Cyber Essentials (Plus) Scheme & Certification Simplified

What Is Cyber Essentials?

Cyber Essentials is a information assurance scheme operated by the National Cyber Security Centre (NCSC) that helps organisations to protect themselves against online threats.

The Government collaborated with the Information Assurance for Small and Medium Enterprises (IASME) and the Information Security Forum (ISF) to create a set of technical controls to help organisations protect themselves against online security threats.

The complete scheme was launched on June 5, 2014. The Federation of Small Businesses (FSB), the Confederation of British Industry (CBI) and several insurance companies support it.

Want a 77% head start on ISO 27001 certification?

The Scheme Is Suitable for Any Organisation, Large or Small

The Cyber Essentials scheme is the UK Government’s answer to a safer internet space for any organisation of any size. 80% of the most common cyber security threats are covered by the Cyber Essentials controls. Developed and defined by the National Cyber Security Centre, implementation of these basic controls by your organisation should mitigate your business from the risk of cyber attacks.

Cyber Essentials certification provides a way of demonstrating to customers, investors, insurers and others that you have taken the minimum precautions to protect your organisation against cyber threats.

What is The Cyber Essentials Plus Scheme?

Cyber Essentials and its Plus variant differ in one way, Cyber Essentials Plus includes the requirement for an independent assessment to be carried out by an auditor for the purpose of certification.

Cyber Essentials Plus Audit Explained

  • An audit is performed to ensure that the devices used within your organisation are securely configured per the scheme specifications. A random a sample of computers used within your organisation are tested.
  • Vulnerability scans are completed on the sample of chosen machines to confirm patching and basic configuration is acceptable.
  • An external port scanning of your organisations internet-facing addresses is conducted to ensure no apparent misconfigurations or vulnerabilities.
  • A test is conducted on internet browsers and email providers to confirm appropriate security provisions are configured; to prevent fake malicious files and similar from being executed.

Cyber Essentials Plus is the maximum level of certification (against Cyber Essentials) involving a more stringent test on an organisation’s systems by a 3rd party.

Why You Need Cyber Essentials (Plus)

  • Win new business and retain existing clients/contracts.
  • Secure new funding and investment to take your business to the next level.
  • Ensure reputation management with potential customers showcasing data security is at the heart of your organisation.
  • Avoid data breaches and fines.
  • Demonstrate your business takes compliance and its legal obligations seriously.

Why Cyber Essentials Is Important?

Irrespective of your company size, you could be a target of a cyber attack. Suppliers, vendors, and larger companies are all part of a network entwined with each other.

The damage caused by a cyber security breach will ripple down your supply chain. To ensure they are not the weakest link, organisations need to evaluate their threat profile, implement strategies and employee training in cyber security. The fines and costs associated with data breach can put small organisations out of business or cause irreparable damage.

How Much Does It Cost to Become Cyber Essentials and Plus Certified?

Cyber Essentials costs start from £300 + VAT.

Costs are dependent on the size and complexity of your organisation, the cost of preparing for Cyber Essentials Plus will be different.

Cyber Essentials & Bidding for Public Sector Contracts

Cyber Essentials certification is a requirement for government contract tenders.

Suppliers will have to comply with the Cyber Essential controls if they bid on government contracts. This mandate was introduced, October 1, 2014, during the Conservative and Liberal Democrat coalition government period.

For example, the Education Skills and Funding Agency (ESFA) has introduced requirements that universities, colleges, training, contractors and employers within higher education must be Cyber Essentials compliant (2020/2021), Cyber Essentials Plus certified (2021/2022) or demonstrate compliance to an equivalent framework or standard.

Further requirements to become ISO 27001 certified and the need to demonstrate a business continuity policy are intended to be introduced at a later date.

Want a 77% head start on ISO 27001 certification?

Cyber Essentials VS ISO 27001

ISO 27001 is the more comprehensive certification, but the Cyber Essentials guarantees the core elements of your business security are in line with the National Cyber Security Centre standards.

Certification in 27001 Does Not Guarantee Compliance in Cyber Essentials

A Cyber Essentials badge can be viewed as an essential indicator of cyber security, even though ISO/IEC 27001 is seen as offering a more extensive level of assurance.

There will be some clients who will require a Cyber Essentials certificate. The two should be seen as being complementary rather than competing.

ISO 27001Cyber Essentials
What is itThe requirements of an Information Security Management System to manage information security risk are set out in an international standard. The standard is not mandatory however many contracts require it. The NCSC backed UK assurance scheme addresses five technical security controls to help businesses address common vulnerabilities. It’s a requirement for government contracts to have cyber essentials.
RiskISO 27001 uses a risk-based approach, where they set their risk acceptance criteria and risk methodology. This can be used to determine how risks are addressed.In order to address the most common vulnerabilities in the organisation, Cyber Essentials is needed. It’s not a risk-based approach at all.
RecognitionAround the world, ISO 27001 is recognised as an international standard.Cyber Essentials is a UK based scheme that is not well known in other countries.
Time to implementMonths.Days to weeks.
Certification processThe certification is provided by a certifying body. Stage 1 and Stage 2 audits are included in this. As long as the organisation passes the audits, certification lasts for three years.If you want to take Cyber Essentials Plus, you need to complete a self-assessment questionnaire, undergo vulnerability scans, and be assessed by a IASME Cyber Essentials Assessor. It is a requirement that certification be repeated annually.
CostsMedium to high cost.Low cost.
ScopeThe scope is defined by the organisation, but the standard is more than just focused on IT.Cyber Essentials focuses on:
  • Access control.
  • Secure devices and software.
  • Secure internet connection.
  • Security update management.
  • Malware protection.
ApplicabilityAimed at businesses of all sizes.Aimed at all businesses, but also targets smaller businesses that may not have thought about cybersecurity.

Cyber Essentials & GDPR

Cyber Essentials focuses on fundamental technical controls, but it’s not enough for GDPR.

You can display to the ICO that you are on the right path by using the technical controls of Cyber Essentials putting your organisation on the right path to GDPR compliance.

As GDPR is a extensive regulation that requires businesses protect personal data; for example:

  • UK citizen’s personal information (such as bank details or home address).
  • Personal information of any government employees, ministers, or advisors (such as expenses information).

Remember, if your organisation handles personally identifiable information of EU citizens, you must comply with GDPR. Abiding by the Cyber Essentials does not ensure compliance with GDPR.

How Is Cyber Essentials Implemented?

There are five basic control areas that organisations should tackle to mitigate risk from the most common cyber attacks. These controls shows a clear commitment to improving your organisations approach to cyber security.


What Are the Cyber Essentials Controls?

These five control areas should prevent up to around 80% of cyber attacks.

  1. Use of a firewall to protect devices connected to the internet.
  2. Make sure you use secure settings. For example, leaving your hardware (such as a router) on a default configuration makes your organisation vulnerable.
  3. Consider who has access to your data, and make sure you put in relevant controls to protect access from unauthorised parties.
  4. Ensure your devices are protected from viruses and malware attacks. The wannaCry attack on the NHS in 2017 shows how quickly these malicious attacks can spread.
  5. See that your organisations’ devices and software is kept up-to-date with the latest security updates to ensure complete protection.

It helps to remember that technology is only as effective as the people using it when it comes to security, even though the five controls outlined in Cyber Essentials are fundamental technical measures. It is always advisable to conduct staff awareness training to mitigate the risk of mistakes by employees.

Want a 77% head start on ISO 27001 certification?

Frequently Asked Questions

What Is the Difference Between Cyber Essentials and Cyber Essentials Plus?

Currently, the scheme offers two levels, Cyber Essentials and Cyber Essentials Plus. The Cyber Essentials Plus scheme includes the Cyber Essentials questionnaire and an additional independent tech audit of your organisations' systems to ensure that the relevant controls are in place.

The Basic Level of Cyber Essentials Is Self-Assessed

There are eight sections and 70 questions in the questionnaire. All the questions must be answered. Your answers must be approved by a board-level representative, business owner, or equivalent. The chosen representative needs to sign a declaration that all the answers are correct before you submit your assessment.

Cyber Essentials Self-Assessment

You will need to finish the Cyber Essentials self-assessment in order to be certificated to Cyber Essentials Plus. You will need to finish your Cyber Essentials Plus audit within three months of your basic certification if you already have the self-assessed Cyber Essentials. Depending on the size and complicatedness of your organisation, the assessment cost will vary. The Cyber Essentials certification process includes a check against key governance aspects while also checking the technical controls. These key governance aspects are as follows:
  • Risk assessment and management
  • Training and managing people
  • Change management
  • Monitoring
  • Backup
  • Incident response and business continuity

What Is the Difference Between Cybersecurity and Information Security?

Cybersecurity protects against common cyber attacks in cyberspace such as data, storage, devices, etc. Information security is meant to protect data from any threats regardless of its form. Cybercrimes, cyber frauds and law enforcement are dealt with in cyber security. Information security involves unauthorised access, disclosure modification, and disruption. Specialists who are trained to deal with advanced persistent threats are in charge of cybersecurity. Information security lays the foundation of data security and are trained to prioritise resources first before eliminating threats or attacks.

Do I Have to Have Cyber Essentials Before Getting Cyber Essentials Plus?

It's possible to achieve Cyber Essentials Plus without first obtaining Cyber Essentials. A certification body of your choice will work with you to complete the questionnaire needed for Cyber Essentials and verify compliance as part of the process of gaining Cyber Essentials Plus certification.

Who accredits Cyber Essentials Plus?

The Information Assurance for Small and Medium Enterprises and the Information Security Forum collaborated with the Government. Releasing a set of technical controls to help protect organisations against online security threats.

How Long Is the Cyber Essentials Certification Is Valid For?

The UK Government recommends that all Cyber Essentials certificate holders review their certification every year to remain on the formal register of certified businesses. Every day new requirements and best practices are being established for cyber security. It's essential that you stay up to date with the latest developments in your organisation. Demonstrating to your clients that you are improving your security is one of the benefits of re-certifying.

Can You Become Cyber Essentials Certified Outside the UK?

If your organisation isn't based in the UK, you can still obtain a Cyber Essentials certification. Remember, Cyber Essentials are mandatory for businesses looking to secure UK government contracts and UK Ministry of Defence contracts.

Cyber Essentials is a certification. GDPR is regulation and mandatory

While Cyber Essentials is a good start, the new General Data Protection Regulation (GDPR) means you must demonstrate your commitment to protecting personal data for your staff, customers and other EU/UK citizens. Cyber Essentials compliance helps with some of the computer and network security requirements of the GDPR. can help you comply with the new regulations right now, and whether or not you get Cyber Essentials today or in the future. It’s not a question of one or the other, but if you are considering the improvement of your information security, then we suggest you start with GDPR compliance and consider applying for Cyber Essentials later. You are then in a great place to start protecting all your valuable information assets by aligning to, or achieving, ISO 27001 certification.

Platform features

Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.