Cyber Essentials Certification: A Practical Walkthrough

Cyber Essentials, Security, Certification

Cyber Essentials is the UK government's baseline cyber security certification, backed by the NCSC. It is required for many government contracts and increasingly expected by private sector clients. As a Cyber Essentials certified organisation ourselves, and having guided several clients through the certification process, we can confirm that it is achievable for any organisation willing to invest a few weeks of focused effort.

The Five Controls

The certification covers five technical controls. Firewalls and internet gateways must be configured to restrict inbound and outbound traffic to only what is necessary. Secure configuration requires that devices and software are configured to reduce vulnerabilities, including removing unnecessary accounts and changing default passwords. Security update management requires that all software is kept up to date with the latest patches, applied within 14 days for critical and high-severity vulnerabilities.

User access control requires that user accounts are managed properly: least-privilege access, individual accounts rather than shared credentials, and multi-factor authentication for all internet-facing services. Malware protection requires that anti-malware measures are in place and active on all devices. For organisations using modern operating systems, this typically means ensuring that built-in security features like Windows Defender are properly configured and up to date.

Cyber Essentials is not complex, but it requires discipline. The controls are basic security hygiene that every organisation should implement regardless of certification.

The self-assessment for basic Cyber Essentials involves completing an online questionnaire that asks about your implementation of each control. The questionnaire is detailed and requires specific answers about your configurations, not just yes or no responses. An assessor reviews your answers and may request clarification. Cyber Essentials Plus adds an external vulnerability scan and an on-site or remote technical audit that verifies your controls are actually implemented as described.

The most common stumbling blocks we see are inconsistent patch management, shared administrator accounts, and overly permissive firewall rules. Patch management is the most time-consuming to fix if you do not already have a process in place. We recommend using a patch management tool that provides visibility across all devices and automated deployment for routine updates. For a small organisation, this might be as simple as enabling automatic updates on all endpoints and verifying compliance weekly.
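As an added example that is not from the original post, here is a small Python check of the 14-day rule for critical and high severity updates, run over a constructed patch-tool export (hostnames, update names and dates are made up) so a weekly compliance review has something concrete to look at:

```python
"""Added example: weekly check of the Cyber Essentials patch window.

Not the post's own code. The inventory below is constructed to look like
a patch management tool export; every host and update name is invented.
"""
from datetime import date

PATCH_WINDOW_DAYS = 14                      # Cyber Essentials: 14 days
IN_SCOPE_SEVERITIES = {"critical", "high"}  # the rule applies to these

# Constructed sample export: one row per (host, pending or applied update).
INVENTORY = [
    {"host": "laptop-01", "update": "KB-A", "severity": "critical",
     "released": "2024-05-01", "installed": "2024-05-10"},   # on time
    {"host": "laptop-02", "update": "KB-A", "severity": "critical",
     "released": "2024-05-01", "installed": None},           # still missing
    {"host": "server-01", "update": "KB-B", "severity": "high",
     "released": "2024-05-03", "installed": None},           # still missing
    {"host": "server-02", "update": "KB-B", "severity": "high",
     "released": "2024-05-03", "installed": "2024-05-19"},   # applied late
    {"host": "server-01", "update": "KB-C", "severity": "low",
     "released": "2024-04-01", "installed": None},           # not in the rule
]


def patch_age_days(entry, today):
    """Days from release to installation, or to today if not yet installed."""
    released = date.fromisoformat(entry["released"])
    end = date.fromisoformat(entry["installed"]) if entry["installed"] else today
    return (end - released).days


def classify(entry, today):
    """ok / late / overdue / out_of_scope for one inventory row."""
    if entry["severity"].lower() not in IN_SCOPE_SEVERITIES:
        return "out_of_scope"
    if patch_age_days(entry, today) <= PATCH_WINDOW_DAYS:
        return "ok"   # installed in time, or still inside the window
    return "late" if entry["installed"] else "overdue"


def compliance_report(inventory, today_iso):
    """Group rows by status; 'compliant' is False while anything is overdue."""
    today = date.fromisoformat(today_iso)
    report = {"ok": [], "late": [], "overdue": [], "out_of_scope": []}
    for e in inventory:
        report[classify(e, today)].append(
            (e["host"], e["update"], patch_age_days(e, today)))
    report["compliant"] = not report["overdue"]
    return report


if __name__ == "__main__":
    for status, rows in compliance_report(INVENTORY, "2024-05-20").items():
        print(status, rows)
```

Rows in "late" are already fixed but show the process slipped, which is exactly what an assessor will ask about; "overdue" rows are the ones that fail the control today.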

  • Plan four to six weeks for preparation if starting from scratch
  • Address patch management first as it is the most common gap
  • Eliminate shared accounts and implement multi-factor authentication
  • Review firewall rules and remove any overly permissive configurations
  • Consider Cyber Essentials Plus for enhanced assurance and competitive advantage
  • Use the annual renewal as a driver for continuous security improvement

The certification is valid for twelve months and must be renewed annually. Use the renewal as an opportunity to review and improve your security posture rather than just resubmitting the same answers. Each renewal should reflect improvements made over the previous year. The investment in Cyber Essentials pays for itself through reduced risk, improved client confidence, and eligibility for government contracts that require certification.
