
What is Cyber Essentials? A Complete Guide

Everything you need to know about the UK government's cybersecurity certification scheme, from basic requirements to business benefits and the certification process.

Key Takeaway

Cyber Essentials is a UK government-backed cybersecurity certification scheme that helps organisations demonstrate their commitment to cybersecurity through five fundamental security controls.

Understanding Cyber Essentials

Cyber Essentials is a UK government-backed cybersecurity certification scheme owned by the National Cyber Security Centre (NCSC) and delivered through IASME (originally "Information Assurance for Small and Medium Enterprises"), the NCSC's Cyber Essentials partner, and its network of licensed certification bodies. Launched in 2014, it sets out the baseline technical controls every organisation should have in place to defend against the most common, commodity cyber attacks.

The scheme is designed to be achievable for organisations of all sizes, from sole traders to large enterprises. It focuses on the opportunistic, largely automated attacks that make up the bulk of real-world incidents; NCSC's position is that the five controls, properly implemented, can prevent around 80% of common cyber attacks.

Why Cyber Essentials Exists

The UK government created Cyber Essentials in response to the growing threat of cyber attacks and the need for a standardised approach to cybersecurity. The scheme addresses several key challenges:

  • Rising cyber threats: With cyber attacks becoming more frequent and sophisticated, businesses needed clear guidance on essential security measures
  • Lack of cybersecurity knowledge: Many organisations, particularly SMEs, lacked the expertise to implement effective cybersecurity measures
  • Supply chain security: Large organisations needed assurance that their suppliers and partners maintained adequate security standards
  • Government procurement: The public sector required a way to verify the cybersecurity credentials of potential contractors

The Five Cyber Essentials Controls

Cyber Essentials focuses on five key areas of cybersecurity. These controls are designed to protect against the most common attack vectors:

1. Boundary Firewalls and Internet Gateways

Secure configuration of the devices that connect your organisation to the internet: firewalls, routers and other gateway devices that control traffic between your internal network and the outside world. Devices used on untrusted networks (laptops on home or public Wi-Fi) also need a host-based firewall.

  • Change default administrator passwords on every boundary device
  • Block unauthenticated inbound connections by default and allow only what is needed
  • Keep the firewall's administration interface off the internet; where there is a documented business need to expose it, protect it with multi-factor authentication or an IP allow-list
  • Document the business justification for each inbound rule and remove rules as soon as they are no longer needed
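The rules above translate into a small review you can run over an exported inbound rule set. The script below is an added example and is not part of the original page or of any certification body's tooling; the rule format, the `InboundRule` and `Ruleset` classes and the sample rules are constructed for illustration. It checks the default inbound policy, flags allow rules with no documented justification, and flags management services exposed to the whole internet without MFA, then shows the same ruleset after remediation.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List

# Services that should never face the whole internet on an SME boundary
# without MFA or a source allow-list (port -> name). Constructed list.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 445: "smb",
                    3389: "rdp", 5900: "vnc", 5985: "winrm", 5986: "winrm-https"}
INTERNET = ip_network("0.0.0.0/0")


@dataclass
class InboundRule:
    name: str
    action: str              # "allow" or "deny"
    dst_port: int
    src: str                 # CIDR the rule accepts traffic from
    justification: str = ""  # documented business need (one per allow rule)
    mfa: bool = False        # the exposed service enforces multi-factor auth


@dataclass
class Ruleset:
    default_inbound: str     # "deny" or "allow"
    rules: List[InboundRule]


def review_rule(r: InboundRule) -> List[str]:
    """Return the problems found with one rule (empty list if it is acceptable)."""
    problems: List[str] = []
    if r.action != "allow":
        return problems  # deny rules need no justification
    if not r.justification.strip():
        problems.append(f"{r.name}: allow rule has no documented business justification")
    service = MANAGEMENT_PORTS.get(r.dst_port)
    if service is None:
        return problems  # ordinary service port, justification is the only check
    if ip_network(r.src, strict=False) == INTERNET and not r.mfa:
        # Any narrower source prefix counts as an IP allow-list, which CE accepts
        problems.append(f"{r.name}: {service}/{r.dst_port} open to the whole internet "
                        "without MFA or a source IP allow-list")
    return problems


def review_ruleset(rs: Ruleset) -> List[str]:
    """Review the default policy first, then every rule in order."""
    problems: List[str] = []
    if rs.default_inbound != "deny":
        problems.append("default inbound policy is not deny: unauthenticated inbound "
                        "connections are accepted unless a rule blocks them")
    for r in rs.rules:
        problems.extend(review_rule(r))
    return problems


# Constructed sample rule sets (not exported from a real firewall)
WEAK = Ruleset(default_inbound="allow", rules=[
    InboundRule("web", "allow", 443, "0.0.0.0/0", justification="public website"),
    InboundRule("rdp-anyone", "allow", 3389, "0.0.0.0/0"),
    InboundRule("ssh-office", "allow", 22, "203.0.113.0/24", justification="admin from office egress IP"),
    InboundRule("winrm-mfa", "allow", 5986, "0.0.0.0/0", justification="remote management via MFA gateway", mfa=True),
    InboundRule("block-smb", "deny", 445, "0.0.0.0/0"),
])

# Same boundary after remediation: deny by default, unjustified RDP exposure removed
HARDENED = Ruleset(default_inbound="deny", rules=[r for r in WEAK.rules if r.name != "rdp-anyone"])

if __name__ == "__main__":
    for label, rs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"[{label}] {len(review_ruleset(rs))} problem(s)")
        for p in review_ruleset(rs):
            print("  -", p)
```

Feed it the rules you actually export from your gateway and keep the justification column in the same export; an assessor asks for exactly that evidence.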

2. Secure Configuration

Ensuring all devices and software are configured securely by default. This involves removing unnecessary functionality and establishing secure baseline configurations.

  • Apply vendor or industry security configuration guides for operating systems
  • Remove or disable unnecessary applications, services and user accounts
  • Change default passwords and configure applications securely before deployment
  • Review and update security configurations regularly

3. User Access Control

Controlling who has access to your systems and data, ensuring users only have the minimum access rights they need to do their job (principle of least privilege).

  • Implement procedures for creating, approving, reviewing and removing user accounts
  • Enforce strong passwords with brute-force protection (throttling or lockout), and use multi-factor authentication wherever the service supports it, including all cloud services
  • Apply the principle of least privilege: keep administrative accounts separate from day-to-day accounts and use them only for administrative tasks
  • Review user access rights regularly and remove access promptly when it is no longer needed

4. Malware Protection

Implementing appropriate malware protection on every in-scope device. Cyber Essentials accepts anti-malware software or application allow-listing (only approved applications may run); email security and web filtering complement these but do not replace them.

  • Install anti-malware software, or enforce application allow-listing, on all in-scope devices
  • Enable on-access (real-time) scanning, automatic signature and engine updates, and blocking of known-malicious websites
  • Configure email security and web filtering as additional layers
  • Scan for malware regularly and investigate anything the scans report

5. Security Update Management

Keeping all software up to date with the latest security patches. This is one of the most effective ways to protect against known vulnerabilities, and it is the control with the hardest deadline: updates that fix vulnerabilities rated critical or high (CVSS v3 base score 7.0 or above) must be installed within 14 days of release, and software the vendor no longer supports must be removed or upgraded.

  • Enable automatic security updates wherever possible
  • Implement patch management procedures that meet the 14-day deadline for critical and high-severity fixes
  • Test updates in a non-production environment first where you can, but not at the expense of the 14-day deadline
  • Maintain an inventory of all software, including support end dates, so unsupported products are caught early
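The 14-day rule is easy to state and easy to miss in practice, so it is worth checking mechanically. The script below is an added example, not code from the original page; the `PendingUpdate` and `InstalledSoftware` records, the field names and the sample inventory are all constructed for illustration, and it assumes you can export pending updates with their release dates and the highest CVSS score each one addresses. It applies the 14-day rule to critical and high-severity updates (both still-pending and installed-late cases) and flags software whose vendor support has ended.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW_DAYS = 14   # Cyber Essentials: critical/high fixes applied within 14 days of release
CVSS_THRESHOLD = 7.0     # CVSS v3 base score from which an update falls under the 14-day rule


@dataclass
class PendingUpdate:
    host: str
    package: str
    fixed_version: str
    cvss: float                       # highest CVSS v3 base score the update addresses
    released: date                    # date the vendor published the fix
    installed: Optional[date] = None  # None means the update has not been applied yet


@dataclass
class InstalledSoftware:
    host: str
    name: str
    version: str
    support_ends: Optional[date]      # None means the vendor still supports it


@dataclass
class Finding:
    host: str
    item: str
    reason: str


def check_update(u: PendingUpdate, today: date) -> Optional[Finding]:
    """Apply the 14-day rule to one update; return a Finding if it is breached."""
    if u.cvss < CVSS_THRESHOLD:
        return None  # lower-severity fixes are still expected, but not under the 14-day clock
    deadline = u.released + timedelta(days=PATCH_WINDOW_DAYS)
    if u.installed is None:
        if today > deadline:
            return Finding(u.host, u.package,
                           f"critical/high fix {u.fixed_version} still pending, "
                           f"{(today - deadline).days} day(s) past the 14-day deadline")
        return None
    if u.installed > deadline:
        return Finding(u.host, u.package,
                       f"critical/high fix {u.fixed_version} installed "
                       f"{(u.installed - deadline).days} day(s) late")
    return None


def check_support(s: InstalledSoftware, today: date) -> Optional[Finding]:
    """Unsupported software can no longer receive fixes, so it must be removed or upgraded."""
    if s.support_ends is not None and s.support_ends < today:
        return Finding(s.host, f"{s.name} {s.version}",
                       f"vendor support ended {s.support_ends.isoformat()}; remove or upgrade")
    return None


def check_inventory(updates: List[PendingUpdate], software: List[InstalledSoftware],
                    today: date) -> List[Finding]:
    """Run both checks over the whole inventory and collect the findings."""
    findings = [f for f in (check_update(u, today) for u in updates) if f]
    findings += [f for f in (check_support(s, today) for s in software) if f]
    return findings


# Constructed sample inventory as of 1 March 2024 (not real scan output)
TODAY = date(2024, 3, 1)
SAMPLE_UPDATES = [
    PendingUpdate("ws-01", "browser", "122.0", cvss=8.8, released=date(2024, 2, 1)),                                   # overdue
    PendingUpdate("ws-02", "browser", "122.0", cvss=8.8, released=date(2024, 2, 1), installed=date(2024, 2, 10)),     # on time
    PendingUpdate("srv-01", "openssl", "3.0.13", cvss=7.5, released=date(2024, 2, 20)),                                # still within window
    PendingUpdate("srv-01", "curl", "8.6.0", cvss=5.3, released=date(2024, 1, 1)),                                     # medium: outside the rule
    PendingUpdate("ws-03", "office-suite", "16.82", cvss=9.8, released=date(2024, 1, 10), installed=date(2024, 2, 5)), # applied late
]
SAMPLE_SOFTWARE = [
    InstalledSoftware("srv-02", "legacy-os", "2008", support_ends=date(2020, 1, 14)),
    InstalledSoftware("ws-01", "browser", "121.0", support_ends=None),
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_UPDATES, SAMPLE_SOFTWARE, TODAY):
        print(f"{f.host}: {f.item}: {f.reason}")
```

Note that the late-installation case is reported as well as the pending one: the assessor's question is whether your process meets the deadline, not only whether everything happens to be patched on the day of the audit.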

Business Benefits of Cyber Essentials

Achieving Cyber Essentials certification provides numerous benefits beyond just improved cybersecurity:

  • Government contract eligibility: Required for many UK government contracts involving personal information and ICT
  • Enhanced reputation: Demonstrates commitment to cybersecurity to customers and partners
  • Insurance benefits: Many insurers offer reduced premiums for certified organisations
  • Supply chain advantages: Increasingly required by large organisations for their suppliers
  • Competitive differentiation: Sets you apart from competitors who lack certification
  • Employee confidence: Staff feel more secure knowing proper protections are in place
  • Regulatory compliance: Helps demonstrate the "appropriate technical and organisational measures" that UK GDPR requires, although certification alone does not make an organisation GDPR compliant

The Certification Process

Getting Cyber Essentials certified is straightforward, and once the five controls are actually in place the assessment itself can typically be completed within a few days:

  1. Choose your certification body: Select an IASME-approved certification body like Net Sec Group
  2. Complete the self-assessment: Fill out an online questionnaire covering the five security controls
  3. Submit for review: Your responses are reviewed by certified assessors
  4. Address any issues: If gaps are identified, you'll receive guidance on remediation
  5. Receive your certificate: Once approved, you'll receive your certificate valid for 12 months

Cyber Essentials vs Cyber Essentials Plus

There are two levels of Cyber Essentials certification:

  • Cyber Essentials: A self-assessment questionnaire, signed off by a board member or equivalent, reviewed by a certified assessor
  • Cyber Essentials Plus: Everything in Cyber Essentials plus independent technical verification by the certification body: an external vulnerability scan of your internet-facing services, an authenticated vulnerability scan of a sample of devices, tests that malware delivered by email and by browser download is blocked, and checks that MFA is enforced on cloud services

Both levels assess the same five controls, but CE Plus provides stronger assurance through hands-on testing rather than declared answers. CE Plus requires a current Cyber Essentials certificate and the audit must take place within three months of that certification. The choice depends on your organisation's needs, budget, and the level of assurance required by your stakeholders and contracts.

Getting Started

If you're considering Cyber Essentials certification, the best approach is to start with a gap analysis to understand where your current security posture stands against the five controls. Many certification bodies offer free consultations to help you understand the requirements and plan your certification journey.

Remember, Cyber Essentials is not just about getting a certificate – it's about implementing fundamental security practices that will genuinely improve your organisation's resilience against cyber threats.

Ready to Get Certified?

Start your Cyber Essentials journey with expert guidance from Net Sec Group. Fast turnaround, proven success, and comprehensive support.
