
Cyber Essentials is a UK government-backed certification scheme designed to help organisations guard against the most common cyber threats. The scheme is self-assessed and focuses on implementing fundamental technical measures to improve an organisation’s cyber security posture. To gain certification, organisations complete a self-assessment questionnaire, which is then independently reviewed by a certification body to confirm compliance with the Cyber Essentials requirements.
This certification is often a practical entry point for businesses aiming to strengthen their digital defences, fulfil contract obligations or offer greater assurance to clients and partners.
What Does the Cyber Essentials Self-Assessment Involve?
The assessment covers five core areas of technical control. Each is important for reducing the risk of common cyber attacks:
Network Boundary Defences (Firewalls)
You must demonstrate that your routers and firewalls are properly configured. This includes tasks like replacing default passwords, limiting access to necessary traffic only and ensuring devices are secure and up to date.
Secure Setup of Devices and Systems
This section checks that your IT infrastructure is set up following security best practices. You’ll be expected to disable unused features, enable security settings and manage user accounts securely.
Managing User Access
Access to sensitive systems and data should be limited to those who need it. You’ll need to show that user roles are appropriately restricted, passwords are strong, admin rights are controlled, and there are processes for removing accounts when no longer required.
Protection from Malware
You must confirm that suitable anti-malware software or equivalent measures are in place to defend against viruses, ransomware and other forms of malicious code.
Applying Security Updates Promptly
The assessment checks that all operating systems, applications and devices are consistently patched with the latest security updates to prevent exploitation of known vulnerabilities.
Accessing the Latest Cyber Essentials Questionnaire
As of 2025, version 15 of the questionnaire, codenamed “Willow”, is the most current version. While the process is designed to be completed independently, responses must be honest, comprehensive and approved by a senior member of the organisation. Doing so not only helps with certification but also highlights areas where your cyber security strategy can be improved.
What is Cyber Essentials Plus?
Cyber Essentials Plus builds on the basic certification by adding an independent, hands-on technical assessment. A certified auditor carries out a series of tests to validate the accuracy of your self-assessment and confirm your defences are functioning effectively.
Key components of the Cyber Essentials Plus audit include:
External Vulnerability Scan
A remote test is conducted to simulate a low-skill cyber attacker targeting your internet-facing systems. This includes scanning for exposed services and open firewall ports.
Patching Verification
Using authenticated scanning tools, the auditor checks whether your systems have any missing security patches or updates. This applies to both operating systems and installed software.
Anti-Malware Review
Auditors confirm that devices, servers, and cloud infrastructure have effective malware protection installed and operating.
Multi-Factor Authentication (MFA) Checks
Cloud services must be protected by MFA, particularly for admin and user accounts. The audit ensures this is correctly configured.
Account Privilege Separation
The auditor verifies that ordinary users do not have administrative privileges, ensuring proper role segregation across devices and systems.
Cyber Essentials Plus offers more confidence because your cyber defences are verified by a third-party professional. It’s especially beneficial for organisations that handle sensitive data or operate in heavily regulated sectors like finance, healthcare or education.
Why Achieving Cyber Essentials Certification Is Important
Regardless of whether you pursue the standard certification or opt for the Plus version, both bring considerable advantages:
Defence Against Common Threats
The controls focus on blocking the techniques most frequently used by cyber attackers, such as phishing, malware infections, and weak remote access points.
Showcase Your Cyber Security Commitment
Certification communicates to stakeholders, partners and customers that your organisation takes security seriously and is proactively managing risk.
Support Regulatory Compliance
Cyber Essentials is often required for working with government departments in the UK and aligns well with other regulatory frameworks like GDPR or the Department for Education’s digital standards.
Strengthen Your Response Capabilities
Completing the assessment helps organisations better understand their security gaps, which in turn enhances incident readiness and resilience.
Enhanced Insurance Opportunities
Some insurance providers offer reduced premiums or improved terms for organisations that hold Cyber Essentials certification, recognising the lowered risk profile.
Choosing Between Cyber Essentials and Cyber Essentials Plus
If you’re just beginning to formalise your cyber security processes, Cyber Essentials provides a solid, affordable foundation. It proves you’re meeting key security standards and is a great stepping stone.
For those looking to add credibility or meet stricter regulatory or contractual obligations, Cyber Essentials Plus is ideal. It offers independent validation that your defences are not only in place but effective under real-world conditions.
Ready to Get Certified?
Whether you’re preparing for your first certification or upgrading to Cyber Essentials Plus, we’re here to help. Working with experienced partners, we guide organisations through every stage, from readiness assessments and remediation to audit support. Reach out today.