
Cyber Essentials is the UK Government-backed cybersecurity certification scheme designed to help organizations protect themselves against common cyber attacks. The scheme provides a clear statement of the basic security controls organizations should have in place.
Cyber Essentials represents a baseline security certification supported by the UK Government. The scheme addresses fundamental cybersecurity controls that protect against the most common attack vectors. Organizations can choose between self-assessment Cyber Essentials or independently verified Cyber Essentials Plus.
Government contracts involving handling of certain information require Cyber Essentials certification. The certification provides cost-effective security validation accessible to organizations of all sizes. Annual recertification maintains current compliance status.
Cyber Essentials focuses on five essential security control areas that together address common attack vectors.
The firewalls control requires boundary protection through network firewalls, or host-based firewalls on individual devices. Configuration must follow default-deny principles: traffic is blocked unless explicitly permitted. Administrative interfaces require protection from unauthorized access.
Secure configuration ensures systems are configured to minimize security risks. Default accounts and unnecessary user accounts must be removed or disabled. Default passwords must be changed before deployment. Auto-run features should be disabled. Unnecessary software must be removed from systems.
User access control requires accounts to operate with minimum necessary privileges. Administrative accounts should be used only for administrative tasks, not daily work. Strong password policies must be implemented and enforced.
Malware protection requires anti-malware software on devices capable of running such software. Signature updates must remain current. Application whitelisting or sandboxing provides additional protection layers.
Patch management requires critical and high-severity patches to be applied within fourteen days of release. Only supported (vendor-maintained) software versions may be used. Automatic updates should be enabled where practical.
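As an added illustration of the patch management control (this is example code written for this lesson, not tooling from the Cyber Essentials scheme), the script below checks a constructed software inventory against the fourteen-day window for critical and high-severity fixes and flags unsupported software. The inventory entries, product names, version numbers and dates are all made up for the example, and versions are assumed to be simple dotted numeric strings.

```python
from datetime import date, timedelta

# Cyber Essentials requirement: critical/high fixes applied within 14 days of release.
PATCH_WINDOW_DAYS = 14
IN_SCOPE_SEVERITIES = {"critical", "high"}


def parse_version(version):
    """Turn a dotted numeric version such as '2.4.1' into a comparable tuple (2, 4, 1).
    Assumption: every component is numeric; real vendor versioning can be messier."""
    return tuple(int(part) for part in version.split("."))


def days_overdue(release_date_iso, as_of_iso):
    """Days past the 14-day patch window, or 0 if the window has not yet closed."""
    release = date.fromisoformat(release_date_iso)
    deadline = release + timedelta(days=PATCH_WINDOW_DAYS)
    return max(0, (date.fromisoformat(as_of_iso) - deadline).days)


def assess_patches(inventory, as_of_iso):
    """Return a list of (name, reason) findings for inventory entries that breach the control.

    Each entry is a dict with: name, installed_version, fixed_version,
    severity, release_date (ISO string) and supported (bool).
    """
    findings = []
    for item in inventory:
        # Unsupported software fails the control regardless of patch state.
        if not item["supported"]:
            findings.append((item["name"], "unsupported software version in use"))
            continue
        # Fix already installed: nothing to report.
        if parse_version(item["installed_version"]) >= parse_version(item["fixed_version"]):
            continue
        # The 14-day deadline applies only to critical and high severity fixes.
        if item["severity"].lower() not in IN_SCOPE_SEVERITIES:
            continue
        overdue = days_overdue(item["release_date"], as_of_iso)
        if overdue > 0:
            findings.append(
                (item["name"], f"{item['severity']} patch overdue by {overdue} day(s)")
            )
    return findings


# Constructed sample inventory for the example (not real products or dates).
SAMPLE_INVENTORY = [
    {"name": "webserver", "installed_version": "2.4.1", "fixed_version": "2.4.2",
     "severity": "critical", "release_date": "2024-03-01", "supported": True},
    {"name": "pdf-reader", "installed_version": "11.0", "fixed_version": "11.1",
     "severity": "high", "release_date": "2024-03-10", "supported": True},
    {"name": "legacy-db", "installed_version": "5.0", "fixed_version": "5.0",
     "severity": "none", "release_date": "2020-01-01", "supported": False},
    {"name": "editor", "installed_version": "3.0", "fixed_version": "3.0",
     "severity": "high", "release_date": "2024-02-01", "supported": True},
    {"name": "chat-client", "installed_version": "1.0", "fixed_version": "1.1",
     "severity": "medium", "release_date": "2024-01-01", "supported": True},
]


def run_sample_assessment(as_of_iso="2024-03-20"):
    """Assess the constructed inventory as of a fixed date so results are reproducible."""
    return assess_patches(SAMPLE_INVENTORY, as_of_iso)


if __name__ == "__main__":
    for name, reason in run_sample_assessment():
        print(f"FAIL {name}: {reason}")
```

Run as of 2024-03-20, the sample reports two failures: the web server's critical fix (released 1 March, deadline 15 March) is five days overdue, and the unsupported database fails outright. The PDF reader's high-severity fix is still inside its window, and the medium-severity chat client fix is outside the scope of the fourteen-day rule.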
Organizations complete the self-assessment questionnaire honestly and thoroughly. Senior management signs a declaration confirming accuracy of responses. Upon successful assessment, certification is granted with one-year validity. Annual reassessment maintains certified status.
Which certification is self-assessed?
How many technical control themes are there?
Days to patch critical vulnerabilities?