Cyber Essentials is a UK Government-backed certification that helps organisations protect themselves against the most common cyber threats. It focuses on a clear, practical baseline of security controls that reduce the likelihood of successful attacks such as phishing-led compromise, malware infections, and opportunistic hacking.
For many small and medium-sized businesses, Cyber Essentials is one of the most cost-effective ways to demonstrate good security hygiene to customers, insurers, and supply-chain partners.
What Cyber Essentials covers (the 5 controls)
Cyber Essentials is built around five technical control areas:
- Firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
These controls are designed to be achievable for most organisations without needing a large internal security team.
What you get from Cyber Essentials
Cyber Essentials helps you:
- Reduce risk by implementing proven baseline controls
- Build trust with customers by demonstrating a recognised standard
- Support procurement where Cyber Essentials is required (common in public sector and supply chains)
- Improve consistency across devices, users, and locations
Who Cyber Essentials is for
Cyber Essentials is a strong fit if you:
- Are an SME that wants a practical security baseline
- Handle customer data and need to show due diligence
- Work in regulated or risk-sensitive industries (finance, legal, healthcare, education)
- Want a stepping stone toward broader standards like ISO 27001
How the certification works
Cyber Essentials (standard) is completed through a self-assessment questionnaire. You confirm that your organisation meets the requirements for the five control areas.
If you need independent verification, you can progress to Cyber Essentials Plus, which includes hands-on technical testing.
Common gaps that cause problems
In practice, most issues come from a few repeat areas:
- Too many admin accounts or users with local admin rights
- Inconsistent patching, especially on laptops and remote devices
- Unsupported software (end-of-life operating systems or applications)
- Security tools not fully deployed (endpoint protection missing on some devices)
- Weak baseline configuration (screen locks, unnecessary services, insecure defaults)
Fixing these usually improves day-to-day stability as well as security.
Cyber Essentials preparation checklist (practical)

Use this as a straightforward plan to get ready.
1) Define your scope
- List all company-managed devices (laptops, desktops, servers)
- Confirm where users work (office, home, hybrid)
- Identify core services in use (e.g., Microsoft 365, email, VPN)
2) Tighten access control
- Remove unnecessary local admin rights
- Use separate admin accounts where needed
- Enable MFA for admin accounts as a priority
- Review shared accounts and remove them where possible
3) Standardise secure configuration
- Apply a consistent baseline for endpoints
- Enforce screen lock and inactivity timeouts
- Disable or remove unnecessary software and services
- Ensure secure browser and email client settings are applied
4) Get patch management under control
- Enable automatic updates for operating systems
- Patch key applications (browsers, Office apps, PDF readers)
- Monitor patch status and resolve exceptions quickly
5) Confirm malware protection
- Ensure endpoint protection is installed on all in-scope devices
- Verify real-time protection is enabled
- Confirm alerts are monitored and acted on
6) Review firewall and network exposure
- Ensure host firewalls are enabled
- Restrict inbound access to only what’s required
- Review remote access methods and remove insecure options
What evidence you should have ready
Even though Cyber Essentials is self-assessed, it helps to have clear internal evidence:
- Device inventory (what’s in scope)
- Confirmation of patching approach and update status
- Endpoint protection coverage report
- Notes on admin access and MFA enforcement
- Summary of firewall posture and remote access controls
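The preparation checklist and the evidence list above map naturally onto a per-device audit. The following Python script is an added example (not tooling from the Cyber Essentials scheme or any certification body) that checks a constructed device inventory against the five control areas and produces both a gap list per device and a summary you could keep as internal evidence. The inventory, device names and the 14-day patch window constant are assumptions made for the example; the rule set covers the common gaps named above (unsupported software, slow patching, missing endpoint protection, disabled firewalls, weak screen-lock configuration, local admin rights and admin accounts without MFA).

```python
"""Audit a device inventory against the five Cyber Essentials control areas.

Added example, not part of the Cyber Essentials scheme. The inventory below is
constructed for illustration; a real run would load it from your asset register
or endpoint management tool.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumed patch window: updates for high/critical issues applied within 14 days.
PATCH_WINDOW_DAYS = 14


@dataclass
class Device:
    name: str
    os: str
    os_supported: bool          # vendor still issuing security updates?
    last_patched: date
    endpoint_protection: bool   # endpoint protection installed
    realtime_protection: bool   # real-time scanning switched on
    host_firewall: bool
    screen_lock: bool           # screen lock / inactivity timeout enforced
    local_admins: list[str] = field(default_factory=list)  # everyday users holding local admin
    admin_mfa: bool = True      # MFA enforced on admin accounts used on this device


def device_gaps(dev: Device, today: date) -> list[tuple[str, str]]:
    """Return (control area, finding) pairs for one device; empty list means compliant."""
    gaps: list[tuple[str, str]] = []
    if not dev.os_supported:
        gaps.append(("Patch management", f"{dev.os} is unsupported / end-of-life"))
    age = (today - dev.last_patched).days
    if age > PATCH_WINDOW_DAYS:
        gaps.append(("Patch management", f"last patched {age} days ago (> {PATCH_WINDOW_DAYS})"))
    if not dev.endpoint_protection:
        gaps.append(("Malware protection", "endpoint protection not installed"))
    elif not dev.realtime_protection:
        gaps.append(("Malware protection", "real-time protection disabled"))
    if not dev.host_firewall:
        gaps.append(("Firewalls and internet gateways", "host firewall disabled"))
    if not dev.screen_lock:
        gaps.append(("Secure configuration", "screen lock / inactivity timeout not enforced"))
    if dev.local_admins:
        gaps.append(("Access control", "users with local admin rights: " + ", ".join(dev.local_admins)))
    if not dev.admin_mfa:
        gaps.append(("Access control", "admin account without MFA"))
    return gaps


def audit(devices: list[Device], today: date) -> tuple[dict, dict[str, list[tuple[str, str]]]]:
    """Audit every device; return (summary suitable as evidence, per-device findings)."""
    summary = {"total": len(devices), "devices_with_gaps": 0, "gaps_by_control": {}}
    details: dict[str, list[tuple[str, str]]] = {}
    for dev in devices:
        gaps = device_gaps(dev, today)
        details[dev.name] = gaps
        if gaps:
            summary["devices_with_gaps"] += 1
        for control, _ in gaps:
            summary["gaps_by_control"][control] = summary["gaps_by_control"].get(control, 0) + 1
    return summary, details


# Constructed inventory: one clean laptop, one neglected laptop, one legacy server.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("LAPTOP-01", "Windows 11", True, date(2024, 5, 29), True, True, True, True),
    Device("LAPTOP-02", "Windows 10", True, date(2024, 4, 22), True, False, True, False,
           local_admins=["jsmith"]),
    Device("SRV-01", "Windows Server 2012 R2", False, date(2024, 5, 22), False, False, False, True,
           admin_mfa=False),
]


def run_audit() -> tuple[dict, dict[str, list[tuple[str, str]]]]:
    """Run the audit over the constructed inventory."""
    return audit(INVENTORY, TODAY)


if __name__ == "__main__":
    summary, details = run_audit()
    print(f"In-scope devices: {summary['total']}, with gaps: {summary['devices_with_gaps']}")
    for control, count in sorted(summary["gaps_by_control"].items()):
        print(f"  {control}: {count} finding(s)")
    for name, gaps in details.items():
        status = "OK" if not gaps else f"{len(gaps)} gap(s)"
        print(f"{name}: {status}")
        for control, finding in gaps:
            print(f"    [{control}] {finding}")
```

The summary dictionary is the piece worth retaining as evidence: device count in scope, how many devices still have findings, and how the findings spread across the five control areas. Re-running it after each remediation pass shows the count converging towards zero, which is the patch status and coverage confirmation the evidence list asks for.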
Cyber Essentials vs Cyber Essentials Plus
- Cyber Essentials: self-assessment, faster, lower cost, ideal baseline
- Cyber Essentials Plus: includes independent technical testing for stronger assurance
If customers are asking for proof, or you want higher confidence internally, Plus is often the better long-term option.
Next steps
If you tell me:
- Approx. number of users/devices
- Whether you use Microsoft 365
- Any remote working / BYOD
