Cyber Essentials

Cyber Essentials is a simple but effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.

Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They're the digital equivalent of a thief trying your front door to see if it's unlocked.

Sec-Ops is a CREST certification body offering both Cyber Essentials, and Cyber Essential PLUS certifications.

Cyber Essentials is the entry-level certification, consisting of a self-assessed questionnaire and an external vulnerability scan of your internet facing infrastructure.

Cyber Essentials PLUS is recommended for business that want to display a higher level of security assurance. The test involves all the same elements as Cyber Essentials, however, there are additional, more comprehensive internal tests that will generally require an assessor to come to your offices.

What's involved?

The Cyber Essentials scheme covers five key control areas that will undergo assessment:

Applies to: Boundary firewalls; desktop computers; laptop computers; routers; servers.

Objective: Ensure that only safe and necessary network services can be accessed from the Internet.


Every device that is in scope must be protected by a correctly configured firewall (or equivalent network device). For all firewalls (or equivalent network devices), the organisation must routinely:

  • Change any default administrative password to an alternative that is difficult to guess using best practices - or disable remote administrative access entirely
  • Prevent access to the administrative interface from the Internet, unless there is a clear and documented business need and the interface is protected by one of the following controls:
    • A second authentication factor, such as a one-time token
    • An IP whitelist that limits access to a small range of trusted addresses
  • Block unauthenticated inbound connections by default
  • Ensure inbound firewall rules are approved and documented by an authorised individual; the business need must be included in the documentation
  • Remove or disable permissive firewall rules quickly, when they are no longer needed. Use a host-based firewall on devices which are used on untrusted networks, such as public Wi-Fi hotspots.

Applies to: Email, web, and application servers; desktop computers; laptop computers; tablets; mobile phones; firewalls; routers.

Objective: Ensure that computers and network devices are properly configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.

Computers and network devices requirements

The organisation must routinely:

  • Remove and disable unnecessary user accounts
  • Change any default or guessable account passwords to something non-obvious
  • Remove or disable unnecessary software
  • Disable any auto-run feature which allows file execution without user authorisation
  • Authenticate users before allowing Internet-based access to commercially or personally sensitive data, or data which is critical to the running of the organisation

Password-based authentication requirements

  • Protect against brute-force password guessing, by using at least one of the following methods: limit attempts, or the number of guesses allowed in a specified time
  • Set a minimum password length of at least 8 characters but not set a maximum password length
  • Change passwords promptly when the organisation knows or suspects they have been compromised
  • Have a password policy that informs users of industry best practice

Applies to: Email, web and application servers; desktop computers; laptop computers; tablets; mobile phones.

Objective: Ensure user accounts are assigned to authorised individuals only and provide access to only those applications, computers and networks required for the user to perform their role.


The organisation must be in control of its user accounts and the access privileges granted to each user account. It must also understand how user accounts authenticate and control the strength of that authentication.

  • Have a user account creation and approval process
  • Authenticate users before granting access to applications or devices, using unique credentials
  • Remove or disable user accounts when no longer required
  • Implement two-factor authentication, where available
  • Use administrative accounts to perform administrative activities only
  • Remove or disable special access privileges when no longer required

Applies to: Desktop computers; laptop computers; tablets; mobile phones.

Objective: Restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data.


The organisation must implement one of the three mechanisms listed below.

Anti-malware software
  • The software must be kept up to date, with signature files updated at least daily.
  • The software must be configured to scan files automatically upon access. This includes when files are downloaded and opened, and when they are accessed from a network folder.
  • The software must scan web pages automatically when they are accessed through a web browser
  • The software must prevent connections to malicious websites on the Internet.
Application whitelisting
  • Only approved applications, restricted by code signing, can execute on devices. The organisation must: actively approve such applications before deploying them to devices and maintain a current list of approved applications
  • Users must not be able to install any application that is unsigned or has an invalid signature.
Application sandboxing
  • All code of unknown origin must be run within a ‘sandbox’ that prevents access to other resources unless permission is explicitly granted by the user

Applies to: Web, email and application servers; desktop computers; laptop computers; tablets; mobile phones; firewalls; routers.

Objective: Ensure that devices and software are not vulnerable to known security issues for which fixes are available.


The organisation must keep all its software up to date. Software must be:

  • Licensed and supported
  • Removed from devices when no longer supported
  • Patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’

If your vendor uses different terms to the Common Vulnerability Scoring System (CVSS). For the purposes of the Cyber Essentials scheme, ‘critical’ or ‘high risk’ vulnerabilities are those with the following values:

  • Attack vector: network only
  • Attack complexity: low only
  • Privileges required: none only
  • User interaction: none only
  • Exploit code maturity: functional or high
  • Report confidence: confirmed or high

So what?

The adoption of standards and certification for cyber-security can enable your organisation, and all stakeholders, to have greater confidence in your ability to measure and reduce basic cyber risks, as it demonstrates that you have been independently assessed.

If you are involved in any government procurement process then you are likely to need Cyber Essentials as a minimum, you can find out more on this here. However, if you are not, this scheme and Cyber Essentials PLUS can help prevent attacks on your IT systems from outside or inside your company and could give your stakeholders peace of mind.