Cyber Essentials Certification: Overview & Facts in 2023

Cyber Essentials is a government-supported scheme designed to protect organisations of any size against most cyber attacks and to aid compliance with GDPR for organisations handling EU and UK citizen personal information.

At our technical audit of your systems, we verify the five basic security controls. A random sample of computers within your organisation will be tested, while vulnerability scans will also be conducted.

man working banner network with cyber security overlay on floor

What are Cyber Essentials?

These are government backed schemes helping organisations of all sizes safeguard against common cyber attacks.

This certification covers five core areas of cybersecurity to address some of the most frequently occurring threats and provide a solid basis for any organisation’s information security approach.

Since 2014, when launched by the UK National Cybersecurity Centre, this cybersecurity standard has given organisations of any size or industry the chance to demonstrate that they follow basic cyber hygiene measures to protect their systems, networks, and data against cyberattack. These include providing firewalls and internet gateways; using robust passwords; training staff on best practices for cybersecurity management; installing anti-malware software on devices; as well as training staff.

Cyber Essentials Plus provides an in-depth audit of an organisation’s IT infrastructure. This requires testing and verification of all IT equipment by an external party, in addition to having completed Cyber Essentials self-certification as part of preparation for higher-level verification.

Certification signifies taking cybersecurity seriously, and large corporations increasingly expect their suppliers to obtain certification before engaging with them on sensitive projects. Certification requirements also exist for some Ministry of Defence projects and local authority contracts.

Tripwire Enterprise can assist in meeting compliance and attaining a cyber essentials certificate. Not only can it demonstrate that your IT infrastructure is protected against the most common attacks, but it can also display how it compares against standards such as CIS, PCI DSS, and ISO 27001 on an asset/vulnerability basis.


Cyberattacks are on the rise and can do significant harm to businesses of all sizes. Cyber essentials certification provides one way to protect your company against this form of threat; it offers companies protection from some of the most prevalent attacks and breaches.

In order to obtain cyber essentials certification, your business must complete both a self-assessment questionnaire and a technical audit. Either you or an outside security partner may complete these processes; there are also options such as managed services with fixed monthly fees that include the cost of technical assessments.

This self-assessment questionnaire covers five key security controls designed to thwart most cyber attacks, such as boundary firewalls and Internet gateways, secure configuration, malware protection, and access control. Designed for companies of all sizes, the questionnaire also serves as a great starting point for larger companies seeking cyber essentials plus certification.

Many companies turn to security partners in order to become cyber essentials compliant, offering services such as performing self-assessments on behalf of clients and conducting full technical audits; these may be free or cost around £300–500 (excluding assessment costs).

Once a business has successfully completed the self-assessment and technical audit, they will receive certification from an external certifying body. The three-year certificate can then be displayed prominently to demonstrate their commitment to cybersecurity.

Working with a certification body to perform assessments and Cyber Essentials Plus audits is an effective way for cybersecurity consultants to increase revenue while building long-term relationships. Many certification bodies will offer discounts off their advertised rates for any clients you refer, plus commission for any Plus audits completed successfully.

person holding phone with check mark

Technical Audit

Cyber Essentials, supported by the UK National Cyber Security Centre, outlines five core security controls businesses should implement to thwart the most common cyber attacks as well as deter more advanced threats. The certification process is relatively easy and can be accomplished via self-assessment through an online portal. IT Governance is proud to be accredited as both an assessor and a certified Cyber Essentials provider by CREST.

Technical auditing is an integral component of the project management life cycle. It helps ensure that deliverables produced by your team meet all requirements and are free from errors or defects, making this audit particularly helpful when projects are nearing the final development phase, providing a way to validate final products and make sure they live up to all expectations.

An audit begins by defining project objectives and developing a detailed plan to meet them. An auditor can use this plan to assess whether the project is meeting its goals; using this evaluation process, they may suggest changes to the plan as needed. An audit also involves evaluating employee and manager performance to make sure they are doing their jobs effectively.

While conducting their audit, auditors should remain on guard against any issues or problems that may arise during the implementation of a project. This includes making sure any software used for it works effectively and efficiently, as well as quickly resolving any related issues. They also need to ensure the project progresses as planned.

Cyber Essentials Plus is more rigorous than its standard counterpart. In addition to requiring that an organisation meet five security controls as outlined by Cyber Essentials, an assessor must perform tests on random computers used in an organisation and check they are configured correctly and patched, as well as run external port scans to check there are no misconfigurations or vulnerabilities present. When complete, an assessor can declare publicly that an organisation meets baseline standards and can add them to a directory of those certified as Cyber Essentials.

Independent Assessment

Cyber Essentials is an important first step towards improving cyber security, but it alone will not offer complete protection from all potential threats. While having it in place is beneficial, its sole reliance should not lead you astray or ignore other important aspects, such as GDPR data protection requirements.

Self-assessment questionnaires are designed to identify gaps in your cybersecurity. A qualified assessor will carefully consider your answers to each question, returning with additional questions if it becomes evident that they won’t provide sufficient protection under a particular scheme.

Certified cyber security experts will conduct a technical audit, which involves selecting random devices from your business and installing software agents on these computers. Vulnerability tests will then be run against these patches to check they are patched and configured properly; at the conclusion of which, you will receive an easy-to-read report that outlines any issues that require fixing in order to gain certification.

Cyber Essentials Plus certification adds an additional layer of verification to your organisational systems. A qualified assessor will visit, select a random sample of devices, and conduct an in-depth technical audit to validate the controls listed in your self-assessment—such as whether firewalls are functioning as intended and internet-facing devices are configured correctly—declared within Cyber Essentials self-assessments are actually implemented across your network. This includes five core protections as well as more basic checks like whether firewalls are functioning as expected and devices connected to them—such as whether firewalls work correctly and whether internet-facing devices are properly configured or not.

The COVID-19 pandemic has highlighted the need for businesses to ensure they have at least basic cyber security in place. One way of doing so is by attaining Cyber Essentials accreditation, which shows you’re taking measures against attacks that could have devastating repercussions for your company. Furthermore, having this standard may also help win business, as many new contracts now require it and may even go as far as demanding Cyber Essentials Plus certification—this change is especially significant for smaller firms that never had to prove they had these basics in place before!

Do I Need Cyber Essentials Certification?

The short answer to that question is an emphatic yes!

Cyber essentials certification has become a minimum requirement of many central government contracts that involve handling personal data or the supply of ICT products and services, such as Crown Commercial Service frameworks, since 2014. Furthermore, attaining Cyber essentials certification has now become mandatory if businesses wish to bid for Ministry of Defence contracts.

The scheme provides an effective first step towards protecting against the most common types of cyber attacks while giving your organisation an advantage when bidding for new work opportunities by showing that key measures have been taken to secure itself against future risks.

Cyber essentials certification comes in two flavours: the basic level and the enhanced version. To make an informed decision on which certification route to pursue, it’s crucial that one understands their differences before making a choice.

The basic level is an online portal provided by a certification body that allows individuals to self-assess. Once completed, an assessor will review your answers and conduct an external vulnerability scan of IP addresses on your network; if successful, you will be awarded basic-level certification.

The enhanced version of Cyber Essentials requires completion of the same basic steps plus additional requirements related to cloud services used by your business. It requires more in-depth compliance than its basic-level counterpart and requires you to provide evidence of steps taken by your organisation in controlling access and configuring cloud services (platform as a service, software as a service, and infrastructure as a service providers). A certificate for this level lasts one year but must be renewed each year for renewal purposes.

No matter the level of certification you pursue, IASME‘s National Cyber Security Centre-accredited assessments should help guide and support you throughout the process and assist with any problems or obstacles that arise.

Certain companies work to assist in attaining either the level of cyber essentials certification and ongoing compliance requirements or certified organisations that need help maintaining compliance. From helping create an action plan and implement your defences to working on continuous improvement projects.