Overview of the Cyber Essentials Certification Scheme

The Cyber Essentials certification scheme is backed by the UK government. Its aim is that the certification will help organisations of any size stay protected against a range of common cyber-attacks.  The Cyber Essentials certification scheme has been recognised as a minimum baseline standard for Cyber Security within the UK.

It allows organisations to showcase their certification to potential clients to demonstrate their commitment to cybersecurity by being trustworthy and secure. The certification must be renewed every year in line with the assessment requirements to ensure that this minimum level of protection is maintained.

To gain the cyber essentials certification, you will need to use an IASME certification body. IASME became the UK Government’s sole Cyber Essentials partner in 2020, following the need for a more streamlined customer experience and set methodology. IASME focuses on small and medium enterprises (SMEs), assessing and certifying them against the cyber essentials scheme and their governance standard.  IASME was founded on the principle that basic cyber security should be an essential requirement for all organisation and their supply chains and that there should be no barrier to the smallest of organisation.

IASME has listed the following reasons as benefits of the Cyber Essentials Certification:

  • Reassures customers and clients that you take cybersecurity seriously
  • Be listed on the IASME directory of organisations that have been awarded Cyber Essentials
  • Attract new business by demonstrating you have cyber security measures in place
  • A clear picture of your organisation’s cyber security level.


How many levels of certification does the Cyber Essentials scheme offer?

Levels of certification

The Cyber Essentials Scheme offers two different levels of certification Cyber Essentials and Cyber Essentials Plus, both of which need to be reviewed on an annual basis to ensure the level of protection is maintained.

So, what is the difference between the two?

Cyber Essentials: this level of certification is the foundation level that enables an organisation to have a statement of basic controls and infrastructure in place to mitigate risk from common threats. To be accredited to this level it will involve an online self-assessment questionnaire, in which a declaration must be signed to confirm that the answers you have provided are true. This questionnaire then gets marked by an independent assessor.

Cyber Essentials Plus: this level of certification is the highest level which involves more rigorous testing against your organisation’s systems. Your organisation will be required to fill out the self-assessment questionnaire like the foundation level but with the same controls, your organisation will receive a technical audit on your IT systems confirming that the five controls you have answered questions on are in fact in place and are working.  The audit will include vulnerability tests that will highlight if your organisation is protected against basic hacking and phishing attacks.


Do I need to do Cyber Essentials before Cyber Essentials Plus?

Technically speaking the answer would be yes. This is concerning the order in which tasks need to be completed to obtain the certification. IASME now states that before the technical audit can be carried out you must complete your online questionnaire first. Therefore, you may have seen advice to say you should obtain Cyber Essentials first and then go for the Plus.

However, that is just regarding the order in which tasks need to be completed. If your organisation is thinking about certifying you can choose whether to do Cyber Essentials or Cyber Essentials Plus right from the beginning. The difference is what we highlighted above regarding the technical audit.

If you do decide you want to do the basic Cyber Essentials first and then upgrade to plus this is also an option. You can go from Cyber Essentials to plus within three months of completing your questionnaire to ensure the data provided is correct against the technical audit that is going to be carried out.

If you decide to do Cyber Essentials Plus after three months it would be advised to wait until your renewal date and certify for it then, but in the meantime, you can become familiar with the controls your organisation has in place to ensure you can certify against the audit.

If you need Cyber Essentials Plus a lot sooner than your renewal date and it is after the three months of completing your Cyber Essentials basic, you will have to go through the process again of completing the questionnaire and then have the audit.


What are the Five Controls that are included within the Cyber Essentials scheme?

Cyber Essentials Controls

 The certification process focuses on testing the following five technical controls of your organisation’s IT infrastructure:

  • Firewalls – ensuring you have a security filter between the internet and your network and on your device
  • Secure Configuration – setting up your organisation’s computers in a secure way to minimise the ways in which a cybercriminal can find a way to access it
  • User Access Control – having control over who uses the computer and what they are allowed to do when using it.
  • Malware Protection – identifying and removing viruses and other malicious software before it causes harm
  • Security Update Management – this is a preventative measure, it’s designed to ensure that cybercriminals don’t use the mistakes they find in software to get into your system.

To pass the certification for Cyber Essentials you must ensure that your organisation meets all the requirements above.  This is what the assessor will certify against when reviewing your questionnaire.


Additions to the scope

Additions to Cyber Essentials Scope

The Cyber Essentials scheme was first launched on the 5th of June in 2014. The requirements created for the certification during its first launch were very much in line with office-based working.

But since the pandemic occurred it urged The National Cyber Security Centre and IASME to review what was within the scope of the certification due to homeworking and the popularity for it to continue.

The scope was reviewed, and the following additions were added to the scope in January 2022:


  • Homeworking devices
  • All cloud services are in scope
  • Multi-factor authentication
  • Thin clients when connected to organisational information
  • Servers including virtual servers on a subset
  • Smartphones and tablets connected to a corporate network
  • Device locking
  • Password and MFA requirements
  • Account separation
  • An organisation must include end-user devices
  • High and critical updates applied within 14 days
  • Unsupported software should be removed

To read in more detail about these additions to the scope click here.

The Cyber Essentials Plus Audit has also had some changes, two additional tests have been added:

  1. Test to confirm account separation between user and administration accounts
  2. Test to confirm MFA is required for access to cloud services.

The certification now also provides guidance on backing up your data. Although this isn’t a technical requirement, it is highly recommended that organisations implement an appropriate backup solution.


How to get certified

How to get Cyber Essentials Certified

Getting Cyber Essentials certified just takes a few easy steps:

  • Chose which level of certification you’d like to purchase – Cyber Essentials or Cyber Essentials Plus
  • Contact the team at iSTORM®️ regarding your chosen level of certification
  • Complete your self-assessment questionnaire and upload it for review by iSTORM®️ (certification body)
  • Once completed you will be contacted to arrange your technical audit if you opted for the Plus, if not, and your questionnaire is approved, IASME Consortium will post your certificate.

Once you have become Cyber Essentials certified you will receive the correct Cyber Essentials branding in line with your certification level to use on all your collateral to demonstrate your commitment to Cyber Security.



About iSTORM®️

About iSTORM®️

Here at iSTORM, we know how important it is to our customers that we can demonstrate our own security, which is why we are certified to Cyber Essentials Plus.

We have a team of expert consultants that can help your organisation through all aspects of the certification process, including conducting an initial gap analysis, providing support with application, and awarding certification.

For more information about how we can help you certify, visit our page here.

To start your certification journey contact us today.

For more information on Cyber Essentials visit the IASME website here.