Cyber Essentials
Achieve the UK government-backed certification that opens the door to public sector contracts and demonstrates baseline security.
Cyber Essentials Certification: UK Government-Backed Baseline Cyber Security for Every Organisation
Cyber Essentials is a UK government-backed cyber security certification scheme designed to help organisations protect themselves against the most common cyber attacks. Developed by the National Cyber Security Centre (NCSC), it defines a set of baseline technical controls that, when properly implemented, defend against the vast majority of commodity cyber threats — the automated, opportunistic attacks that account for the bulk of cyber incidents affecting UK businesses.
Since 2014, Cyber Essentials certification has been a mandatory requirement for UK government contracts that involve handling sensitive or personal information. Increasingly, it is also required by private sector organisations as a minimum vendor security standard. For businesses selling to the UK market, Cyber Essentials is often the first cyber security credential that clients ask for.
Cyber Essentials vs Cyber Essentials Plus
The scheme operates at two levels, and the distinction matters.
Cyber Essentials is a self-assessment certification. The organisation completes a questionnaire covering the five technical control areas, which is reviewed and verified by a licensed Certification Body. The assessment is based on the organisation’s own declarations about its controls. This is the baseline certification that satisfies most government contract requirements.
Cyber Essentials Plus includes an independent technical audit. A qualified assessor conducts hands-on testing of your systems to verify that the declared controls are actually in place and functioning correctly. This includes vulnerability scanning, testing of email and web browsing protections, and verification of access controls. Cyber Essentials Plus provides a significantly higher level of assurance and is increasingly preferred by both government and commercial clients.
The five technical control areas
Cyber Essentials focuses on five specific areas that, together, address the most common attack vectors.
Firewalls and internet gateways: Every device that connects to the internet must be protected by a properly configured firewall. This includes boundary firewalls, software firewalls on individual devices, and cloud security groups. Default firewall rules, unnecessary open ports, and administrative interfaces exposed to the internet are common failure points.
Secure configuration: Systems must be configured to reduce vulnerabilities. This means removing unnecessary software and services, changing default passwords, disabling unnecessary user accounts, and ensuring that only required functionality is enabled. The principle is simple: reduce the attack surface by removing everything that is not needed.
Access control: User accounts must be controlled and managed. This includes using individual accounts (not shared credentials), granting the minimum privileges necessary for each user’s role, controlling administrative access, and implementing strong authentication. Multi-factor authentication for administrative and cloud service accounts is now a requirement.
Malware protection: Systems must be protected against malicious software through anti-malware solutions, application whitelisting, or sandboxing. The approach can vary depending on the platform and operating environment, but the outcome must be effective protection against known malware.
Patch management: Software and firmware must be kept up to date with security patches. High-risk and critical vulnerabilities must be patched within 14 days of a fix being available. Unsupported software — products that no longer receive security updates — must be removed or isolated.
Who needs Cyber Essentials
Any organisation bidding for UK government contracts that involve handling sensitive or personal information — certification is a mandatory procurement requirement.
UK-based businesses of any size that want to demonstrate baseline cyber security to clients, partners, and insurers.
Non-UK businesses selling to the UK market, particularly to government, healthcare, education, and financial services clients.
Organisations seeking to reduce their cyber insurance premiums — many insurers offer discounts for Cyber Essentials certified organisations.
Supply chain participants where the prime contractor requires security certification from subcontractors.
How we help
We prepare organisations for both Cyber Essentials and Cyber Essentials Plus certification. Our process begins with a pre-assessment against the five control areas to identify gaps before you submit for certification. We help you remediate any gaps — whether that involves firewall rule reviews, system hardening, access control improvements, or patch management process changes. For Cyber Essentials, we guide you through the self-assessment questionnaire to ensure accurate and complete responses. For Cyber Essentials Plus, we conduct pre-audit technical testing to identify and resolve issues before the assessor arrives.
What Cyber Essentials gives your business
UK public sector access: Cyber Essentials certification is a mandatory requirement for government contracts involving sensitive or personal information, opening a significant revenue channel.
Fast certification: With proper preparation, Cyber Essentials certification can be achieved in two to four weeks, making it one of the fastest security credentials to obtain.
Insurance benefits: Many UK cyber insurance providers offer premium discounts for Cyber Essentials certified organisations, and some include free cyber insurance with certification.
Supply chain credibility: Increasing numbers of private sector organisations require Cyber Essentials from their suppliers, making certification a competitive advantage in procurement.
Foundation for further certification: Cyber Essentials controls form a subset of ISO 27001 Annex A, meaning certification effort contributes directly to future ISO 27001 implementation.
Should we go for Cyber Essentials or Cyber Essentials Plus?
How long does Cyber Essentials certification take?
We are not a UK company. Can we still get Cyber Essentials?