Cyber Essentials overview and requirements

Cyber Essentials is a common security requirement for organisations, enabling them to prove their commitment to cyber security. In this article, we outline exactly what Cyber Essentials is, why organisations should attain it and how you go about getting certified.

What is Cyber Essentials?

Cyber Essentials is a government backed scheme designed to help organisations protect themselves against common cyber-attacks. There are two levels to Cyber Essentials:

  • Cyber Essentials – This outlines baseline security controls that you must meet to get certified and requires you to complete a self-assessment.
  • Cyber Essentials Plus – This is the higher level of certification and requires the same security controls as Cyber Essentials, but with external technical verification instead of self-assessment.

Why should you get Cyber Essentials certified?

There are a few key benefits to becoming Cyber Essential certified. These are:

  • Enhance your security posture – By meeting the requirements of Cyber Essentials, you will protect your organisation against 80% of common cyber attacks, which will greatly reduce your cyber risk. It provides a clear framework to work towards, simplifying where to begin and where to focus on making improvements.
  • Attract new clients and reassure existing clients – Attaining certification is a simple way to show that cyber security is a priority for your organisation, and that you have measures in place to protect yourself. This will give existing customers peace of mind that you are a trusted organisation – especially if you hold their data – and help attract new customers who are likely to check for Cyber Essentials certification as part of their due-diligence.
  • It’s a common requirement for contracts – Cyber Essentials is required in order to win most government contracts. However, it’s also becoming a more common requirement to win work in the private sector.

What are the requirements for Cyber Essentials?

To gain certification, you must provide evidence that you meet specific Cyber Essentials requirements, which are grouped under five technical controls. These are:

  • Firewalls – Make sure that only secure and necessary network services can be accessed from the internet.
  • Secure configuration – Ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfil their role
  • Security update management – Ensure that devices and software are not vulnerable to known security issues for which fixes are available.
  • User access control – Ensure that user accounts are assigned to authorised individuals only and provide access to only those applications, computers and networks the user needs to carry out their role.
  • Malware protection – To restrict execution of known malware and untrusted software, from causing damage or accessing data.

The National Cyber Security Centre (NCSC) clearly outlines the five technical controls and the exact requirements underneath each one. This can be found here:

Using Microsoft technologies to meet the requirements

In a separate article, we have outlined how you can use Microsoft technologies (and a selection of complementary products) to meet the Cyber Essentials requirements. As most organisations use Microsoft technologies – such as Microsoft 365 for productivity, or Azure for cloud computing – it is a logical platform to use to implement the technical requirements. You can read more on this here.


Cyber Essentials is a low-cost and simple way to enhance your security, reduce your risk and assure new and existing clients. We highly recommend all organisations attain Cyber Essentials, no matter their size or industry. A great way to start considering Cyber Essentials is through a Cyber Essentials Readiness Assessment.

If you would like Cyber Essentials support, or guidance on your wider cyber security, please reach out to us and we would be happy to help.