Everything You Need to Know About UK Cyber Essentials

What is UK Cyber Essentials?

Cyber Essentials is a government-backed scheme that was created to help organisations of all sizes protect themselves from a wide range of common cyber attacks. It was established to ensure a baseline level of cyber security is accessible and achievable for all

There are two levels of Cyber Essentials certification:

  • Cyber Essentials – This level of certification involves a self-assessment aimed at protecting you from basic common cyber attacks (that if left open can lead to more serious and complex attacks). Working towards compliance with this certification will walk you through the steps needed to address the basics and prevent the most common attacks.
  • Cyber Essentials Plus – This level of certification involves the same protections and simplicity of approach, with an added hands-on technical verification. Both certifications can either be achieved at the same time or the “Plus” can be achieved within 3 months of the basic certification.

Cyber Essentials was created by the British Government together with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF). IASME is now the official Cyber Essentials delivery partner and they provide help, guidance and the ability for organisations to become certified. Certificates awarded by IASME for compliance with Cyber Essentials are valid for a 12-month period after which they need to be renewed.

UK Cyber Essentials

The framework itself is built on compliance against 5 technical controls:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Security Update Management

Each of these main areas encompasses its own detailed objectives and requirements to apply to the scope of your assessment. 

The overall goal of the NCSC and Cyber Essentials is to make the UK a safer place to do business with. The main benefits of becoming Cyber Essentials certified are listed on their site as:

  • Reassure customers that you are working to secure your IT against cyber attack
  • Attract new business with the promise you have cyber security measures in place
  • You have a clear picture of your organisation’s cyber security level
  • Some Government contracts will require Cyber Essentials certification

History & updates

An independently-verified certification, Cyber Essentials was originally released for public use on June 5th, 2014 and has received updates since. On January 24th, 2022, a new set of technical requirements and question sets came into effect. Any assessments that begin on or after this date are now certified to the new standard. IASME has noted that there is a grace period until January 2023 for organisations to meet certain technical requirements

Who does Cyber Essentials apply to?

Cyber Essentials is suitable for any organisation, of any size, in any sector. Whilst it has been created for organisations within the UK, certification is available for any organisation overseas who wishes to meet UK Cyber Essentials requirements. 

Since October 2014, the British Government required all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme. The NCSC writes more recently on their website that organisations who want to bid for a government contract should clarify for each contract as to their expectations for Cyber Essentials, as requirements and exemptions may vary between departments.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Unique Aspects versus other Compliance Frameworks

Cyber Essentials is created especially for organisations in the UK, whilst still offering certification to organisations from overseas. It takes a relatively simple approach and does not include a vast number of controls as per some of the other cybersecurity frameworks.

What is unique to certification, for example with IASME, is that they offer automatic free cyber insurance to eligible organisations who achieve Cyber Essentials certification.

Particular care has been afforded the Education sector as they have been hit with an enormous number of cyber attacks, ransomware and data breaches over the last year. To that effect, a Cyber Essentials pilot scheme built especially for schools has been released by IASME together with the Risk Protection Arrangement (RPA). The RPA is an alternative to commercial insurance for public sector schools in England. It aims to protect public sector schools against losses due to unforeseen and unexpected events. You can find details of what the RPA covers and how to become a member at The Risk Protection Arrangement (RPA) for schools – GOV.UK (www.gov.uk).

What happens if you don’t comply?

Cyber Essentials is not a set of laws so non-compliance will not result in penalties or fines. Not achieving Cyber Essentials may mean: 

  • Not bidding for or being accepted for government contracts 
  • Not being protected against common cyber attacks
  • Being unable to show your customers that you are committed to best Cybersecurity practices and protections.

Steps to Compliance

The National Cyber Security Centre (NCSC) detailed steps to compliance in the new requirements released in January 2022.  The three main steps are:

1. Establish the boundary of scope for your organisation and determine what is in scope within this boundary.

2. Review each of the five technical control themes and the controls they embody as requirements.

3. Take steps as necessary to ensure that your organisation meets every requirement, throughout the scope you have determined.

To finish the certification process, a board member from your organisation should sign a declaration to confirm that the assessment answers are true. A qualified assessor who works for a Certification Body like IASME will then evaluate the responses. In the event that you pass you receive a certificate. [If you fail, you will receive feedback so you know which areas need to be addressed should you either want to re-apply for Cyber Essentials certification or take the opportunity to improve your cyber security.]

Cyber Essentials Solution

The best way to achieve the Cyber Essentials objectives is to use a compliance management platform that will break down the requirements into a simple questionnaire, tracking your progress towards full compliance and offering actionable remediation insights to bridge any gaps. Centraleyes offers a built-in Cyber Essentials questionnaire that will prepare your organisation for certification using built-in powerful automated tools to guide you through the process simply and efficiently. 


Amongst the vast array of features we offer, our risk and compliance platform uses SmartMapping so that preparation for Cyber Essentials certification can be simultaneously mapped to other global cybersecurity frameworks and standards, saving you hundreds of hours in preparation for future compliance goals. You can book a demo here to learn how Centraleyes can drive compliance to Cyber Essentials and bring value to your organisation.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days