What is Cyber Essentials?

Developed by the UK government, Cyber Essentials provides a clear set of basic security controls to help organizations protect themselves against the most common cyber threats.

What is Cyber Essentials?

Cyber Essentials is a certification scheme designed to help organizations of all sizes implement basic cybersecurity measures. It was launched in 2014 by the UK government in partnership with industry to make the UK a safer place to conduct business online. The scheme offers two levels of certification: Cyber Essentials and Cyber Essentials Plus.

  1. Cyber Essentials: This level involves a self-assessment questionnaire, verified by an external assessor. It ensures that basic cyber hygiene measures are in place.
  2. Cyber Essentials Plus: This higher level includes all the requirements of Cyber Essentials but adds an independent, external assessment to verify the organization’s cybersecurity practices.

Why Cyber Essentials Matters

The rise in cyber-attacks, such as ransomware, phishing, and malware, has made it imperative for businesses to adopt comprehensive cybersecurity strategies. Here are some reasons why Cyber Essentials is vital:

  1. Protection Against Common Threats: Cyber Essentials focuses on mitigating common cyber threats, which constitute the majority of attacks. By implementing its controls, organizations can defend against approximately 80% of cyber-attacks.
  2. Reputation and Trust: Achieving Cyber Essentials certification demonstrates a commitment to cybersecurity, enhancing an organization’s reputation and building trust with customers, partners, and stakeholders.
  3. Compliance and Regulatory Requirements: Many regulatory frameworks and industry standards require organizations to adopt robust cybersecurity measures. Cyber Essentials can help businesses meet these requirements and avoid potential fines and penalties.
  4. Business Opportunities: Some government contracts and private sector tenders require Cyber Essentials certification. Being certified can open doors to new business opportunities and partnerships.

Core Components of Cyber Essentials

The Cyber Essentials framework consists of five technical controls designed to protect against common cyber threats. These controls are:

  1. Firewalls and Internet Gateways: Firewalls act as a barrier between a trusted internal network and untrusted external networks. Properly configured firewalls prevent unauthorized access and ensure that only safe and necessary network traffic is allowed.
  2. Secure Configuration: This involves configuring systems and devices to reduce vulnerabilities and protect against threats. It includes removing unnecessary accounts, changing default passwords, and disabling unneeded services.
  3. Access Control: Access control ensures that only authorized individuals can access systems and data. This is achieved through user account management, applying the principle of least privilege, and employing multi-factor authentication.
  4. Malware Protection: Protecting systems from malware is critical. This can be achieved through anti-malware software, whitelisting applications, and educating users about safe practices to avoid malware infection.
  5. Patch Management: Keeping software and systems up to date with the latest patches is crucial. This prevents attackers from exploiting known vulnerabilities in outdated software.

Steps to Achieve Cyber Essentials Certification

Organizations working toward Cyber Essentials certification follow these steps:

  1. Assessment and Gap Analysis: The first step is to assess the current cybersecurity posture of the organization and identify gaps relative to Cyber Essentials requirements.
  2. Implementation of Controls: Implement the necessary controls to address the identified gaps. This may involve configuring firewalls, setting up secure configurations, managing access controls, installing malware protection, and ensuring regular patch management.
  3. Self-Assessment and Verification: For Cyber Essentials, complete the self-assessment questionnaire and submit it for verification by an external assessor. For Cyber Essentials Plus, undergo an additional independent assessment.
  4. Certification and Maintenance: Once certified, organizations must maintain their cybersecurity posture by regularly reviewing and updating their controls to adapt to evolving threats.

Benefits of Cyber Essentials

  1. Enhanced Security Posture: By adhering to Cyber Essentials, businesses can significantly improve their security posture, making it more difficult for cybercriminals to succeed.
  2. Customer Assurance: Certification provides assurance to customers that their data is being handled securely, which can be a significant competitive advantage.
  3. Cost Savings: Preventing cyber incidents can save businesses substantial amounts in recovery costs, downtime, and potential regulatory fines.
  4. Operational Efficiency: Implementing structured cybersecurity controls can lead to more streamlined and efficient operations, reducing the risk of disruptions.
  5. Peace of Mind: Knowing that robust measures are in place to protect against common cyber threats allows business leaders to focus on strategic growth rather than constant firefighting.


Cyber Essentials offers a pragmatic and effective approach to cybersecurity, particularly for small and medium-sized enterprises that may lack extensive resources. By implementing the core controls and achieving certification, organizations can protect themselves against the most common cyber threats, build trust with stakeholders, and ensure compliance with regulatory requirements. As cyber threats continue to evolve, maintaining robust cybersecurity through frameworks like Cyber Essentials is not just advisable but essential for the sustainability and success of any business.

Frequently Asked Questions (FAQ) about Cyber Essentials

What are the main benefits of obtaining Cyber Essentials certification for my business?

Obtaining Cyber Essentials certification offers several significant benefits:

  1. Enhanced Security Posture: Implementing the recommended controls improves your business’s defenses against common cyber threats, reducing the risk of incidents.
  2. Customer Assurance: Certification demonstrates a commitment to cybersecurity, providing customers and partners with confidence that their data is handled securely.
  3. Cost Savings: By preventing cyber incidents, businesses can avoid the substantial costs associated with data breaches, system downtime, and potential regulatory fines.
  4. Operational Efficiency: Structured cybersecurity controls streamline processes and reduce the risk of operational disruptions, leading to more efficient business operations.
  5. Peace of Mind: Knowing that your business is protected against common cyber threats allows you to focus on strategic initiatives rather than constant firefighting.

What are the five core technical controls of Cyber Essentials, and why are they important?

The five core technical controls of Cyber Essentials are:

  1. Firewalls and Internet Gateways: These act as barriers to block unauthorized access to your network, ensuring only safe and necessary traffic is allowed.
  2. Secure Configuration: Properly configuring systems and devices reduces vulnerabilities and helps protect against cyber threats by removing unnecessary accounts and changing default settings.
  3. Access Control: Ensuring that only authorized individuals can access systems and data protects sensitive information and reduces the risk of insider threats.
  4. Malware Protection: Using anti-malware software and practices helps prevent malicious software from infecting your systems.
  5. Patch Management: Regularly updating software and systems with the latest patches fixes known vulnerabilities and prevents attackers from exploiting outdated software.

These controls are crucial as they address the most common ways cybercriminals exploit vulnerabilities, thereby significantly enhancing an organization’s overall cybersecurity.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

The primary difference between Cyber Essentials and Cyber Essentials Plus lies in the level of assessment and verification:

  1. Cyber Essentials: This involves completing a self-assessment questionnaire that is then verified by an external assessor. It ensures that basic cybersecurity measures are in place within the organization.
  2. Cyber Essentials Plus: In addition to meeting all the requirements of Cyber Essentials, this level includes an independent, external assessment to verify the organization’s cybersecurity practices more thoroughly. This may involve technical testing and vulnerability scans performed by a qualified assessor.

Cyber Essentials Plus provides a higher level of assurance due to the independent verification of cybersecurity controls, making it particularly beneficial for businesses seeking to demonstrate robust security practices to clients and partners.