If you’re running a business in the UK, especially one that bids for Government or public-sector contracts or holds customer data, chances are you’ve heard about Cyber Essentials. Maybe a client or a shareholder has told you that you need it, maybe you’re trying to work out whether it’s worth the time and effort, or maybe you’re still trying to understand what on earth “cyber” is and what makes it so essential. If cyber security isn’t your area of expertise, it can be genuinely hard to know where to start.
This guide is here to help. We’ll walk you through what Cyber Essentials actually is, what it covers, and how to get certified, all without getting overwhelmed in the process.
What is Cyber Essentials?
Let’s start with the simple stuff. Cyber Essentials is a UK Government-backed certification scheme designed to help organisations protect themselves against the most common cyber threats. It is owned by the National Cyber Security Centre (NCSC) and delivered through IASME and its licensed certification bodies, and it sets a baseline level of security that every organisation should aim to meet, regardless of size or sector.
You can think of Cyber Essentials as a practical checklist for improving your security. It’s not about ticking endless boxes or writing lengthy reports; it’s about getting five key areas of your IT up to scratch so you’re protected against the most common types of attack.
What Does Cyber Essentials Cover?
Cyber Essentials is built around five core technical controls that, applied properly, stop the majority of commodity, untargeted attacks. These aren’t complex, enterprise-level solutions; they’re basic security measures that every business should have in place. Here’s a closer look at each of the five controls:
- Firewalls and Internet Gateways
This control is about keeping threats out by securing the boundary between your organisation’s network and the internet. A firewall acts like a security guard for your internet connection, filtering traffic and blocking connections you haven’t explicitly allowed.
For Cyber Essentials, every in-scope device must be protected by a firewall. That means a boundary firewall (typically your router or a dedicated appliance) at the office edge, plus the built-in software firewall on laptops and desktops, which matters most for staff who work from home or travel and sit behind networks you don’t control. You’ll also need to confirm that default administrator passwords on firewalls and routers have been changed, that the firewall’s admin interface isn’t reachable from the internet (or is protected by multi-factor authentication or an IP allow list if it must be), and that every inbound service you expose to the internet has a documented business need and is removed when that need goes away.
- Secure Configuration
Out-of-the-box settings are convenient, but often insecure. Devices and software usually ship with default or guest accounts, open ports, or unnecessary applications running in the background, any of which can become an entry point for an attacker; weak defaults are a common root cause of successful attacks.
Secure configuration means changing those defaults to reduce risk. This may involve disabling services you don’t use, removing trial software and unused accounts, requiring a password or PIN to unlock each device, making screens lock automatically after a short idle period, and configuring devices to encrypt their storage. It also means using a standard build for new devices so that they are set up securely from day one rather than hardened one at a time.
- User Access Control
Not everyone in your business needs access to everything. This control is about making sure that employees only get the privileges they need, and nothing more.
Cyber Essentials requires you to apply the principle of “least privilege”: users are given only the permissions their role requires. For example, the marketing team probably doesn’t need administrative rights over your IT infrastructure. Employees who do need administrative rights should use a separate admin account that is reserved for admin tasks and never used for email or web browsing, and those rights should be granted only for as long as they are needed. You also need a process for creating and approving accounts, revoking access promptly when someone leaves, and regularly reviewing who has access to what, along with multi-factor authentication on cloud services wherever it is available.
- Malware Protection
Malicious software (or malware for short) includes viruses, ransomware, spyware, and more. It can steal data, lock up systems, or quietly spy on your operations.
To comply with Cyber Essentials you will need some form of malware protection on every in-scope device. This can be traditional anti-malware software (kept up to date and configured to scan files and block known-malicious websites), or a more modern approach such as application allow-listing, where only approved software is permitted to run on a device. The key is that devices are actively protected, and that users can’t unknowingly install or run harmful programs.
- Patch Management (aka Security Updates)
Software isn’t perfect. Vulnerabilities are discovered and exploited by attackers all the time, and vendors regularly release security updates (patches) to fix them. If you’re not applying these updates quickly, you’re leaving the door open to attackers who know how to exploit known flaws.
Cyber Essentials requires that all operating systems (Windows, macOS, etc.), applications, and firmware on in-scope devices be licensed, still supported by the vendor, and kept up to date. Any update that fixes a vulnerability rated critical or high (the scheme uses a CVSS v3 base score of 7.0 or above as the threshold) must be installed within 14 days of release, and automatic updates should be enabled wherever the software supports them. There should also be a clear process for regularly checking for updates and confirming they have been applied. In practice this means going beyond hoping that employees click ‘Restart Now’ on a regular basis.
Together, these five controls form the foundation of a secure IT setup. They won’t make your business immune to every attack, but they will help protect you from the most common threats, like phishing-related malware, remote attacks on misconfigured services, or exploitation of outdated software.
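The 14-day patching window is the one control above that is easy to check mechanically. Here is an added Python example (not from the page, the scheme, or any vendor) that evaluates a small software inventory against it. The inventory records are constructed for illustration; the script assumes you can export, per device, each pending or applied update with the highest CVSS v3 score it fixes, its release date and its install date, and it uses the scheme's 7.0 threshold to decide which updates are in scope.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW = timedelta(days=14)  # Cyber Essentials deadline for critical/high fixes
CVSS_THRESHOLD = 7.0               # CVSS v3 base score at which the 14-day rule applies


@dataclass(frozen=True)
class Update:
    device: str
    product: str
    cvss: float               # highest CVSS v3 base score the update fixes
    released: date            # vendor release date of the update
    installed: Optional[date]  # None if the update has not been applied yet


@dataclass(frozen=True)
class Finding:
    device: str
    product: str
    status: str   # "overdue", "due" (still inside the window) or "installed_late"
    days: int     # days past the deadline, or days remaining for "due"


def is_in_scope(update: Update) -> bool:
    """Only critical/high fixes are bound by the 14-day rule."""
    return update.cvss >= CVSS_THRESHOLD


def deadline(update: Update) -> date:
    """Latest date by which an in-scope update must be installed."""
    return update.released + PATCH_WINDOW


def assess(inventory: List[Update], today: date) -> List[Finding]:
    """Flag every in-scope update that is overdue, still pending, or was applied late.

    Late installs are reported too: an assessor cares about the history, not just
    whether the device is clean on the day you fill in the questionnaire.
    """
    findings: List[Finding] = []
    for u in inventory:
        if not is_in_scope(u):
            continue
        due = deadline(u)
        if u.installed is None:
            if today > due:
                findings.append(Finding(u.device, u.product, "overdue", (today - due).days))
            else:
                findings.append(Finding(u.device, u.product, "due", (due - today).days))
        elif u.installed > due:
            findings.append(Finding(u.device, u.product, "installed_late", (u.installed - due).days))
    return findings


# Constructed sample inventory (hypothetical devices and products, not real data).
TODAY = date(2025, 3, 1)
INVENTORY = [
    Update("laptop-01", "os", 8.1, date(2025, 2, 1), None),               # deadline 15 Feb, still missing
    Update("laptop-01", "browser", 9.8, date(2025, 2, 20), date(2025, 2, 22)),  # applied on time
    Update("laptop-02", "browser", 9.8, date(2025, 2, 20), None),         # pending, deadline 6 Mar
    Update("laptop-02", "office-suite", 5.3, date(2025, 1, 10), None),    # medium severity, out of scope
    Update("desktop-03", "os", 7.5, date(2025, 1, 5), date(2025, 1, 30)), # applied 11 days late
]

if __name__ == "__main__":
    for f in assess(INVENTORY, TODAY):
        print(f"{f.device:<11} {f.product:<13} {f.status:<15} {f.days:>3} days")
```

Run as-is, the script lists one overdue update, one still inside its window, and one that was applied late; the medium-severity item is skipped because the 14-day rule does not apply to it. Feeding it a real export from your device-management tool turns the 14-day rule from a policy statement into a report you can hand to an assessor.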
How Does Certification Work?
There are two levels of Cyber Essentials:
Cyber Essentials is a self-assessed certification. You answer a series of questions about how your business manages security across the five controls above, and your answers are submitted to a licensed certification body of your choice. The answers are reviewed, and you receive certification only if they show that the requirements are met.
Cyber Essentials Plus builds on a current Cyber Essentials self-assessment and adds a hands-on technical audit by an independent assessor, which includes vulnerability scanning and testing of a sample of devices, to verify that the answers you provided are accurate and that the controls are both in place and working as intended. The Plus assessment must be completed within three months of passing the self-assessment.
For most businesses, especially those just getting started with cyber security, the basic level is often enough to meet customer or client expectations. Bear in mind that a valid Cyber Essentials certificate is mandatory for certain central Government contracts, particularly those that involve handling personal information or providing certain ICT products and services, and many other public-sector and private-sector buyers ask for it as well.
How Can You Prepare?
Preparing for Cyber Essentials doesn’t have to be stressful, but it does involve looking carefully at your IT setup. You’ll need to make sure:
- All staff devices are properly secured (laptops, desktops, phones)
- Software is up to date and supported
- Admin rights are only given to those who need them
- Strong passwords and multi-factor authentication are in use
- Any unused services or accounts are disabled
It’s also important that you have basic policies in place that outline things such as how employees are expected to handle data, or what the procedure is for applying updates.
If that sounds like a lot to manage, you’re not alone. Many businesses struggle to translate these requirements into practical steps, especially if they don’t have access to a dedicated IT or compliance team.
Fortunately, this is where OneClickComply can help!
How OneClickComply Can Help
OneClickComply is designed to take the pain out of Cyber Essentials compliance. Instead of trying to track and complete everything manually (or hiring expensive consultants), our platform automates the process from start to finish.
Here’s how it works:
- Automated Control Implementation
The platform connects directly to services like Microsoft 365 and AWS, scans your environment to determine which settings need to change to meet the standard, and presents them as a list of tasks. Each task can be completed using our “Fix this for me” approach, which automatically changes the required setting or control to match the standard.
- Auto-Generated Policies
You’ll also need a few policies in place to meet the standard effectively. OneClickComply creates them for you using our AutoComplete policy generator, matching its contents to your implemented settings and systems. No more copying-pasting from templates or trying to guess what’s relevant.
- Built-in Questionnaire Automation
The Cyber Essentials self-assessment questionnaire can be confusing. Our platform takes you through each step of the questionnaire, helping you answer the technical questions from what it already knows about your environment, and then generates a document you can submit to the certification body of your choice. This keeps everything within one platform and simplifies the entire process.
- Continuous Monitoring
Once you’re certified, OneClickComply keeps watch over your environment to make sure you stay compliant. If something drifts out of place, such as a new device being enrolled without the required settings, the platform alerts you and lets you fix the issue in as little as a click.
Think of the platform like a compliance expert, technical engineer, and project manager, all rolled into one simple, easy-to-use area.
Final Thoughts
Cyber Essentials might seem intimidating at first, especially if cyber security isn’t something within your remit. But it’s a highly achievable, practical certification that can make a real difference to your business’s security and reputation.
With the right tools and guidance, getting certified doesn’t have to be time-consuming or expensive. And with OneClickComply, it can even be quite simple.
If you’re thinking about getting Cyber Essentials for the first time, or even if you’re looking to renew your certification, there’s no better time to get started.