Overview

Cyber Essentials is a government-backed certification that demonstrates your organisation has implemented basic cyber security controls. There are two levels:

Cyber Essentials: Self-assessment questionnaire verified by external body
Cyber Essentials Plus: Includes hands-on technical verification by qualified assessor

When required

Bidding for UK government contracts involving handling of sensitive or personal information
Contracts involving provision of certain ICT products or services
Many private sector contracts now specify Cyber Essentials as a requirement

Five technical controls

Cyber Essentials five technical controls

The five core technical controls that Cyber Essentials certification addresses, with key requirements for each.

Cyber Essentials certification addresses five core technical controls that protect against approximately 80% of common cyber threats:

Firewalls and Internet Gateways: Establish boundaries between your organisation and the internet. Properly configured firewalls on all internet connections with default deny policy for incoming connections.
Secure Configuration: Remove unnecessary accounts and software, disable insecure defaults, lock unattended devices. Change default passwords, implement automatic screen locking (maximum 10 minutes).
Access Control: Manage user accounts, enforce unique credentials, use multi-factor authentication (MFA) for cloud services. MFA mandatory for administrator accounts, remote access, and cloud services handling sensitive data.
Malware Protection: Protect devices from malware using anti-malware software. Automatic updates enabled, regular scans configured, email scanning for attachments and links.
Security Update Management: Apply security updates within 14 days of release for critical patches. Automatic updates enabled where possible, documented approach for legacy systems.

Control 1: Firewalls and Internet Gateways: Default deny policy, only necessary services exposed, regular review of firewall rules
Control 2: Secure Configuration: Disable unnecessary accounts/software/services, change default passwords, auto-lock after 10 minutes maximum
Control 3: Access Control: Unique user accounts, strong passwords, MFA for admin/remote/cloud, least privilege principle
Control 4: Malware Protection: Anti-malware on all devices, automatic updates, regular scans, email scanning
Control 5: Security Update Management: Apply critical patches within 14 days, automatic updates enabled, documented approach for unsupported software
MFA mandatory for: Administrator accounts, remote access, cloud services handling sensitive data
Screen lock maximum timeout: 10 minutes
Security update timeline: Within 14 days for high-risk vulnerabilities

Review five technical controls

Review the five technical controls and assess your current compliance
Choose certification level

Choose between Cyber Essentials (self-assessment) or Cyber Essentials Plus (verified)
Select certification body

Select an NCSC-approved certification body
Complete assessment

Complete the self-assessment questionnaire or arrange technical assessment
Pay certification fee

Pay certification fee (typically £300-£500 for basic, £1,500+ for Plus)
Maintain certification annually

Maintain certification annually (valid for 12 months)

Get Cyber Essentials certified

Legal basis

UNDER CONSTRUCTION

Content Graph

Guvnor

Cyber Essentials Certification

Overview

When required

Five technical controls

Review five technical controls

Choose certification level

Select certification body

Complete assessment

Pay certification fee

Maintain certification annually

Compliance Assistant

🚧 UNDER CONSTRUCTION

◉ Content Graph

Overview

When required

Five technical controls

Review five technical controls

Choose certification level

Select certification body

Complete assessment

Pay certification fee

Maintain certification annually

Related guides in Digital & Technology

Cyber security requirements for UK businesses

Get Cyber Essentials certified

Cyber security basics for small businesses

Cyber security for financial services firms

Tech Sector Compliance Overview

UNDER CONSTRUCTION

Content Graph