Cyber Essentials is a UK government-backed certification scheme owned by the National Cyber Security Centre (NCSC) and delivered through its partner IASME. It sets out a small number of technical controls that stop the most common commodity cyberattacks, and certification gives customers, partners and public-sector buyers evidence that an organization has that baseline in place.
Cyber Essentials is mandatory for suppliers bidding for central government contracts that involve handling personal or sensitive information or providing certain ICT products and services (Procurement Policy Note 09/14). It is increasingly a condition of private-sector supply chains as well.
Cyber Essentials vs. Cyber Essentials Plus
- Cyber Essentials — A self-assessment questionnaire, signed off by a board member or senior executive and reviewed by a licensed certification body. It covers the five technical controls, but no hands-on testing is carried out: the certification body checks that the answers are complete and meet the requirements.
- Cyber Essentials Plus — Requires a current Cyber Essentials certificate (the Plus assessment must be completed within three months of it) and adds hands-on technical verification by an independent assessor: an external vulnerability scan of internet-facing services, an authenticated internal vulnerability scan of a sample of devices, tests that malware protection blocks test files delivered by email and browser download, and checks that MFA and separation of admin accounts are actually enforced.
The Five Cyber Essentials Technical Controls
1. Firewalls
Every in-scope device must be protected by a correctly configured firewall: a boundary firewall for the network and, for laptops and other devices that leave the office or connect to untrusted networks, a host-based (software) firewall. The firewall's default administrative password must be changed, its remote administration interface must be disabled or protected by MFA or an IP allow list, and every inbound rule must have a documented business need and be removed when that need ends. Unnecessary inbound connections and services are blocked by default.
2. Secure Configuration
Devices and software must be configured to reduce their attack surface: default and easily guessed passwords changed, unused accounts and software removed, auto-run and auto-play disabled, and a PIN, password or biometric required to unlock each device. Administrative accounts are used only for administrative tasks, never for email, browsing or general work.
3. Access Control
Every user has their own account, created through a formal joiner and leaver process and removed when no longer needed. Each account carries only the permissions the user's role requires (principle of least privilege), and administrative privileges are granted through separate accounts used solely for admin tasks. Passwords must meet the scheme's minimum length rules and be protected against brute-force guessing (lockout or throttling). Multi-factor authentication is required for all accounts on cloud services and is strongly recommended for every privileged account.
4. Malware Protection
Devices must be protected against malware by anti-malware software or by application allow-listing (sandboxing, accepted in earlier versions of the requirements, is no longer an option on its own). Anti-malware software must update itself automatically, scan files on access and block connections to known-malicious websites; allow-listing must prevent any code outside the approved list from executing. Web and email filtering reduce exposure to malicious content further but do not replace these controls.
5. Patch Management
Operating systems, applications and firmware must be licensed, supported by their vendor and kept up to date, with automatic updates enabled wherever the software allows. Updates must be applied within 14 days of release when they fix a vulnerability the vendor rates critical or high, when the vulnerability has a CVSS v3 base score of 7.0 or above, or when the vendor gives no severity information at all. Software the vendor no longer supports must be removed, or taken out of scope by isolating it on a segregated network segment. The current requirements call this control Security Update Management.
How a SmartKali Audit Helps You Pass Cyber Essentials
A SmartKali Cyber Essentials Readiness Assessment reviews your environment against all five technical controls before your formal certification audit, identifying gaps that would cause a failure:
- Firewall rule review — identifying unnecessary open ports and weak default configurations
- Secure configuration audit — reviewing OS hardening, default credentials and service exposure
- Access control review — mapping user accounts, privileges and MFA implementation
- Patch level verification — identifying out-of-date software and end-of-life systems
- Full report with remediation steps before your CE submission
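The checks listed above map directly onto the thresholds in the five controls, so they can be scripted as a pre-submission gap check. The following is an added example, not SmartKali's tooling and not code from the scheme; it assumes a hypothetical inventory format (the `Host`, `Account` and `Update` records below) and runs the rules over constructed sample hosts and users. The 14-day window, the CVSS v3 7.0 threshold and the MFA-on-cloud-services rule are the scheme's own; the field names and sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Thresholds from the Cyber Essentials requirements: an update is subject to the
# 14-day rule when the vendor rates it critical/high, its CVSS v3 base score is
# 7.0 or above, or the vendor publishes no severity at all.
PATCH_WINDOW_DAYS = 14
HIGH_RISK_CVSS = 7.0

@dataclass
class Update:                              # hypothetical inventory record
    package: str
    released: date
    installed: bool
    cvss: Optional[float] = None           # None: vendor published no score
    vendor_severity: Optional[str] = None  # "critical", "high", "medium", ...

@dataclass
class Host:                                # hypothetical inventory record
    name: str
    os_supported: bool                     # vendor still ships security updates
    default_password_changed: bool
    autorun_disabled: bool
    firewall_enabled: bool                 # host firewall or behind boundary firewall
    anti_malware_enabled: bool             # anti-malware software or allow-listing
    listening_inbound_ports: Set[int]
    approved_inbound_ports: Set[int]       # rules with a documented business need
    updates: List[Update] = field(default_factory=list)

@dataclass
class Account:                             # hypothetical inventory record
    user: str
    privileged: bool
    cloud_service: bool
    mfa: bool
    used_for_daily_work: bool              # email/browsing from an admin account

def update_in_scope(u: Update) -> bool:
    """True when the 14-day rule applies to this update."""
    sev = (u.vendor_severity or "").lower()
    if sev in ("critical", "high"):
        return True
    if u.cvss is not None:
        return u.cvss >= HIGH_RISK_CVSS
    return sev == ""                       # no score and no rating: treated as in scope

def overdue_updates(host: Host, today: date) -> List[Update]:
    return [u for u in host.updates if not u.installed and update_in_scope(u)
            and (today - u.released).days > PATCH_WINDOW_DAYS]

def check_host(host: Host, today: date) -> list:
    """Controls 1, 2, 4 and 5 for one device; returns (control, subject, message) tuples."""
    f = []
    if not host.firewall_enabled:
        f.append(("1-firewalls", host.name, "no firewall protecting the device"))
    unapproved = sorted(host.listening_inbound_ports - host.approved_inbound_ports)
    if unapproved:
        f.append(("1-firewalls", host.name, f"inbound ports with no approved rule: {unapproved}"))
    if not host.default_password_changed:
        f.append(("2-secure-config", host.name, "default password still in use"))
    if not host.autorun_disabled:
        f.append(("2-secure-config", host.name, "auto-run enabled"))
    if not host.anti_malware_enabled:
        f.append(("4-malware", host.name, "no anti-malware or application allow-listing"))
    if not host.os_supported:
        f.append(("5-updates", host.name, "unsupported OS: remove from scope or isolate"))
    for u in overdue_updates(host, today):
        age = (today - u.released).days
        f.append(("5-updates", host.name, f"{u.package} update {age} days old, outside {PATCH_WINDOW_DAYS}-day window"))
    return f

def check_account(a: Account) -> list:
    """Control 3 for one account."""
    f = []
    if a.cloud_service and not a.mfa:
        f.append(("3-access-control", a.user, "cloud service account without MFA"))
    if a.privileged and a.used_for_daily_work:
        f.append(("3-access-control", a.user, "admin account used for day-to-day work"))
    return f

def assess(hosts: List[Host], accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Group findings by control so each would-be CE failure is easy to trace."""
    findings = [x for h in hosts for x in check_host(h, today)]
    findings += [x for a in accounts for x in check_account(a)]
    report: Dict[str, List[str]] = {}
    for control, subject, msg in findings:
        report.setdefault(control, []).append(f"{subject}: {msg}")
    return report

# Constructed sample inventory (hypothetical hosts and users), assessed as of a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE_HOSTS = [
    Host("fileserver01", os_supported=True, default_password_changed=True, autorun_disabled=True,
         firewall_enabled=True, anti_malware_enabled=True,
         listening_inbound_ports={22, 445, 3389}, approved_inbound_ports={22, 445},
         updates=[Update("openssl", date(2024, 5, 10), False, cvss=7.5),    # 22 days, high: overdue
                  Update("curl", date(2024, 5, 10), False, cvss=5.3),       # medium: outside the 14-day rule
                  Update("bmc-firmware", date(2024, 5, 25), False)]),       # no severity, 7 days: in scope, in time
    Host("legacy-print", os_supported=False, default_password_changed=False, autorun_disabled=True,
         firewall_enabled=False, anti_malware_enabled=False,
         listening_inbound_ports={9100}, approved_inbound_ports={9100}),
]
SAMPLE_ACCOUNTS = [
    Account("alice", privileged=True, cloud_service=True, mfa=True, used_for_daily_work=False),
    Account("bob", privileged=False, cloud_service=True, mfa=False, used_for_daily_work=True),
    Account("svc-admin", privileged=True, cloud_service=False, mfa=False, used_for_daily_work=True),
]

def readiness_report(today: date = TODAY) -> Dict[str, List[str]]:
    return assess(SAMPLE_HOSTS, SAMPLE_ACCOUNTS, today)
```

Calling `readiness_report()` on the sample data returns findings keyed by control: the exposed RDP port 3389 with no approved rule on `fileserver01`, the overdue high-severity `openssl` update (the medium-severity `curl` update is not a 14-day failure, and the unrated firmware update is in scope but still inside the window), the unsupported and unfirewalled print server with its default password, and the two account problems (a cloud account without MFA and an admin account used for daily work). In practice the records would be populated from your asset inventory, endpoint management and identity provider rather than typed in by hand.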
UK GDPR and Cyber Essentials
Cyber Essentials does not by itself satisfy UK GDPR Article 32, which requires "appropriate technical and organisational measures" proportionate to the risk to personal data, but certification shows that baseline technical controls are in place and enforced. That evidence is viewed favourably by the Information Commissioner's Office (ICO) when it investigates a personal data breach.