The Cyber Essentials Scheme

Cyber Essentials is a scheme launched by the Government in June 2014 in order to define a basic cyber security standard for UK organisations and provide them, customers and partners with confidence in their ability to measure and reduce basic risks. It identifies the security controls that you must have in place within your IT system(s) in order to do so, as well as providing a standard against which you can be independently certified.

Cyber Essentials is designed to be particularly relevant to SMEs whose IT systems comprise common off the shelf components rather than customised, complex systems, and where IT exists to enable business processes rather than providing a deliverable service in its own right.

Certification is intended to provide a tick in the box for your customers and partners to indicate that you have the basics in place to minimise and mitigate cyber risks, providing them with a degree of assurance of your integrity in this area. It is planned that it will also be a prerequisite to supplying the government with goods or services.

Cyber Essentials certification

Initially, there are two levels of certification: Cyber Essentials (stage 1) and Cyber Essentials Plus (stage 2), with further levels planned. Completion of stage 1 is prerequisite to stage 2.

Stage 1

You state your organisation’s compliance with Cyber Essentials requirements by responding to a questionnaire covering the requirements for basic technical protection from cyberattacks. The completed questionnaire is sent for review to a recognised body which also undertakes an external vulnerability assessment, testing that individual controls on your internet-facing network perimeter have been implemented correctly, and that there are no obvious vulnerabilities.

Stage 2

You may also choose to undergo a more thorough assessment from a certifying body. This assessment is based on an internal security assessment of your end-user devices. Once again this directly tests that you have implemented individual controls correctly and recreates various attack scenarios to determine whether your system can be compromised using basic capabilities.

The five technical controls

1.  Boundary firewalls and internet gateways – these are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices either in hardware or software form is important for them to be fully effective.

2.  Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.

3.  Access control – Ensuring only those who should have access to systems to have access and at the appropriate level.

4 . Malware protection – ensuring that virus and malware protection is installed and is it up to date.

5 . Patch management – ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor been applied.

More information

You can obtain more information about the Cyber Essentials scheme and certification here.


In partnership with

Jargon Buster

A Glossary of terms used in this article:

Access control

Controlling who has access to what information.


Software used or created by hackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Short for ‘malicious software’.


A software update, often related to improving security.