Cyber Essentials
UK Government-Backed Cyber Security Certification Scheme
Standard Introduction
Cyber Essentials is the UK government-backed cyber security certification scheme developed by the National Cyber Security Centre (NCSC). Launched in June 2014, it provides a clear, practical framework for organizations to protect themselves against the most common cyber threats. The scheme focuses on five technical controls that, when properly implemented, can prevent approximately 80% of cyber attacks.
The scheme offers two levels of certification: Cyber Essentials (a verified self-assessment questionnaire) and Cyber Essentials Plus (a hands-on technical verification performed by an accredited Certification Body). Certification is valid for 12 months and is managed by IASME as the NCSC’s official delivery partner, with over 400 accredited Certification Bodies across the UK. Since October 2014, Cyber Essentials has been mandatory for UK government contracts involving handling personal information or providing ICT products and services.
Five Technical Controls
Addresses approximately 80% of common cyber attacks through five key controls: firewalls, secure configuration, user access control, malware protection, and security update management.
Two Certification Levels
Offers basic Cyber Essentials (self-assessment questionnaire) and Cyber Essentials Plus (hands-on technical verification by an accredited assessor).
Government Mandate
Mandatory for UK government contracts that involve handling personal information or providing certain ICT products and services.
list_alt Five Technical Controls
- Firewalls — boundary protection and configuration
- Secure configuration — default settings and hardening
- User access control — least privilege and MFA
- Malware protection — anti-malware and application whitelisting
- Security update management — patching within 14 days
- Cloud services configuration and security
- Password policy and multi-factor authentication
Who Needs to Comply?
All UK organizations seeking a baseline level of cyber security, and any organization bidding for UK government contracts involving sensitive data or ICT services. Suitable for organizations of all sizes.
Key Requirements
Boundary Firewalls and Internet Gateways
Configure firewalls on all devices connected to the internet. Only necessary network services should be accessible, and default passwords on network equipment must be changed.
Secure Configuration
Remove or disable unnecessary software, services, and user accounts. Change default passwords and ensure devices are configured to reduce vulnerabilities.
User Access Control
Control who has access to data and services. Implement least-privilege principles, require unique user accounts, and enforce multi-factor authentication where available.
Malware Protection
Deploy anti-malware software across all endpoints, configure automatic updates, and implement application whitelisting or sandboxing to prevent execution of malicious software.
Security Update Management
Apply critical and high-risk security patches within 14 days of release. Remove unsupported software and ensure all devices run supported operating systems.
Implementation Roadmap
Prepare scope and asset boundary
Define the organization, networks, cloud services, end-user devices, servers, mobile devices, and user groups in scope. Assign an owner for the self-assessment questionnaire and collect evidence for devices, accounts, internet-facing services, and cloud administration.
Gap analysis against the five controls
Review firewalls, secure configuration, user access control, malware protection, and security update management against the current NCSC requirements. Identify unsupported software, weak passwords, missing MFA, exposed services, and patching gaps.
Implement technical fixes
Harden devices and cloud services, remove unnecessary accounts and software, enable MFA, restrict admin privileges, deploy malware protection, and bring patching within the required timeframe. Retest high-risk internet-facing assets before submitting the assessment.
Certify and maintain readiness
Submit the verified self-assessment for Cyber Essentials or complete technical verification for Cyber Essentials Plus. Maintain device inventories, patch cadence, access reviews, and configuration checks so renewal is not a last-minute remediation project.
Compliance Checklist
checklist Scope & configuration
checklist Access & malware protection
checklist Patch and renewal operations
Cyber Essentials vs Cyber Essentials Plus vs ISO 27001
The schemes differ mainly in assessment depth and management-system scope.
| Aspect | Cyber Essentials | Cyber Essentials Plus | ISO 27001 |
|---|---|---|---|
| Assessment method | Verified self-assessment | Technical testing by an assessor | Independent certification audit |
| Control scope | Five technical controls | Same five controls with hands-on validation | Risk-based ISMS and Annex A controls |
| Validity | 12 months | 12 months | Three-year cycle with surveillance audits |
| Best fit | Baseline customer or contract assurance | Higher confidence in technical implementation | Enterprise-wide security governance |
Common Misconceptions
Cyber Essentials proves an organization is secure against all attacks.
It proves a baseline set of controls against common attacks, not comprehensive security maturity.
The questionnaire is just paperwork.
Answers must reflect the real technical environment, and Cyber Essentials Plus can test whether controls actually work.
Cloud security is entirely the provider’s responsibility.
Customers still own user access, MFA, configuration, data handling, and many administrative controls.
Penalties & Enforcement
No direct legal penalties for non-certification. However, organizations without Cyber Essentials certification are ineligible for UK government contracts involving personal data. Loss of certification may also increase cyber insurance premiums and reduce customer trust.
Frequently Asked Questions
What are the five Cyber Essentials controls?
expand_more
The five controls are firewalls, secure configuration, user access control, malware protection, and security update management. They are designed to prevent common internet-based attacks when implemented consistently across the scoped environment.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
expand_more
Cyber Essentials is a verified self-assessment questionnaire. Cyber Essentials Plus uses the same control set but adds hands-on technical testing by an assessor to validate that controls are operating on sampled devices and services.
Is Cyber Essentials mandatory?
expand_more
It is mandatory for some UK government contracts, especially where suppliers handle personal information or provide certain ICT products and services. Many private-sector customers also request it as a baseline assurance requirement.
How long does certification last?
expand_more
Cyber Essentials certification is valid for 12 months. Organizations should maintain evidence and control hygiene throughout the year because renewal requires current answers, not last year’s configuration.
Do cloud services count in scope?
expand_more
Yes. Cloud services that store, process, or administer organizational data are in scope. Organizations must consider cloud user access, MFA, administrative roles, secure configuration, and provider-managed responsibilities.
What patching standard is expected?
expand_more
In-scope software must be supported and security updates rated high or critical must be applied within the required period. Unsupported software should be removed, isolated, or replaced so it does not undermine the scope.
Can a small business use Cyber Essentials?
expand_more
Yes. The scheme is intentionally designed as a practical baseline for organizations of all sizes. Small businesses often benefit because the five controls are concrete, testable, and understandable to customers.
Does Cyber Essentials replace ISO 27001?
expand_more
No. Cyber Essentials is a focused technical baseline, while ISO 27001 is a full information security management system. Cyber Essentials can be a useful first step or supporting evidence for a broader ISMS.
Official Documentation
Cyber Essentials Requirements v3.2
PDF • ncsc.gov.uk • Technical Requirements Document
Cyber Essentials Portal
External Link • ncsc.gov.uk • Official Scheme Overview
IASME Certification Portal
External Link • iasme.co.uk • Certification & Assessment