Cyber Essentials is a UK Government-backed certification scheme. It's designed to help organisations protect themselves against the most common internet-based attacks. It's not a deep security audit – it's a baseline. And for most small and medium-sized businesses, it's the right place to start.
But there's a lot of confusion about what it actually involves. So here's a plain-English walkthrough.
The five controls
Cyber Essentials covers five technical controls. That's it. Five things the scheme considers fundamental to basic security hygiene.
Firewalls. You need a firewall between your devices and the internet. For most businesses this means the router or boundary firewall is configured properly: its default administrative password changed, remote administration from the internet disabled unless it is genuinely needed, and no inbound services exposed without a documented business need. Devices that connect from untrusted networks, such as staff working from home or on public Wi-Fi, need a software firewall enabled as well.
Secure configuration. Devices and software should be configured to reduce vulnerability. That means removing unnecessary accounts and software, changing default passwords, and disabling features you don't use, such as auto-run. It's about reducing the attack surface – fewer doors means fewer things to lock.
User access control. People should only have access to what they need for their job. Admin accounts should be used only for admin tasks, not for email or web browsing, and the scheme now also requires multi-factor authentication on cloud service accounts where the service supports it. This is the control that trips up most small businesses, because it's tempting to give everyone admin access for convenience.
Malware protection. You need measures to prevent malware from running on your devices. This could be antivirus software, application whitelisting, or sandboxing – the scheme allows different approaches depending on your setup.
Patch management. Software must be licensed, supported, and kept up to date. Updates that fix vulnerabilities rated critical or high (CVSS v3 score of 7.0 or above, or where the vendor gives no severity at all) must be applied within 14 days of release, and automatic updates should be turned on wherever the product supports them. Unsupported software – anything that's no longer receiving security updates – needs to be removed or isolated from the internet.
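To make the five controls concrete, here is a small readiness check that evaluates a device and account inventory against the measurable parts of each control: host firewalls and inbound ports with no documented business need, unchanged default passwords, admin accounts also used for everyday work, cloud accounts without multi-factor authentication (a requirement of the current version of the scheme), unsupported software, and critical or high patches older than 14 days. This is an added example, not part of the original page and not the scheme's own tooling; the inventory layout, its field names and the sample data are assumptions for illustration.

```python
"""Readiness check of a device and account inventory against the measurable parts
of the five Cyber Essentials controls.

Added example for illustration: not part of the original page and not the scheme's
own tooling.  The inventory layout, its field names and the sample data are assumed.
"""
from datetime import date, timedelta

# The scheme's patching deadline for fixes rated critical or high.
PATCH_WINDOW = timedelta(days=14)

# Constructed sample inventory (assumed format).  'inbound_ports' maps a port
# number to the documented business need for exposing it; an empty string means
# nobody has written one down.  'daily_use' marks an account that is also used
# for email and web browsing.
INVENTORY = {
    "hosts": [
        {
            "name": "laptop-01",
            "host_firewall": True,
            "default_password_changed": True,
            "inbound_ports": {},
            "software": [
                {"name": "Browser", "supported": True,
                 "pending_patches": [
                     {"id": "2024-03", "severity": "high", "released": "2024-03-01"}]},
                {"name": "LegacyCRM", "supported": False, "pending_patches": []},
            ],
        },
        {
            "name": "office-router",
            "host_firewall": True,
            "default_password_changed": False,
            "inbound_ports": {443: "customer portal", 3389: ""},
            "software": [],
        },
    ],
    "accounts": [
        {"user": "alice", "admin": True, "daily_use": True, "cloud": True, "mfa": False},
        {"user": "alice-admin", "admin": True, "daily_use": False, "cloud": False, "mfa": False},
        {"user": "bob", "admin": False, "daily_use": True, "cloud": True, "mfa": True},
    ],
}


def check_inventory(inventory, today_iso):
    """Return a list of (control, subject, finding) tuples; an empty list means no gaps found."""
    today = date.fromisoformat(today_iso)
    findings = []

    for host in inventory["hosts"]:
        name = host["name"]
        if not host["host_firewall"]:
            findings.append(("firewalls", name, "host firewall disabled"))
        for port, need in host["inbound_ports"].items():
            if not need:
                findings.append(("firewalls", name,
                                 f"inbound port {port} open without documented business need"))
        if not host["default_password_changed"]:
            findings.append(("secure configuration", name,
                             "default administrative password still in use"))
        for sw in host["software"]:
            if not sw["supported"]:
                findings.append(("patch management", name,
                                 f"{sw['name']} is unsupported: remove it or isolate it"))
            for patch in sw["pending_patches"]:
                released = date.fromisoformat(patch["released"])
                # Only critical/high fixes carry the 14-day deadline.
                if patch["severity"] in ("critical", "high") and today - released > PATCH_WINDOW:
                    late = (today - released - PATCH_WINDOW).days
                    findings.append(("patch management", name,
                                     f"{sw['name']} patch {patch['id']} overdue by {late} days"))

    for acct in inventory["accounts"]:
        user = acct["user"]
        if acct["admin"] and acct["daily_use"]:
            findings.append(("user access control", user,
                             "admin account also used for everyday work"))
        if acct["cloud"] and not acct["mfa"]:
            findings.append(("user access control", user, "cloud account without MFA"))

    return findings


def summarise(findings):
    """Count findings per control, so you can see which of the five needs the most work."""
    counts = {}
    for control, _, _ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_inventory(INVENTORY, "2024-03-20")
    for control, subject, text in results:
        print(f"[{control}] {subject}: {text}")
    print(summarise(results))
```

Run it as-is and the constructed inventory produces six findings: an undocumented RDP port and an unchanged default password on the router, one overdue high-severity patch and one unsupported product on the laptop, and a shared admin account that is both used for daily work and lacks MFA on its cloud login. Feed it your own inventory export instead of the sample and the output is a reasonable first draft of what the questionnaire will ask you to fix.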
What the assessment looks like
For basic Cyber Essentials (not Plus), the assessment is a self-assessment questionnaire. You fill in a form describing how you meet each of the five controls, a board member or equivalent signs a declaration that the answers are accurate, and an assessor at an accredited certification body reviews them. It's not a technical test – nobody scans your network or logs into your systems, so the certificate is only as good as the honesty and accuracy of the answers.
Cyber Essentials Plus adds a hands-on technical verification, carried out within three months of passing the basic assessment. An assessor tests your systems to confirm that what you said in the questionnaire is actually true. This includes an external vulnerability scan of your internet-facing services, authenticated scans of a sample of your devices to check patch levels, and tests of whether your malware protection actually blocks test files delivered by browser download and email.
What it proves (and what it doesn't)
Cyber Essentials proves that you've thought about the basics and have them in place. It's a useful credential for winning contracts – particularly public sector work, where it's often a requirement. UK-domiciled organisations with an annual turnover under £20 million also get cyber liability insurance covering claims up to £25,000 included with certification, which is a nice bonus.
What it doesn't prove is that you're secure against sophisticated attacks. It doesn't cover things like phishing awareness, incident response planning, supply chain risk, or data backup. It's a floor, not a ceiling.
For most businesses, getting Cyber Essentials is a sensible first step. But it shouldn't be the last one.