Introduction: Cyber Essentials (UK) — An Auditor's Deep Dive
Cyber Essentials is a UK Government-backed cyber security certification scheme designed to help organisations of any size guard against the most common internet-borne cyber attacks. Launched in 2014 and operated on behalf of the National Cyber Security Centre (NCSC) by IASME Consortium as the sole Cyber Essentials Partner (delivery partner since April 2020), the scheme sets out five fundamental technical controls that, when correctly implemented, protect against approximately 80% of common cyber attacks such as phishing, malware, ransomware and password-guessing.
There are two levels of certification. Cyber Essentials is a verified self-assessment against a defined question set, and Cyber Essentials Plus adds an independent, hands-on technical audit performed by a qualified Certification Body assessor. This guide is written from the perspective of a CERT-In empanelled auditor and PCI QSA to give practitioners an accurate, control-by-control roadmap to achieving and sustaining certification. Terminology, control names and the requirement structure reflect the current 'Montpellier' question set and the 'Cyber Essentials: Requirements for IT Infrastructure' document.
What is Cyber Essentials
Cyber Essentials is a baseline cyber hygiene certification that focuses exclusively on technical controls at the boundary and endpoint of an organisation's IT estate. Unlike broader management-system standards such as ISO/IEC 27001, Cyber Essentials does not assess governance maturity, risk management processes or documentation depth. Instead, it verifies that a defined set of technical controls is in place across all internet-facing and end-user systems within scope.
The scheme is built around five technical control themes. Each theme contains specific, testable requirements. The self-assessment (Cyber Essentials) requires an organisation to answer the full question set truthfully, with sign-off by a board-level representative, after which a Certification Body marks the answers. Cyber Essentials Plus retains the same five control themes but validates them through independent technical testing including authenticated vulnerability scans of a sample of devices, tests of malware protection, and simulated phishing/email-based attacks.
| Attribute | Detail |
|---|---|
| Scheme owner | UK National Cyber Security Centre (NCSC / GCHQ) |
| Delivery partner | IASME Consortium (sole Cyber Essentials Partner) |
| Certification levels | Cyber Essentials (verified self-assessment); Cyber Essentials Plus (independent audit) |
| Control themes | Five: Firewalls, Secure Configuration, Security Update Management, User Access Control, Malware Protection |
| Question set | Versioned by release name (e.g. Montpellier); refreshed periodically |
| Validity | 12 months from certificate issue; annual recertification required |
| Assessment platform | IASME certification portal (self-assessment question set) |
| Attack coverage | Protects against ~80% of common internet-based attacks |
Who Must Comply
Cyber Essentials is voluntary for most organisations but is contractually mandatory in several UK Government supply-chain contexts and is increasingly demanded in commercial procurement, insurance and framework qualification.
| Category | Applicability |
|---|---|
| UK central government suppliers | Mandatory where a contract involves handling certain sensitive/personal information or provision of certain ICT products and services |
| MOD Defence suppliers | Cyber Essentials (and DEFCON 658 / DEFSTAN compliance) required where DEFCON conditions apply |
| NHS and health/social care suppliers | Frequently required via DSPT and procurement frameworks |
| Public sector framework bidders | Often a pass/fail condition on Crown Commercial Service and local authority tenders |
| SMEs seeking cyber insurance | Certification commonly reduces premiums and satisfies underwriting baselines |
| Any organisation wanting baseline assurance | Voluntary adoption to demonstrate due diligence to clients and partners |
| Charities and third-sector bodies | Adopted for grant eligibility and donor/partner assurance |
- Organisations bidding for UK public-sector contracts that specify Cyber Essentials as a condition.
- Managed Service Providers (MSPs) whose clients require supply-chain assurance.
- Businesses that want an affordable, government-recognised demonstration of baseline security.
- Firms seeking to reduce cyber insurance premiums or meet insurer prerequisites.
Structure of Cyber Essentials
The scheme is organised into five technical control themes. Each theme groups a set of specific, testable requirements applied consistently across all in-scope devices — including servers, desktops, laptops, tablets, mobile phones, thin clients and cloud services. The table below summarises the five themes and their core intent.
| Control theme | Purpose | Applies to |
|---|---|---|
| Firewalls | Ensure only safe and necessary network services are accessible from the internet | Boundary firewalls, internet gateways, host-based/software firewalls, home/remote workers |
| Secure Configuration | Configure devices and software to reduce inherent vulnerabilities and remove unnecessary functionality | All servers, end-user devices, cloud services, network equipment |
| Security Update Management | Keep operating systems and applications supported, licensed and patched | All software: OS, firmware, applications, plugins |
| User Access Control | Grant access only to those who need it, with strong authentication and least privilege | All user and administrative accounts across devices and cloud services |
| Malware Protection | Restrict execution of known and unknown malicious software | End-user devices and internet-facing servers |
In addition to the five themes, current question sets embed several cross-cutting requirements: multi-factor authentication (MFA) for cloud services, treatment of Bring Your Own Device (BYOD), account separation for administration, and end-of-life/unsupported software handling. Cloud services — Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) — are all explicitly in scope, with the organisation and the cloud provider holding shared responsibility for the controls.
Master Assessment Checklist
This is the core of the guide. Each of the five control themes is enumerated below with its specific requirements, what an auditor verifies, and the typical evidence expected in a Cyber Essentials or Cyber Essentials Plus assessment. Every requirement area is covered — do not treat any as optional. For Cyber Essentials Plus, expect the assessor to independently verify these through authenticated scanning and live testing rather than relying on declarations.
Control Theme 1 — Firewalls
This theme ensures that every device is protected by a correctly configured firewall (or equivalent network device) between the internal network/device and the internet. It covers boundary firewalls and host-based (software) firewalls, including protection for home and remote workers not sitting behind a corporate boundary firewall.
| What to verify | Typical evidence |
|---|---|
| A boundary firewall or internet gateway is present at every internet connection | Network diagram, firewall inventory, ISP/router model list |
| Default administrative passwords on firewalls/routers have been changed to strong, unique values | Password change records, configuration screenshots, MFA/passphrase evidence |
| No unauthenticated inbound connections are permitted by default | Firewall rule base export, deny-all default rule evidence |
| Every inbound firewall rule is documented, business-approved and necessary | Firewall change register, rule justification records |
| Inbound rules that are no longer required are removed promptly | Rule review log, change tickets showing rule removal |
| The firewall administration interface is not accessible from the internet unless protected by MFA or IP allow-listing | Configuration screenshots, remote-access policy |
| Host-based (software) firewalls are enabled on devices used outside the corporate boundary (e.g. home/remote workers) | Endpoint firewall status reports, MDM/GPO configuration |
| Any port forwarding or DMZ configuration is justified and documented | Firewall config, business justification records |
Control Theme 2 — Secure Configuration
This theme ensures devices and software are configured to minimise vulnerabilities: removing or disabling unnecessary accounts, software and services, changing default credentials, and applying screen-lock/device-lock protections. It also covers auto-run/auto-play restrictions and the treatment of default installations.
| What to verify | Typical evidence |
|---|---|
| Unnecessary user accounts (e.g. guest, default) are removed or disabled | Account inventory, local user list screenshots |
| Default or guessable passwords on devices and software are changed before deployment | Build/hardening checklist, configuration records |
| Unnecessary software (applications, services, roles) is removed or disabled | Installed software inventory, build image documentation |
| Auto-run/auto-play of executable content from removable media is disabled | GPO/MDM policy export, device configuration screenshots |
| Devices lock (require re-authentication) after a period of inactivity | Screen-lock policy, MDM configuration, timeout settings |
| A device unlock/authentication mechanism protects each device (password, PIN, biometric) | Lock-screen policy, device configuration evidence |
| Where PINs/passwords protect device unlock, brute-force protection or minimum length rules apply | Configuration showing throttling/lockout or length requirements |
| Cloud service configurations are hardened (e.g. no default admin, secure defaults reviewed) | Cloud console configuration exports, tenant settings screenshots |
Control Theme 3 — Security Update Management
This theme ensures all software remains supported by its vendor, is licensed, and is kept up to date. Critical and high-severity security updates must be applied within a defined window (currently 14 days of release). Unsupported/end-of-life software must be removed from scope or the device removed from the network.
| What to verify | Typical evidence |
|---|---|
| All operating systems and applications in scope are still supported by the vendor (not end-of-life) | Software/OS version inventory mapped to vendor support lifecycle |
| All software is licensed and supported | Licence records, subscription/support agreements |
| Automatic updates are enabled where available | Update-management configuration, MDM/WSUS/patch-tool settings |
| High-risk or critical security updates are applied within 14 days of vendor release | Patch deployment reports with dates, vulnerability-scan results |
| Unsupported software is removed from devices or the device removed from scope | Decommissioning records, removal tickets, scope exclusion notes |
| Firmware on firewalls/routers and other network devices is kept updated | Firmware version records, update logs |
| Mobile and BYOD devices receive OS/app updates within the required timeframe | MDM patch-compliance reports |
| Browser plugins, extensions and add-ons are patched or removed | Plugin inventory, update evidence |
Control Theme 4 — User Access Control
This theme ensures access to systems and data is granted only to authorised individuals, following least privilege, with a robust account-provisioning and de-provisioning process. It mandates strong authentication, separation of administrative accounts, and multi-factor authentication for cloud services and administrator access.
| What to verify | Typical evidence |
|---|---|
| A documented process exists to create, approve and remove user accounts | Joiner-mover-leaver (JML) procedure, access-request records |
| Each user has a unique account (no shared accounts) | User account inventory, directory export |
| User accounts are granted least-privilege access appropriate to the role | Access review records, role-to-permission mapping |
| Administrative accounts are separate from standard day-to-day accounts | Admin account list, separation policy, directory groups |
| Administrative privileges are only used for administrative tasks (no web/email on admin accounts) | Admin usage policy, technical controls blocking browsing on admin accounts |
| Multi-factor authentication (MFA) is enabled on all cloud services | MFA configuration screenshots per cloud tenant/service |
| MFA is enabled for all administrator accounts on cloud services | Admin MFA enforcement evidence |
| Password-based authentication meets minimum standards (length, deny-list, throttling or account lockout) | Password policy configuration, deny-list/throttling settings |
| Accounts of leavers are disabled or removed promptly | Leaver tickets, disabled-account audit |
| Access is reviewed periodically to remove redundant privileges | Access recertification records |
Control Theme 5 — Malware Protection
This theme ensures devices are protected against malicious software using at least one of three approved mechanisms: anti-malware software, application allow-listing, or (historically) sandboxing. The mechanism must be kept current and configured to prevent execution of malicious code.
| What to verify | Typical evidence |
|---|---|
| At least one approved malware protection mechanism is implemented on in-scope devices | Anti-malware deployment report or allow-list configuration |
| Anti-malware software (where used) updates signatures/definitions automatically | Definition-update logs, console reports |
| Anti-malware scans files on access and prevents connection to known malicious websites where supported | AV policy configuration, web-protection settings |
| Where application allow-listing is used, only approved applications can execute | Allow-list policy, application control configuration |
| Mobile devices are protected (via app store restrictions, MDM app control or anti-malware) | MDM policy, managed app store configuration |
| Malware protection is active and cannot be disabled by standard users | Tamper-protection settings, endpoint policy |
| Cloud-delivered and internet-facing servers have appropriate malware protection or justified exclusion | Server AV reports or documented control rationale |
Cross-Cutting Requirements
Beyond the five themes, the current question set embeds requirements that span multiple controls. Auditors verify these explicitly.
| What to verify | Typical evidence |
|---|---|
| BYOD devices accessing organisational data/services are within scope and meet the controls | BYOD policy, MDM enrolment records, device compliance reports |
| Thin clients (if relied upon in scope) are supported and receiving updates | Thin-client inventory, vendor support confirmation |
| Home working devices connecting to organisational services meet firewall, update and malware controls | Remote-working policy, endpoint compliance evidence |
| Cloud service responsibilities are correctly split between organisation and provider | Shared-responsibility mapping, provider assurance (e.g. provider's own certifications) |
| The whole organisation (or a clearly defined, self-contained sub-set) is in scope | Scope statement, network/asset boundary description |
Scoping
Correct scoping is the single most important decision in a Cyber Essentials engagement, and the most common cause of assessment failure or rework. The preferred and default scope is the whole organisation. A sub-set scope is permitted only where it is a clearly separable business unit or network segment with its own defined boundary — a partial scope reduces the assurance value of the certificate and must be described precisely.
- Whole-organisation scope covers all devices, users, networks and cloud services used to access organisational data and services.
- In-scope assets include all end-user devices (desktops, laptops, tablets, mobile phones), servers, network equipment, and all cloud services (IaaS, PaaS, SaaS).
- Home workers and their devices are in scope when they access organisational data or services; the home router is generally out of scope but a software firewall on the device is required.
- BYOD devices used to access organisational email, documents or applications are in scope (with limited exceptions for read-only voice/multimedia and certain native app access — check the current question set).
- A sub-set scope must be network-segregated (e.g. by VLAN or firewall) from the rest of the organisation and clearly named on the certificate.
- End-of-life/unsupported software must be segregated onto a network with no internet access to be excluded from scope, or it fails the assessment.
Implementation Approach
A structured, phased approach de-risks certification, particularly for Cyber Essentials Plus where independent testing leaves no room for undocumented gaps. The following four phases move an organisation from discovery to sustained compliance.
Phase 1 — Discover and Scope
- Activities: Build a complete asset inventory (devices, servers, cloud services, network equipment); identify all internet connections; map users and administrative accounts; define scope (whole organisation vs justified sub-set); confirm question-set version.
- Deliverables: Asset and cloud-service inventory, scope statement, network diagram, current-state summary.
Phase 2 — Assess Gaps
- Activities: Map current configuration against each of the five control themes and cross-cutting requirements; run internal vulnerability scans; identify unsupported software, missing MFA, default credentials and unpatched systems.
- Deliverables: Gap analysis against the full question set, prioritised remediation plan, risk register of exceptions.
Phase 3 — Remediate
- Activities: Change default passwords; enable and configure firewalls; harden device builds; enable automatic updates and patch within 14 days; deploy/verify MFA on all cloud services; separate admin accounts; deploy malware protection; remove or segregate unsupported software.
- Deliverables: Hardened build/configuration baselines, MFA rollout evidence, patch-compliance reports, updated firewall rule base, remediation closure log.
Phase 4 — Certify and Sustain
- Activities: Complete the self-assessment question set with board sign-off; submit to a Certification Body; for Plus, support the assessor's technical testing; embed ongoing patching, access reviews and configuration control.
- Deliverables: Submitted question set, certificate (CE / CE Plus), annual recertification plan, BAU control-maintenance schedule.
Certification Levels and Assurance Model
Cyber Essentials offers two assurance levels. The self-assessment gives verified assurance (a Certification Body marks the answers), while Plus adds independent technical validation. The table below contrasts the levels along the assurance dimension, functioning as the scheme's maturity/scoring model.
| Level | Assurance mechanism | What is tested | Typical effort |
|---|---|---|---|
| Cyber Essentials | Verified self-assessment marked by a Certification Body | All five themes via question set with board-level sign-off | Days to a few weeks depending on estate size |
| Cyber Essentials Plus | Independent hands-on technical audit by a qualified assessor | Sample of devices via authenticated vulnerability scan; malware protection test; email/web-based (phishing) attack simulation; MFA and patch verification | Cyber Essentials must be held first (within 3 months); additional 1-3 days of testing plus remediation |
There is no numeric scoring; certification is binary pass/fail against the requirements. However, organisations can benchmark internal maturity to plan improvement. The illustrative maturity ladder below (a CyberSigma planning aid, not an NCSC construct) helps track readiness.
| Maturity stage | Description | Indicative indicators |
|---|---|---|
| Ad hoc | Controls inconsistent or undocumented | Default passwords exist; patching irregular; no MFA |
| Defined | Controls documented across the estate | Build baselines exist; patch SLA defined; MFA partially deployed |
| Managed | Controls consistently applied and monitored | 14-day patch SLA met; MFA on all cloud; admin separation enforced |
| Verified | Cyber Essentials self-assessment achieved | Certificate held; annual recert scheduled |
| Assured | Cyber Essentials Plus achieved and sustained | Independent testing passed; continuous monitoring in place |
Assessment and Audit Approach
The formal route to certification follows a defined sequence. For Cyber Essentials Plus, the technical audit must occur within three months of the underlying Cyber Essentials certification.
- Select an IASME-accredited Certification Body and register on the assessment platform.
- Confirm scope (whole organisation or a defined sub-set) and the applicable question-set version.
- Complete the self-assessment question set accurately across all five control themes and cross-cutting requirements.
- Obtain board-level (senior/company director) sign-off attesting the answers are true.
- Submit for marking; the Certification Body reviews answers and may request clarification or evidence.
- Remediate any non-conformities identified during marking and resubmit if required.
- On a pass, receive the Cyber Essentials certificate (valid 12 months).
- For Plus: schedule the independent audit within three months; the assessor selects a representative sample of devices.
- The assessor performs authenticated vulnerability scans, tests malware protection, and runs email/web-based attack simulations against sample devices.
- Any critical/high-severity vulnerabilities or control failures found must be remediated within the defined window to pass.
- On a pass, receive the Cyber Essentials Plus certificate; plan annual recertification for both levels.
Evidence Request List
Prepare the following categorised evidence in advance. For Cyber Essentials Plus, the assessor will also generate live evidence during testing.
- Scope and asset: asset inventory, cloud-service inventory, network diagram, scope statement, sub-set segregation evidence (if applicable).
- Firewalls: firewall/router inventory, rule base export, default-password change records, remote-management/MFA evidence, host firewall status reports.
- Secure configuration: build/hardening baselines, installed-software inventory, GPO/MDM policy exports, screen-lock and auto-run configuration, account lists.
- Security update management: OS/application version inventory mapped to vendor lifecycle, patch-deployment reports with dates, licence/support records, firmware update logs.
- User access control: JML procedure, unique-account directory export, admin-account list and separation policy, MFA configuration per cloud service, access-review records, leaver de-provisioning tickets.
- Malware protection: anti-malware deployment and definition-update reports, application allow-list configuration, tamper-protection settings, mobile/MDM app-control policy.
- Governance: board sign-off attestation, policies (remote working, BYOD, password/authentication), previous certificate (for recertification/Plus).
Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Board / Company Director | Sponsors the programme and signs off the self-assessment attestation as true |
| IT / Infrastructure Lead | Owns firewalls, secure configuration, patching and network scope |
| Security Lead / CISO | Coordinates control implementation, evidence and gap remediation |
| System / Cloud Administrators | Configure MFA, harden cloud tenants, maintain admin account separation |
| Service Desk / IAM Team | Executes joiner-mover-leaver process and access reviews |
| Endpoint / MDM Administrator | Deploys malware protection, device lock, updates and BYOD controls |
| Certification Body Assessor | Marks the self-assessment and performs the Plus technical audit (external) |
| Compliance / Project Lead | Manages scope, timelines, evidence collation and recertification |
KPIs to Track
- Percentage of in-scope devices with critical/high patches applied within 14 days.
- Percentage of cloud services and administrator accounts with MFA enforced (target 100%).
- Number of unsupported/end-of-life software instances in scope (target zero, or fully segregated).
- Percentage of devices with malware protection active and up to date.
- Number of open inbound firewall rules without documented justification (target zero).
- Mean time to disable a leaver's accounts after departure.
- Percentage of devices with default/guessable passwords remaining (target zero).
- Percentage of user accounts operating under least privilege (no unnecessary admin rights).
- Number of non-conformities raised at last assessment and time to close them.
- Days remaining until certificate expiry / recertification readiness status.
Readiness Checklist
- Complete asset and cloud-service inventory produced and scope defined and agreed.
- All internet connections protected by a correctly configured boundary firewall.
- Default administrative passwords changed on all firewalls, routers and devices.
- Host-based firewalls enabled on home/remote-working devices.
- Unnecessary accounts, software and services removed or disabled.
- Device lock (screen lock with re-authentication) enforced on all devices.
- All operating systems and applications supported and licensed (no end-of-life in scope).
- Critical and high-severity updates applied within 14 days across the estate.
- MFA enabled on all cloud services and all administrator accounts.
- Administrative accounts separated from standard accounts and not used for web/email.
- Least-privilege access enforced with a working joiner-mover-leaver process.
- Malware protection deployed, active, tamper-protected and up to date on all in-scope devices.
- BYOD and remote-working policies documented and technically enforced.
- Board-level sign-off obtained for the self-assessment attestation.
- Certification Body engaged and (for Plus) technical audit scheduled within three months.
Common Gaps
- Incorrect or over-narrow scoping — attempting to exclude servers, business units or cloud services that are genuinely in scope.
- MFA not enabled on all cloud services and administrator accounts (a frequent Plus failure).
- Unsupported/end-of-life operating systems or applications still connected to the network.
- Critical patches not applied within the 14-day window; no evidence of patch dates.
- Default or shared credentials remaining on devices, network equipment or applications.
- Administrator accounts used for everyday tasks such as email and web browsing.
- Home and BYOD devices overlooked, with no host firewall or malware protection.
- Malware protection disabled or without tamper protection, allowing users to switch it off.
- Inbound firewall rules left open without documentation or business justification.
- Leaver accounts not disabled promptly, and no periodic access review.
- Treating cloud providers' certifications as covering all controls, ignoring the organisation's share of responsibility.
- Board sign-off obtained without the signatory understanding the truthfulness of answers.
Cyber Essentials Mapped to Other Frameworks
Cyber Essentials provides a technical baseline that maps cleanly onto broader frameworks. It is not a substitute for a management system but is an excellent foundation and can accelerate wider compliance.
| Cyber Essentials theme | ISO/IEC 27001:2022 (Annex A) | NIST CSF 2.0 | PCI DSS v4.0 | CIS Controls v8 |
|---|---|---|---|---|
| Firewalls | 8.20 Network security; 8.22 Segregation of networks | PROTECT (PR.AA / PR.IR) | Req 1 Network security controls | Control 4, Control 13 |
| Secure Configuration | 8.9 Configuration management | PROTECT (PR.PS) | Req 2 Secure configurations | Control 4, Control 12 |
| Security Update Management | 8.8 Management of technical vulnerabilities | IDENTIFY / PROTECT (ID.RA, PR.PS) | Req 6 Develop and maintain secure systems | Control 7 |
| User Access Control | 8.2 / 8.3 / 5.15-5.18 Access control & identity | PROTECT (PR.AA) | Req 7 & 8 Access control and identification/authentication | Control 5, Control 6 |
| Malware Protection | 8.7 Protection against malware | DETECT / PROTECT (DE.CM, PR.PS) | Req 5 Protect against malicious software | Control 10 |
| Cross-cutting (MFA, BYOD, cloud) | 5.14, 8.1, 5.23 Cloud services | PROTECT / GOVERN | Req 8.4/8.5 MFA; Req 12 policies | Control 6, Control 15 |
Frequently asked questions
Need help with Cyber Essentials?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
