Cyber Essentials Resources
Learn more about Cyber Essentials certification, requirements, and recommended practices.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against the most common cyber threats. It defines a set of basic technical controls that every organisation should have in place.
The scheme is owned by the National Cyber Security Centre (NCSC) and delivered by IASME, the NCSC's Cyber Essentials Partner; assessments are carried out by certification bodies licensed by IASME. It is suitable for organisations of all sizes and sectors and provides a foundation of basic cyber hygiene.
There are two levels of certification:
- Cyber Essentials: A self-assessment questionnaire covering the five technical controls, reviewed by a qualified assessor. It shows that you have put in place controls that address a wide variety of the most common cyber attacks.
- Cyber Essentials Plus: Includes everything in Cyber Essentials, plus a hands-on technical audit by an external certification body that verifies the controls are actually working.
Benefits of Certification
Protection
The NCSC estimates that the five basic controls, properly implemented, would prevent around 80% of common, untargeted cyber attacks.
Government Contracts
Required for many UK government contracts involving handling certain information or providing certain services.
Customer Confidence
Demonstrates to customers, suppliers, and partners that you take cybersecurity seriously.
Risk Reduction
Reduces the likelihood and impact of everyday incidents (phishing, malware, exploitation of unpatched software) by ensuring the basic controls are in place and re-checked every year.
The Five Technical Controls
Cyber Essentials focuses on five key technical control areas. Explore each area below for detailed requirements.
Firewall & Boundary Protection
Firewalls create a buffer zone between your IT network and other networks, like the internet. They are a key protection against unauthorised access to your network.
Key Requirements:
- All devices connected to the internet must be protected by a firewall
- Default passwords must be changed on all firewalls, routers, and internet-connected devices
- Inbound connections must be blocked by default; every inbound rule you open must be documented and approved, and removed once it is no longer needed
- If staff access your network remotely, this must be done securely (e.g., using a VPN)
Best Practice: Use a combination of hardware and software firewalls. Hardware firewalls protect the network perimeter, while software firewalls on individual devices provide additional protection.
Secure Configuration
Computers and network devices should be configured to minimise vulnerabilities and provide only the services required to fulfil their role.
Key Requirements:
- Remove or disable unnecessary user accounts (e.g., guest accounts and unused or pre-installed administrative accounts)
- Remove or disable unnecessary software and services
- Ensure that default configurations are changed before deployment
- Use the latest supported versions of operating systems and applications
Best Practice: Maintain a documented standard for securely configuring systems and regularly audit systems against this standard.
User Access Control
Ensure user accounts are assigned appropriate access privileges and are controlled effectively.
Key Requirements:
- All user accounts must be assigned to authenticated individuals
- Administrative privileges must only be provided to those who need them
- Access to systems must be limited to only what users need for their role
- Strong authentication must be used: passwords of adequate length (the scheme favours length and a deny-list of common passwords over forced complexity), protection against brute-force guessing (throttling or lockout), and multi-factor authentication wherever the service supports it
Best Practice: Implement the principle of least privilege - users should only have access to the specific information and resources necessary for their legitimate purpose.
Malware Protection
Protect your organisation from malware by implementing appropriate controls.
Key Requirements:
- Anti-malware software must be installed on all devices that support it
- Anti-malware software must be kept up-to-date with the latest malware definitions
- Anti-malware software must be configured to scan files automatically upon access
- Users must not be able to disable or bypass malware protection
Best Practice: Use a layered approach to malware protection, including email filtering, web filtering, application allow-listing, and user education.
Patch Management
Keep your devices and software updated to address known vulnerabilities.
Key Requirements:
- Software must be kept up-to-date with the latest security patches
- Operating systems must be kept up-to-date with the latest security patches
- Updates that fix vulnerabilities rated critical or high must be applied within 14 days of the vendor releasing them
- Unsupported software must be replaced or isolated
Best Practice: Implement an automated patch management system and regularly audit systems to ensure patches have been successfully applied.
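The checks above are easier to reason about when written down as concrete rules. The following is an added example, not part of the Cyber Essentials scheme or of any official assessment tool: a small pre-assessment script that evaluates constructed inventory data against three of the five control areas (firewall rules, user access control, patch management). The data model (`FirewallRule`, `Package`), the list of admin ports, and the password length thresholds are assumptions made for illustration; the 14-day patch window is the scheme's own figure.

```python
"""Pre-assessment self-check against three Cyber Essentials control areas.

Added example, not part of the Cyber Essentials scheme or any official tool.
It runs over constructed inventory data embedded below; the data model and the
thresholds marked as assumptions are for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)        # scheme rule: critical/high fixes within 14 days of release
MUST_PATCH = {"critical", "high"}        # severities the 14-day rule applies to
ADMIN_PORTS = {22, 23, 3389, 5900}       # assumption: remote-admin services that must not face the internet
MIN_LEN_WITH_MFA, MIN_LEN_NO_MFA = 8, 12 # assumption: length-based password minimums


@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: str          # "inbound" or "outbound"
    action: str             # "allow" or "deny"
    source: str             # CIDR, or "any" for the whole internet
    port: int
    justification: str = "" # who approved the rule and why


@dataclass(frozen=True)
class Package:
    name: str
    severity: str           # rating of the open vulnerability: critical/high/medium/low
    fix_released: date      # when the vendor published the fix
    installed: bool         # whether that fix is applied
    supported: bool = True  # vendor still issues security updates


def check_firewall(default_inbound: str, rules: list[FirewallRule]) -> list[str]:
    """Boundary firewall: deny inbound by default; every inbound allow rule is
    documented and does not expose an admin service to the whole internet."""
    findings = []
    if default_inbound != "deny":
        findings.append("default inbound policy is not deny")
    for r in rules:
        if r.direction != "inbound" or r.action != "allow":
            continue
        if not r.justification.strip():
            findings.append(f"{r.name}: inbound allow rule has no documented justification")
        if r.source == "any" and r.port in ADMIN_PORTS:
            findings.append(f"{r.name}: admin port {r.port} open to any source; require a VPN instead")
    return findings


def check_patching(packages: list[Package], today: date) -> list[str]:
    """Patch management: critical/high fixes applied within 14 days of release;
    unsupported software flagged for replacement or isolation."""
    findings = []
    for p in packages:
        if not p.supported:
            findings.append(f"{p.name}: unsupported, must be replaced or isolated")
            continue
        if p.installed or p.severity not in MUST_PATCH:
            continue
        overdue = today - (p.fix_released + PATCH_WINDOW)
        if overdue.days > 0:
            findings.append(f"{p.name}: {p.severity} fix overdue by {overdue.days} day(s)")
    return findings


def check_password(password: str, mfa_enabled: bool, denylist: frozenset[str]) -> str | None:
    """User access control: deny-list of known-bad passwords plus a length minimum
    that depends on whether MFA is enforced. Returns the failure reason or None."""
    if password.lower() in denylist:
        return "password is on the deny-list"
    minimum = MIN_LEN_WITH_MFA if mfa_enabled else MIN_LEN_NO_MFA
    if len(password) < minimum:
        return f"shorter than {minimum} characters ({'with' if mfa_enabled else 'without'} MFA)"
    return None


# Constructed sample inventory (not real systems or real credentials).
SAMPLE_RULES = [
    FirewallRule("web-https", "inbound", "allow", "any", 443, "public website, approved by IT lead"),
    FirewallRule("rdp-all", "inbound", "allow", "any", 3389, ""),
    FirewallRule("ssh-office", "inbound", "allow", "203.0.113.0/24", 22, "admin access from office range"),
]
SAMPLE_PACKAGES = [
    Package("openssl", "critical", date(2024, 5, 1), installed=False),
    Package("browser", "high", date(2024, 5, 20), installed=False),
    Package("office-suite", "medium", date(2024, 4, 1), installed=False),
    Package("legacy-erp", "high", date(2024, 1, 1), installed=False, supported=False),
]
DENYLIST = frozenset({"password", "password1", "qwerty123", "letmein"})


def run_checks(today: date = date(2024, 5, 30)) -> dict[str, list[str]]:
    """Run all three checks over the sample data and group findings by control area."""
    return {
        "firewall": check_firewall("deny", SAMPLE_RULES),
        "patching": check_patching(SAMPLE_PACKAGES, today),
        "passwords": [r for r in (check_password("Password1", True, DENYLIST),
                                  check_password("correct-horse", False, DENYLIST),
                                  check_password("Tr0ub4dor&3", False, DENYLIST)) if r],
    }


if __name__ == "__main__":
    for area, findings in run_checks().items():
        print(area, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Against the sample data the firewall check flags the undocumented RDP rule twice (no justification, and an admin port exposed to any source), the patch check flags the critical OpenSSL fix as overdue and the unsupported ERP system, and the password check rejects the deny-listed password and the one that is too short for an account without MFA. Swap the sample lists for an export from your own firewall, patch tooling and directory to use it as a gap check before applying.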
Frequently asked questions
Who should get Cyber Essentials certified?
Any organisation that wants to improve its cybersecurity posture can benefit from Cyber Essentials. It’s particularly relevant for:
- Organisations working with the UK government or in supply chains
- Small and medium-sized businesses looking to implement baseline security
- Organisations handling customer data or sensitive information
- Companies wanting to demonstrate their commitment to cybersecurity
How much does the Cyber Essentials certification cost?
The Cyber Essentials certification cost varies depending on the size of your organisation and whether you’re pursuing basic Cyber Essentials or Cyber Essentials Plus. Basic Cyber Essentials certification typically starts around £300, while Cyber Essentials Plus (which includes technical verification) starts from approximately £1,500.
Check with IASME certification bodies for current pricing.
How long does the Cyber Essentials certification process take?
For basic Cyber Essentials, the process typically takes 1-3 weeks from starting the assessment to receiving certification. This includes time for completing the self-assessment questionnaire and implementing any necessary controls. Cyber Essentials Plus can take longer, as it involves scheduling and completing technical verification by an external assessor.
How long is the Cyber Essentials certification valid?
The Cyber Essentials certification is valid for 12 months (one year) from the date of issue and must be renewed annually to maintain certification and listing on the National Cyber Security Centre’s certified list. The renewal ensures that security controls remain effective as threats evolve.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment where you answer questions about your security controls. Cyber Essentials Plus includes everything in Cyber Essentials but adds hands-on technical verification by an external certifying body. This includes vulnerability scanning, testing for insecure configurations, and testing access controls. Cyber Essentials Plus provides a higher level of assurance that controls are effectively implemented.
Do I need to implement all the Cyber Essentials controls to pass?
Yes, you need to implement all the required security controls to achieve certification. However, the scheme recognises that organisations may have different setups, and provides some flexibility in how controls are implemented. The focus is on achieving the security outcomes rather than prescribing specific technologies.
How does our cyber risk assessment tool help?
Our cyber risk assessment tool helps you prepare for Cyber Essentials certification by:
- Evaluating your current security posture against Cyber Essentials requirements
- Identifying gaps that need to be addressed before applying for certification
- Providing recommendations for improvement
- Helping you understand the requirements in plain language
While our assessment isn’t an official certification, it’s designed to help you prepare for the official certification process.
What are the five control areas in cyber security?
This question is usually about the five core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover), which describe an organisation's whole security programme. They are not the same thing as the five Cyber Essentials technical controls listed above; the Cyber Essentials controls sit mostly within the Protect function. (NIST CSF 2.0 added a sixth function, Govern, but the five below are the ones most commonly meant.) Here is what each covers:
Identify: This is about understanding and managing the risks to your systems, data, and assets. It involves creating a complete inventory of all hardware and software, and identifying business priorities and potential threats.
Protect: This area focuses on implementing safeguards to ensure the delivery of critical services. It includes access control, data encryption, staff training, and maintaining secure configurations.
Detect: This involves developing and implementing measures to identify cyber security events. It includes continuous monitoring, anomaly detection, and having robust detection processes in place.
Respond: This is about having a plan to deal with a detected cyber security incident. It includes having a clear response plan, communication strategies, and mitigation measures to limit the impact of the event.
Recover: This final area focuses on restoring normal operations after an incident has occurred. This includes recovery planning, improvements based on lessons learned from the incident, and restoring any compromised data or services.