Cyber Essentials: The Fastest Route to Provable Cyber Hygiene
Cyber Essentials is the UK government-backed scheme that shows customers, insurers, and public-sector buyers that you have the basics of cyber security in place. For many UK government contracts — and a growing number of private tenders — it is no longer optional.
The good news: Cyber Essentials is deliberately practical. It is built around five technical controls that stop the most common internet-borne attacks. ShieldIQ helps SMEs assess themselves against all five in around ten minutes, close the gaps, and produce the documentation a certification body expects.
What Is Cyber Essentials?
Cyber Essentials is a certification scheme created by the UK's National Cyber Security Centre (NCSC) and administered by IASME. It defines a baseline set of controls that protect organisations against the overwhelming majority of common cyber attacks — phishing, password guessing, and the exploitation of unpatched software.
There are two levels:
- Cyber Essentials — a verified self-assessment. You answer a structured questionnaire about your controls and an assessor reviews it.
- Cyber Essentials Plus — everything in Cyber Essentials, plus a hands-on technical audit (vulnerability scans and tests) carried out by a certification body.
Certification lasts twelve months and is increasingly required for UK public-sector contracts that involve handling personal information or providing certain ICT services.
The Five Technical Controls
Cyber Essentials compliance is structured around five control themes. ShieldIQ assesses your posture against each and produces a prioritised remediation plan.
Firewalls
Boundary and host-based firewalls must be configured to control inbound and outbound traffic, with default passwords changed and unnecessary services blocked.
Secure Configuration
Devices and software must be set up to reduce vulnerabilities — removing unused accounts and software, disabling auto-run, and applying sensible defaults rather than out-of-the-box ones.
Security Update Management
Operating systems and applications must be supported, licensed, and patched promptly — high-risk and critical updates applied within 14 days of release.
User Access Control
Accounts must be assigned to named individuals, with administrative privileges restricted, granted only when needed, and reviewed regularly.
Malware Protection
Devices must be protected from malware using anti-malware software, application allow-listing, or sandboxing — kept up to date and active.
What Cyber Essentials Actually Requires
Most SMEs already do *some* of this — the challenge is evidencing it consistently across every in-scope device and being able to answer the assessor's questions with confidence.
Assessors typically look for:
- A clear, accurate scope — which devices, networks, and cloud services are covered
- Documented configuration standards for laptops, servers, mobile devices, and firewalls
- A patching policy with evidence that critical updates are applied within the required window
- Access control records — named accounts, separated admin privileges, leaver processes
- Malware protection that is enabled and current across the estate
ShieldIQ turns these into a structured, repeatable assessment so re-certification next year is a review, not a scramble.
How ShieldIQ Helps You Achieve Cyber Essentials
Guided assessment. Answer plain-English questions across all five controls; ShieldIQ's AI scores each area and flags exactly where you fall short.
Policy templates. Editable policies for acceptable use, access control, patching, and malware protection — the documentation an assessor expects.
Actions board. Every gap becomes a prioritised, assignable task with an owner and due date, so remediation actually happens.
Asset inventory. Keep an accurate record of in-scope devices — the foundation of a defensible Cyber Essentials scope.
Evidence store. Hold your configuration standards, patch records, and screenshots in one place for the assessment and for re-certification.
Cyber Essentials and Other Frameworks
Cyber Essentials is an excellent first step — and the controls map cleanly onto the bigger frameworks ShieldIQ supports:
- NIST CSF compliance — the five controls align with NIST's Protect function
- ISO 27001 compliance — Cyber Essentials covers a subset of ISO 27001's technical controls
- NIS2 compliance — basic cyber hygiene underpins NIS2's security measures
- GDPR compliance — strong access control and patching support GDPR's security obligations
Frequently Asked Questions
How long does Cyber Essentials take to achieve?
Many SMEs can complete the self-assessment in a few days once their controls are in order. ShieldIQ's assessment takes around ten minutes and shows you immediately which gaps to close before you apply for certification.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a verified self-assessment. Cyber Essentials Plus adds an independent, hands-on technical audit — vulnerability scans and tests on a sample of your devices. Plus offers stronger assurance and is sometimes specified in contracts.
Do I need Cyber Essentials if I already have ISO 27001?
They serve different purposes. ISO 27001 certifies your management system; Cyber Essentials verifies a specific set of technical controls and is often named explicitly in UK procurement. Many organisations hold both. The work you do for one accelerates the other.
Does Cyber Essentials apply to cloud services?
Yes. Cloud services that your organisation uses are in scope, and the responsibility for the five controls is shared between you and your cloud provider. ShieldIQ helps you document where that boundary sits.