Essential Cyber Security - The UK Cyber Essentials Scheme

What is the Cyber Essentials scheme?

Cyber Essentials is a UK government cybersecurity assurance scheme. It is based on the government’s "10 Steps to Cyber Security" program and administered by the NCSC (National Cyber Security Centre).

The Cyber Essentials scheme has two objectives:

  • To set out 5 basic cybersecurity controls that can protect organisations from “around 80% of common internet cyber attacks”; and
  • To provide a simple and affordable certification process for organisations to demonstrate that they have implemented essential cyber security measures.

There are 2 levels of Cyber Essentials certification:

  • Cyber Essentials
  • Cyber Essentials Plus

IT Governance is a CREST-accredited certification body for the Cyber Essentials scheme, but from 1 April 2020 will be accredited by IASME, in line with changes to the Cyber Essentials scheme implemented by the NCSC. You can learn more about these changes below.

Get certification quickly and easily with our fixed-price packages.

What are the five key security controls?

Secure configuration

Confirm that computers and network devices are properly configured in order to reduce the level of inherent vulnerabilities.


Secure your Internet connection

Confirm that only safe and essential network services can be accessed from the Internet.


Access control

Confirm that user accounts are assigned to authorised individuals only.


Patch management

Confirm that devices and software are not vulnerable to known security issues for which fixes are available.


Malware protection

Restrict the execution of known malware and untrusted software.

Cyber Essentials Assurance Framework

Cyber Essentials certification is a UK government scheme, but implementing the five security controls above can still help organizations across the world prevent cyber attacks.

There are two levels of certification under the Assurance Framework: Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials Certification

Cyber Essentials includes an SAQ (self-assessment questionnaire) and an external vulnerability scan. The certification process has been designed to be lightweight and easy to follow.


Cyber Essentials is right for you if:

  1. You’re looking for base-level security certification to demonstrate that you have key controls in place.

Cyber Essentials Plus Certification

Cyber Essentials Plus certification includes an additional internal scan and an on-site assessment.


Cyber Essentials Plus is right for you if:

  1. Your employees work from remote locations, or
  2. Third parties have access to your premises or IT.

Why is Cyber Essentials so useful?

Since the GDPR (General Data Protection Regulation) came into effect, all organizations that process personal data must implement appropriate technical and organizational measures to ensure its security or risk administrative fines of up to €20 million ($22 million) or 4% of annual global turnover – whichever is greater.

Implementing the Cyber Essentials controls is recognized as one of many ways of demonstrating that organizations are taking action to mitigate the risks they face, especially if those risks are of a low level.

Larger organizations, those with more complex environments or lower risk appetites or those that face a higher level of risks, including targeted attacks, would do well to adopt a more mature level of cybersecurity, such as an ISMS (information security management system) that complies with the international standard ISO 27001.

“Cyber Essentials certification does a lot to target low hanging fruit, but it doesn’t cover all low hanging fruit attackers go after. Combining Cyber Essentials with phishing staff awareness training can reduce an organisation’s attack surface.

Enable your most important asset, your employee, to be more effective in securing your organisation to minimise the risk of a successful attack.”

- Geraint Williams, Chief Information Security Officer, GRC International Group

Validate your security status with CREST certification

IT Governance is a CREST-accredited Cyber Essentials certification body. CREST certification gives you an added advantage:

  • Qualified technical experts

    Technical reviewers are selected based on certain qualification criteria and must adhere to certain codes of conduct.

  • Pre-certification validation

    Your Self-Assessment Questionnaire will always be validated by a technical reviewer before your certificate is issued

  • Full vulnerability scan

    Get independent verification of your security status with an external vulnerability scan of all internet-facing applications and networks.

  • Cyber Essentials Plus

    Only CREST-accredited certification bodies can undertake the testing required for Cyber Essentials Plus

In 2020, the NCSC (National Cyber Security Centre) will implement some changes to the Cyber Essentials scheme to prepare it for the future. The current five Cyber Essentials accreditation bodies will be replaced by one. From 1 April 2020, The IASME Consortium will operate as the sole accreditation body for the scheme.

In support of this change, IT Governance will become an IASME-accredited certification body from April next year. We will continue providing the high level of cost-effective ongoing service our clients expect from us and will ensure the transition to the new arrangements is seamless. In the meantime, and in line with current arrangements supported by the NCSC, our clients will continue to be certified under CREST, and all existing and new certifications will continue to be valid and in line with current requirements.
