What is Cyber Essentials and why does it matter for your business's security?

Written by itfoundations | Jun 9, 2025 1:56:00 PM

Cyber Essentials is the official UK cyber security standard, but what is it, and do you need it?

Cyber security is becoming an increasingly difficult area to manage for small businesses. It's also increasingly hard for customers to know whom they can trust with their data. That's where the UK government's Cyber Essentials standard comes in.


What is Cyber Essentials?

The Cyber Essentials certification is a scheme designed to help organisations of all sizes protect themselves from a range of cyber threats and demonstrate their compliance.

Achieving Cyber Essentials certification not only demonstrates your commitment to cyber security but is also increasingly required by insurers as a condition of cover or of lower premiums. Furthermore, it is becoming a mandatory requirement for certain contracts, especially those with the government.

To further encourage companies to obtain the certification, it includes £25,000 of cyber insurance that covers costs such as data recovery, crisis communications, and legal advice following a cyber incident.

Beyond these practical benefits, obtaining Cyber Essentials certification enhances your business's reputation and instils confidence in your customers and partners. It shows that your organisation takes cyber security seriously, which can be a significant competitive advantage.

Cyber Essentials vs Cyber Essentials Plus: What’s the Difference?

Cyber Essentials offers two levels of certification: Cyber Essentials and Cyber Essentials Plus. But what is the difference between the two? Fundamentally, it comes down to the evidence required: the basic level is a self-assessment, whereas the Plus level requires the same controls to be verified by an independent technical assessment.

Core Areas of Cyber Essentials

Cyber Essentials focuses on certain core areas. By ensuring compliance with these core areas, you can demonstrate that a solid foundation is in place to protect your systems and data.

The core areas of Cyber Essentials are:

  1. Firewalls and Internet Gateways: Firewalls protect your network and devices from external internet traffic. Whether you use a dedicated hardware firewall to protect your network or a software firewall on your devices, they only improve your security if they're configured correctly. Proper configuration is essential to block unauthorised access and services, safeguarding your systems from external threats. Cyber Essentials requires that these be in place.
  2. Secure Configuration: Ensuring that your devices and software are securely configured is vital. This involves removing or disabling unnecessary accounts, services, and features that could be exploited by attackers. You must also ensure that devices and services are protected with suitable biometric protection, security keys, or long passwords and multi-factor authentication.
  3. User Access Control: Limiting access to data and services based on user roles is fundamental to Cyber Essentials. This involves ensuring that users can only access files, folders, and data that they need for their roles, and nothing else. 
  4. Account separation: The creation of separate day-to-day accounts and admin accounts in systems is now required. What this means is that a day-to-day account should not be able to add or remove users from a platform or adjust user permissions. These kinds of activities should be restricted to separate admin accounts to limit the potential damage if a primary account is compromised.
  5. Patch Management: Keeping all software and firmware up to date is necessary to protect against vulnerabilities. Applying security updates within 14 days of release and having a formal patch management process in place are key steps.
  6. Malware Protection: Cyber Essentials requires that all devices be protected using endpoint protection that is active and up-to-date. It also advocates application allow-listing to protect against malicious software installation. 
  7. Mobile Device Management (MDM): If mobile devices are used to access data, they need to be included within the scope of an assessment. To comply, they need to be encrypted, be capable of having data remotely wiped, and receive regular updates.
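As an added example (not part of the IT Foundations post or of any Cyber Essentials tooling), the following Python script checks a constructed device inventory against the core controls listed above: firewall enabled, security patches applied within 14 days, endpoint protection active and up to date, admin accounts kept separate from day-to-day accounts, and mobile devices encrypted and remotely wipeable. The inventory format, field names, hostnames and dates are assumptions made for the illustration.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # security updates must be applied within 14 days of release
REPORT_DATE = date(2025, 6, 9)  # constructed assessment date for the sample run

# Constructed sample inventory. The field names are an assumption for this
# illustration, not the export format of any real MDM or RMM product.
INVENTORY = [
    {"host": "LAPTOP-01", "mobile": False, "firewall_on": True,
     "edr_active": True, "edr_signatures": date(2025, 6, 8),
     "pending_patches": [{"name": "Browser 124.0", "released": date(2025, 5, 20)}],
     "accounts": [{"name": "alice", "admin": False, "daily_use": True},
                  {"name": "alice-adm", "admin": True, "daily_use": False}]},
    {"host": "PHONE-07", "mobile": True, "encrypted": False, "remote_wipe": True,
     "firewall_on": True, "edr_active": True, "edr_signatures": date(2025, 6, 9),
     "pending_patches": [],
     "accounts": [{"name": "bob", "admin": True, "daily_use": True}]},
]

def evaluate(device, today):
    """Return the list of deviations from the core controls for one device."""
    findings = []
    if not device["firewall_on"]:
        findings.append("firewall disabled")
    for patch in device["pending_patches"]:
        age = (today - patch["released"]).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(f"patch '{patch['name']}' outstanding {age} days")
    if not device["edr_active"]:
        findings.append("endpoint protection inactive")
    elif (today - device["edr_signatures"]).days > 1:
        findings.append("endpoint protection signatures out of date")
    for acct in device["accounts"]:
        # account separation: an admin account must not double as a daily-use account
        if acct["admin"] and acct["daily_use"]:
            findings.append(f"admin account '{acct['name']}' used for day-to-day work")
    if device["mobile"]:
        if not device["encrypted"]:
            findings.append("mobile device not encrypted")
        if not device["remote_wipe"]:
            findings.append("mobile device cannot be remotely wiped")
    return findings

def audit(inventory, today):
    """Map each host to its deviations; a compliant host maps to an empty list."""
    return {d["host"]: evaluate(d, today) for d in inventory}

if __name__ == "__main__":
    for host, issues in audit(INVENTORY, REPORT_DATE).items():
        print(f"{host}: {'COMPLIANT' if not issues else '; '.join(issues)}")
```

Running it reports the laptop's 20-day-old outstanding patch and, for the phone, an admin account in daily use and missing encryption; a host with an empty list is compliant with the checks modelled here.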


2025 Changes to Cyber Essentials

The Cyber Essentials scheme is continually evolving to address new and emerging threats. In 2025, several key enhancements were introduced, including:

  1. Passwordless authentication: Passwordless authentication (for example, biometrics bound to your device in place of a password) has become the norm for accessing devices and services. Cyber Essentials has been updated this year to include it as a valid method of authentication.
  2. Software and Vulnerability Management: There is a broader scope for vulnerability remediation, an emphasis on passwordless authentication and modern access methods, and enhanced requirements for remote working setups.
  3. Additional changes: The definition of 'home working' was expanded to read 'home and remote working', and there was some alignment with other international standards like NIST.

How to Achieve and Maintain Certification

Achieving Cyber Essentials certification can be done in several ways.

Achieving certification

  1. Self-service - you can undertake the process yourself by visiting the IASME Consortium or the National Cyber Security Centre (NCSC) websites.
  2. Third-party services - you can use third-party services to obtain your certification. These services have online forms with additional guidance and information to help you navigate the completion of the Cyber Essentials form. They will usually also provide the review of the form, highlighting areas where you need further work to achieve compliance.
  3. Work with your IT Partner - The best option is often to contact IT Foundations or your Managed Service Provider (MSP) for assistance. We have extensive knowledge of your systems and can take much of the burden off your shoulders. Our automated systems can greatly speed up the collection of data required for the certification, which ultimately makes going through your MSP a cost-effective solution for achieving Cyber Essentials.

Maintaining certification

It's one thing to get the certificate and forget about it for another year, but ongoing compliance is very much the name of the game today, especially when it comes to making sure that the included cyber insurance remains valid and will pay out if you need to make a claim.

Subscribing to a service that ensures you stay compliant with the certification requirements is highly recommended. This proactive approach not only helps you maintain your certification but also ensures your business is always protected against the latest cyber threats.

There are services available that can monitor for compliance via device-based agents and alert you if you have deviations from the standard. We recommend speaking to your MSP to explore the options for compliance that are available to you (or call us!).

Renew your Cyber Essentials annually

It's important to note that Cyber Essentials certification is valid for only one year. Because the requirements are continually updated to ensure they remain relevant and promote best practices, you need to renew it annually.

Next steps...

If you are considering getting Cyber Essentials for your business, get in touch with us today to explore the options available to you and learn how we can assist you.