Understanding Cyber Essentials

Written by Joseph Poppy on 04/10/2019

What is Cyber Essentials?

Cyber Essentials and Cyber Essentials Plus are Government-backed schemes which highlight key technical controls that need to be in place in order to defend against the most common cyber threats. By becoming Cyber Essentials certified your organisation can display the logo on your website and marketing materials, improving trust with your customers. Many Government contracts will only consider applications from Cyber Essentials certified companies.

80% of UK businesses are vulnerable to avoidable security threats. The Cyber Essentials and Cyber Essentials Plus schemes are designed to follow a simple process, so every single company can benefit from being certified. The path to certification includes:

  • External vulnerability scan
  • Shared service assessment
  • Simple questionnaire
  • Internal vulnerability scan (Plus only)
  • Workstation assessment (Plus only)

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Both Cyber Essentials and Cyber Essentials Plus demonstrate that your organisation is taking cyber security seriously and has the five technical controls in place. Cyber Essentials Plus offers everything that Cyber Essentials provides, except the five controls must be independently assessed by a certification body. This extra level of scrutiny means your Cyber Essentials Plus badge will hold more weight with potential customers. Your controls will have been verified by security experts.

The certifying body will run a vulnerability scan against all in-scope items, check through policies and procedures, inspect access control and even conduct a build review on a standard image or two. This will involve ensuring your anti-virus software and firewalls detect known malicious signatures, by loading a fake piece of software or sending an email with a fake virus.

Whilst Cyber Essentials Plus is the more expensive of the two, it is held in higher regard and much of the work is done by the certifying body. Again, if you feel a bit overwhelmed and don’t know where to start, it’s worth engaging with such companies beforehand to see if they can help you pass first time.

Which Cyber Essentials package is best for your business?

Get a free assessment today!

Learn more

Benefits of Cyber Essentials for your business

By becoming Cyber Essentials compliant, businesses can demonstrate to their customers that they take security seriously and have the basics in place to protect their data. Think of it as a fundamental security baseline that can be universally applied to pretty much every organisation.

With that in mind, you could almost say becoming Cyber Essentials certified is essential... I’m not proud of that. But how do businesses go about obtaining it? And what does it involve? All good questions and I’m glad you asked them.


Does my business need to be Cyber Essentials certified?

Cyber Essentials is not mandatory but is incredibly valuable. Businesses benefit from improved trust from their customers and the ability to bid for certain government contracts. It is not a particularly costly procedure, so the benefits far outweigh the initial investment.

Display a Cyber Essentials badge on your website and attract more clients.

Cyber Essentials checklist

Cyber Essentials can be thought of as a checklist of sorts. Just like a pilot will go through and test various things before take-off, a business should check they have the right technical controls in place before they start storing and processing customer data. There are five technical controls that underpin the Cyber Essentials framework, which between them form the basis of secure computing. They are:

  • Firewalls
  • Security configuration
  • User access control
  • Malware protection
  • Patch management
Cyber Essentials Checklist
Thinking of Cyber Essentials as a list helps you focus on the 5 main technical controls.

By assessing and ensuring your business is maintaining these five controls to a good standard, you can request Cyber Essentials certification from a certifying body. This will allow you to proudly display a Cyber Essentials badge on your website and attract more clients.

The process each company will go through follows the same path as illustrated below:

Cyber Essentials certification process

Cyber Essentials: the five technical controls

1. Firewall

To achieve Cyber Essentials or Cyber Essentials Plus you need to have a firewall. More than that, you need to be using it correctly. It needs to be applied across your entire network and protect every device in your IT estate, not just your desktops or laptops. Mobile devices should certainly have a correctly configured firewall in place as these could be regularly connecting to public Wi-Fi, which as you well know, can be murky territory.

How your firewall is configured may depend on what activity you expect throughout the network on a normal day, so it is worth spending time to get this right. Of course, change all administrative passwords and block any unauthenticated inbound connections by default. That’ll be a good start.

2. Security configuration

This one’s easy. Make sure all devices and software are configured to have the best security settings. Remove bloatware, change default passwords (don’t use Admin/Admin or P@ssword01 for that matter, as hackers sussed that ages ago). It’s also recommended that businesses start incorporating PINs or 2FA to increase security even further. If you really fancy it you can start using laser biometric scanners, but that’s up to you. Whilst these are by no means hacker proof (what is?), they do offer an extra layer of security.

Cyber Essentials Access Control
Just because you work for the bank, doesn’t mean you need vault access.

3. Access control

Whilst the main aim of all this is to stop a hacker getting in, you’ll also want to limit what they can do if they manage to slip past your defences. If a burglar makes it through your locked door only to find they’re faced with several more secure doors, and the only thing they can steal is that ugly lamp Aunt Margery bought you, then they’re likely to give up and go home. The only thing you risk losing is that lamp which is no good to anybody.

Lamps aside, making sure users only have access to what they need to fulfil their role is best practice. Chaz the intern doesn’t need access to payroll folders. Cut down on the number of administrator accounts too. This will lower the risk of a high-privilege account getting compromised and allow you to easily keep track of who has access to what.

4. Malware protection

Trojans, worms, ransomware, toads – you want to avoid these, even the one I made up. Malware is everywhere and is forever adapting. Hackers are tenacious and want to get into your network. They can work their way in using various methods. Up-to-date anti-virus software from reputable providers is, like most things in Cyber Essentials, a basic protection that there’s no reason not to do.

Technical controls against malware are all very well and good, in fact they’re vital, but the best form of malware protection isn’t technical at all: it’s your staff. Specifically, it’s educating your staff. Teach them to spot the tell-tale signs of phishing, never open attachments or click links from unknown senders, steer clear of using USBs or other removable devices and, this should go without saying, don’t visit dodgy websites. This one weird trick will dramatically increase your security posture.

5. Patch management

To us technology enthusiasts this seems obvious, but your average user (and even some IT professionals) need the importance of this bringing home. Keeping software updated is an absolute must. Patches are usually released to fix a security vulnerabilities, so install them and install them regularly. Instruct your staff in no uncertain terms that, if their computers say ‘do not shut down’ until the updates are installed, that they definitely should not shut down. As we revealed in our 2019 annual report, out-of-date or unpatched software is one of the most frequently discovered flaws found by our penetration testers.

An update schedule is vital for continuously plugging holes in your company’s security. This is often harder to do in smaller companies that may not have the dedicated resources to test and oversee these rollouts but, regardless of size, all companies should be doing so.

An update schedule is vital for continuously plugging holes in your company’s security.
How to get started in Cyber Essentials
A security audit is the first step to becoming Cyber Essentials certified.

How to get started?

To get Cyber Essentials certified you’ll have to start by conducting a security audit. Find out what you have in place across the business and get a top-level view of your security posture. You should probably document your findings too, as it’s always a good idea to have all this info on hand. The purpose of this is to understand your current defences and identify any at-risk areas, making planning how you’ll go about obtaining Cyber Essentials certification easier.

You’ll also have to run (or procure) a vulnerability scan. This will determine whether there are any flaws, misconfigurations or outdated components within your network, allowing you to patch them accordingly. Whilst regularly running these types of scans is recommended anyway, stamping out any known vulnerabilities is vital to obtaining Cyber Essentials.


Cyber Essentials Questionnaire

Once you think you’re in a pretty good position, it’s time to apply. To become Cyber Essentials certified you’ll have to fill out a questionnaire, which is where the real fun begins. No-one can be upset when filling out a questionnaire.

The questionnaire contains 52 questions relating to the five technical controls and how they are managed within your organisation. The answers to these multiple-choice questions will determine whether your chosen certification body will grant you Cyber Essentials. If you used your time wisely and conducted a proper audit and vulnerability scan, certification should be a doddle.

Download Bulletproof’s Cyber Essentials questionnaire here.

Questions could range from ‘Are users prevented from installing any other applications?’ to ‘has out-of-date or older software been removed from computer and network devices that are connected to or capable of connecting to the Internet?’. They are all quite straightforward.

If you used your time wisely and conducted a proper audit and vulnerability scan, certification should be a doddle.

Cyber Essentials certification

You’ll have to get in contact an accredited certification body (like Bulletproof), so they can assess your questionnaire and confirm your findings. They will then provide you with your certificate. Alternatively, you can engage such a body to help you through the process from the very beginning to ensure you pass first time. This is often a much wiser strategy from a cost-benefit point of view.

Just to stop (or possibly add to) confusion around terminology here: there are currently five accreditation bodies: APMGInternational, CREST, IASME Consortium, IRM Information and QG. Each accreditation body has a list of associated certification bodies who have the authority to assess organisations and award them certification (like Bulletproof). For example, CREST is an accreditor and Bulletproof is an accredited certifying body.

Cyber Essentials Certification
Once you complete your questionnaire, you’ll need to get in contact with an accredited certification body.

What are you waiting for?

Cyber Essentials and Cyber Essentials Plus are great schemes for ensuring you have strong security foundations to build upon. Not only will it generate trust between you and your clients, it’ll give you a top-level understanding of your security posture and the common threats you need to be defending against. The best way to beat the hackers is to get the basics right.

Bulletproof’s friendly compliance officers have already helped many customers achieve Cyber Essentials and Cyber Essentials Plus, and they all agree it’s a quick and easy process. So, now you know what it is and how they can benefit you, get in touch and we’ll get you certified. There, that was a long old sell.


Backup Systems Ltd. Logo

Bulletproof demonstrated their expertise from day one, and thanks to their insight we passed Cyber Essentials first time. With our 10-year history of keeping customer data secure, the Cyber Essentials scheme adds further confidence and value to Backup Systems offerings.


Christopher Blewitt  IT Support Technician, Backup Systems Ltd


You may also enjoy:

Bulletproof’s consultants are experts in all things compliance, from Cyber Essentials to PCI DSS. If you liked this article, why not have a read of some others?


  • Bulletproof are CREST approved

    CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

    ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

    Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

    PCI DSS v3.2 Level 1
    service provider

  • Bulletproof have 24/7 on-site Security Operations Centre

    24/7 on-site Security
    Operations Centre

Get a quote today

If you’re interested in our services, get a free, no obligation quote today by filling out the form below.

By submitting this form, I agree to the Bulletproof privacy policy.