Insights • February 2026

Cyber Essentials: What It Is, Why It Matters, and How to Get Certified

The UK Government-backed scheme that protects businesses from the most common cyber attacks

What Is Cyber Essentials?

Cyber Essentials is a UK Government-backed cybersecurity certification scheme. It was launched by the UK Government in partnership with industry and is now owned and overseen by the National Cyber Security Centre (NCSC), with IASME as the scheme's delivery partner. It defines a set of fundamental security controls that, when properly implemented, protect organisations against the most common, opportunistic cyber attacks.

The scheme was launched in 2014 and has grown to become a recognised standard for baseline security across the UK — mandatory for certain government contracts and increasingly expected by larger organisations when vetting their supply chains.

The Two Levels of Certification

There are two tiers of Cyber Essentials certification:

Cyber Essentials

A self-assessment questionnaire completed by the organisation and reviewed by an assessor at a licensed Certification Body. It asks you to describe how you have implemented the five key controls (covered below) across every device and service in scope, and the answers must be signed off by a board member or equivalent. It's designed to be achievable by organisations of any size.

Cyber Essentials Plus

Everything included in the base certification, plus an independent technical audit carried out by an assessor who verifies that your controls work as described. This involves a vulnerability scan of your internet-facing IP addresses, an authenticated vulnerability scan of a sample of internal devices, and tests that malware delivered by email attachment and by browser download is blocked. Plus must be completed within three months of passing the base assessment. It's the more rigorous, and more credible, of the two levels.

The Five Technical Controls

Cyber Essentials is built around five core areas. Each one addresses a specific attack vector that is routinely exploited in real-world incidents:

1. Firewalls

A firewall controls what traffic can enter and leave your network. For Cyber Essentials, you need a properly configured boundary firewall (or equivalent, such as the network controls of your cloud provider) that blocks inbound traffic unless it is explicitly required, with each inbound rule documented and removed once it is no longer needed. The default ruleset, deny all inbound and allow outbound, is the right starting point. The scheme also requires that the firewall's default administrative password is changed and that its management interface is not reachable from the internet unless it is protected by multi-factor authentication or restricted to trusted IP addresses. Devices used away from the office, such as laptops on home or public Wi-Fi, must run a host-based (software) firewall.
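The checks above are easy to state and easy to let slip once a ruleset has grown for a few years. The script below is an added example for this article (it is not part of the scheme or of any firewall vendor's tooling) that audits an exported ruleset for the three things an assessor will look for: a deny-by-default inbound policy, a documented business need for every inbound allow rule, and a management interface that is either off the internet, restricted to trusted source ranges, or behind MFA. The rule fields are an assumed, simplified export format that you would map your own firewall's export onto; the admin-port list, the trusted range and the sample ruleset are all constructed.

```python
"""Audit an exported boundary-firewall ruleset against the Cyber Essentials
firewall expectations: deny inbound by default, document every inbound allow,
and keep the firewall's own management interface off the open internet unless
it is protected by MFA or restricted to trusted source addresses.

Added example for this article, not part of the scheme or any vendor tool.
The rule fields are an assumed, simplified export format and the sample
ruleset at the bottom is constructed."""
from ipaddress import ip_network

# Ports that typically front a firewall's or router's own admin interface (assumed).
ADMIN_PORTS = {22, 23, 443, 8443}
# Source ranges from which admin access without MFA is acceptable (constructed).
TRUSTED_ADMIN_SOURCES = [ip_network("203.0.113.0/24")]


def _is_trusted(src_cidr: str) -> bool:
    """True when the rule's source range sits entirely inside a trusted range."""
    net = ip_network(src_cidr)
    return any(net.version == t.version and net.subnet_of(t)
               for t in TRUSTED_ADMIN_SOURCES)


def audit_ruleset(policy: dict, rules: list) -> list:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    if policy.get("inbound_default") != "deny":
        findings.append("default inbound policy is not 'deny'")
    for r in rules:
        if r["direction"] != "inbound" or r["action"] != "allow":
            continue  # outbound and drop rules are not the concern here
        if not r.get("justification", "").strip():
            findings.append(f"{r['name']}: inbound allow with no documented business need")
        # Management interface exposed: the rule targets the firewall itself on
        # an admin port, from a source that is neither trusted nor MFA-protected.
        if (r["dst"] == "firewall" and r["dst_port"] in ADMIN_PORTS
                and not _is_trusted(r["src"]) and not r.get("mfa", False)):
            findings.append(f"{r['name']}: admin interface reachable from "
                            f"{r['src']} without MFA or source restriction")
    return findings


# Constructed sample export.
SAMPLE_POLICY = {"inbound_default": "deny", "outbound_default": "allow"}
SAMPLE_RULES = [
    {"name": "public-web", "direction": "inbound", "action": "allow",
     "src": "0.0.0.0/0", "dst": "dmz", "dst_port": 443,
     "justification": "Company website, change ticket 1042"},
    {"name": "old-rdp", "direction": "inbound", "action": "allow",
     "src": "0.0.0.0/0", "dst": "lan", "dst_port": 3389, "justification": ""},
    {"name": "remote-admin", "direction": "inbound", "action": "allow",
     "src": "0.0.0.0/0", "dst": "firewall", "dst_port": 443,
     "justification": "Out-of-hours admin"},
    {"name": "office-admin", "direction": "inbound", "action": "allow",
     "src": "203.0.113.0/24", "dst": "firewall", "dst_port": 22,
     "justification": "Admin from the office range"},
    {"name": "all-out", "direction": "outbound", "action": "allow",
     "src": "10.0.0.0/8", "dst": "internet", "dst_port": 0, "justification": ""},
]

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_POLICY, SAMPLE_RULES):
        print("FINDING:", finding)
```

Run against the constructed ruleset it reports two findings: the undocumented RDP rule and the remote-admin rule that exposes the firewall's own web interface to the whole internet with no second factor. The office-admin rule passes because its source range is inside the trusted list, and the public web rule passes because serving a website is a documented need; an open inbound rule is not a failure in itself, an undocumented or unneeded one is.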

2. Secure Configuration

Default settings on routers, software, and operating systems are often insecure: they're designed to make initial setup easy, not to minimise attack surface. Secure configuration means disabling unnecessary services and accounts, changing default credentials, removing software that isn't needed, turning off auto-run, and ensuring settings reflect security best practice. It also covers how devices are unlocked: every in-scope device must require a PIN, password or biometric, with brute-force protection such as throttling or locking after repeated failed attempts.

3. User Access Control

Limiting what each user can do to what they need to do. In practice, this means most staff should be using standard user accounts, not administrator accounts. Administrative access should be through separate accounts that are never used for email or web browsing, restricted to specific tasks, and reviewed regularly. The scheme also expects a process for creating and removing accounts, multi-factor authentication wherever the service supports it (it is mandatory for cloud services), and protection against password guessing. The principle of least privilege is the guiding framework here.
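Two of the most common user-access-control failures at assessment are an IT person whose only account is an administrator account (so that account is also the one opening email and browsing the web) and cloud accounts without a second factor. The following is an added example for this article, not part of the scheme or of any identity provider's tooling, that finds both in an account export. The CSV columns are assumed and the export itself is constructed; a real Microsoft 365 or Active Directory export would need its fields mapped onto these.

```python
"""Audit an account export for two user-access-control failures that Cyber
Essentials assessors look for: people whose only account is an administrator
account, and cloud accounts without multi-factor authentication.

Added example for this article; not part of the scheme or of any identity
provider's tooling. The CSV columns are assumed and the export is constructed."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed export. "kind" is standard or admin; "service" is where the
# account lives; "mfa" records whether a second factor is enforced.
ACCOUNTS_CSV = """person,account,kind,service,mfa
alice,alice@example.org,standard,m365,yes
alice,adm-alice@example.org,admin,m365,yes
bob,bob@example.org,admin,m365,no
carol,carol@example.org,standard,m365,no
dave,dave-local,admin,local,no
dave,dave@example.org,standard,m365,yes
"""

CLOUD_SERVICES = {"m365"}  # services where the scheme makes MFA mandatory (assumed label)


def audit_accounts(csv_text: str) -> list:
    """Return findings as strings; an empty list means no issues."""
    findings = []
    by_person = defaultdict(list)
    for row in csv.DictReader(StringIO(csv_text)):
        by_person[row["person"]].append(row)

    for person, accounts in sorted(by_person.items()):
        kinds = {a["kind"] for a in accounts}
        # Admin rights with no separate standard account means the privileged
        # account is the one used for email and browsing.
        if "admin" in kinds and "standard" not in kinds:
            findings.append(f"{person}: only has an administrator account; "
                            "create a standard account for day-to-day work")
        for a in accounts:
            if a["service"] in CLOUD_SERVICES and a["mfa"].lower() != "yes":
                findings.append(f"{a['account']}: cloud account without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS_CSV):
        print("FINDING:", finding)
```

On the constructed export this flags bob twice (admin-only, and no MFA on a cloud account) and carol once (no MFA). Dave's local admin account is not flagged by the MFA rule because the mandatory-MFA requirement applies to cloud services; local accounts still need the brute-force protection described under secure configuration, and that check would be a natural extension.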

4. Malware Protection

Protection against malicious software: viruses, ransomware, trojans, and so on. Cyber Essentials requires either anti-malware software that is kept up to date, scans files on access and blocks connections to known-malicious websites, or application allowlisting (a more advanced control where only explicitly approved software is permitted to run). Managed endpoint protection platforms such as ThreatDown (powered by Malwarebytes) or Microsoft Defender Antivirus can meet this requirement when they are deployed on every in-scope device and kept updated.

5. Patch Management

Software vulnerabilities are discovered and disclosed regularly, and vendors release patches to fix them. Cyber Essentials requires that operating systems, firmware and applications are licensed, supported and kept up to date, with automatic updates enabled where possible. Any patch for a vulnerability rated critical or high (a CVSS v3 base score of 7.0 or above, one the vendor describes as critical or high, or one with no severity information at all) must be applied within 14 days of the vendor releasing it. Software that is no longer supported cannot be patched, so it must be removed from in-scope devices, or those devices must be moved out of the certification scope and segregated from the rest of the network.
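The 14-day clock and the 7.0 threshold are simple, but the inventory that proves you met them usually is not. The script below is an added example for this article, not a tool from the scheme, that applies the rule to a patch inventory: it treats a record as in scope when the CVSS score is 7.0 or higher, when the vendor calls it critical or high, or when no severity information exists, then reports anything still unpatched after the deadline, anything patched late, and anything that is unsupported and therefore cannot be patched at all. The record layout and the sample inventory are constructed.

```python
"""Check a patch inventory against the Cyber Essentials 14-day rule.

Added example for this article, not a tool from the scheme. The 14-day window
and the CVSS 7.0 threshold are the scheme's published criteria; the record
layout and the sample inventory below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0   # CVSS v3 base score at or above this counts as high/critical


@dataclass
class PatchRecord:
    host: str
    software: str
    advisory: str
    cvss: Optional[float]           # None when the vendor publishes no score
    vendor_severity: Optional[str]  # vendor's own word, e.g. "critical", if any
    fix_released: date              # the clock starts when the fix is released
    applied: Optional[date]         # None while still unpatched
    supported: bool = True          # False once the vendor no longer issues fixes


def must_patch_within_window(rec: PatchRecord) -> bool:
    """The 14-day rule applies when the score is 7.0+, the vendor calls it
    critical/high, or no severity information is available at all."""
    if rec.cvss is not None:
        return rec.cvss >= CVSS_THRESHOLD
    if rec.vendor_severity:
        return rec.vendor_severity.lower() in {"critical", "high"}
    return True


def assess(records, today: date) -> list:
    """Return (host, software, issue) tuples for anything that breaches the rule."""
    findings = []
    for r in records:
        if not r.supported:
            findings.append((r.host, r.software,
                             "unsupported: remove it or take the device out of scope"))
            continue
        if not must_patch_within_window(r):
            continue
        deadline = r.fix_released + PATCH_WINDOW
        if r.applied is None:
            if today > deadline:
                findings.append((r.host, r.software,
                                 f"{r.advisory} overdue by {(today - deadline).days} days"))
        elif r.applied > deadline:
            findings.append((r.host, r.software,
                             f"{r.advisory} applied {(r.applied - deadline).days} days late"))
    return findings


# Constructed inventory.
SAMPLE = [
    PatchRecord("ws01", "Browser", "ADV-1", 8.8, "high", date(2026, 1, 5), date(2026, 1, 12)),
    PatchRecord("ws02", "Browser", "ADV-1", 8.8, "high", date(2026, 1, 5), None),
    PatchRecord("ws03", "PDF reader", "ADV-2", 5.3, "medium", date(2026, 1, 10), None),
    PatchRecord("fs01", "File server OS", "ADV-3", None, None, date(2026, 1, 1), date(2026, 1, 22)),
    PatchRecord("legacy01", "Old OS", "n/a", None, None, date(2020, 1, 1), None, supported=False),
]


def run_sample() -> list:
    """Assess the constructed inventory as of a fixed date so the result is repeatable."""
    return assess(SAMPLE, date(2026, 2, 1))


if __name__ == "__main__":
    for host, software, issue in run_sample():
        print(f"{host:10} {software:15} {issue}")
```

As of the fixed date the constructed inventory produces three findings: ws02 is 13 days past its deadline, fs01 was patched 7 days late (no score and no vendor severity, so the rule applies), and legacy01 runs unsupported software. ws01 was patched inside the window and ws03's medium-severity issue is outside the 14-day rule, though it still needs patching in the ordinary course of updates.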

Who Needs It?

Cyber Essentials is not legally mandatory for most organisations, but it is effectively required in a growing number of situations:

Government contracts: Since October 2014, any organisation bidding for central government contracts that involve handling personal information or providing certain technical products or services must hold Cyber Essentials certification.

Cyber insurance: Many insurers now ask for Cyber Essentials as a condition of cover, or factor it into your premium. Some won't insure you without it.

Supply chain requirements: Large enterprises — particularly in defence, finance, and healthcare — are increasingly requiring their suppliers to be certified before onboarding.

Tender processes: Even where it's not mandatory, holding the certification frequently gives you a credibility advantage when competing for contracts.

Beyond the external requirements, the certification process itself is valuable. Working through the five controls forces a structured review of your security posture that many organisations have never done.

What Cyber Essentials Does Not Cover

It's important to be clear about the scope. Cyber Essentials addresses the most common, opportunistic attacks — it is not a comprehensive security framework. It does not cover:

Targeted or sophisticated attacks (advanced persistent threats).

Physical security.

Staff security awareness and phishing susceptibility.

Incident response planning.

Business continuity or disaster recovery.

Backups (the NCSC recommends them alongside the scheme, but they are not assessed).

If your risk profile demands coverage in these areas, and for most businesses it should, Cyber Essentials is the foundation, not the ceiling. Additional measures such as security awareness training, tested backups, penetration testing, and a documented incident response plan should sit on top of it.

The Certification Process: What to Expect

Readiness assessment: Review your current position against the five controls. Identify gaps.

Remediation: Address the gaps — whether that's applying patches, reconfiguring your firewall, or deploying endpoint protection.

Self-assessment: Complete the questionnaire through a Certification Body licensed by IASME, the NCSC's delivery partner for the scheme.

Review and certification: The Certification Body reviews your answers and issues the certificate if the controls are in place.

Annual renewal: Cyber Essentials must be renewed every 12 months, as the threat landscape and scope requirements evolve.

For Cyber Essentials Plus, add a technical verification stage: typically a half-day assessment involving external and internal vulnerability scanning and malware-protection tests, which must be completed within three months of the base certificate being issued.

The Cost of Not Being Certified

The direct cost of obtaining Cyber Essentials is relatively low — particularly at the base level. The indirect cost of not holding it is harder to quantify but very real.

A data breach caused by a weakness in one of the five control areas addressed by Cyber Essentials carries the potential for ICO investigation, regulatory fines under the UK GDPR, reputational damage, and the operational cost of recovery. The 2023 Cyber Security Breaches Survey found that 32% of businesses and 24% of charities reported a cyber breach or attack in the preceding 12 months, with phishing being the most common vector.

Most of those incidents begin with phishing, which Cyber Essentials does not address directly. What the controls do is limit what a successful phish can achieve: malware protection blocks the payload, least privilege limits the reach of the compromised account, and patching closes the vulnerabilities the payload depends on. For the majority of these incidents, the controls would have provided meaningful protection.


Want a quick security health check?

Book a free 30‑minute consultation and we’ll highlight the biggest risks and quick wins — including Microsoft 365 security, backups, device protection and network hardening.

Request my free consultation