What is Cyber Essentials?

Cyber Essentials is a simple, yet very effective scheme backed by the UK Government. It is designed to help protect companies, regardless of their size, against a huge range of cyber attacks.

Protect against basic cyber attacks

Cyber attacks come in various shapes and sizes but most are incredibly basic in nature. They are typically carried out by individuals who are not skilled – this can be compared to a thief trying the front door to see if you have left it open. Cyber Essentials offers a good level of protection against these unsophisticated attacks.

In this guide we will cover:

What is Cyber Essentials?
Why Cyber Essentials?
Scope of Cyber Essentials
Cyber Essentials or Cyber Essentials Plus?
Why do I need Cyber Essentials?
What happens if you’re not covered?
Requirements for boundary firewalls and internet gateways
Requirements for secure configuration
Requirements for malware protection
Requirements for patch management
How long does it take to become Cyber Essentials certified?


What is Cyber Essentials?

Launched in 2014 by the Department for Business, Innovation and Skills, this Government scheme encourages businesses to protect their data from the most common threats online. The scheme was developed in conjunction with the Information Security Forum, the Information Assurance for Small and Medium Enterprises (IASME) Consortium, the British Standards Institution and various industry partners.


Why Cyber Essentials?

Not only does it show a business's ability to keep data protected, but there are other benefits too. Being Cyber Essentials certified gives a big advantage when it comes to bidding for Government contracts. It has also been suggested by insurers that being certified could lead to lower insurance premiums. By carrying out the measures, you show that you’re protected against common cyber attacks. It’s also a great accreditation to display on your website, showing your clients that you’re protecting their data.


Which companies are Cyber Essentials certified?

If you are looking to secure your supply chain, NCSC provide a very useful tool to search for companies that are Cyber Essentials certified. Remember, Cyber Essentials certification only lasts 12 months, so consider reviewing your supplier's security annually. 

On the flip side your company, too, can be easily found by potential clients:

IASME company search tool

Scope of Cyber Essentials

Cyber Essentials covers five core areas to provide a basic level of protection against cyber-attacks:

  1. Using office firewalls and Internet gateways
  2. Maintaining secure configuration of your computer equipment
  3. Controlling user accounts and restricting use of administrative accounts
  4. Protecting against malware
  5. Keeping software and devices up to date

Cyber Essentials or Cyber Essentials Plus?

There are two certification options to choose from:

  1. Cyber Essentials, requiring the submission of a self-assessment to the certification body, IASME Consortium. It's a great starting point for addressing your business's security and is the UK's entry-level cybersecurity certification.

  2. Cyber Essentials Plus is verified by an external auditor. This is carried out within four months of becoming Cyber Essentials certified and ensures policies (in Cyber Essentials) are being adhered to. This is a great accreditation for businesses that want to demonstrate that they go the extra mile to secure their business.

Why do I need Cyber Essentials?

There are many reasons why you might want to gain Cyber Essentials accreditation for your business:

  • Customers feel assured knowing that your IT is protected
  • Attract new business
  • Determine your organisation’s security level
  • Comply with the increasing numbers of contracts stipulating Cyber Essentials as a requirement

What happens if you’re not covered?

Your business may be left vulnerable and open to attack without the basic protection included in Cyber Essentials.

Many believe that criminals only target big companies, but this is not the case. Smaller businesses may be consciously targeted because of their limited budget and not having the tech required to put up adequate defences.

Ultimately, it is important because it can provide customers peace of mind and confidence to work with your company safely. Cyber Essentials is the best and easiest way to show that you meet an industry standard and it may even help you to win more customers.


Cyber Essentials requirements for boundary firewalls and internet gateways

  • Default administrative passwords must be changed to a more complex password. For help on creating a secure password, make sure you check out our guide on how to create the perfect password. Alternatively, you can disable remote administrative access completely.
  • Do not allow internet access to the firewall's administrative interface unless there is a documented business reason. Even then you should make sure two-factor authentication or an IP whitelist is implemented for secure access.
  • By default, block unauthenticated inbound connections.
  • Any firewalls must be documented and authorised by an individual, with the business need included too.
  • Be able to remove and disable rules quickly when they are no longer required.
  • Use a host-based firewall on devices that are used on untrusted networks, such as public Wi-Fi hotspots.

Ensure that only safe and necessary network services can be accessed from the Internet. Default configurations are very rarely strong enough to protect against cyber-attacks. Hackers will often know ways around default configurations, putting your networks at risk.
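One way to turn the firewall checklist above into a repeatable check, shown as an added example (it is not part of the original guide or of any Cyber Essentials tooling). The inventory format and its field names are hypothetical, the sample data is constructed, and the documentation requirement is applied per rule as an assumption.

```python
# Added example: audits a constructed firewall inventory against the checklist above.
# Field names (default_inbound, admin_interface, rules, ...) are hypothetical.

INVENTORY = {  # constructed sample data, not taken from a real device
    "default_inbound": "allow",
    "admin_interface": {
        "internet_exposed": True,
        "business_reason": "",
        "two_factor": False,
        "ip_whitelist": [],
    },
    "rules": [
        {"name": "https-in", "port": 443, "business_need": "Customer portal",
         "approved_by": "IT manager", "still_required": True},
        {"name": "rdp-in", "port": 3389, "business_need": "",
         "approved_by": "", "still_required": True},
        {"name": "old-ftp", "port": 21, "business_need": "Legacy supplier uploads",
         "approved_by": "IT manager", "still_required": False},
    ],
}


def audit(inv):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Unauthenticated inbound connections must be blocked by default.
    if inv["default_inbound"] != "block":
        findings.append("default inbound policy is not 'block'")
    # An internet-facing admin interface needs a documented reason AND 2FA or an IP whitelist.
    admin = inv["admin_interface"]
    if admin["internet_exposed"]:
        if not admin["business_reason"]:
            findings.append("admin interface exposed without documented business reason")
        if not (admin["two_factor"] or admin["ip_whitelist"]):
            findings.append("admin interface exposed without 2FA or IP whitelist")
    # Every rule needs a business need and an approver; stale rules must go.
    for rule in inv["rules"]:
        if not (rule["business_need"] and rule["approved_by"]):
            findings.append(f"rule {rule['name']}: missing business need or approver")
        if not rule["still_required"]:
            findings.append(f"rule {rule['name']}: no longer required, remove or disable")
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("FAIL:", finding)
```

Exporting the real rule list into this shape once a quarter gives a written record of who approved each rule and why, which is what an assessor will ask to see.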



Maintaining secure configuration of your computer equipment

When new equipment is bought, it is important to alter the settings. Manufacturers of computers and other equipment will have a default setting that will normally enable the new user access to absolutely everything. In terms of cybersecurity, this is not best practice. As a general rule, only allow employees access to what they need. Remember, if a device is stolen, if the user only has limited access, then less damage can be done by the criminal.

This means you will need to:

Check settings

Settings have been altered to the individual's needs and privileges have been checked. Adapt the settings to the user's needs. Only allow access to what the team member needs. IT administrator rights should only be accessible to the few people that need them. Extra permissions should only be given to those who need them.


All devices where company data can be accessed, whether it be your laptop, phone or IoT device, should have a password. The password should be unique and hard to guess. It's important to remember that default passwords, like 'password' or your company name, are easy for hackers to guess.

Two Factor Authentication (2FA)

We would recommend 2FA for all accounts, whether it be your social accounts or CRM. What this means is, when you log on, you will be asked for your password like normal - that's the first authentication. But then you may get another code texted to your mobile. That would be the second factor authentication.


The aim is to ensure that employees and suppliers only have access to the administration privileges that they need, and to control what can be accessed.



Cyber Essentials requirements for secure configuration

  • User accounts that are no longer needed must be removed and disabled.
  • Default or weak passwords must be changed to something more secure.
  • Unused software applications must be disabled or removed.
  • Features such as automatic downloads from the internet should be disabled, with user authorisation being implemented.
  • Make sure users get authenticated before having network-connected access to business data.

Another requirement for secure configuration is a well-implemented password policy.


Ensure that computers and network devices are properly configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role. Default configurations are very rarely strong enough to protect against cyber-attacks. Hackers will often know ways around default configurations, putting your networks at risk.


Cyber Essentials requirements for malware protection

There are three main sections of requirements when it comes to malware protection:

Anti-malware software

  • The software must be kept up to date.
  • Files must be scanned automatically upon access, including when they’re opened and downloaded.
  • Websites must be scanned by the software when accessed to make sure they’re safe for browsing. If the website is not safe, the software must prevent access to the site unless there is a documented business need.

Application whitelisting

  • Only applications that have been approved are allowed to execute on devices. A list of these applications must be documented and approved before being deployed to devices.
  • Any applications that are not approved or documented should not be able to be downloaded.

Application sandboxing

Sandboxing is a holding system that prevents applications from accessing other resources until that access has been approved by a user. This includes access to:

  • Other sandboxed applications
  • Data stores, such as those holding documents and photos
  • Sensitive peripherals, such as the camera, microphone and GPS
  • Local network access

Objective — Restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data. Software updates are now more important than ever. They remove potential vulnerabilities on your network, in turn making you more cyber secure.


Cyber Essentials requirements for patch management

There are three rules for software and applications for patch management when it comes to Cyber Essentials:

  • Make sure software is licensed and supported.
  • When support ends for the software, ensure that it is removed from all devices.
  • Any ‘high risk’ or ‘critical’ update should be installed within two weeks.

Objective — Ensure that devices and software are not vulnerable to known security issues for which fixes are available.


How long does it take to become Cyber Essentials certified?

There’s no definitive answer to this question. If you have all the controls already in place and pass the assessment first time, you could be certified in a week. On the other hand, if you have to make several changes to your systems to become compliant, it could take several months.


Become Cyber Essentials certified

Ready to be assessed

The Cyber Essentials assessment is run by IASME Consortium, having won a five-year contract with Cyber Essentials in April 2020. You can find out more about the certification on the NCSC website.

Help to become compliant

If you are interested in becoming Cyber Essentials certified, but don't have security expertise in-house, we can help. Visit our Cyber Essentials Consultancy webpage for details. Our security expert, Mark Poulding, has also created a number of videos running through IASME Cyber Essentials frequently asked questions.

