Essential Cyber Security - The Cyber Essentials Scheme

What is the Cyber Essentials scheme?

Cyber Essentials is a UK government assurance scheme. It is based on the government’s "10 Steps to Cyber Security" programme and administered by the NCSC (National Cyber Security Centre).

The Cyber Essentials scheme has two objectives:

  • To set out 5 basic cyber security controls that can protect organisations from “around 80% of common internet cyber attacks”; and
  • To provide a simple and affordable certification process for organisations to demonstrate that they have implemented essential cyber security measures.

There are 2 levels of Cyber Essentials certification:

  • Cyber Essentials
  • Cyber Essentials Plus

IT Governance is a CREST-accredited certification body for the Cyber Essentials scheme, but from 1 April 2020 will be accredited by IASME, in line with changes to the Cyber Essentials scheme implemented by the NCSC. You can learn more about these changes below.

Get certification quickly and easily with our fixed-price packages.

Speak to a Cyber Essentials expert

Call us now on 01474556685, or request a call back using the form below for advice and guidance on our Cyber Essentials products and services. Our experts are ready and waiting with practical advice.

What are the five key security controls?

Secure configuration

Confirm that computers and network devices are properly configured to reduce the level of inherent vulnerabilities.

Find out more about secure configuration >>

Secure your Internet connection

Confirm that only safe and essential network services can be accessed from the Internet.

Find out more about boundary firewalls and Internet gateways >>

Access control

Confirm that user accounts are assigned to authorised individuals only.

Find out more about access control >>

Patch management

Confirm that devices and software are not vulnerable to known security issues for which fixes are available.

Find out more about patch management >>

Malware protection

Restrict the execution of known malware and untrusted software.

Find out more about malware protection >>

Cyber Essentials Assurance Framework

There are two levels of certification under the Assurance Framework: Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials Certification

Cyber Essentials includes an SAQ (self-assessment questionnaire) and an external vulnerability scan. The certification process has been designed to be lightweight and easy to follow.

Cyber Essentials is right for you if:

  1. You’re looking for base-level security certification to demonstrate that you have key controls in place.

Cyber Essentials Plus Certification

Cyber Essentials Plus certification includes an additional internal scan and an on-site assessment.

Cyber Essentials Plus is right for you if:

  1. Your employees work from remote locations, or
  2. Third parties have access to your premises or IT.

Go one step further in protecting your organisation with phishing staff awareness training

Phishing Staff Awareness E-learning Course

Human error is a leading cause of data breaches. To reduce your risk of a successful cyber attack we recommend implementing phishing staff awareness training. Educate your workforce to identify malicious phishing scams and empower them to take the right steps to secure your organisation.

Why combine Cyber Essentials with phishing staff awareness training?

Your staff are your front line of defence, which is why cyber security training is a must. Once a malicious email has slipped through your technological defences, it’s down to your staff to make the right choice: either delete it or open the email and inadvertently cause a data breach.

While Cyber Essentials is a great starting point to improve overall cyber security, taking our recommended extra step to train your staff will strengthen your security defences, keeping your organisation and data safe.

“Cyber Essentials certification does a lot to target low hanging fruit, but it doesn’t cover all low hanging fruit attackers go after. Combining Cyber Essentials with phishing staff awareness training can reduce an organisation’s attack surface.

Enable your most important asset, your employee, to be more effective in securing your organisation to minimise the risk of a successful attack.”

- Geraint Williams, Chief Information Security Officer, GRC International Group

Validate your security status with CREST certification

IT Governance is a CREST-accredited Cyber Essentials certification body. CREST certification gives you an added advantage:

  • Qualified technical experts

    Technical reviewers are selected based on certain qualifications criteria and must adhere to certain codes of conduct.

  • Pre-certification validation

    Your Self-Assessment Questionnaire will always be validated by a technical reviewer before your certificate is issued.

  • Full vulnerability scan

    Get independent verification of your security status with an external vulnerability scan of all internet-facing applications and networks.

  • Cyber Essentials Plus

    Only CREST-accredited certification bodies can undertake the testing required for Cyber Essentials Plus.

In 2020, the NCSC (National Cyber Security Centre) will implement some changes to the Cyber Essentials scheme to prepare it for the future. The current five Cyber Essentials accreditation bodies will be replaced by one. From 1 April 2020, The IASME Consortium will operate as the sole accreditation body for the scheme.

In support of this change, IT Governance will become an IASME-accredited certification body from April next year. We will continue providing the high level of cost-effective ongoing service our clients expect from us and will ensure the transition to the new arrangements is seamless. In the meantime, and in line with current arrangements supported by the NCSC, our clients will continue to be certified under CREST, and all existing and new certifications will continue to be valid and in line with current requirements.

Why is Cyber Essentials so useful?

There are significant advantages to becoming Cyber Essentials certified.

The government's Cyber Security Breaches Survey 2018 found that 56% of businesses hold personal data electronically. Of these, 47% experienced breaches or attacks in the last 12 months.

Since the GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 came into effect, all organisations that process personal data must implement appropriate technical and organisational measures to ensure its security or risk administrative fines of up to €20 million or 4% of annual global turnover – whichever is greater.

Implementing the Cyber Essentials controls is recognised by the ICO (Information Commissioner’s Office) as one of many ways of demonstrating that organisations are taking action to mitigate the risks they face, especially if those risks are of a low level.

Larger organisations, those with more complex environments or lower risk appetites, and those that face a higher level of risk, including targeted attacks, would do well to adopt a more mature level of cyber security, such as an ISMS (information security management system) that complies with the international standard ISO 27001.

Find out more about the relationship between Cyber Essentials and ISO 27001 >>

Certification to the scheme isn’t just useful for legal compliance. A Cyber Essentials badge helps win and maintain contracts – Zurich’s SME Risk Index found that a quarter (25%) of medium-sized organisations reported having been asked by prospective customers about the cyber security measures they had in place.

Read more about the benefits of Cyber Essentials >>

Cyber Essentials adoption

Industries, especially public bodies or those organisations wishing to connect to public networks, are increasingly adopting Cyber Essentials to verify that basic cyber security controls are in place and functioning properly.

All suppliers bidding for government contracts that involve the handling of sensitive and personal information and provision of certain technical products and services are required to be compliant with the scheme’s controls.

For example:

  • In healthcare, Cyber Essentials Plus certification satisfies multiple conditions of the DSP (Data Security and Protection) Toolkit, which NHS industry partners have been required to comply with since April 2018. Cyber Essentials Plus can help speed up the connectivity and supply process by fulfilling and prepopulating compliance statements within the DSP Toolkit portal.
  • For all MoD (Ministry of Defence) advertised requirements, suppliers are required to have a Cyber Essentials certificate that must be renewed annually. This requirement must be flowed down the supply chain.

Free guide: Cyber Essentials: A guide to the scheme

For further information about the business benefits of achieving certification and to find out how Cyber Essentials can help guard you against cyber threats, download our free Cyber Essentials guide.

  • Learn about the five controls and the specific requirements of the scheme.
  • Discover what is and is not in scope.
  • Learn how to become CREST-certified.
  • Find solutions that meet your requirements.

Shop our bestselling Cyber Essentials solutions

We have all the tools and resources needed to achieve CREST-accredited certification at both levels of the Cyber Essentials scheme.