This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Find out more here

United Kingdom

Select your regional store:


The Cyber Essentials Scheme

The Cyber Essentials scheme (CES) is a UK Government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats. Launched on 5 June 2014, it provides a set of five controls that organisations should implement to achieve a baseline of cyber security, and against which they can be certified.

Compliance with the scheme is mandatory for suppliers bidding for government contracts that involve the handling of sensitive and personal information, and the provision of certain ICT products and services. It is also increasingly being adopted in the private sector, with hundreds of organisations certified to the scheme to date.


How to achieve Cyber Essentials certification

As a CREST member and CREST-accredited certification body for the Cyber Essentials scheme, we recommend the following options:

  1. If you are completely new to the Cyber Essentials scheme, then consider buying Cyber Essentials – A Pocket Guide.
  2. If you need help meeting the scheme’s requirements, IT Governance can assist you in preparing for certification at a pace and for budget that suits you, and following your preferred project approach.

    View our solutions to certification >>
  3. If you are certification-ready, use our online portal, CyberComply, to submit the self-assessment questionnaire and schedule the external vulnerability scans. Prices start from just £300+VAT.

    Get started now >>

Introduction to the Cyber Essentials scheme

The Cyber Essentials scheme is a key deliverable of the UK’s National Cyber Security Programme. Realising that the controls in its 2012 guide, 10 Steps to Cyber Security, were not being implemented effectively, the government instigated a call for evidence on a preferred cyber security standard. In November 2013 it concluded that no individual standard met its specific requirements, so it developed the Cyber Essentials scheme.

  • “It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats, within the context of the Government’s 10 Steps to Cyber Security.”
  • “It offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.”

The scheme is backed by major industry players including BAE Systems, Lockheed Martin, Barclays and Hewlett-Packard. The Information Commissioner has stated that he “supports the Cyber Essentials Scheme and encourages all businesses to be assessed against it”.

A recent report by HM Government in conjunction with insurance broker Marsh, entitled UK cyber security: the role of insurance in managing and mitigating the risk, revealed plans to include Cyber Essentials certification in insurers’ risk assessments for SMEs.

The Cyber Essentials scheme concentrates on five key controls

  1. Secure configuration
    Implementing security measures when building and installing computers and network devices to reduce unnecessary vulnerabilities.
  2. Boundary firewalls and Internet gateways
    Providing a basic level of protection where an organisation connects to the Internet.
  3. Access control and administrative privilege management
    Protecting user accounts and helping prevent misuse of privileged accounts.
  4. Patch management
    Keeping the software used on computers and network devices up to date and resisting low-level cyber attacks.
  5. Malware protection
    Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware), including options for malware removal, which will protect your computer, your privacy and your important documents from attack.

Cyber Essentials vs Cyber Essentials Plus

There are two levels against which organisations can be certified:

  • Cyber Essentials – relies on a verified self-assessment, including an external verification by an accredited certification body.
  • Cyber Essentials Plus – relies on more rigorous assessments by an accredited certification body, in addition to the requirements of Cyber Essentials./li>

Once an organisation has successfully passed an assessment against either level of the scheme’s requirements it will be awarded the relevant Cyber Essentials award, or ‘badge’.

Hundreds of organisations have been certified to Cyber Essentials already. As a CREST-accredited certification body for the Cyber Essentials scheme, IT Governance has awarded certification to companies of different types and sizes. These include Vodafone, Airbus Defence and Space Ltd, Action for Children and ELEXON.

See a list of organisations certified by IT Governance here >>>

Do you know whether you meet the requirements of the Cyber Essentials scheme?

Find out by completing our quick online checklist >>

Solutions for CES certification

IT Governance offers three unique solutions to certification that will enable you to achieve certification to either Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.

View the three solutions to certification >>

live chat support software