All you need to know about: Cyber Essentials
Cyber Essentials: A Complete Guide To What it is, the steps to accreditation and the benefits
CyberKainos. Reading time: 8 minutes
Cyber Essentials:
Jurisdiction: UK
Applicable industries: Any
Difficulty to obtain: Low / medium
Status: Voluntary
Applicable businesses: Any
Renewal: Annual
Cyber Essentials is a security accreditation program developed by the National Cyber Security Centre and backed by the UK government. Its objective is to help organisations protect themselves against common online threats. The program has been a great success and around 200,000 businesses have become certified.
There are two levels: ‘Cyber Essentials’ and ‘Cyber Essentials Plus’. Both use the same control framework and self-assessment questionnaire, while ‘Plus’ adds an external technical audit. This audit checks that these controls are in place.
This audit includes a scan for internal and external vulnerabilities. It also looks closely at a random selection of user devices. Additionally, it checks all internet gateways and servers that internet users can access. The Assessor will test a random sample of these systems.
Although there is no legal obligation to comply, Cyber Essentials provides organisations, regardless of their size or type, with a practical framework for optimising their security controls and enhancing their protection against common cyber threats.
At CyberKainos, our opinion is that all businesses should strive to attain the Cyber Essentials certification. It is well established, cost-effective, and, most importantly, is proven to enhance protection against cyber threats. 92% fewer insurance claims are made by organisations with Cyber Essentials controls in place.
If you are currently researching Cyber Essentials, about to start your accreditation journey, or need help with your renewal, this guide will cover all the essential information you need, including:
• The Cyber Essentials five key control areas
• The benefits of achieving certification
• The steps to complete the certification process
The five key controls
Control 1: Secure Configuration
Endpoints and network devices are rarely secure in their out-of-the-box configurations. They often contain weak points such as administrative accounts with predetermined passwords or pre-enabled and unnecessary user accounts, applications, or services.
Remove or disable unnecessary software and services
- Uninstall unused applications and turn off services that are not required for business operations.
Change default settings and passwords
- Replace all default usernames and passwords with strong, unique credentials.
Restrict user accounts / privileges and authenticate where necessary
- Apply the principle of least privilege by ensuring users have only the access they need for their roles. Authenticate users before allowing Internet-based access to commercially or personally sensitive data.
Disable auto-run and auto-play features
- Prevent software from automatically running from USB drives or other external media sources to reduce malware risks.
Regularly review configurations
- Check and update system settings to ensure they remain secure and compliant.
Control 2: Malware Protection
Prevent malware injection through bad email links, websites, or removable hardware. Effective malware protection reduces risk of data loss and ransomware.
Use anti-malware software
- Install anti-malware software and keep it up to date to stay effective against new threats. You should update signature files at least daily either through automated updates or with a centrally managed deployment.
Use application white-listing
- Only allow approved applications to run, blocking all others by default. An authorised individual must actively approve such applications before deploying them to devices and the organisation must maintain a current list of approved applications. Users must not be able to install an application that is unsigned or has an invalid signature.
Implement sandboxing
- Run applications and code of unknown origin in isolated environments to prevent them from accessing other resources.
Restrict user permissions
- Ensure users have appropriate access rights based on their roles to prevent unauthorised software installation and to limit lateral movement in the event of a breach.
Control 3: User Access Control
Administrative user accounts are used to make considerable changes to IT systems. If a malicious party can compromise an administrative account, an attack can be accelerated significantly, making it harder to contain.
Assign user accounts individually
- Have a defined user account creation and approval process. Ensure every employee has a unique, identifiable user account. Avoid shared accounts.
Use the principle of least privilege
- Give users only the access rights they need for their jobs. Make sure to authenticate them before allowing access to applications or devices. Use unique credentials for this process.
Control administrator accounts
- Have separate accounts for administrative tasks and standard work. Activities such as emailing and web browsing can expose administrative privileges. Only authorised users should receive admin rights.
Review user access regularly
- Check user accounts regularly, especially after role changes or when employees leave, and remove or adjust access as needed.
Use strong authentication
- Protect all accounts with strong, unique passwords. Where possible, implement multi-factor authentication (MFA), especially for admin accounts and remote access.
Control 4: Firewalls
Protect every device that is connected to the Internet with a physical or software firewall. Ensure network traffic is monitored, while unauthenticated or unknown traffic is blocked by default.
Use boundary firewalls
- Install and maintain a firewall at the network's boundary to filter traffic between your network and the Internet, preventing attackers from gaining unauthorised access to systems.
Configure firewalls securely
- Allow only the traffic necessary for business needs. The firewall should block all other inbound and unnecessary outbound connections.
Change default passwords
- Replace all default administrative passwords associated with the firewall with strong, unique ones.
Restrict administrative access
- Prevent access to the firewall's administrative interface from the Internet and protect it with either a second authentication factor, such as a one-time token, or an IP whitelist that limits access to a small range of trusted addresses, ideally from inside the network.
Enable personal firewalls
- Ensure personal firewalls are active on all devices, especially mobile or remote ones that connect from outside an office or are used on untrusted networks such as public Wi-Fi.
Document firewall rules
- Ensure inbound firewall rules are approved and documented by an authorised individual. Keep records of your firewall configuration and any changes made.
Control 5: Security Update Management
Your licensed software will almost certainly include regular updates (known as patches) to address security issues and bugs. Addressing these before a malicious party can exploit them is essential.
Keep all software up to date
- Make sure all software used by the organisation is licensed. Install the latest security updates for all operating systems, applications, and firmware as soon as they are released.
Enable automatic updates where possible
- Configure systems to install these updates automatically, reducing delays and the chances of missing crucial patches to ensure ongoing protection.
Patch quickly
- Apply critical security patches within 14 days of their release. This is especially true for patches that fix remote vulnerabilities.
Remove unsupported software
- Uninstall or replace any software or operating systems that the vendor no longer supports. They will no longer receive security updates.
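As an added illustration (not CyberKainos, NCSC or IASME code), the script below checks a constructed asset inventory against several of the control points listed above, including the 14-day window for critical patches and the requirement that a firewall's administrative interface is not reachable from the Internet. The inventory field names and sample hosts are assumptions made for the example.

```python
# Added example: evaluate a constructed asset inventory against the
# Cyber Essentials control points described above. Field names are assumptions.
from datetime import date

PATCH_DEADLINE_DAYS = 14  # Control 5: critical patches applied within 14 days of release

# Constructed sample inventory (not real hosts).
INVENTORY = [
    {"host": "fw-edge-01", "firewall": True, "admin_ui_from_internet": True,
     "default_creds": False, "admin_mfa": False, "autorun": False,
     "vendor_supported": True,
     "missing_critical_patches": [{"id": "PATCH-A", "released": "2024-05-01"}]},
    {"host": "laptop-17", "firewall": False, "admin_ui_from_internet": False,
     "default_creds": True, "admin_mfa": True, "autorun": True,
     "vendor_supported": False, "missing_critical_patches": []},
    {"host": "srv-files", "firewall": False, "admin_ui_from_internet": False,
     "default_creds": False, "admin_mfa": True, "autorun": False,
     "vendor_supported": True,
     "missing_critical_patches": [{"id": "PATCH-B", "released": "2024-05-20"}]},
]

def findings_for(asset, today):
    """Return (control, message) pairs for every control point the asset fails."""
    out = []
    if asset["default_creds"]:
        out.append(("Secure Configuration", "default credentials still in use"))
    if asset["autorun"]:
        out.append(("Secure Configuration", "auto-run/auto-play enabled"))
    if not asset["admin_mfa"]:
        out.append(("User Access Control", "admin accounts lack MFA"))
    if asset["firewall"] and asset["admin_ui_from_internet"]:
        out.append(("Firewalls", "admin interface reachable from the Internet"))
    if not asset["vendor_supported"]:
        out.append(("Security Update Management", "software no longer vendor supported"))
    for patch in asset["missing_critical_patches"]:
        age = (today - date.fromisoformat(patch["released"])).days
        if age > PATCH_DEADLINE_DAYS:
            out.append(("Security Update Management",
                        f"{patch['id']} outstanding {age} days (limit {PATCH_DEADLINE_DAYS})"))
    return out

def assess(inventory, today):
    """Map each host to its list of findings; an empty list means no gaps found."""
    return {a["host"]: findings_for(a, today) for a in inventory}

def run_sample():
    """Assess the constructed inventory as of a fixed date so results are repeatable."""
    return assess(INVENTORY, date(2024, 5, 28))

if __name__ == "__main__":
    for host, items in run_sample().items():
        print(host, items or "OK")
```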
Benefits of Achieving Cyber Essentials
The obvious reason for achieving Cyber Essentials is to reduce the risk of a security incident impacting business continuity. However, there are other benefits to consider:
- Lower cyber insurance premiums: This is especially relevant for organisations that include their entire IT infrastructure in the scope of their Cyber Essentials assessment. Being able to demonstrate effective security controls and greater security maturity can lead to lower cyber insurance premiums. If you need help with these conversations, our CyberKainos vCISOs possess a great deal of experience in helping organisations in this area.
- Make ongoing regulatory compliance easier: The five key controls are not exclusive to Cyber Essentials. ISO 27001 and GDPR are two other examples of information security standards in the UK, and you can re-use the work done here to help achieve these standards too. To make life simpler, our Aegis platform will do this automatically and provide a checklist of what still needs to be done.
- Win more business and reduce lead times: Businesses understandably want to partner with suppliers who can demonstrate good cybersecurity practices to reduce their risk of inheriting third-party issues. Our Aegis platform makes it easy to share your credentials in this space with your customers, along with any other compliance frameworks you have met, to speed up the due-diligence process. It is also worth noting that for government contract bids, a valid Cyber Essentials certificate is often a necessity in order to be considered for the project.
8 Steps to Achieve Cyber Essentials
i) Download the Cyber Essentials self-assessment questionnaire (SAQ)
The SAQ is the cornerstone of your Cyber Essentials application. It outlines the program's requirements, and the information and evidence you will need to provide. It can be downloaded from the IASME website.
We suggest that you review this document carefully. If you haven’t done so already, talk to your IT and security teams before starting Stage 2.
ii) Confirm your scope
While you can partially scope a Cyber Essentials assessment to cover a subset of the organisation, such as a location or business unit, or even selected elements of your IT infrastructure such as your cloud services, we strongly recommend you include your whole organisation.
This is because if you are taking the time to complete this exercise, it makes sense to cover as much as you can. Cyber Essentials is a key requirement for obtaining or reducing your cyber insurance, and insurers are unlikely to accept an assessment that has left large parts of an estate untouched.
This doesn’t mean every element or device needs to be included. Devices that cannot connect to the Internet or are owned by third parties (such as contractors) are considered out of scope.
Once you confirm your scope, you need to outline it in the SAQ. You should also create a detailed asset inventory that shows your IT infrastructure. Again, Aegis can help save huge amounts of time here by creating this list with minimal manual input.
iii) Review Your Capabilities and Collect Evidence
While Cyber Essentials is a self-assessed certification, evidence demonstrating that your controls are effective and aligned with the framework's requirements still needs to be collected and documented.
The most important aspect of evidence collection is centralisation. If evidence such as screenshots, policy documents and logs is scattered across email chains, documents and shared folders, searching through it will be time-consuming, and crucial documents will invariably be missed.
Aegis clients benefit from AI driven automation that not only collects the required evidence automatically from multiple sources, saving security teams up to 50% of their time in the process, but also stores it centrally on one shared platform for simple internal or external review.
iv) Submit Your Application
You can submit your completed questionnaire to an accredited Certification Body or directly to the UK government portal for Cyber Essentials.
At this point you will need to pay the certification fee (which varies depending on the organisation's size and scheme level). You can find pricing details on the IASME website.
v) Undergo your External Assessment (Cyber Essentials Plus only)
The accredited certification body you have submitted your SAQ to will conduct vulnerability scans and internal testing on your systems and they will advise on their findings, usually after a few weeks.
vi) Address Any Issues Found (if applicable)
If the external audit identifies any vulnerabilities or gaps you will need to fix these promptly. In some cases you may also need to resubmit your evidence or undergo a follow-up assessment.
vii) Receive your Certification
Once approved, you will receive your official Cyber Essentials certificate.
Don’t forget to include the Cyber Essentials logo on your website, bid documents, presentations, and other client-facing materials.
viii) Maintain and Renew Certification
A Cyber Essentials certification is valid for 12 months from the date on the certificate. It can be renewed by updating your assessment and submitting any required supporting documentation.
During the year, make sure you regularly review and maintain your security controls as this will make your renewal much easier. For Aegis clients, this will be automated for you and any urgent tasks will be flagged automatically.