Cyber Essentials – Technical Description


The Cyber Essentials scheme has been developed by the UK Government and industry to fulfil two functions. It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats, within the context of the Government’s 10 Steps to Cyber Security. And through the Assurance Framework it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations can implement and potentially build upon. Government believes that implementing these measures can significantly reduce an organisation’s vulnerability. However, it does not offer a silver bullet to remove all cyber security risk; for example, it is not designed to address more advanced, targeted attacks and hence organisations facing these threats will need to implement additional measures as part of their security strategy. What Cyber Essentials does do is define a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes.

Cyber Essentials and Cyber Essentials Plus are the same standard; CE+ offers the additional protection of a vulnerability test, whilst CE is by verified self-assessment only.

The Cyber Essentials Scheme focuses on Internet-originated attacks against an organisation’s IT system. Many organisations will have particular additional services, e.g. web applications, that will require additional and specific controls beyond those provided by Cyber Essentials. Cyber Essentials concentrates on five key controls. These are:

1. Boundary firewalls and internet gateways – these are devices designed to prevent unauthorised access to or from private networks; good setup of these devices, whether in hardware or software form, is important for them to be fully effective.

2. Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.

3. Access control – ensuring that only those who should have access to systems have access, and at the appropriate level.

4. Malware protection – ensuring that virus and malware protection is installed and is up to date.

5. Patch management – ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.

The Cyber Assurance Framework provides organisations with a staged approach towards embedding mature and sustainable information risk management from common Internet based threats as well as the broader risks they might face. Each stage adds confidence and it is for organisations to decide which they choose based on their risk appetite, their customers’ expectations and cost considerations.

You can search for a QG Management Standards approved Certification Body here



Stage 1 – Cyber Essentials: verified self-assessment

Certification at this stage provides a basic level of confidence that the controls have been implemented correctly, and relies on the organisation having the skills to respond appropriately to the questionnaire.

The scope must be declared at this stage. The scope should be defined in terms of network boundaries, location and management control.

The organisation identifies the enterprise IT systems it believes are at risk from Internet based threat actors with low levels of technical capability and implements the Cyber Essentials requirements for basic technical cyber protection. The organisation declares its compliance with the Cyber Essentials requirements so that it can be verified by a Certification Body.

The declaration is signed by the Chief Executive Officer or equivalent endorsing its accuracy.

The declaration is sent to a Certification Body for verification. If the Certification Body has sufficient confidence that the controls have been effectively implemented a certificate is awarded by QG Management Standards.



Stage 2 – Cyber Essentials Plus: independently tested

Cyber Essentials is an integral part of Cyber Essentials Plus; however, you do not need to have applied to a certification body for Cyber Essentials certification, but you do need to have the controls and systems in place that are defined in Cyber Essentials.

This stage tests whether the controls implemented are sufficient to protect the organisation against Internet based threat actors with low levels of technical capability.

The stage will be based on vulnerability testing of the system(s) in scope from inside and outside the system.

The Stage 2 assessment can either directly test that individual controls have been implemented correctly or recreate various attack scenarios to determine whether they can achieve a compromise with widely available capabilities. Cyber Essentials Plus encompasses the same control themes as Cyber Essentials. Cyber Essentials Plus offers a higher level of assurance through the use of an independent testing regime.

Certification at either Cyber Essentials or Cyber Essentials Plus should be seen as a snapshot of the organisation’s ability to mitigate the risks from the given Internet based threats at the time of assessment. It does not indicate how sustainable this will be.

If you would like further information on who the best certification body is for your business, call QG Management Standards on 01228 631681 or email

Organisations will need to recertify once a year, or more frequently as necessary to meet specific procurement or customer requirements.


QG Business Solutions Ltd

Westwinds, Lambley Bank,
Scotby, Carlisle

t 01228 631681