Knowledge Center / Cyber Essentials
UK NCSC / IASME · United Kingdom

Cyber Essentials (UK)

A UK government-backed certification for baseline cyber hygiene.

Introduction: Cyber Essentials (UK) — An Auditor's Deep Dive

Cyber Essentials is a UK Government-backed cyber security certification scheme designed to help organisations of any size guard against the most common internet-borne cyber attacks. Launched in 2014 and operated on behalf of the National Cyber Security Centre (NCSC) by IASME Consortium as the sole Cyber Essentials Partner (delivery partner since April 2020), the scheme sets out five fundamental technical controls that, when correctly implemented, protect against approximately 80% of common cyber attacks such as phishing, malware, ransomware and password-guessing.

There are two levels of certification. Cyber Essentials is a verified self-assessment against a defined question set, and Cyber Essentials Plus adds an independent, hands-on technical audit performed by a qualified Certification Body assessor. This guide is written from the perspective of a CERT-In empanelled auditor and PCI QSA to give practitioners an accurate, control-by-control roadmap to achieving and sustaining certification. Terminology, control names and the requirement structure reflect the current 'Montpellier' question set and the 'Cyber Essentials: Requirements for IT Infrastructure' document.

Copyright and Trademark Note
'Cyber Essentials' and 'Cyber Essentials Plus' are trademarks and the scheme is owned by the UK National Cyber Security Centre (NCSC), part of GCHQ, and delivered by the IASME Consortium. This guide is original CyberSigma commentary written for educational purposes. It paraphrases publicly available requirements and does not reproduce NCSC or IASME copyrighted question-set text, marking schemes or certification documents. Always work from the official current requirements document and question set (versioned by release name, e.g. 'Montpellier') and engage a licensed Certification Body for formal certification.

What is Cyber Essentials

Cyber Essentials is a baseline cyber hygiene certification that focuses exclusively on technical controls at the boundary and endpoint of an organisation's IT estate. Unlike broader management-system standards such as ISO/IEC 27001, Cyber Essentials does not assess governance maturity, risk management processes or documentation depth. Instead, it verifies that a defined set of technical controls is in place across all internet-facing and end-user systems within scope.

The scheme is built around five technical control themes. Each theme contains specific, testable requirements. The self-assessment (Cyber Essentials) requires an organisation to answer the full question set truthfully, with sign-off by a board-level representative, after which a Certification Body marks the answers. Cyber Essentials Plus retains the same five control themes but validates them through independent technical testing including authenticated vulnerability scans of a sample of devices, tests of malware protection, and simulated phishing/email-based attacks.

AttributeDetail
Scheme ownerUK National Cyber Security Centre (NCSC / GCHQ)
Delivery partnerIASME Consortium (sole Cyber Essentials Partner)
Certification levelsCyber Essentials (verified self-assessment); Cyber Essentials Plus (independent audit)
Control themesFive: Firewalls, Secure Configuration, Security Update Management, User Access Control, Malware Protection
Question setVersioned by release name (e.g. Montpellier); refreshed periodically
Validity12 months from certificate issue; annual recertification required
Assessment platformIASME certification portal (self-assessment question set)
Attack coverageProtects against ~80% of common internet-based attacks

Who Must Comply

Cyber Essentials is voluntary for most organisations but is contractually mandatory in several UK Government supply-chain contexts and is increasingly demanded in commercial procurement, insurance and framework qualification.

CategoryApplicability
UK central government suppliersMandatory where a contract involves handling certain sensitive/personal information or provision of certain ICT products and services
MOD Defence suppliersCyber Essentials (and DEFCON 658 / DEFSTAN compliance) required where DEFCON conditions apply
NHS and health/social care suppliersFrequently required via DSPT and procurement frameworks
Public sector framework biddersOften a pass/fail condition on Crown Commercial Service and local authority tenders
SMEs seeking cyber insuranceCertification commonly reduces premiums and satisfies underwriting baselines
Any organisation wanting baseline assuranceVoluntary adoption to demonstrate due diligence to clients and partners
Charities and third-sector bodiesAdopted for grant eligibility and donor/partner assurance
  • Organisations bidding for UK public-sector contracts that specify Cyber Essentials as a condition.
  • Managed Service Providers (MSPs) whose clients require supply-chain assurance.
  • Businesses that want an affordable, government-recognised demonstration of baseline security.
  • Firms seeking to reduce cyber insurance premiums or meet insurer prerequisites.

Structure of Cyber Essentials

The scheme is organised into five technical control themes. Each theme groups a set of specific, testable requirements applied consistently across all in-scope devices — including servers, desktops, laptops, tablets, mobile phones, thin clients and cloud services. The table below summarises the five themes and their core intent.

Control themePurposeApplies to
FirewallsEnsure only safe and necessary network services are accessible from the internetBoundary firewalls, internet gateways, host-based/software firewalls, home/remote workers
Secure ConfigurationConfigure devices and software to reduce inherent vulnerabilities and remove unnecessary functionalityAll servers, end-user devices, cloud services, network equipment
Security Update ManagementKeep operating systems and applications supported, licensed and patchedAll software: OS, firmware, applications, plugins
User Access ControlGrant access only to those who need it, with strong authentication and least privilegeAll user and administrative accounts across devices and cloud services
Malware ProtectionRestrict execution of known and unknown malicious softwareEnd-user devices and internet-facing servers

In addition to the five themes, current question sets embed several cross-cutting requirements: multi-factor authentication (MFA) for cloud services, treatment of Bring Your Own Device (BYOD), account separation for administration, and end-of-life/unsupported software handling. Cloud services — Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) — are all explicitly in scope, with the organisation and the cloud provider holding shared responsibility for the controls.

Master Assessment Checklist

This is the core of the guide. Each of the five control themes is enumerated below with its specific requirements, what an auditor verifies, and the typical evidence expected in a Cyber Essentials or Cyber Essentials Plus assessment. Every requirement area is covered — do not treat any as optional. For Cyber Essentials Plus, expect the assessor to independently verify these through authenticated scanning and live testing rather than relying on declarations.

Control Theme 1 — Firewalls

This theme ensures that every device is protected by a correctly configured firewall (or equivalent network device) between the internal network/device and the internet. It covers boundary firewalls and host-based (software) firewalls, including protection for home and remote workers not sitting behind a corporate boundary firewall.

What to verifyTypical evidence
A boundary firewall or internet gateway is present at every internet connectionNetwork diagram, firewall inventory, ISP/router model list
Default administrative passwords on firewalls/routers have been changed to strong, unique valuesPassword change records, configuration screenshots, MFA/passphrase evidence
No unauthenticated inbound connections are permitted by defaultFirewall rule base export, deny-all default rule evidence
Every inbound firewall rule is documented, business-approved and necessaryFirewall change register, rule justification records
Inbound rules that are no longer required are removed promptlyRule review log, change tickets showing rule removal
The firewall administration interface is not accessible from the internet unless protected by MFA or IP allow-listingConfiguration screenshots, remote-access policy
Host-based (software) firewalls are enabled on devices used outside the corporate boundary (e.g. home/remote workers)Endpoint firewall status reports, MDM/GPO configuration
Any port forwarding or DMZ configuration is justified and documentedFirewall config, business justification records

Control Theme 2 — Secure Configuration

This theme ensures devices and software are configured to minimise vulnerabilities: removing or disabling unnecessary accounts, software and services, changing default credentials, and applying screen-lock/device-lock protections. It also covers auto-run/auto-play restrictions and the treatment of default installations.

What to verifyTypical evidence
Unnecessary user accounts (e.g. guest, default) are removed or disabledAccount inventory, local user list screenshots
Default or guessable passwords on devices and software are changed before deploymentBuild/hardening checklist, configuration records
Unnecessary software (applications, services, roles) is removed or disabledInstalled software inventory, build image documentation
Auto-run/auto-play of executable content from removable media is disabledGPO/MDM policy export, device configuration screenshots
Devices lock (require re-authentication) after a period of inactivityScreen-lock policy, MDM configuration, timeout settings
A device unlock/authentication mechanism protects each device (password, PIN, biometric)Lock-screen policy, device configuration evidence
Where PINs/passwords protect device unlock, brute-force protection or minimum length rules applyConfiguration showing throttling/lockout or length requirements
Cloud service configurations are hardened (e.g. no default admin, secure defaults reviewed)Cloud console configuration exports, tenant settings screenshots

Control Theme 3 — Security Update Management

This theme ensures all software remains supported by its vendor, is licensed, and is kept up to date. Critical and high-severity security updates must be applied within a defined window (currently 14 days of release). Unsupported/end-of-life software must be removed from scope or the device removed from the network.

What to verifyTypical evidence
All operating systems and applications in scope are still supported by the vendor (not end-of-life)Software/OS version inventory mapped to vendor support lifecycle
All software is licensed and supportedLicence records, subscription/support agreements
Automatic updates are enabled where availableUpdate-management configuration, MDM/WSUS/patch-tool settings
High-risk or critical security updates are applied within 14 days of vendor releasePatch deployment reports with dates, vulnerability-scan results
Unsupported software is removed from devices or the device removed from scopeDecommissioning records, removal tickets, scope exclusion notes
Firmware on firewalls/routers and other network devices is kept updatedFirmware version records, update logs
Mobile and BYOD devices receive OS/app updates within the required timeframeMDM patch-compliance reports
Browser plugins, extensions and add-ons are patched or removedPlugin inventory, update evidence

Control Theme 4 — User Access Control

This theme ensures access to systems and data is granted only to authorised individuals, following least privilege, with a robust account-provisioning and de-provisioning process. It mandates strong authentication, separation of administrative accounts, and multi-factor authentication for cloud services and administrator access.

What to verifyTypical evidence
A documented process exists to create, approve and remove user accountsJoiner-mover-leaver (JML) procedure, access-request records
Each user has a unique account (no shared accounts)User account inventory, directory export
User accounts are granted least-privilege access appropriate to the roleAccess review records, role-to-permission mapping
Administrative accounts are separate from standard day-to-day accountsAdmin account list, separation policy, directory groups
Administrative privileges are only used for administrative tasks (no web/email on admin accounts)Admin usage policy, technical controls blocking browsing on admin accounts
Multi-factor authentication (MFA) is enabled on all cloud servicesMFA configuration screenshots per cloud tenant/service
MFA is enabled for all administrator accounts on cloud servicesAdmin MFA enforcement evidence
Password-based authentication meets minimum standards (length, deny-list, throttling or account lockout)Password policy configuration, deny-list/throttling settings
Accounts of leavers are disabled or removed promptlyLeaver tickets, disabled-account audit
Access is reviewed periodically to remove redundant privilegesAccess recertification records

Control Theme 5 — Malware Protection

This theme ensures devices are protected against malicious software using at least one of three approved mechanisms: anti-malware software, application allow-listing, or (historically) sandboxing. The mechanism must be kept current and configured to prevent execution of malicious code.

What to verifyTypical evidence
At least one approved malware protection mechanism is implemented on in-scope devicesAnti-malware deployment report or allow-list configuration
Anti-malware software (where used) updates signatures/definitions automaticallyDefinition-update logs, console reports
Anti-malware scans files on access and prevents connection to known malicious websites where supportedAV policy configuration, web-protection settings
Where application allow-listing is used, only approved applications can executeAllow-list policy, application control configuration
Mobile devices are protected (via app store restrictions, MDM app control or anti-malware)MDM policy, managed app store configuration
Malware protection is active and cannot be disabled by standard usersTamper-protection settings, endpoint policy
Cloud-delivered and internet-facing servers have appropriate malware protection or justified exclusionServer AV reports or documented control rationale

Cross-Cutting Requirements

Beyond the five themes, the current question set embeds requirements that span multiple controls. Auditors verify these explicitly.

What to verifyTypical evidence
BYOD devices accessing organisational data/services are within scope and meet the controlsBYOD policy, MDM enrolment records, device compliance reports
Thin clients (if relied upon in scope) are supported and receiving updatesThin-client inventory, vendor support confirmation
Home working devices connecting to organisational services meet firewall, update and malware controlsRemote-working policy, endpoint compliance evidence
Cloud service responsibilities are correctly split between organisation and providerShared-responsibility mapping, provider assurance (e.g. provider's own certifications)
The whole organisation (or a clearly defined, self-contained sub-set) is in scopeScope statement, network/asset boundary description

Scoping

Correct scoping is the single most important decision in a Cyber Essentials engagement, and the most common cause of assessment failure or rework. The preferred and default scope is the whole organisation. A sub-set scope is permitted only where it is a clearly separable business unit or network segment with its own defined boundary — a partial scope reduces the assurance value of the certificate and must be described precisely.

  • Whole-organisation scope covers all devices, users, networks and cloud services used to access organisational data and services.
  • In-scope assets include all end-user devices (desktops, laptops, tablets, mobile phones), servers, network equipment, and all cloud services (IaaS, PaaS, SaaS).
  • Home workers and their devices are in scope when they access organisational data or services; the home router is generally out of scope but a software firewall on the device is required.
  • BYOD devices used to access organisational email, documents or applications are in scope (with limited exceptions for read-only voice/multimedia and certain native app access — check the current question set).
  • A sub-set scope must be network-segregated (e.g. by VLAN or firewall) from the rest of the organisation and clearly named on the certificate.
  • End-of-life/unsupported software must be segregated onto a network with no internet access to be excluded from scope, or it fails the assessment.
Scoping Pitfall
Excluding a business unit or 'legacy' server simply because it is inconvenient does not create a valid sub-set scope. Sub-sets must be genuinely segregated. Cloud services cannot be descoped by claiming the provider is responsible — the organisation must demonstrate the shared-responsibility controls are met on its side.

Implementation Approach

A structured, phased approach de-risks certification, particularly for Cyber Essentials Plus where independent testing leaves no room for undocumented gaps. The following four phases move an organisation from discovery to sustained compliance.

Phase 1 — Discover and Scope

  • Activities: Build a complete asset inventory (devices, servers, cloud services, network equipment); identify all internet connections; map users and administrative accounts; define scope (whole organisation vs justified sub-set); confirm question-set version.
  • Deliverables: Asset and cloud-service inventory, scope statement, network diagram, current-state summary.

Phase 2 — Assess Gaps

  • Activities: Map current configuration against each of the five control themes and cross-cutting requirements; run internal vulnerability scans; identify unsupported software, missing MFA, default credentials and unpatched systems.
  • Deliverables: Gap analysis against the full question set, prioritised remediation plan, risk register of exceptions.

Phase 3 — Remediate

  • Activities: Change default passwords; enable and configure firewalls; harden device builds; enable automatic updates and patch within 14 days; deploy/verify MFA on all cloud services; separate admin accounts; deploy malware protection; remove or segregate unsupported software.
  • Deliverables: Hardened build/configuration baselines, MFA rollout evidence, patch-compliance reports, updated firewall rule base, remediation closure log.

Phase 4 — Certify and Sustain

  • Activities: Complete the self-assessment question set with board sign-off; submit to a Certification Body; for Plus, support the assessor's technical testing; embed ongoing patching, access reviews and configuration control.
  • Deliverables: Submitted question set, certificate (CE / CE Plus), annual recertification plan, BAU control-maintenance schedule.

Certification Levels and Assurance Model

Cyber Essentials offers two assurance levels. The self-assessment gives verified assurance (a Certification Body marks the answers), while Plus adds independent technical validation. The table below contrasts the levels along the assurance dimension, functioning as the scheme's maturity/scoring model.

LevelAssurance mechanismWhat is testedTypical effort
Cyber EssentialsVerified self-assessment marked by a Certification BodyAll five themes via question set with board-level sign-offDays to a few weeks depending on estate size
Cyber Essentials PlusIndependent hands-on technical audit by a qualified assessorSample of devices via authenticated vulnerability scan; malware protection test; email/web-based (phishing) attack simulation; MFA and patch verificationCyber Essentials must be held first (within 3 months); additional 1-3 days of testing plus remediation

There is no numeric scoring; certification is binary pass/fail against the requirements. However, organisations can benchmark internal maturity to plan improvement. The illustrative maturity ladder below (a CyberSigma planning aid, not an NCSC construct) helps track readiness.

Maturity stageDescriptionIndicative indicators
Ad hocControls inconsistent or undocumentedDefault passwords exist; patching irregular; no MFA
DefinedControls documented across the estateBuild baselines exist; patch SLA defined; MFA partially deployed
ManagedControls consistently applied and monitored14-day patch SLA met; MFA on all cloud; admin separation enforced
VerifiedCyber Essentials self-assessment achievedCertificate held; annual recert scheduled
AssuredCyber Essentials Plus achieved and sustainedIndependent testing passed; continuous monitoring in place

Assessment and Audit Approach

The formal route to certification follows a defined sequence. For Cyber Essentials Plus, the technical audit must occur within three months of the underlying Cyber Essentials certification.

  1. Select an IASME-accredited Certification Body and register on the assessment platform.
  2. Confirm scope (whole organisation or a defined sub-set) and the applicable question-set version.
  3. Complete the self-assessment question set accurately across all five control themes and cross-cutting requirements.
  4. Obtain board-level (senior/company director) sign-off attesting the answers are true.
  5. Submit for marking; the Certification Body reviews answers and may request clarification or evidence.
  6. Remediate any non-conformities identified during marking and resubmit if required.
  7. On a pass, receive the Cyber Essentials certificate (valid 12 months).
  8. For Plus: schedule the independent audit within three months; the assessor selects a representative sample of devices.
  9. The assessor performs authenticated vulnerability scans, tests malware protection, and runs email/web-based attack simulations against sample devices.
  10. Any critical/high-severity vulnerabilities or control failures found must be remediated within the defined window to pass.
  11. On a pass, receive the Cyber Essentials Plus certificate; plan annual recertification for both levels.

Evidence Request List

Prepare the following categorised evidence in advance. For Cyber Essentials Plus, the assessor will also generate live evidence during testing.

  • Scope and asset: asset inventory, cloud-service inventory, network diagram, scope statement, sub-set segregation evidence (if applicable).
  • Firewalls: firewall/router inventory, rule base export, default-password change records, remote-management/MFA evidence, host firewall status reports.
  • Secure configuration: build/hardening baselines, installed-software inventory, GPO/MDM policy exports, screen-lock and auto-run configuration, account lists.
  • Security update management: OS/application version inventory mapped to vendor lifecycle, patch-deployment reports with dates, licence/support records, firmware update logs.
  • User access control: JML procedure, unique-account directory export, admin-account list and separation policy, MFA configuration per cloud service, access-review records, leaver de-provisioning tickets.
  • Malware protection: anti-malware deployment and definition-update reports, application allow-list configuration, tamper-protection settings, mobile/MDM app-control policy.
  • Governance: board sign-off attestation, policies (remote working, BYOD, password/authentication), previous certificate (for recertification/Plus).

Roles and Responsibilities

RoleResponsibility
Board / Company DirectorSponsors the programme and signs off the self-assessment attestation as true
IT / Infrastructure LeadOwns firewalls, secure configuration, patching and network scope
Security Lead / CISOCoordinates control implementation, evidence and gap remediation
System / Cloud AdministratorsConfigure MFA, harden cloud tenants, maintain admin account separation
Service Desk / IAM TeamExecutes joiner-mover-leaver process and access reviews
Endpoint / MDM AdministratorDeploys malware protection, device lock, updates and BYOD controls
Certification Body AssessorMarks the self-assessment and performs the Plus technical audit (external)
Compliance / Project LeadManages scope, timelines, evidence collation and recertification

KPIs to Track

  • Percentage of in-scope devices with critical/high patches applied within 14 days.
  • Percentage of cloud services and administrator accounts with MFA enforced (target 100%).
  • Number of unsupported/end-of-life software instances in scope (target zero, or fully segregated).
  • Percentage of devices with malware protection active and up to date.
  • Number of open inbound firewall rules without documented justification (target zero).
  • Mean time to disable a leaver's accounts after departure.
  • Percentage of devices with default/guessable passwords remaining (target zero).
  • Percentage of user accounts operating under least privilege (no unnecessary admin rights).
  • Number of non-conformities raised at last assessment and time to close them.
  • Days remaining until certificate expiry / recertification readiness status.

Readiness Checklist

  • Complete asset and cloud-service inventory produced and scope defined and agreed.
  • All internet connections protected by a correctly configured boundary firewall.
  • Default administrative passwords changed on all firewalls, routers and devices.
  • Host-based firewalls enabled on home/remote-working devices.
  • Unnecessary accounts, software and services removed or disabled.
  • Device lock (screen lock with re-authentication) enforced on all devices.
  • All operating systems and applications supported and licensed (no end-of-life in scope).
  • Critical and high-severity updates applied within 14 days across the estate.
  • MFA enabled on all cloud services and all administrator accounts.
  • Administrative accounts separated from standard accounts and not used for web/email.
  • Least-privilege access enforced with a working joiner-mover-leaver process.
  • Malware protection deployed, active, tamper-protected and up to date on all in-scope devices.
  • BYOD and remote-working policies documented and technically enforced.
  • Board-level sign-off obtained for the self-assessment attestation.
  • Certification Body engaged and (for Plus) technical audit scheduled within three months.

Common Gaps

  • Incorrect or over-narrow scoping — attempting to exclude servers, business units or cloud services that are genuinely in scope.
  • MFA not enabled on all cloud services and administrator accounts (a frequent Plus failure).
  • Unsupported/end-of-life operating systems or applications still connected to the network.
  • Critical patches not applied within the 14-day window; no evidence of patch dates.
  • Default or shared credentials remaining on devices, network equipment or applications.
  • Administrator accounts used for everyday tasks such as email and web browsing.
  • Home and BYOD devices overlooked, with no host firewall or malware protection.
  • Malware protection disabled or without tamper protection, allowing users to switch it off.
  • Inbound firewall rules left open without documentation or business justification.
  • Leaver accounts not disabled promptly, and no periodic access review.
  • Treating cloud providers' certifications as covering all controls, ignoring the organisation's share of responsibility.
  • Board sign-off obtained without the signatory understanding the truthfulness of answers.

Cyber Essentials Mapped to Other Frameworks

Cyber Essentials provides a technical baseline that maps cleanly onto broader frameworks. It is not a substitute for a management system but is an excellent foundation and can accelerate wider compliance.

Cyber Essentials themeISO/IEC 27001:2022 (Annex A)NIST CSF 2.0PCI DSS v4.0CIS Controls v8
Firewalls8.20 Network security; 8.22 Segregation of networksPROTECT (PR.AA / PR.IR)Req 1 Network security controlsControl 4, Control 13
Secure Configuration8.9 Configuration managementPROTECT (PR.PS)Req 2 Secure configurationsControl 4, Control 12
Security Update Management8.8 Management of technical vulnerabilitiesIDENTIFY / PROTECT (ID.RA, PR.PS)Req 6 Develop and maintain secure systemsControl 7
User Access Control8.2 / 8.3 / 5.15-5.18 Access control & identityPROTECT (PR.AA)Req 7 & 8 Access control and identification/authenticationControl 5, Control 6
Malware Protection8.7 Protection against malwareDETECT / PROTECT (DE.CM, PR.PS)Req 5 Protect against malicious softwareControl 10
Cross-cutting (MFA, BYOD, cloud)5.14, 8.1, 5.23 Cloud servicesPROTECT / GOVERNReq 8.4/8.5 MFA; Req 12 policiesControl 6, Control 15
How CyberSigma Helps
CyberSigma guides organisations end to end through Cyber Essentials and Cyber Essentials Plus. Our CERT-In empanelled and QSA-qualified team runs a rapid gap assessment against the current question set, defines a defensible scope, and delivers hands-on remediation — enabling MFA across cloud services, hardening builds, establishing a 14-day patch SLA, and separating administrative accounts. We prepare all evidence, coach your board on the attestation, liaise with your Certification Body, and support the Plus technical audit through to a first-time pass. Beyond certification, we embed continuous patch, access-review and configuration monitoring so recertification is routine, and we map your Cyber Essentials controls onto ISO 27001, NIST CSF, PCI DSS and CIS to unlock broader compliance value. Contact CyberSigma to build a costed, time-boxed path to certification.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Is Cyber Essentials mandatory?
It is voluntary in general but often required to bid for certain UK government contracts, especially those handling personal or sensitive information.
Official documents

Need help with Cyber Essentials?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.