Cyber Essentials: What Is It?

Cyber Essentials (CE) is a government-backed cybersecurity certification scheme that sets out a baseline of cybersecurity suitable for all organisations. The scheme’s five security controls can prevent “around 80% of cyber attacks”. There are two levels of certification: Cyber Essentials and Cyber Essentials Plus.

Who is the Cyber Essentials scheme applicable to?

  • Organisations that use Internet-connected systems
  • Organisations that use Internet-connected end-user devices such as computers, mobile phones, printers, tablets, servers and laptops

Five key controls required for both levels of the scheme:

  • Secure Configuration
  • Boundary firewalls and Internet gateways
  • Access controls and administrative privilege management
  • Patch management
  • Malware protection

With Cyber Essentials you can:

  • focus on your core business objectives, knowing that you’re protected from the vast majority of common cyber attacks
  • drive business efficiency, save money and improve productivity through the streamlining of processes
  • reduce your insurance premiums
  • increase your resistance to cyber threats
  • demonstrate to clients, insurers, investors and other interested parties that you have taken the precautions necessary to reduce cyber risks
  • bid for UK Government contracts that involve the handling of personal and sensitive information.

Assessment methodologies for Cyber Essentials and Cyber Essentials Plus:

Cyber Essentials:

  • A verified self-assessment questionnaire
  • An external vulnerability scan of Internet-facing networks and applications to verify that there are no known vulnerabilities present; this extra scan provides an independently verified view of the organisation’s security posture

Cyber Essentials Plus:

  • Includes all the assessments for the Cyber Essentials level plus an additional internal scan and on-site assessment to test:
      • the security and anti-malware configuration of each device type
      • patch levels and system configuration
      • whether the organisation’s systems are resistant to malicious email attachments and web-downloadable binaries.

The background of the Cyber Essentials scheme

The Cyber Essentials scheme is a key deliverable of the UK’s National Cyber Security Programme. Realising that the controls in its 2012 guide, 10 Steps to Cyber Security, were not being implemented effectively, the government instigated a call for evidence on a preferred cybersecurity standard. In November 2013, it concluded that no individual standard met its specific requirements, so it developed the Cyber Essentials scheme.

  • Cyber Essentials delivers the basic controls that all organisations should implement to mitigate the risk from common Internet-based threats.
  • The scheme provides a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken essential precautions to secure against the majority of cyber risks.
  • A recent government report, “UK cyber security: the role of insurance in managing and mitigating the risk”, revealed plans to include Cyber Essentials certification in insurers’ risk assessments for SMEs.
  • Cyber Essentials enables companies to successfully tender for government contracts; see the UK Government’s procurement policy notice on the scheme.

The Cyber Essentials scheme is increasingly popular within the private sector; more than 1,200 organisations have adopted the scheme to date. Insurance firms have recognised that Cyber Essentials certification is a valuable indicator of a mature approach to cybersecurity and, according to a government report, Cyber Essentials certification can also contribute to the reduction of risk.