Cyber Essentials
UK Government-Backed Cyber Security Certification Scheme
Standard Introduction
Cyber Essentials is the UK government-backed cyber security certification scheme owned by the National Cyber Security Centre (NCSC). Launched in June 2014, it gives organisations a short, practical set of baseline controls against the most common, largely untargeted attacks (commodity malware, phishing, exploitation of unpatched internet-facing services). The scheme is built on five technical controls which, according to NCSC, would have prevented roughly 80% of the commodity attacks seen when the scheme was designed; it is a baseline, not a defence against targeted or well-resourced adversaries.
The scheme offers two levels of certification: Cyber Essentials (a self-assessment questionnaire, verified by an assessor) and Cyber Essentials Plus (the same requirements, but verified by hands-on technical testing, including external vulnerability scanning and authenticated device checks, performed by a licensed Certification Body). Certification is valid for 12 months and must be renewed annually. IASME is the NCSC's delivery partner for the scheme and licenses a network of Certification Bodies across the UK. Since October 2014, central government departments have required Cyber Essentials certification from suppliers bidding for contracts that involve handling sensitive or personal information or providing certain ICT products and services.
Five Technical Controls
Addresses approximately 80% of common cyber attacks through five key controls: firewalls, secure configuration, user access control, malware protection, and security update management.
Two Certification Levels
Offers basic Cyber Essentials (self-assessment questionnaire) and Cyber Essentials Plus (hands-on technical verification by an accredited assessor).
Government Mandate
Mandatory for UK government contracts that involve handling personal information or providing certain ICT products and services.
Five Technical Controls
- Firewalls: boundary protection, software firewalls on devices used outside the office, and no internet-exposed administrative interfaces unless explicitly justified and protected
- Secure configuration: removal of unused services and accounts, changed default passwords, device locking and disabled auto-run
- User access control: unique accounts, least privilege, separate administrative accounts, password rules and multi-factor authentication
- Malware protection: anti-malware software kept current, or application allow listing
- Security update management: supported software only, automatic updates where available, and critical or high-risk patches applied within 14 days
Cloud services (IaaS, PaaS and SaaS) used by the organisation are in scope and must meet these same five controls; cloud configuration and password policy with MFA are requirements within the controls above, not additional controls.
Who Needs to Comply?
All UK organizations seeking a baseline level of cyber security, and any organization bidding for UK government contracts involving sensitive data or ICT services. Suitable for organizations of all sizes.
Key Requirements
Boundary Firewalls and Internet Gateways
Every device in scope must sit behind a boundary firewall (or equivalent network device), and devices that are used on untrusted networks, such as laptops used for home working, must run a host-based software firewall. Only network services with a documented business need may be exposed inbound, default administrative passwords on firewalls and routers must be changed, and administrative interfaces must not be reachable from the internet unless there is a documented justification and they are protected by MFA or IP allow listing.
Secure Configuration
Remove or disable software, services and user accounts that are not needed, change or remove default passwords, and disable auto-run and auto-play. Devices must lock after a period of inactivity, and the unlock credential (PIN, password or biometric) must be protected against brute force, for example by throttling or limited attempts.
User Access Control
Control who has access to data and services. Every user must have a unique account, accounts are provisioned and removed through a defined process, and administrative privileges are restricted to separate administrative accounts that are not used for email or web browsing. Passwords must meet the scheme's minimum length and quality rules, and multi-factor authentication must be enabled for all cloud services and for administrative accounts wherever the service supports it.
Malware Protection
Every in-scope device must be protected by at least one of the two permitted mechanisms: anti-malware software that is kept up to date, scans files on access, and blocks access to known-malicious websites, or application allow listing that only permits approved code (for example, an app-store model on mobile devices) to run. Earlier versions of the requirements also accepted sandboxing; the current requirements do not.
Security Update Management
All software in scope must be licensed, supported by its vendor and removed when support ends. Automatic updates must be enabled where the software offers them. Updates that fix vulnerabilities the vendor rates "critical" or "high", or that carry a CVSS v3 base score of 7.0 or above, must be installed within 14 days of release; the scheme treats this as a hard deadline, so patch tracking needs release dates, not just installation dates.
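The 14-day rule above is the one requirement on this page that a practitioner will actually have to measure against an inventory, and it is easy to get wrong by counting from the day an update was noticed rather than the day it was released. The following added example (written for this page; it is not NCSC or IASME code, and the `PendingUpdate` record, the constructed inventory and the field names are this page's own assumptions) classifies a list of available updates against the scheme's threshold (vendor severity "critical" or "high", or CVSS v3 >= 7.0) and its 14-day window, and reports which in-scope updates are already overdue.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cyber Essentials thresholds: critical/high-risk updates must be applied
# within 14 days of release; "high risk" includes CVSS v3 base score >= 7.0.
PATCH_WINDOW = timedelta(days=14)
CVSS_HIGH_THRESHOLD = 7.0
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass
class PendingUpdate:
    """One available (or already applied) update for one host.

    Hypothetical record shape assumed for this example; a real inventory
    would come from a vulnerability scanner or patch-management export.
    """
    host: str
    package: str
    released: date                    # vendor release date, not discovery date
    cvss_v3: Optional[float] = None   # None if the vendor publishes no score
    vendor_severity: Optional[str] = None
    installed: Optional[date] = None  # None if not yet applied


def in_scope(update: PendingUpdate) -> bool:
    """Does the 14-day clock apply to this update?

    Either the vendor's own rating or the CVSS v3 score is enough; when the
    vendor publishes no rating, the CVSS score decides on its own.
    """
    if update.cvss_v3 is not None and update.cvss_v3 >= CVSS_HIGH_THRESHOLD:
        return True
    if update.vendor_severity and update.vendor_severity.lower() in IN_SCOPE_SEVERITIES:
        return True
    return False


def deadline(update: PendingUpdate) -> date:
    """Last day on which the update can be installed and still comply."""
    return update.released + PATCH_WINDOW


def status(update: PendingUpdate, today: date) -> str:
    """Classify an update as out-of-scope, compliant, late, pending or overdue."""
    if not in_scope(update):
        return "out-of-scope"
    due = deadline(update)
    if update.installed is not None:
        return "compliant" if update.installed <= due else "late"
    return "overdue" if today > due else "pending"


def report(updates: List[PendingUpdate], today: date) -> Dict[str, List[str]]:
    """Group 'host:package' identifiers by compliance status."""
    out: Dict[str, List[str]] = {}
    for u in updates:
        out.setdefault(status(u, today), []).append(f"{u.host}:{u.package}")
    return out


# Constructed sample inventory, assessed as of 1 June 2025.
AS_OF = date(2025, 6, 1)
SAMPLE = [
    # CVSS 9.8, released 10 May, still not applied: deadline 24 May passed.
    PendingUpdate("fs01", "openssh", date(2025, 5, 10), cvss_v3=9.8),
    # CVSS 7.5, released 25 May: deadline 8 June, still within the window.
    PendingUpdate("web01", "nginx", date(2025, 5, 25), cvss_v3=7.5),
    # Medium severity, CVSS 5.3: no 14-day obligation (should still be patched).
    PendingUpdate("web01", "curl", date(2025, 5, 1), cvss_v3=5.3, vendor_severity="medium"),
    # Vendor-rated critical with no CVSS score, installed 9 days after release.
    PendingUpdate("dc01", "windows-cu", date(2025, 4, 1), vendor_severity="Critical",
                  installed=date(2025, 4, 10)),
    # Vendor-rated high, installed 19 days after release: non-compliant.
    PendingUpdate("lt-042", "browser", date(2025, 4, 1), vendor_severity="high",
                  installed=date(2025, 4, 20)),
]


def sample_report() -> Dict[str, List[str]]:
    return report(SAMPLE, AS_OF)


if __name__ == "__main__":
    for state, items in sorted(sample_report().items()):
        print(f"{state:13s} {', '.join(items)}")
```

Note that the classification keys off the vendor's release date: an update that was released 20 days ago and discovered yesterday is already overdue, which is exactly the situation a Cyber Essentials Plus assessor's authenticated scan is designed to surface.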
Penalties & Enforcement
Cyber Essentials is a voluntary scheme with no statutory penalty for not holding a certificate. The practical consequences are contractual: organisations without a current certificate cannot bid for the central government contracts that require it, many larger customers and supply-chain questionnaires now ask for it, and some cyber insurers price or condition cover on it. Because certification expires after 12 months, letting it lapse has the same effect as never having held it.
Official Documentation
Cyber Essentials Requirements v3.2
PDF • ncsc.gov.uk • Technical Requirements Document
Cyber Essentials Portal
External Link • ncsc.gov.uk • Official Scheme Overview
IASME Certification Portal
External Link • iasme.co.uk • Certification & Assessment