General information about the scheme
What changes are included in the April 2025 update?
Cyber Essentials – key changes:
- Remote working: The term “home working” has been updated to “home and remote working”, acknowledging a wider range of untrusted environments such as cafés, hotels and public spaces.
- Passwordless authentication: The certification now supports passwordless authentication methods, including biometric systems, security keys, one-time codes, QR codes and push notifications.
- Vulnerability management: The section on security updates now includes configuration and registry changes, not just software patches.
- Least privilege access: Greater emphasis on least privilege access, so that employees have only the permissions necessary to perform their tasks.
Cyber Essentials Plus – key changes:
- Scope and subset verification: Assessors must verify by technical means that the networks and systems assessed for Cyber Essentials Plus match the scope stated by the applicant in the Cyber Essentials self-assessment questionnaire and certificate. If the scope is not the whole organisation, the assessor must also verify by technical means that the in-scope subsets have been segregated effectively. This may involve inspecting firewall or router ACLs (access control lists), or performing network scans between VLANs, subnets or zones to confirm proper segmentation.
- Vulnerability fixes: All vulnerabilities discovered that are rated critical or high (7.0–10.0) on the CVSSv3 scoring standard must be fixed if there is a fix available. This includes configuration changes, registry keys, scripts, or any other mechanism that is offered by the vendor or other resources to fix the known vulnerability. Note that IT Governance has always used this approach, but other certification bodies may have only looked for patches and updates, not the full range of possible fixes.
- Sampling requirements: Assessors are required to carry out random sampling, selecting a representative sample from all the in-scope devices. For example, if 70 Windows 11 Professional devices are in scope, the assessor must decide which devices should be selected to make up the sample to give a fair representation of the entire scope. The April 2025 update requires the assessor to select the sample no earlier than 72 hours before carrying out the test. If a machine selected for sampling is not available, the assessor will need to select a different machine.
What is Cyber Essentials?
Cyber Essentials is the UK government’s basic standard for cyber security, suitable for organisations of all sizes. This cost-effective and annually renewable certification aligns with five key technical controls to combat common Internet-based threats.
Why should we get a Cyber Essentials certificate?
- Protection against cyber attacks: Implementing the five basic security controls helps protect against approximately 80% of common cyber attacks (source: Department for Science, Innovation & Technology, Cyber Essentials impact evaluation, October 2024).
- Business opportunities: Certification can help attract new business and satisfy public-sector and government contract requirements.
- Supply chain assurance: Independent verification of your security posture provides assurance to larger organisations managing third-party risks.
- Cyber liability insurance: UK organisations with a turnover under £20 million and a certification scope covering the whole organisation can opt in to cyber liability insurance.
What is required for Cyber Essentials certification?
Organisations must complete the IASME SAQ (self-assessment questionnaire), verified and signed off by a board member or equivalent signatory. The SAQ is then independently verified by a licensed certification body.
What is required for Cyber Essentials Plus certification?
Cyber Essentials Plus includes a technical audit of the systems in scope, a remote or on-site assessment, internal vulnerability scans, and an external vulnerability scan conducted by the certification body.
Who conducts the assessments for Cyber Essentials and Cyber Essentials Plus?
Only certification bodies trained and licensed by IASME can undertake assessments and issue certificates. IT Governance assessors are not only IASME trained and licensed but also bring a wealth of experience and expertise.
How long does it take to receive our certificate after submitting the SAQ?
For Cyber Essentials, certification can be achieved within a day or two, depending on your current security setup and speed of action. We are usually able to offer same-day assessment.
Cyber Essentials Plus clients will need additional time for the internal and external tests to be completed.
Application process
What can we expect from the Cyber Essentials application process?
Your Cyber Essentials application will be managed through our Cyber Security Portal (CS Portal).
- Consultancy support: If you purchased a support package, we will email you access details.
- Account setup: Your Cyber Essentials package will be fulfilled on your CS Portal account.
- Login and details confirmation: Log in to the CS Portal to start your application and confirm your details.
- Scope definition and SAQ completion: Define your scope and complete the SAQ.
- Board approval: Ensure all answers are approved at board level or equivalent.
- Assessment and feedback: Our assessors will mark your assessment and provide feedback.
If you pass:
- Download your Cyber Essentials certificate, feedback report and insurance (where applicable) from BlockMark, a secure platform for managing and verifying digital certifications.
- Your certification is valid for 12 months.
If you fail or receive a ‘More Information’:
- Review the feedback from your assessor.
- If you have consultancy support, our experts can help address non-compliant areas.
- Resubmit your updated SAQ and signed declaration within two working days.
For Cyber Essentials Plus, additional tests are required on in-scope devices and networks. This testing must be completed within three months of achieving your basic Cyber Essentials certification.
You must complete your application within six months of the purchase date.
Certification
Where can we display our Cyber Essentials certificate?
Access to branding guidance for your Cyber Essentials certification is available through BlockMark. This includes instructions on how to display the certification badge on websites, promotional materials, letterheads and email signatures.
How do we renew our Cyber Essentials certificate?
All Cyber Essentials certificates issued under the IASME scheme have a 12-month expiry date. Recertifying annually demonstrates that your cyber security controls remain up to date and effective against common cyber attacks.
Cyber Essentials and Cyber Essentials Plus certifications are annual subscription products that auto-renew according to our terms and conditions. If you do not have an annual subscription, you will need to purchase a new package to get started.
If you do not recertify, you will no longer be certified under the Cyber Essentials scheme. This means you cannot apply for contracts requiring a valid certificate, and you will be removed from the IASME directory of certified organisations after 12 months.
Guidance about the certification process
What is included in Cyber Essentials Certification?
Self-assessment and certification for Cyber Essentials.
This service is for organisations with a good understanding of the five security controls and that are comfortable preparing for certification without additional consultancy support.
Is there any support?
Our Cyber Essentials packages include the cost of your certification, as set out by IASME. Additional charges are for extra services delivered. You will be allocated your own dedicated cyber security consultant and general guidance will be provided.
Please ensure you select the correct package for your organisation size. Prices quoted are available for purchase online through the website only.
Is there any support?
If you need help with any aspect of the application process, we recommend purchasing one of the following support products:
- Get A Little Help: Includes two hours’ consultancy/technical support.
- Get A Lot Of Help: Includes one full day of consultancy/technical support.
- Remote Consultancy Support: Available by the hour via our CS Portal, email or Microsoft Teams.
Defining the scope
How do we define the scope?
The scope should be clearly defined in terms of the organisation or business unit, network boundary, and physical location(s). The name on the certificate must be consistent with the scope. For advice on defining the scope, purchase our Remote Consultancy Support.
How do we determine IP addresses for Cyber Essentials Plus?
Organisations applying for Cyber Essentials Plus must test all in-scope public-facing IP addresses. An IP address is a unique number assigned to a device when it connects to the Internet. Any external assets used by the applicant organisation that are hosted or managed by that organisation are in scope for the external vulnerability scan. For advice on determining the number of IP addresses to test, purchase our Remote Consultancy Support.
What should we do if we have more than 20 IP addresses?
Our Cyber Essentials Plus packages include an external vulnerability scan covering up to 20 IP addresses. If you need to test more than 20 IP addresses, you can purchase additional IP addresses for scanning.
How do we determine how many workstations, mobile devices and build types need to be tested for Cyber Essentials Plus?
Cyber Essentials Plus involves a technical audit of the systems that are in scope for Cyber Essentials.
Internal vulnerability scan:
- End-user devices (EUDs) such as desktops and laptops used for accessing the organisation’s data.
- Internal servers, hypervisors, thin clients, AWS IaaS instances, Azure virtual desktops, virtual desktop interfaces, session hosts and virtual machines.
End-user device testing:
- End-user devices (EUDs) such as desktops, tablets, laptops and smartphones used for accessing the organisation’s data.
- Servers on which standard (that is, non-administrator) users can obtain an interactive desktop environment.
The assessor will randomly sample devices for internal vulnerability scanning and end-user device testing. The number of devices required for testing is determined by the operating system types, versions and editions in use.
The table below can be used to determine the representative sample size for each build type:
| Number of devices of each type/build | Minimum sample |
|---|---|
| 1 | 1 |
| 2–5 | 2 |
| 6–19 | 3 |
| 20–59 | 4 |
| 60+ | 5 |
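The following is an added example (not IT Governance, IASME or scheme code) showing how the sampling rules described on this page fit together: devices are grouped by build type (operating system, version and edition), the minimum sample for each group is taken from the table above, devices are chosen at random, an unavailable device is swapped for another of the same build, and the sample's age is checked against the 72-hour window mentioned under the April 2025 changes. The device inventory, hostnames and field names are constructed for illustration; the 70 Windows 11 Professional devices mirror the figure used earlier on the page.

```python
"""Representative sampling of in-scope devices for Cyber Essentials Plus.

Added example; not IT Governance or IASME code. The minimum sample sizes come
from the table on the page; the inventory, hostnames and field names below are
constructed assumptions.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta

# (lower bound, upper bound or None if open-ended, minimum sample), per the page's table.
SAMPLE_BANDS = [(1, 1, 1), (2, 5, 2), (6, 19, 3), (20, 59, 4), (60, None, 5)]


def minimum_sample(count: int) -> int:
    """Minimum number of devices to test for a build type with `count` devices."""
    if count < 1:
        return 0
    for low, high, size in SAMPLE_BANDS:
        if count >= low and (high is None or count <= high):
            return size
    raise ValueError(f"no sampling band covers {count} devices")


def build_type(device: dict) -> tuple:
    """A build type is the combination of OS, version and edition (as the page describes)."""
    return (device["os"], device["version"], device["edition"])


def group_by_build(devices: list) -> dict:
    """Map each build type to the hostnames of the devices that have it."""
    groups = defaultdict(list)
    for device in devices:
        groups[build_type(device)].append(device["hostname"])
    return dict(groups)


def select_sample(devices: list, seed=None) -> dict:
    """Randomly choose the minimum sample from every build type in scope."""
    rng = random.Random(seed)
    return {build: rng.sample(members, minimum_sample(len(members)))
            for build, members in group_by_build(devices).items()}


def replace_unavailable(sample: dict, devices: list, build: tuple,
                        unavailable: str, seed=None) -> dict:
    """Swap an unavailable sampled device for an untested device of the same build."""
    rng = random.Random(seed)
    chosen = list(sample[build])
    if unavailable not in chosen:
        raise ValueError(f"{unavailable} is not in the sample for {build}")
    spare = [host for host in group_by_build(devices)[build] if host not in chosen]
    if not spare:
        raise ValueError(f"no spare device of build {build} to substitute")
    chosen[chosen.index(unavailable)] = rng.choice(spare)
    updated = dict(sample)
    updated[build] = chosen
    return updated


def sample_still_valid(selected_at: datetime, test_at: datetime) -> bool:
    """True if the sample was drawn no earlier than 72 hours before the test."""
    return timedelta(0) <= test_at - selected_at <= timedelta(hours=72)


# Constructed inventory: 70 Windows 11 Professional devices (the page's own
# example figure) plus two smaller build types.
INVENTORY = (
    [{"hostname": f"win-{i:03d}", "os": "Windows 11", "version": "24H2",
      "edition": "Professional"} for i in range(70)]
    + [{"hostname": f"mac-{i:02d}", "os": "macOS", "version": "15",
        "edition": "standard"} for i in range(12)]
    + [{"hostname": f"and-{i}", "os": "Android", "version": "14",
        "edition": "standard"} for i in range(3)]
)
WIN = ("Windows 11", "24H2", "Professional")

if __name__ == "__main__":
    for build, hosts in select_sample(INVENTORY, seed=42).items():
        print(build, len(hosts), hosts)
```

With this inventory the sample is five Windows devices, three macOS devices and two Android devices, ten in total. Grouping on the full (OS, version, edition) tuple matters: two Windows 11 editions in use are two build types and each needs its own sample.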
What should we do if we have more than ten sample devices?
Cyber Essentials and ISO 27001 certification
Should we apply for Cyber Essentials certification in addition to our ISO 27001 certification?
Yes. While ISO 27001 provides a comprehensive level of assurance, Cyber Essentials offers several complementary benefits: