Understanding Cyber Essentials

Written by Joseph Poppy on 04/10/2019

What is Cyber Essentials?

Over 80% of UK businesses are vulnerable to easily avoidable security threats. To help solve this security challenge, Cyber Essentials and Cyber Essentials Plus are Government-backed certification standards that are aimed at delivering an essential security baseline for every organisation. They describe key technical controls that need to be in place in order to defend against the most common cyber threats. By becoming Cyber Essentials certified your organisation can display the logo on your website and marketing materials, improving trust with your customers. Plus, many Government contracts will only consider applications from Cyber Essentials certified companies.

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Both Cyber Essentials and Cyber Essentials Plus demonstrate that your organisation is taking cyber security seriously and has the five technical controls in place. Cyber Essentials is a self-assessment questionnaire, verified by a certifying body (such as Bulletproof). If you have 2 or fewer major non-conformances, you pass. Cyber Essentials Plus offers everything that Cyber Essentials provides, plus internal and external vulnerability scans and a workstation assessment. Cyber Essentials Plus can be thought of as an independent verification of everything that was claimed in Cyber Essentials. This extra level of scrutiny means your Cyber Essentials Plus badge will hold more weight with potential customers.

Whilst Cyber Essentials Plus is the more expensive of the two, it is held in higher regard and much of the work is done by the certifying body. If you feel a bit overwhelmed and don’t know where to start, don’t worry – most companies have a range of support options to help you through the process.


Benefits of Cyber Essentials for your business

By becoming Cyber Essentials compliant, businesses can demonstrate to their customers that they take security seriously and have the basics in place to protect their data. Think of it as a fundamental security baseline that can be universally applied to pretty much every organisation. This gives reassurance to customers, potential customers and suppliers, and also gives your organisation a clearer picture of your level of cyber security.

You can also win new business with Cyber Essentials certification. Central Government contracts need suppliers to be Cyber Essentials certified, and most MoD contracts demand Cyber Essentials Plus. As of 2021, the NHS also requires suppliers to be Cyber Essentials certified. Though Cyber Essentials is not mandatory, it is incredibly valuable. It’s not a particularly costly procedure, so the benefits far outweigh the initial investment.



Cyber Essentials checklist

Cyber Essentials can be thought of as a checklist of sorts. Just like a pilot will go through and test various things before take-off, a business should check they have the right technical controls in place before they start storing and processing customer data. There are five technical controls that underpin the Cyber Essentials framework, which between them form the basis of secure computing. They are:

  • Firewalls & routers
  • Security configuration
  • User access control
  • Malware protection
  • Software updates

By assessing and ensuring your business is maintaining these five controls to a good standard, you can request Cyber Essentials certification from a certifying body. This will allow you to proudly display a Cyber Essentials badge on your website and attract more clients.

The process each company will go through follows the same path as illustrated below:

[Figure: Cyber Essentials certification process]

Cyber Essentials: the five technical controls

1. Firewall & routers

To achieve Cyber Essentials or Cyber Essentials Plus you need to have a firewall. More than that, you need to be using it correctly. It needs to be applied across your entire network and protect every device in your IT estate, not just your desktops or laptops. Mobile devices should certainly have a correctly configured firewall in place as these could be regularly connecting to public Wi-Fi, which as you well know, can be murky territory.

How your firewall is configured may depend on what activity you expect throughout the network on a normal day, so it is worth spending time to get this right. Of course, change all administrative passwords and block any unauthenticated inbound connections by default. That’ll be a good start.
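The default-deny point above, as an added example that is not code from the original article or from the Cyber Essentials scheme: a small first-match evaluator and audit run over a constructed ruleset, showing the weak default beside the corrected one. The ruleset format, the `note` field and the function names are assumptions made for illustration and do not match any firewall vendor's syntax.

```python
import ipaddress

# Constructed sample ruleset in a simplified, hypothetical format
# (not any firewall vendor's syntax). "note" is an assumed field
# recording why an inbound rule exists.
RULESET = {
    "default_inbound": "allow",  # weak setting: unmatched traffic gets in
    "rules": [
        {"action": "allow", "src": "203.0.113.0/24", "port": 443,
         "note": "partner access to customer portal"},
        {"action": "allow", "src": "0.0.0.0/0", "port": 3389, "note": ""},
    ],
}


def decide(ruleset, src_ip, port):
    """First matching rule wins; otherwise the default inbound policy applies."""
    addr = ipaddress.ip_address(src_ip)
    for rule in ruleset["rules"]:
        if port == rule["port"] and addr in ipaddress.ip_network(rule["src"]):
            return rule["action"]
    return ruleset["default_inbound"]


def audit(ruleset):
    """List findings for a reviewer to act on."""
    findings = []
    if ruleset["default_inbound"] != "deny":
        findings.append("default inbound policy is not deny")
    for i, rule in enumerate(ruleset["rules"]):
        if rule["action"] != "allow":
            continue
        if ipaddress.ip_network(rule["src"]).prefixlen == 0:
            findings.append(f"rule {i}: port {rule['port']} reachable from any source")
        if not rule["note"].strip():
            findings.append(f"rule {i}: allow rule has no recorded reason")
    return findings


def harden(ruleset):
    """Corrected form: default deny, keeping only allow rules with a recorded reason."""
    kept = [r for r in ruleset["rules"]
            if r["action"] != "allow" or r["note"].strip()]
    return {"default_inbound": "deny", "rules": kept}


if __name__ == "__main__":
    print(audit(RULESET))
    print(decide(harden(RULESET), "198.51.100.7", 22))
```

With the weak default, a connection that matches no rule is allowed; after `harden`, the same connection is denied while the documented rule still works.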

2. Security configuration

This one’s easy. Make sure all devices and software are configured to have the best security settings. Remove bloatware, change default passwords (don’t use Admin/Admin or P@ssword01 for that matter, as hackers sussed that ages ago). It’s also recommended that businesses start incorporating PINs or 2FA to increase security even further. If you really fancy it you can start using laser biometric scanners, but that’s up to you. Whilst these are by no means hacker proof (what is?), they do offer an extra layer of security.


3. Access control

Whilst the main aim of all this is to stop a hacker getting in, you’ll also want to limit what they can do if they manage to slip past your defences. If a burglar makes it through your locked door only to find they’re faced with several more secure doors, and the only thing they can steal is that ugly lamp Aunt Margery bought you, then they’re likely to give up and go home. The only thing you risk losing is that lamp which is no good to anybody.

Lamps aside, making sure users only have access to what they need to fulfil their role is best practice. Chaz the intern doesn’t need access to payroll folders. Cut down on the number of administrator accounts too. This will lower the risk of a high-privilege account getting compromised and allow you to easily keep track of who has access to what.

4. Malware protection

Trojans, worms, ransomware, toads – you want to avoid these, even the one I made up. Malware is everywhere and is forever adapting. Hackers are tenacious and want to get into your network. They can work their way in using various methods. Up-to-date anti-virus software from reputable providers is, like most things in Cyber Essentials, a basic protection that there’s no reason not to do.

Technical controls against malware are all very well and good, in fact they’re vital, but the best form of malware protection isn’t technical at all: it’s your staff. Specifically, it’s educating your staff. Teach them to spot the tell-tale signs of phishing, never open attachments or click links from unknown senders, steer clear of using USBs or other removable devices and, this should go without saying, don’t visit dodgy websites. This one weird trick will dramatically increase your security posture.

5. Software updates

To us technology enthusiasts this seems obvious, but your average user (and even some IT professionals) needs the importance of this brought home. Keeping software updated is an absolute must. Patches are usually released to fix security vulnerabilities, so install them and install them regularly. Instruct your staff in no uncertain terms that, if their computers say ‘do not shut down’ until the updates are installed, they definitely should not shut down. As we revealed in our 2019 annual report, out-of-date or unpatched software is one of the most frequently discovered flaws found by our penetration testers.

An update schedule is vital for continuously plugging holes in your company’s security. This is often harder to do in smaller companies that may not have the dedicated resources to test and oversee these rollouts but, regardless of size, all companies should be doing so.


How to get started?

To get Cyber Essentials certified, you start by contacting an approved certification body, such as Bulletproof. We’ll set you up on the official Cyber Essentials portal and, depending on the level of support you’ve bought, help you through the process of completing the questionnaire. It’s as simple as that to get going.


What's changed in the new version?

Experienced followers of cyber security standards will be aware that in April 2020, the Cyber Essentials scheme changed. Previously, the base level of Cyber Essentials certification required an internal vulnerability scan. Moving this to the Plus certification lowers the barrier to entry, meaning more companies can more easily improve their baseline security with Cyber Essentials certification.

Another change is that previously there were 5 accreditation bodies, meaning there were slight variations in the application of the ‘standard’. Now it’s controlled by IASME, meaning that the standard is, finally, standard. IASME ratifies Certification Bodies (like Bulletproof) to use Qualified Assessors (our consultants) to certify customers as compliant with Cyber Essentials.


What are you waiting for?

Cyber Essentials and Cyber Essentials Plus are great schemes for ensuring you have strong security foundations to build upon. Not only will it generate trust between you and your clients, it’ll give you a top-level understanding of your security posture and the common threats you need to be defending against. The best way to beat the hackers is to get the basics right.

Bulletproof’s friendly compliance officers are Qualified Assessors for Cyber Essentials, and have already helped many customers achieve Cyber Essentials and Cyber Essentials Plus. So, now you know what it is and how they can benefit you, get in touch and we’ll get you certified.



Bulletproof demonstrated their expertise from day one, and thanks to their insight we passed Cyber Essentials first time. With our 10-year history of keeping customer data secure, the Cyber Essentials scheme adds further confidence and value to Backup Systems offerings.


Christopher Blewitt  IT Support Technician, Backup Systems Ltd

