In 2012, HM Government launched the 10 Steps to Cyber Security guide to encourage organisations to consider their cyber security measures, and to ascertain whether organisations thought they were managing their cyber risks sufficiently. The guide was extremely well received, and raised awareness within company boards and amongst senior executives. Business leaders were encouraged to take ownership of their cyber risks and to build them into their overall corporate risk management regime.

Whilst the initiative gained good traction, HM Government’s analysis of continuing cyber attacks, and feedback from the cyber security industry at large, was that a number of security controls were still not being implemented effectively. This posed a concern for HM Government. With a remit to tackle cyber crime and a desire to make UK one of the most secure places in the world to do business in cyberspace, it was clear to HM Government that further initiatives were required.

The adoption of an organisational standard for cyber security was therefore seen as the next step on from the 10 Steps to Cyber Security guide. The rationale behind this was that it would enable organisations and their customers and partners, to have greater confidence in their ability to measure and reduce basic cyber risks, as they would be independently assessed, where necessary.

HM Government, together with industry, instigated a call for evidence on a preferred organisational standard in cyber security. Concluding in November 2013, the feedback received was that none of the existing standards for cyber security met the requirements, and that industry was prepared to help HM Government develop something more appropriate. The new requirements have now been embedded in the Cyber Essentials scheme.

The Cyber Essentials scheme is a cyber security standard, which organisations can be assessed and certified against. It identifies the security controls that an organisation must have in place within their IT systems in order to have confidence that they are addressing cyber security effectively and mitigating the risk from Internet-based threats.

The scheme focuses on the following five essential mitigation strategies within the context of the 10 Steps to Cyber Security guide.

  • Boundary Firewalls and Internet Gateways
  • Secure Configuration
  • Access Control
  • Malware Protection
  • Patch Management

It provides organisations with clear guidance on implementation as well as offering independent certification for those who want it.

Whilst providing a basic but essential level of protection, the Cyber Essentials scheme enables organisations that believe they are practicing robust cyber security to benefit by making this a unique selling point thereby enabling business. Upon certification, they can then demonstrate to their customers that their data is adequately protected and that they take cyber security seriously.

The first stage in the certification process is to decide which level to certify against – Cyber Essentials or Cyber Essentials Plus

  • Cyber Essentials – organisations complete a self-assessment questionnaire which is reviewed by an external Certifying Body
  • Cyber Essentials Plus – tests of an organisation’s systems are carried out by an external Certifying Body

Both Cyber Essentials and Cyber Essentials Plus include a questionnaire which relates to security controls and the secure configuration of an organisation’s computing resources. CREST Certifying Bodies also conduct a remote technical assessment at Cyber Essentials aimed at validating elements of the questionnaire.To find out more about how we can help your business achieve Cyber Essentials Accreditation, please email