Last year the UK government revealed a planned £2.6 billion investment as part of their 2022-2030 cyber security strategy. However, the government’s Cyber Essentials Certification shows they’ve been paying attention to cyber security for the last decade. This scheme is designed to grant businesses a base level of protection that will shield them from 80% of common cyber-attacks.

The aim is to give organisations improved defences against online threats, while also providing evidence that their brand is committed to cyber security. We’ve written up this blog so you can see how to achieve Cyber Essentials certification and decide if it’s appropriate for your business.


What is Cyber Essentials?

Cyber Essentials is a UK government certification scheme set up in 2014 to help organisations achieve a base level of cyber security. Certificates are granted based on audits and maintained through annual assessment. Cyber Essentials is overseen by the National Cyber Security Centre and delivered by the IASME Consortium.

Cyber Essentials certification is obtained by completing a self-assessment questionnaire provided by the National Cyber Security Centre (NCSC). Cyber Essentials outlines five control areas that businesses should focus on to protect themselves from common cyber-attacks. These are:

  • Use of a firewall to secure internet connection – a firewall acts as a ‘buffer’ for any device connected to the internet. This applies to all of a business’ routers, servers, tablets, laptops and desktops.
  • Use of secure settings for devices and software – oftentimes, a device’s manufacturer settings won’t be optimal for security purposes. Settings should include a level of authorisation and limit access to network services.
  • Control over data accessibility – employee accessibility shouldn’t extend beyond the minimum needed to perform their job. This helps limit the potential damage in the event a staff account becomes compromised. Where extra permissions must be given to certain team members, this should be considered carefully.
  • Virus and malware protection – malware is content or software purposefully designed to cause harm to a device, software and/or network. Employees should follow best practice or have antivirus software installed to minimise the risk of virus infection.
  • Regular updating of devices and software – keeping operating systems up to date not only improves efficiency and employee satisfaction, it also helps shore up security vulnerabilities. As updates are provided by manufacturers, this incurs very little cost on the business.

Cyber Essentials Plus

Along with Cyber Essentials, there’s another level of certification – Cyber Essentials Plus. This covers all the above areas, with some extra considerations to strengthen a business’ level of security. Getting Cyber Essentials Plus certification requires a technical audit to prove the business’ cyber security measures are effective. As part of this, the certification body will conduct an on-site or remote assessment, as well as internal and external vulnerability scans.

Looking for more cyber security certifications for businesses? Read about ISO 27001.


The Benefits of Cyber Essentials Certification for Businesses

Cyber Essentials functions as both an incentive and a reward for businesses. If the cyber security measures of your business meet Cyber Essentials standards, it can benefit in the following ways:

Proof of Cyber Security Standards

Any organisation that’s issued a Cyber Essentials certificate gets listed on the National Cyber Security Centre’s database. This, along with features on the IASME website, shows commitment towards data protection. Consumers are more likely to feel comfortable giving their personal information to businesses with a government-accredited level of cyber security. As a result, Cyber Essentials certification helps build trust within a target audience. This can both bring in new customers and retain existing ones, as the latter feels they’re being taken care of.

Opportunities for UK Government and MOD work

Cyber Essentials Plus is mandatory for businesses looking to acquire government contracts. As such, getting Cyber Essentials Plus certification can open the door to financially beneficial agreements. The Ministry of Defence looks for Cyber Essentials certification at all stages in the supply chain when giving contracts. This means suppliers should also consider the scheme if they’re looking for this kind of work. Being chosen for government contracts has another bonus in demonstrating a business’s industry expertise.

Increased level of protection against online threats

The five areas of cyber security addressed by Cyber Essentials give businesses low-cost solutions. By achieving the certification you’ll be protected from common cyber-attacks like ransomware, malware, network hacks and phishing attacks. A review of Cyber Essentials found two-thirds of businesses surveyed experienced a greater ability to respond to cyber-attacks.


How do I gain Cyber Essentials Certification?

To obtain Cyber Essentials certification, a business’ level of cyber security must be assessed as meeting the requirements of the scheme. The organisation must show they’re addressing each of the five control areas. Here’s a simple checklist for your business:

  • A firewall must be present on all devices connected to the internet. This can either be as a physical boundary firewall or as firewall software.
  • Employee devices must have custom settings to limit functionality. Device and software settings should reflect employees’ regular tasks and responsibilities.
  • A level of data accessibility is enforced within the business. This will usually mean only senior members of staff can access sensitive data.
  • Have one of the following anti-malware measures in place – antivirus software installed on business devices, or only downloading from manufacturer-approved vendors.
  • All software on business devices is up to date.

Recent updates to Cyber Essentials

The April 2023 update to the Cyber Essentials certification was the most significant in the history of the scheme. The update increases the scope of the scheme in line with broader industry developments. Based on feedback from applicants and assessors, clarifications relate to employee devices, firmware, third party devices, unlocking settings and malware protection. There have also been quality-of-life changes to make the certification process easier to complete.

Seek professional cyber security support

To guarantee success with valuable certifications like Cyber Essentials, engage with experts and speak to the team at CyberWhite. With our vast experience of successful certifications, we know exactly what goes into protecting your business from common online threats. Our team won’t just provide the basic cyber security needed for Cyber Essentials certification though. With CyberWhite, you can achieve the cyber security standards of Cyber Essentials Plus and beyond.


IASME has said they will gradually be releasing guidance documents for businesses looking to get Cyber Essentials certification. Why wait though? Get started today with a security check courtesy of CyberWhite.