accreditation will be granted. This includes an APMG certificate, which makes clear the scope (CE and/or CE+) and period of accreditation. All accreditation is subject to contractual terms and conditions, and conformance being maintained through surveillance and re-accreditation as listed in Section 2 of this document.

For each accreditation assessment undertaken, an authorised APMG decision-maker will consider the Assessor’s recommendation and any other relevant information to make an informed accreditation decision. The applicant CB will be notified of this decision in writing.

The accreditation certification date on the issued certificate is the date when the authorised APMG decision-maker makes the accreditation certification decision. All certificates remain the property of APMG and must be returned to APMG upon request.

• Approved CB Organisations will be listed on https://ces.apmg-certified.com/Selection.aspx.

• Approved CB organisations will be added to the APMG website on the individual CB’s white label site as agreed.

6. Complaints and Appeals

Complaints and Appeals by CBs against registration decisions taken by APMG will be considered in accordance with the APMG process for Complaints and Appeals which is shown on the APMG website.


7. Client Responsibility

In applying for accreditation, the applicant CB is responsible for implementing, maintaining and operating in accordance with the requirements of the scheme and standards against which accreditation is granted. Any changes to the CB’s status, organisation, structure, location, or significant changes to its systems must be notified to APMG in writing immediately. The CB also agrees to refer to accreditation and certification appropriately, and to use accreditation and certification marks/logos as specified in the rules for the use of such.

8. Changes

CBs will be notified of any changes to the Scheme and will be expected to respond to such changes in a reasonable timescale.

9. Use of APMG Logo

The APMG Cyber Essentials logo is a registered trademark and all use of the logo should be in accordance with the Cyber Essentials branding guidelines. The CB is licensed to use the appropriate logo, either in colour or black and white, for the following purposes:

• In marketing collateral describing the Scheme and any specific service that they offer

• On certificates issued to organisations certified following an assessment

When used in colour, the logo shall be reproduced in the exact colours and font of the issued logo. An electronic copy of the logo will be supplied to CBs on registration being granted. In particular the logo must not be altered or used in a misleading way, for example to imply certification of something which is not certified. No other use of the logo is permitted and APMG will take strong action against any perceived abuse of the logo, whether by a CB or any other organisation.

Section 2: Surveillance and Re-accreditation

10. Purpose

Once approved, the CB and its Approved Assessors must maintain compliance with the relevant requirements listed in Section 4. In order to confirm ongoing compliance, APMG will conduct surveillance and re-accreditation activities.

11. Accreditation Lifecycle

The duration of a standard APMG CB accreditation cycle is 3 years. The initial accreditation approval marks year zero of the cycle. Surveillance activities will be performed annually during the cycle. A re-accreditation will be required to start a new accreditation cycle.

The following paragraphs detail the activities required.

12. Surveillance and Reaccreditation

12.1 QMS CB procedure review

During the standard 3-year cycle, APMG will assess that the organisation continues to operate adequate QMS procedures describing the method used for processing its CE/CE+ scheme.

All CBs will be required to undergo a re-accreditation prior to the end of the 3-year cycle.


Every CB will undergo surveillance activities annually during the 3-year cycle. These activities may be via desktop review, web-enabled remote audit or on-site audit.

13. Suspension

13.1 CB Suspension

In circumstances where a CB does not meet APMG’s accreditation or contractual requirements, their accreditation shall be suspended.

Potential reasons for suspension of accreditation include:

• Failure to undergo surveillance activities within the required timescale.

• Failure to submit corrective actions within the specified timescales.

• Failure to close priority issues within the specified timescales.

• A recommendation of “Not Suitable” for a CB currently approved.

• The CB no longer fulfils the eligibility requirements for the service they are accredited to offer.

• The CB does not employ a minimum of two suitably approved APMG Assessors for the scheme or fails to have a formal partnership with another similar organisation to provide the review of assessments.

• Failure to return a signed contract.

• Any behaviour which may bring APMG or the scheme into disrepute.

• Breach of APMG or scheme owner IP reuse guidelines.

• Default of payment terms.

• Failure to conduct a Cyber Essentials PLUS assessment using the latest version of Cyber Essentials PLUS test files as published on https://portal.cyberessentials.live/

During suspension of accreditation the following shall occur:

• The CB and its clients shall be removed from the CB and client web listings on the APMG-International Cyber website.

• The CB shall cease to use any marketing material that contains reference to APMG certification.

• The CB shall not be permitted to register any new certified clients.

A formal notification of suspension and, where applicable, lifting of suspension, will be sent to the CB. This notification will advise the reason and the date from which the suspension applies, the corrective action required and the timescale in which this must be resolved. The CB will be suspended for a maximum period of three months from commencement of suspension.

To lift the suspension, the CB must complete appropriate corrective action as noted in the formal notification. APMG may lift suspension on the condition that special measures are imposed on the CB. These measures may include payment upfront for CB surveillance or re-accreditation activities.

Where suspension has not been lifted within three months, the CB will be withdrawn from the scheme for the reasons stated in the suspension letter.


14. Withdrawal

14.1 CB Withdrawal

If accreditation is withdrawn, the CB will be notified in writing. The following will occur:

• The CB will be required to return or, alternatively, destroy any valid APMG accreditation certificate.

• The CB will be removed from the list of Approved CE/CE+ organisations.

• Access to the APMG on-line cyber portal will be removed.

• The list of certified organisations will be removed from the APMG website.

• The CB shall cease to use any marketing material that contains reference to certification and related IP.

To regain accreditation following withdrawal, the CB will be required to re-apply for accreditation. A full assessment in accordance with the scheme conditions may be required. Details of the activity required shall depend on the circumstances and should be discussed with APMG.


Annex 1 Scoping of certificates

The scope on the CE+ certificate must be the same as that on the CE certificate. It must fully describe the equipment (software and hardware), geographical location and range as per the diagram below and in accordance with the NCSC guidelines (https://www.ncsc.gov.uk/information/requirements-it-infrastructure-cyber-essentials-scheme).


The scope of certification must cover the essential IT systems used in support of the principal business of the organisation. This must include any system that is used to process, collect, store or destroy sensitive data, which might include personal details, bank details, client details and many other types of information. The scope will define where the controls need to be applied in order to meet the Cyber Essentials criteria. A clear description of the boundary of the scope must be given.

The physical location of the IT system(s) in scope must be given, together with the boundary of that system. Where a cloud-based system is used, this must be defined in some way, for example by referring to the third-party supplier of that service.

If all the IT systems within an organisation fall within the scope of the assessment, then the organisation itself can be named as the scope and the certificate will reflect this. If that is not the case, then a name must be given for the system(s) in scope and that name will be used for the CE and CE+ certificates.

It is preferable to use a simple diagram, as shown here, in order to aid the description of the scope of certification.


Annex 2 - Competence of CB Assessors for CE and CE+

Competence of CE Lead Assessors and Assessors

They will be expected to demonstrate all of the following competences:

1. Consultancy or Professional Services in cyber security – this can be achieved with a CV which demonstrates that the assessor is experienced in managing and delivering cyber security services to paying clients.

2. Audit Experience – it is expected that an individual can demonstrate they understand how to perform an audit and report on the outcomes. Typical certifications to support this would be:

a. Lead or Senior CCP Auditor, ITSO or SIRA
b. ISO/IEC 27001 Auditor
c. CISA
d. CISSP
e. Other qualifications may be considered for approval by APMG
f. Vulnerability Testing experience

It should be noted that holding one of the qualifications listed, or similar, does not in itself make someone acceptable as an assessor. Evidence of undertaking assessments of processes, of QMSs and similar activities will also be required.

Competence of CE+ Lead Assessors and Assessors

All Lead Assessors and assessors undertaking CE+ reviews must be listed by the CB as part of the application process. They will be expected to demonstrate all of the following competences in addition to those required for a CE assessor given above:

3. For CE+ it is essential that the tester can demonstrate their competence in planning and performing the security testing component.

4. The individual would be expected to have evidence of at least one of the following qualifications:

a. CHECK
b. Tiger Scheme
c. PCI ASV
d. CEH - Certified Ethical Hacker
e. IASME Technical Cyber Auditing Course

Other qualifications may be considered, upon application to APMG.

5. All assessors will be required to undertake a Product Knowledge interview, which may be by telephone, web conference or face to face, to demonstrate that their product knowledge and competence is acceptable. Evidence of ongoing continuing professional development will be expected in order to demonstrate that the individual has maintained their competence following the attainment of their qualifications. A minimum of 10 hours CPD per annum is required. This may comprise attending a formal course, evidenced by a certificate; for an informal course or internal training from the CB, a certificate of attendance or signed declaration; and for training undertaken on a personal basis, such as self-study, a signed declaration from their CB Manager describing the nature of the activity and the hours of CPD taken.


Annex 3 Methodology for CE and CE+ Assessments

Methodology for CE Assessments

• The methodology must align with the current version of the Illustrative test specification as published by the scheme owner in addition to using the latest test files published by the Accreditation Bodies (APMG) on https://portal.cyberessentials.live/

Methodology for CE+ Assessments

The applicant Certification Body (CB) organisation shall meet the following criteria to be approved to offer Cyber Essentials Plus.

1. The CB must have a current Cyber Essentials and Cyber Essentials Plus certificate and meet the APMG requirements for a Certifying Body. If the potential CB does not already have it, a plan must be in place to obtain Cyber Essentials Plus within three months of any application being submitted to APMG. The scope of the Cyber Essentials Plus certificate must detail any tools, devices or systems that are used by the CB in the certification process for clients.

2. The CB must provide a methodology statement describing how they will perform CE+ reviews for their target clients. It is understood that this will have some variation depending on the company size, but the aim is to ensure a consistent approach for all clients, reinforced by the QMS. The methodology must align with the current version of the Common Test Specification as published by the scheme owner. The methodology statement shall include:

i. How the CB will approach the CE+ assessment
ii. The tools the CB will use to undertake the CE+ assessment
iii. The criteria which the CB uses to select the appropriate tools for each client

3. A named Lead Assessor must be put forward as the main interface for APMG on Cyber Essentials Plus engagements. This individual is expected to review and perform the final decision making for all CE+ reports undertaken by the CB in line with the approved QMS.

4. All Lead Assessors and assessors that the CB intends to use to undertake CE+ reviews need to be approved as competent by APMG and listed on the application form, and shall be formally approved by APMG prior to any assessments being undertaken.


Annex 4 - Schedule of CB charges

Fee structure and definitions

The price list that is effective from 1st November 2017 is shown below in this document. Our prices are reviewed annually and are subject to amendment at any time.

Item                                                                                                     Price £
CB CE Scheme Registration (initial application fee; includes a one-day desktop review)                   1200.00
CB CE PLUS scheme Registration                                                                           1700.00
Reregistration fee (every 3 years)                                                                       1200.00
CE Client Assessment Fee                                                                                  300.00
Additional auditor days (on/off site)                                                                     650.00
Review of non-conformity findings (per auditor day, charged in increments of 0.25 days)                   650.00
Non-UK travel time (per auditor day)                                                                      650.00
Auditor Travel & Subsistence Expenses (charged back at cost)                                              POA
CE Plus assessments (it is the responsibility of the CB to agree the fee with the client,
  issue the invoice and take payment)                                                                     POA
CE Applications (CBs receive £100 per application)                                                        100.00
CE Plus Applications (CBs pay £250 per application to APMG)                                               250.00

NB The standard of air travel is normally economy on short haul, premium economy on medium haul and business class on long haul (i.e. flights of more than 7 hours, including connecting flights without an overnight stopover) APMG will, where possible, group CBs by geographical region to share the costs of travel and the cost of the time taken to travel by each CB. These arrangements will be communicated to you ahead of the visit for your agreement.

Units of Time

Rates for our services will be calculated in days, half days or quarter days per person. We will not bill our time for journeys wholly within the United Kingdom mainland. If the working day is unduly prolonged, an additional half or quarter day per person may be charged.

Travel rechargeable time

Total travel time to reach assessment destinations outside of the United Kingdom and/or offshore work which is based in the UK will be charged at the relevant day rate in days, half days or quarter days per person. For the purposes of calculating total travel rechargeable time, the United Kingdom will include the Crown Dependencies where the total travel time is less than 3 hours. APMG reserves the right to charge for travel time for an assessment resource to travel from outside of the UK to conduct an assessment in the UK, where that assessment resource is specifically required by the customer. Time spent during trapped weekend days is not generally billed, unless worked at the customer’s request. However, assessment team expenses for trapped days will be billed (see the price list above for the current Travel & Subsistence rate).

Expenses

See details in the price list above.

Cancellation policy and charges


Where the customer cancels or postpones the date of a visit after it has been agreed, a fee is payable as set out below. Surveillance and Reassessment visits will normally be booked and agreed with the customer three or more months in advance. Other assessments, including witnessed assessments associated with surveillance and reassessment visits, are booked at shorter notice. If a customer cancels or postpones a visit once this has been agreed, the costs incurred by APMG will be invoiced in full. APMG reserves the right to withhold any grant, maintenance or renewal of accreditation until it is settled. Non-payment, on the due date of the invoice, of invoices which require payment in advance of the assessment date is considered as a cancellation of the assessment by the customer, and the cancellation policy will apply.

Reinstatement Fee

Where a customer’s accreditation is suspended for financial reasons, e.g. late payment of invoices, a fee will be charged for reinstating the accreditation when the debt has been settled.

Quotations

Customers are entitled to quotations before work begins and are required to confirm their acceptance of the quotation within 14 days of the date of issue. Once work has started, the customer is deemed to have accepted the quotation and is committed to paying for the quoted quantity of effort and any expenses incurred in arranging the visit. Although we will endeavour to carry out the job within the effort allowed by the quotation, we reserve the right to agree and bill for a different quantity if this is what is actually worked. Accordingly, it is in customers’ interests to ensure that their records and evidence are of the agreed standard. Any non-conformities that are identified during an assessment will require additional effort and therefore will result in additional charges.

Invoicing

Invoices are normally raised in sterling and are due and payable in full. They are raised in electronic format and sent via email and may be raised in stages, for example for lengthy projects or in relation to overseas work where APMG incurs substantial travel costs in advance of visits. We may, on a case by case basis, be able to invoice in other currencies, upon application. Value Added Tax will be applied according to UK rules. Any non-UK taxes and all other transaction charges relating to the payment remain the responsibility of the customer.

Payment terms

For UK customers, our standard payment terms are 30 days from the date of the invoice, except where indicated that payment is required before any work is undertaken. We reserve the right to withdraw credit (for example in cases of bad credit or payment history), in which case payment is required in advance of any work being undertaken. For customers who are required to pay in advance of any work undertaken, invoices will be issued as soon as work is scheduled and no more than four months in advance of the day that work is to be undertaken. Fees up to and including initial assessment and any associated supplementary or close-out work must be paid before accreditation is granted.

Payment Methods

We accept electronic payment via bank transfer, PayPal and/or credit card payments by phone. You can make a payment by phone by calling CIT on +44 (0) 1494 452 450 between 0830 and 1730, Monday to Friday.


Annex 5 - Continuing Professional Development

1. Background

Continuing Professional Development (CPD) is a measure of the continued maintenance and development of all skills associated with a specific professional qualification, career or skills set. In many organisations this has now become a very important factor helping to ensure that people are still able to carry out tasks and roles. APMG uses CPD in a number of areas and is extending its use into other qualifications where it is appropriate. This is a requirement set by CESG in order to demonstrate that individuals are maintaining their professional knowledge for CESG Certified Professional (CCP) and for GCHQ Certified Training (GCT) trainers. It is a standard requirement of various other international qualifications and APMG have to show this in a number of areas for which they are accredited by the UK Accreditation Service (UKAS).

Some will say simply doing the job is enough professional development but it is felt that this is a rather limited view point. The world is changing so rapidly in most business areas that not keeping abreast of the latest developments is likely to result in a significant reduction in an individual’s capability and competence, and that is what APMG wish to avoid. There are a number of different ways of doing so though, including attendance at events, reading, web-based research, authoring, study, presenting or teaching others, to mention just a small selection.

2. Points

Many organisations promote the collecting of points as a way of measuring and approving individuals’ CPD. This is promoted by the CPD UK organisation www.cpduk.co.uk (amongst others around the world), who define CPD as:

… the holistic commitment of professionals towards the enhancement of personal skills and proficiency throughout their careers.

In agreement with the organising body, points are awarded for attendance at events of many different types and the individual is able to claim those points usually through the collection of a certificate. Various bodies set a requirement of a number of points to be collected during a year sometimes defining different types of event or activity– so many from reading, so many from conferences and exhibitions, and so on. Whilst collecting points is a perfectly adequate way of recording CPD, there is an issue with points, as most professionals will realise, which is that attending an event and getting something of value from that event are often not equivalent. Most professional people will have attended a major conference or exhibition, wandered around the stands or listened to speakers, and then gone home little wiser or more knowledgeable than when they arrived. Nevertheless, they are able to claim CPD for attendance. It is for that reason that APMG has adopted a more flexible but hopefully rigorous approach to the recognition of CPD.

3. APMG Approach

APMG has recognised that it is not the attendance at events which is important, but the knowledge gained from that attendance. They have therefore decided to use the knowledge as a measure of the CPD rather than simplistically collecting points. APMG has therefore NOT set a specific number of points to be gained during a given period. Instead it asks those required to demonstrate their CPD to record what they have done, why and how they have used what they gained from it in free text form. APMG has developed an online CPD system within the CCP scheme web site which can be used to record CPD and produce reports that can be used for any purpose as well as in support of a CCP Certification. The system can be accessed through the individual login that is used to achieve certification. Login to the account will be available via a link on the left-hand menu entitled ‘CPD Area’. It offers a variety of ways of recording different types of event/activity but each requires the addition of free text saying what was done, the benefits of it and the impact on work. Don’t forget soft skills need to be developed too so, for example, charity work and other less formal CPD should also be included. Any on-going pieces of CPD can be made private until it is appropriate for them to be shared with APMG Admin and Assessors. Please be aware that all CPD items will need to be set as public for APMG and Assessors to view. Alternatively, any recording format including a Word table or Excel spreadsheet for example is quite acceptable. The likely headings required are:

Date (to – from) | Duration (as applicable) | Title and purpose (of the activity) | Description (of the activity) | Organiser | Outcome (what was the learning gained) | Impact (on work or elsewhere)

Example entry:

22 Apr | 0.5 day | Networking seminar – The PMO. To explore the development of a PMO | To understand the role of the PMO and why it is becoming more important. | APM | Understand the problem PMO was set up to address. Issues with current PMOs and their ongoing development. | Helped me to advise those in the project team on how we should enhance our PMO activities.

4. Assessment

So, what do assessors expect to see as CPD; how can it be recorded and presented? The answer to that is that an applicant must be able to convince the assessor that they have maintained their professional knowledge in the areas pertinent to the certification(s) they have achieved. Information should be recorded as and when appropriate, best perhaps soon after the event whilst it is still fresh in the mind. It should not be left until the assessment of it is due. The presentation of the information is not as important as the information itself and so any readable format can be used. The assessment of CPD is based on a number of factors and will be affected by the specific certification(s) it is submitted to support. The factors that will determine the assessor’s view of the records include, but are not limited to:

The subject covered. Clearly it has to be relevant to the certification(s) although it does not necessarily need to be training directly targeted at that area. Provided a reasonable connection can be made between the activity and the professional knowledge and development of the applicant, it will be considered by the assessor.

The type of event. Attending a seminar run by a professional body is probably more significant and valuable as CPD than walking around an exhibition looking at stands, unless the purpose is specifically stated as being to gain more information about a particular product, service, etc. which is best gained by talking to the representatives on a stand. A smaller networking event with a presentation, Q&A session and an opportunity to talk to the presenter could be considered to be more valuable than attendance at a large conference even if the speakers are well-known.

Formal or informal. A formal training course which might result in a recognised qualification is clearly very valuable CPD. Informal training, whilst valuable, can sometimes be a less reliable indicator of CPD.

The organiser. Where the organiser is, for example, a well-recognised national or international trade body, then the events and training they provide can usually be regarded as high quality. If the event is run by a supplier, for example, it may be more limited in its value since it is primarily designed to try and persuade people to buy their goods and services.

Internal or external training. If a course or event is laid on by the employer, for example, this might be useful for a specific task or role within that company but is perhaps less useful than a more generic external course which enhances the overall understanding and capability of the individual.

Teaching others. This can be a very powerful way of enhancing the skills of an individual. It is often said that only by teaching others can someone truly learn about a topic. However, delivering the same course week in, week out is not likely to enhance the skills and could in fact be diminishing them through boredom, complacency and inactivity. Developing a new course, on the other hand, almost always requires some degree of research and learning, and should be seen as providing good opportunities for CPD.

Impact at work. CPD is intended to maintain professional skills and competences in order that an individual continues to be able to fulfil the tasks they are set. Therefore how the specific CPD activity enhances, or at least maintains, their competence is clearly a critical factor. There is also the aspect of enhancing their skills and growing their knowledge base, and this too must be recognised as contributing significantly to CPD activity.

5. How much is required?

The amount of CPD required is clearly an important issue. The bottom line has to be that there must be enough to convince an assessor that the applicant is keeping up to date with the changes in the areas of the certification(s). This will clearly vary from area to area. The following are provided as examples only and should not be seen in any way as being prescriptive.

For cyber security and related areas. It is essential anyone working in this field maintains a current knowledge of the changes in the security of systems, information, technology and related areas. Following a respected web site on a weekly basis would be appropriate, as would attendance at briefings two or three times a year. Reading books may be useful but will often not address the latest or current issues. Attendance at conferences and major exhibitions on an annual basis would also be appropriate provided something useful in terms of specific knowledge, understanding or information was gained from it. Attendance at two or three seminars on particular specialist areas of interest and value would also be appropriate.

Project, programme, portfolio management and related areas. The changes in these areas are less frequent but are nevertheless significant. Agile has produced a raft of options and alternatives in a range of areas, and the growth of benefit management, together with cultural change management, must also be seen as significant. For a project manager, for example, not to have recorded reading books, attending seminars or conferences on topics related to this during the course of a year would be unacceptable. Two or three good events might be enough, but this will also be dictated by the value of the event as described above.

Service management and related areas. Whilst the principles of good service management may not have changed too much, there continues to be a growth and increased recognition of the importance and value of effective service management. Reading books on the latest developments and certifications, and attendance at seminars or conferences two or three times a year, would be appropriate. There is a growing belief that cyber security and service management should be brought back together, and undertaking study or workshops looking at those developments would also be useful CPD.

Other more general areas. In many cases attendance at two or more events per year or the equivalent, taking into account the nature of the activity as given above, would be considered appropriate CPD. These could be varied, and appropriate CPD might include, but not be restricted to, learning about:

a) new legislation,
b) new trade body standards,
c) revised compliance requirements,
d) new approaches to specific issues or topics,
e) new software supporting the business area.