Cyber Essentials: UK Government Cybersecurity Certification
Cyber Essentials is the UK government's baseline cybersecurity certification scheme, designed to help organizations protect against the most common cyber threats. It focuses on five fundamental technical controls that, when properly implemented, can prevent the majority of commodity cyberattacks.
What Cyber Essentials Covers
The scheme focuses on five technical control themes:
Firewalls — Ensuring boundary firewalls and internet gateways are configured to protect internal networks from unauthorized access.
Secure Configuration — Removing or disabling unnecessary functionality, changing default passwords, and configuring systems to minimize vulnerabilities.
Security Update Management — Keeping software and devices patched and up to date, applying critical patches within 14 days of release.
User Access Control — Managing user accounts, controlling access privileges, and implementing authentication requirements.
Malware Protection — Deploying anti-malware solutions, application whitelisting, or sandboxing to protect against malicious software.
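The 14-day patching window under Security Update Management is the one control above with a hard, measurable number, so it is worth showing how an assessor would check it. The following is an added example, not part of the scheme's own material: it evaluates a constructed patch inventory (hostnames, packages and dates are made up) against the 14-day deadline and reports updates that were applied late or are still missing past their due date; the inclusion of "high" alongside "critical" follows the NCSC requirements document rather than the summary above.

```python
"""Check a patch inventory against the Cyber Essentials 14-day update window."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14
# Cyber Essentials scopes the 14-day rule to critical and high-risk updates.
SEVERITIES_IN_SCOPE = {"critical", "high"}


@dataclass
class Update:
    host: str
    package: str
    severity: str              # "critical", "high", "medium" or "low"
    released: date             # vendor release date of the fix
    installed: Optional[date]  # None means the update is still missing


def deadline(update: Update) -> date:
    """Latest compliant install date: release date plus the 14-day window."""
    return update.released + timedelta(days=PATCH_WINDOW_DAYS)


def assess(updates, today: date):
    """Return (host, package, status, days_over_deadline) for each in-scope
    update that breaches the window. Out-of-scope severities are ignored, and
    a missing update only counts once its deadline has actually passed."""
    findings = []
    for u in updates:
        if u.severity not in SEVERITIES_IN_SCOPE:
            continue
        due = deadline(u)
        if u.installed is None and today > due:
            findings.append((u.host, u.package, "missing", (today - due).days))
        elif u.installed is not None and u.installed > due:
            findings.append((u.host, u.package, "late", (u.installed - due).days))
    return findings


def compliant(updates, today: date) -> bool:
    return not assess(updates, today)


# Constructed sample inventory (hostnames, packages and dates are made up).
SAMPLE_UPDATES = [
    Update("web-01", "openssl", "critical", date(2024, 5, 10), date(2024, 5, 20)),  # on time
    Update("web-01", "kernel", "critical", date(2024, 5, 1), date(2024, 5, 20)),    # 5 days late
    Update("db-01", "postgresql", "high", date(2024, 5, 10), None),                 # overdue, missing
    Update("db-01", "fonts-noto", "low", date(2024, 3, 1), None),                   # out of scope
    Update("ws-07", "browser", "critical", date(2024, 5, 25), None),                # not yet due
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_UPDATES, date(2024, 6, 1)):
        print("%s/%s: %s, %d day(s) past deadline" % finding)
```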
Two Certification Levels
Cyber Essentials — A self-assessment questionnaire verified by a licensed Certification Body. Organizations answer questions about their implementation of the five controls and submit evidence. This is the faster, more affordable option suitable for demonstrating basic cyber hygiene.
Cyber Essentials Plus — Includes everything in Cyber Essentials plus hands-on technical verification. A qualified assessor performs vulnerability scans, tests email and web browser defenses, and verifies controls through practical testing. This provides higher assurance.
Who Needs Cyber Essentials
Cyber Essentials is mandatory for UK government contracts involving the handling of certain sensitive and personal information. Beyond government, it provides an affordable baseline certification for organizations of any size.
The scheme is particularly popular among SMBs that need to demonstrate cybersecurity credentials to customers and partners but find ISO 27001 too costly or complex as a first step. Over 130,000 certificates have been issued since the scheme launched.
Getting Certified
- Self-assess — Evaluate your current posture against the five control themes
- Remediate gaps — Address any missing controls (typically patching, configuration, and access management)
- Choose a Certification Body — Select an NCSC-licensed assessor
- Complete the assessment — Submit the self-assessment questionnaire (or schedule the Plus assessment)
- Receive certification — Valid for 12 months from the date of issue
Most organizations can achieve Cyber Essentials certification within one to four weeks of focused effort. Cyber Essentials Plus typically requires an additional two to four weeks for scheduling and completing the technical assessment.