verified_user
Standardful
Homechevron_rightStandardschevron_rightCyber Essentials
ActiveInternational Standardupdate Standard Updated: Apr 2025fact_check Fact checked: Jun 28, 2026

Cyber Essentials

UK Government-Backed Cyber Security Certification Scheme

apartmentPublishing Organization:National Cyber Security Centre (NCSC)

Standard Introduction

Cyber Essentials is the UK government-backed cyber security certification scheme developed by the National Cyber Security Centre (NCSC). Launched in June 2014, it provides a clear, practical framework for organizations to protect themselves against the most common cyber threats. The scheme focuses on five technical controls that, when properly implemented, can prevent approximately 80% of cyber attacks.

The scheme offers two levels of certification: Cyber Essentials (a verified self-assessment questionnaire) and Cyber Essentials Plus (a hands-on technical verification performed by an accredited Certification Body). Certification is valid for 12 months and is managed by IASME as the NCSC’s official delivery partner, with over 400 accredited Certification Bodies across the UK. Since October 2014, Cyber Essentials has been mandatory for UK government contracts involving handling personal information or providing ICT products and services.

shield

Five Technical Controls

Addresses approximately 80% of common cyber attacks through five key controls: firewalls, secure configuration, user access control, malware protection, and security update management.

workspace_premium

Two Certification Levels

Offers basic Cyber Essentials (self-assessment questionnaire) and Cyber Essentials Plus (hands-on technical verification by an accredited assessor).

gavel

Government Mandate

Mandatory for UK government contracts that involve handling personal information or providing certain ICT products and services.

list_alt Five Technical Controls

  • Firewalls — boundary protection and configuration
  • Secure configuration — default settings and hardening
  • User access control — least privilege and MFA
  • Malware protection — anti-malware and application whitelisting
  • Security update management — patching within 14 days
  • Cloud services configuration and security
  • Password policy and multi-factor authentication

Who Needs to Comply?

groups

All UK organizations seeking a baseline level of cyber security, and any organization bidding for UK government contracts involving sensitive data or ICT services. Suitable for organizations of all sizes.

Key Requirements

1

Boundary Firewalls and Internet Gateways

Configure firewalls on all devices connected to the internet. Only necessary network services should be accessible, and default passwords on network equipment must be changed.

2

Secure Configuration

Remove or disable unnecessary software, services, and user accounts. Change default passwords and ensure devices are configured to reduce vulnerabilities.

3

User Access Control

Control who has access to data and services. Implement least-privilege principles, require unique user accounts, and enforce multi-factor authentication where available.

4

Malware Protection

Deploy anti-malware software across all endpoints, configure automatic updates, and implement application whitelisting or sandboxing to prevent execution of malicious software.

5

Security Update Management

Apply critical and high-risk security patches within 14 days of release. Remove unsupported software and ensure all devices run supported operating systems.

Implementation Roadmap

1
Phase 1schedule Duration: 1-2 weeks

Prepare scope and asset boundary

Define the organization, networks, cloud services, end-user devices, servers, mobile devices, and user groups in scope. Assign an owner for the self-assessment questionnaire and collect evidence for devices, accounts, internet-facing services, and cloud administration.

2
Phase 2schedule Duration: 1-3 weeks

Gap analysis against the five controls

Review firewalls, secure configuration, user access control, malware protection, and security update management against the current NCSC requirements. Identify unsupported software, weak passwords, missing MFA, exposed services, and patching gaps.

3
Phase 3schedule Duration: 2-6 weeks

Implement technical fixes

Harden devices and cloud services, remove unnecessary accounts and software, enable MFA, restrict admin privileges, deploy malware protection, and bring patching within the required timeframe. Retest high-risk internet-facing assets before submitting the assessment.

4
Phase 4schedule Duration: Annual renewal

Certify and maintain readiness

Submit the verified self-assessment for Cyber Essentials or complete technical verification for Cyber Essentials Plus. Maintain device inventories, patch cadence, access reviews, and configuration checks so renewal is not a last-minute remediation project.

Compliance Checklist

0 / 12

checklist Scope & configuration

checklist Access & malware protection

checklist Patch and renewal operations

Cyber Essentials vs Cyber Essentials Plus vs ISO 27001

The schemes differ mainly in assessment depth and management-system scope.

AspectCyber EssentialsCyber Essentials PlusISO 27001
Assessment methodVerified self-assessmentTechnical testing by an assessorIndependent certification audit
Control scopeFive technical controlsSame five controls with hands-on validationRisk-based ISMS and Annex A controls
Validity12 months12 monthsThree-year cycle with surveillance audits
Best fitBaseline customer or contract assuranceHigher confidence in technical implementationEnterprise-wide security governance

Common Misconceptions

cancel
Myth

Cyber Essentials proves an organization is secure against all attacks.

check_circle
Reality

It proves a baseline set of controls against common attacks, not comprehensive security maturity.

cancel
Myth

The questionnaire is just paperwork.

check_circle
Reality

Answers must reflect the real technical environment, and Cyber Essentials Plus can test whether controls actually work.

cancel
Myth

Cloud security is entirely the provider’s responsibility.

check_circle
Reality

Customers still own user access, MFA, configuration, data handling, and many administrative controls.

Penalties & Enforcement

warning

No direct legal penalties for non-certification. However, organizations without Cyber Essentials certification are ineligible for UK government contracts involving personal data. Loss of certification may also increase cyber insurance premiums and reduce customer trust.

Frequently Asked Questions

What are the five Cyber Essentials controls?

expand_more

The five controls are firewalls, secure configuration, user access control, malware protection, and security update management. They are designed to prevent common internet-based attacks when implemented consistently across the scoped environment.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

expand_more

Cyber Essentials is a verified self-assessment questionnaire. Cyber Essentials Plus uses the same control set but adds hands-on technical testing by an assessor to validate that controls are operating on sampled devices and services.

Is Cyber Essentials mandatory?

expand_more

It is mandatory for some UK government contracts, especially where suppliers handle personal information or provide certain ICT products and services. Many private-sector customers also request it as a baseline assurance requirement.

How long does certification last?

expand_more

Cyber Essentials certification is valid for 12 months. Organizations should maintain evidence and control hygiene throughout the year because renewal requires current answers, not last year’s configuration.

Do cloud services count in scope?

expand_more

Yes. Cloud services that store, process, or administer organizational data are in scope. Organizations must consider cloud user access, MFA, administrative roles, secure configuration, and provider-managed responsibilities.

What patching standard is expected?

expand_more

In-scope software must be supported and security updates rated high or critical must be applied within the required period. Unsupported software should be removed, isolated, or replaced so it does not undermine the scope.

Can a small business use Cyber Essentials?

expand_more

Yes. The scheme is intentionally designed as a practical baseline for organizations of all sizes. Small businesses often benefit because the five controls are concrete, testable, and understandable to customers.

Does Cyber Essentials replace ISO 27001?

expand_more

No. Cyber Essentials is a focused technical baseline, while ISO 27001 is a full information security management system. Cyber Essentials can be a useful first step or supporting evidence for a broader ISMS.

Official Documentation

View All

Implementation Timeline

rocket_launch
Jun 2014
Cyber Essentials scheme launched by UK government
gavel
Oct 2014
Made mandatory for UK government contracts involving sensitive data
update
Jan 2022
Major update: requirements v3.0 with cloud services and MFA requirements
description
Apr 2023
Requirements v3.1 published with enhanced guidance
security
Apr 2025
Requirements v3.2 with updated cloud, MFA, and password management controls

Related Categories