Cyber Essentials is a UK government-backed scheme designed to ensure organisations adhere to essential security standards. Overseen by the National Cyber Security Centre and managed by IASME, certification must be renewed annually following a thorough assessment. Since its inception in 2014, the scheme has evolved significantly, notably in 2022, to address the growing use of cloud services, multi-factor authentication, and emerging cyber threats.
Certification Levels
Cyber Essentials offers two levels of certification, with identical technical requirements:
Cyber Essentials | Involves submitting a self-assessment questionnaire reviewed by an assessor. If responses are insufficient, you have two working days to amend them, otherwise, a re-submission and additional fee are required. Payment for the assessment is mandatory before submission.
Cyber Essentials Plus | Includes an external assessor validating your systems to ensure compliance. Similar to ISO 27001, the assessment can be scoped to specific parts of your business.
IASME offers downloadable questionnaires (available as PDF or XLS) on their website. This allows you to prepare your responses before submitting them via a web portal. Once completed, a board member must electronically sign off the answers before submission. If updates are required, re-signing by a board member is necessary.
Download the Self-Assessment Questions | IASME Cyber Essentials Questions
Get Ready for Cyber Essentials | Preparation Tool
Key Requirements
The assessment covers several crucial areas:
- Boundary Firewalls and Internet Gateways
- Secure Configuration
- Device Locking
- Security Update Management
- User Access Control
- Administrative Accounts
- Password-Based Authentication
- Malware Protection
Additionally, you'll answer questions about your organisation and the scope of the assessment, which can be for the entire organisation or specific parts.
Tips for a Successful Assessment
Preparation | Thoroughly review the questionnaire and compile lists of software and devices. Ensure all items meet the requirements. Quick turnarounds for updates can be stressful, so pre-registering devices in Intune can simplify data production.
Authentication | Implement MFA everywhere possible. Cyber Essentials mandates at least 8-character passwords and common password blocking if MFA isn’t feasible. Entra ID’s MFA capabilities, combined with good configuration and conditional access policies, can achieve compliance with minimal user impact. Integrate SaaS applications with Entra ID to meet the same standards, and apply integration to on-premises applications supporting SAML.
Updates | Ensure policies enforce timely OS and application updates. Unsupported software should be removed, and operating systems should be within vendor support. Intune can assist in generating reports and applying updated policies.
Using M365 and Entra | Utilise the security tools included in M365 and Entra (MFA, conditional access, Defender, Intune) to apply policies and generate reports, making compliance straightforward.
Summary of Requirements
Below is a summary of the key questions and details from the current questionnaire. Always refer to the official Cyber Essentials specification to confirm requirements and ensure your systems are compliant.
- Device Inventory | List all devices in scope, including OS and versions.
- Cloud Services | List your cloud services.
- Firewalls and Gateways | Verify firewall presence, password management, and security measures for devices outside the network.
- Secure Configuration | Ensure unnecessary software and accounts are removed or disabled, default passwords changed, and external application authentication managed.
- Device Locking | Implement screen locks and secure unlocking methods.
- Security Update Management | Confirm OS and software are supported and updated regularly, with critical patches applied within 14 days.
- User Access Control | Document account processes, manage permissions and handle leaver accounts effectively.
- Administrative Accounts | Separate admin and day-to-day accounts, block admin accounts from routine tasks, and review admin access.
- Password-Based Authentication | Protect against brute force attacks, enforce strong password policies, and apply MFA where possible.
- Malware Protection | Install malware protection on all devices and limit the installation of unsigned apps.
By following these guidelines and leveraging the provided tools, your organisation can achieve Cyber Essentials certification and enhance its cyber security posture.
Get in Touch for Expert Guidance
Achieving Cyber Essentials certification is a critical step in safeguarding your organisation against cyber threats. If you need help navigating the certification process, especially within your Microsoft 365 environment, we're here to assist. Our experts can provide tailored guidance to ensure your systems meet the required standards efficiently and effectively.
Don't leave your cyber security to chance—contact our team to learn about how we can support you in securing your business and achieving your Cyber Essentials certification.