Definition and purpose

The Cyber Essentials scheme was introduced to set a baseline of cyber security for all organizations. The main purpose of the scheme is to promote the adoption of best practices in information security and ensure that organizations have fundamental protections against a range of the most common cyber threats.

Governing Body

The scheme was launched by the UK government and is overseen by the National Cyber Security Centre (NCSC), a part of GCHQ (Government Communications Headquarters).

Last updated

The most recent update was released in April 2023 with version 3.1 of the Cyber Essentials Requirements.

Applies to

Cyber Essentials is suitable for all organizations, of any size, and in any sector, whether private, public, or non-profit. It's particularly recommended for organizations that handle personal data or are suppliers to government bodies.

Controls and requirements

The Cyber Essentials scheme focuses on five key controls that, when properly implemented, can prevent up to 80% of cyber attacks:

• Boundary Firewalls and Internet Gateways: Ensuring that devices that connect networks to the internet have the proper settings to prevent unauthorized access.
• Secure Configuration: Ensuring that systems are configured in the most secure way for the needs of the organization.
• User Access Control: Managing user accounts by giving only those who need access the appropriate level of access rights and ensuring proper authentication methods.
• Malware Protection: Ensuring that virus and malware protection is installed and kept up-to-date.
• Patch Management: Ensuring that the latest supported versions of applications and OS are used and that all the necessary patches have been applied.

Please refer to the official Cyber Essentials documentation for a detailed list of controls and requirements.

Audit type, frequency, and duration

Organizations can achieve two levels of certification:

• Cyber Essentials: This requires organizations to complete a self-assessment questionnaire, with the responses independently reviewed by an external certifying body.
• Cyber Essentials Plus: This involves both the self-assessment questionnaire and an independent external test of the organization's cyber security approach.

While the basic Cyber Essentials certification involves a self-assessment, the Cyber Essentials Plus certification requires hands-on technical verification.

The certificate is valid for 12 months from the date of issue. Thus, organizations should consider annual reassessment to maintain their certification. The duration of the audit, especially for Cyber Essentials Plus, would depend on the size and complexity of the organization's network and systems.