Understanding Cyber Essentials
Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against the most common cyber attacks.
Managed by the National Cyber Security Centre (NCSC), it provides a clear framework of basic security controls that every business should have in place.
The scheme is increasingly important for UK businesses, particularly those working with government contracts or handling sensitive data. Many public sector tenders now require Cyber Essentials certification as a minimum.
Two Levels of Certification
The scheme offers two levels:
Cyber Essentials - A self-assessment questionnaire verified by an external certifying body. It demonstrates that your organisation has the fundamental security controls in place.
Cyber Essentials Plus - Includes everything in the basic level plus an independent, hands-on technical audit of your systems. This provides a higher level of assurance.
The Five Security Controls
Both levels assess your organisation against five key technical controls:
1. Firewalls
Every device that connects to the internet must be protected by a properly configured firewall. This includes your network boundary firewall and software firewalls on individual devices.
Default admin passwords must be changed, and unnecessary network services should be disabled.
2. Secure Configuration
Computers and network devices should be configured to reduce vulnerabilities.
This means removing unnecessary software, changing default passwords, and disabling features you do not use.
3. User Access Control
User accounts should follow the principle of least privilege. This means giving people access only to what they need for their role.
Admin accounts should only be used for administration tasks, and all accounts should use strong, unique passwords.
4. Malware Protection
Your organisation must have protection against malware. This can be achieved through anti-malware software, application whitelisting, or sandboxing.
Whichever method you choose, it must be kept up to date.
5. Patch Management
All software and devices must be kept up to date with the latest security patches. Critical and high-severity patches should be applied within 14 days of release.
Unsupported software must be removed or isolated.
Benefits of Certification
Demonstrate commitment to security to clients, partners, and stakeholders
Win government contracts that require Cyber Essentials as a prerequisite
Reduce your risk of falling victim to common cyber attacks
Free cyber insurance is included with Cyber Essentials certification for eligible UK businesses
Build customer confidence by showing you take data protection seriously
How to Get Certified
1. Review the Cyber Essentials requirements and assess your current posture
2. Address any gaps in your security controls
3. Choose an accredited certification body
4. Complete the self-assessment questionnaire (basic) or arrange a technical audit (Plus)
5. Receive your certificate, valid for 12 months
We Can Help
Achieving Cyber Essentials certification can feel daunting, but it does not have to be.
Our security team guides businesses through the entire process, from initial gap analysis to successful certification. We are also accredited to help with Cyber Essentials Plus assessments.