What Is Cyber Essentials? The UK Government Certification Explained

Cyber Essentials is a UK government-backed cybersecurity certification that covers five technical security controls. It was developed by the National Cyber Security Centre (NCSC) and is administered by the IASME Consortium. For organisations that handle sensitive data, holding a current Cyber Essentials certificate is a mandatory requirement for contract award.

The certification has two levels. Cyber Essentials is a self-assessment: your organisation answers a questionnaire, a certifying body reviews the responses, and a certificate is issued if the requirements are met. Cyber Essentials Plus uses the same five controls but adds an independent technical verification, where an assessor tests your systems directly rather than relying on your self-reported answers.

What Are the Five Cyber Essentials Controls?

The scheme evaluates organisations against five technical control areas. Each one addresses a specific attack surface that the NCSC has identified as responsible for the majority of common cyber attacks.

  1. Firewalls. Your internet-facing systems must be protected by a correctly configured firewall or equivalent boundary device. This applies to both physical infrastructure and cloud environments.
  2. Secure configuration. Devices and software must be configured to reduce vulnerabilities. Default passwords must be changed, unnecessary services and software must be disabled, and the attack surface must be limited to what the organisation requires.
  3. User access control. User accounts must have only the access required for their role. Administrative privileges must be restricted and reviewed. Multi-factor authentication is required for cloud services and remote access.
  4. Malware protection. Devices must be protected against malicious software. This can be satisfied through anti-malware software, application allowlisting, or sandboxing, depending on the device type and operating environment.
  5. Security update management. Software and operating systems must be kept up to date. High-severity patches must be applied within 14 days of release. Software that is no longer supported by the vendor and cannot receive security updates must be removed from scope or replaced.
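As an added illustration (not code from the original post or from the scheme itself), the following Python readiness check runs over a constructed asset inventory and applies two of the rules above: MFA on cloud services and remote access (control 3), and the 14-day window for high-severity updates plus removal of unsupported software (control 5). The inventory format, field names and severity labels are assumptions made for the example.

```python
from datetime import date

# Constructed sample inventory (not real data): one record per device or service.
INVENTORY = [
    {"name": "laptop-01", "kind": "device", "os_supported": True,
     "pending_updates": [{"severity": "high", "released": date(2024, 3, 1)}]},
    {"name": "laptop-02", "kind": "device", "os_supported": False,
     "pending_updates": []},
    {"name": "crm-saas", "kind": "cloud", "mfa_enabled": False},
    {"name": "mail-saas", "kind": "cloud", "mfa_enabled": True},
    {"name": "vpn-gateway", "kind": "remote_access", "mfa_enabled": True},
]

# High-severity updates must be applied within 14 days of release.
PATCH_WINDOW_DAYS = 14


def check_asset(asset, today):
    """Return a list of findings for one asset, labelled by control number."""
    findings = []
    # Control 3: MFA is required for cloud services and remote access.
    if asset["kind"] in ("cloud", "remote_access") and not asset.get("mfa_enabled", False):
        findings.append("control 3: MFA not enabled")
    if asset["kind"] == "device":
        # Control 5: software that can no longer receive security updates
        # must leave the scope or be replaced.
        if not asset.get("os_supported", True):
            findings.append("control 5: unsupported OS, remove from scope or replace")
        # Control 5: high-severity updates older than the 14-day window.
        for upd in asset.get("pending_updates", []):
            age_days = (today - upd["released"]).days
            if upd["severity"] == "high" and age_days > PATCH_WINDOW_DAYS:
                findings.append(f"control 5: high-severity update unapplied for {age_days} days")
    return findings


def readiness_report(inventory, today):
    """Map each non-compliant asset name to its findings; compliant assets are omitted."""
    report = {}
    for asset in inventory:
        findings = check_asset(asset, today)
        if findings:
            report[asset["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in readiness_report(INVENTORY, date(2024, 3, 20)).items():
        print(name, findings)
```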

Who Needs Cyber Essentials?

Cyber Essentials is mandatory for organisations bidding for UK central government contracts that involve handling personal data or providing certain technical products and services. It is also required across the Ministry of Defence supply chain and is increasingly specified by NHS organisations and other public sector bodies as a condition of supplier approval.

Beyond the public sector, Cyber Essentials is becoming a baseline requirement in regulated private sector industries. Legal firms, financial services companies, and defence contractors increasingly require it from their own supply chains as part of vendor risk management.

If Cyber Essentials has appeared in a request for proposal (RFP), been requested by a prime contractor, or been listed as a condition of renewing an existing contract, the requirement is active. A missing or lapsed certificate can result in a contract award being withheld or a supplier approval being rejected outright. The question at that point is not whether to pursue it but how quickly.

What Is the Difference Between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment. Your organisation completes a questionnaire describing how you have implemented the five controls, and a certifying body reviews those answers. The certificate is issued based on what you report.

Cyber Essentials Plus requires an assessor to verify the same controls through hands-on testing. This typically includes an internal vulnerability scan, testing of sample devices, and verification that the controls operate as described rather than as reported. Cyber Essentials Plus carries more weight in procurement because the certification reflects what an independent examiner found, not what the organisation said about itself.

A current Cyber Essentials certificate is required before a Cyber Essentials Plus assessment can begin, so an organisation that needs Plus must plan for both stages. The next post in this series explains how to determine which level your contract requires and how to sequence the two stages efficiently.

How Long Does a Cyber Essentials Certificate Last?

Cyber Essentials certificates are valid for 12 months. Renewal requires a new assessment. Organisations whose certificates lapse lose the right to certify compliance with any contract requirements tied to Cyber Essentials, which can affect active contracts as well as new bids.

The annual renewal cycle is where many organisations run into problems. Controls that were in place at the time of the original assessment drift over the course of the year. Cloud services are added. Devices are replaced or removed. Staff changes affect access provisioning. A renewal that is approached as a repeat of the original assessment rather than a fresh review of the current state frequently surfaces gaps that were not present before.

Ready to confirm where you stand before your next assessment?

Carbide advisors work with organisations preparing for their first Cyber Essentials assessment and those approaching annual renewal. A readiness conversation will tell you which of your cloud services fall within your scope boundary, whether your controls are in the right state, and what needs to close before an assessor reviews them. Talk to our team today.