Cyber Essentials Checklist | Microbyte

Cyber Essentials Checklist


Cybersecurity is one of the most rapidly changing aspects of modern IT. With new threats emerging every day, keeping up with the latest security measures and ensuring your approach to online security is consistent and sufficient is essential.

With this in mind, the UK government’s Cyber Essentials scheme allows companies to keep track of their efforts, ensure they are protected, and give you peace of mind that your security measures are keeping you safe. It provides a clear baseline of requirements for IT infrastructure to help you guard against the most common internet-based cyber threats.

As a Cyber Essentials Plus certified company and Managed Service Provider (MSP), Microbyte is ideally placed to help you get certified, achieve the higher level of assurance and keep your systems safe.

Here’s what you need to know to get started with Cyber Essentials.

What is Cyber Essentials certification?

Cyber Essentials is an effective, Government backed certification scheme that will help businesses of all sizes protect against common cyber threats. The scheme includes a range of questions to help prompt a greater understanding of your current security measures and highlights where a company may need to improve its information security.

The scheme has two levels:

Cyber Essentials: This self-assessment certification protects businesses against the most common cyber-attacks, reducing your exposure and giving you confidence that the basics are in place. The controls and Cyber Essentials checklist covered in this certification can discourage cyber-attacks, and the certificate comes with official NCSC approval for 12 months. You will need to complete a self-assessment questionnaire (SAQ), which is verified by IASME, the Cyber Essentials delivery partner.

Cyber Essentials Plus: This additional certification covers the same Cyber Essentials checklist as the basic Cyber Essentials assessment to protect against common cyber security threats. In addition, Cyber Essentials Plus includes a manual technical inspection and verification by an independent assessor. Cyber Essentials Plus offers a higher level of assurance because it validates that the controls are actually in place.

Both schemes are officially verified by the IASME Consortium (IASME). However, you should work with a professional IT support company to help you develop the correct processes to ensure that you pass and stay safe.

Cyber Essentials Checklist and Scope

The Cyber Essentials checklist outlines five core cyber security controls to help businesses protect against common cyber attacks and meet the certification requirements. These controls are vital in maintaining a strong security posture and achieving Cyber Essentials or Cyber Essentials Plus certification.

Before starting, it is crucial to define the scope. This covers your entire Cyber Essentials boundaries, including firewalls, networks and devices. Under the new “Willow” update (v3.2), this now explicitly includes “Home and Remote Working” environments, meaning home routers and personal devices (BYOD) accessing organisational data must be considered.

1. Firewalls and Internet Gateways

Properly configured firewall rules help block unauthorised access and protect your network. Ensure all devices are protected, and inbound traffic is tightly managed to meet the Cyber Essentials requirements. You must change default administrative passwords on all boundary devices to strong, unique credentials.

2. Secure Configuration

Devices and software often come with default settings that pose security issues. Best practices for secure configuration include disabling unnecessary features (bloatware), securing the administrative interface, and enforcing strong passwords to prevent unauthorised access. This also applies to cloud services, ensuring your tenancy is securely configured.

3. Security Update Management

Keeping software up to date is crucial to protect against known vulnerabilities. Implementing a technical control process ensures that updates and vulnerability fixes are installed promptly, meeting certification requirements. Under the “Willow” standard, all high-risk or critical vulnerabilities (CVSS v3 score ≥ 7.0) must be fixed within 14 days of release.

4. User Access Control

Limit access to your systems based on job roles and the principle of least privilege. Regularly review permissions and enforce Multi-Factor Authentication (MFA) for all high-level access, such as admin accounts, and for all users accessing cloud services to protect sensitive data. Separate user accounts must be used for administrative tasks; admins should not use privileged accounts for email or web browsing.

5. Malware Protection

Deploy antivirus and anti-malware software to all devices, including mobile devices. Ensure these systems are regularly updated and configured to scan files and block connections to malicious websites. Alternatively, you can use application allow-listing to ensure only approved applications can execute.

By implementing the Cyber Essentials controls, businesses can meet Cyber Essentials certification requirements, reduce the risk of cyberattacks, and demonstrate compliance to clients and stakeholders. These controls provide a solid foundation for securing your IT environment.


Benefits of being Cyber Essentials certified

Achieving a Cyber Essentials certification can have a range of benefits for your business, employees, and your customers. Security is everyone’s responsibility, and having the appropriate cyber protection is the first step toward a successful future.

Just a few of the benefits of receiving an official Cyber Essentials certification include:

  • Protection against approximately 80% of cyber attacks
  • Eligibility to tender for government contracts (certification is often a contractual requirement)
  • Free cyber insurance (for UK organisations with under £20m turnover)
  • Increased customer and supply chain confidence
  • A listing in the NCSC database of NCSC assured cyber advisors, so others can verify your certification

As more businesses understand the benefits and importance of demonstrating their commitment to cyber security, demand for Cyber Essentials certification is growing. Many companies, especially those working with the government, require Cyber Essentials certification, meaning that you may be losing out on business without it.

Furthermore, since cyberattacks are continually developing and changing, the more businesses with adequate security, the harder criminals have to work to develop more sophisticated attacks. This means that by protecting your business, you’re helping protect others.

How to Get a Cyber Essentials Certification

Achieving Cyber Essentials or Cyber Essentials Plus certification involves a clear process to improve your information security and meet the standards of the National Cyber Security Centre (NCSC).

Step 1: Self-Assessment

Start by completing the Cyber Essentials SAQ (Self-Assessment Questionnaire), which reviews your security systems in areas like firewall rules, software updates, and user access control. This step helps identify any gaps and is required for certification. You can use a readiness tool to prepare before submitting.

Step 2: Implement Security Measures

Next, address any weaknesses by updating security solutions, such as securing IP addresses, improving antivirus software, and limiting access to critical systems. These basic security measures ensure you meet certification requirements and are compliant.

Step 3: External Audit (For Cyber Essentials Plus)

For Cyber Essentials Plus, an audit by a certification body will test your systems, including an external vulnerability scan and an internal authenticated scan. An assessor will verify that your controls are in place using a test specification document. Any issues identified must be resolved to complete the certification.

Step 4: Achieve Certification

Once the SAQ or audit is passed, you’ll receive your Cyber Essentials certificate, valid for 12 months. This certification demonstrates your business follows cyber security guidance.

Ongoing Compliance

Annual re-certification ensures your cyber security remains up to date with evolving threats. Using an NCSC assured cyber advisor can help streamline this process.

The 2025 “Willow” Update: What You Need to Know

In April 2025, the Cyber Essentials scheme introduced the “Willow” update (v3.2), bringing significant changes to the question set. This update reflects the modern hybrid working landscape and new identity management technologies.

Key changes include:

  • Vulnerability Fixes: The term “patching” has been replaced with “vulnerability fixes,” acknowledging that registry edits and configuration changes are valid ways to secure systems.
  • Passwordless Authentication: The standard now explicitly supports passwordless methods like biometrics (TouchID, FaceID) and FIDO2 security keys, reducing reliance on complex passwords.
  • Software Definition: The scope of “software” has expanded to include firmware on routers and firewalls, meaning unmaintained network kit is a compliance failure.
  • Board Responsibility: There is now a greater emphasis on board-level sign-off for the SAQ, ensuring senior leadership takes responsibility for cyber risk.

Get Your Cyber Essentials Certification Today

As a Cyber Essentials Plus certified IT support company, we can help you certify to Cyber Essentials. Our team of experts keeps up to date with the latest security threats and can talk you through any gaps in your protection.

As well as helping you achieve your certification, we can discuss further measures to ensure your protection is effective. We can offer tailored advice and guidance to help you feel confident that your business and digital assets are safe now and in the future.

To start your certification process, complete the form above and we will be in touch.

FAQ

What is the difference between Cyber Essentials and Cyber Essentials Plus?

The key difference between Cyber Essentials and Cyber Essentials Plus is the level of verification. Cyber Essentials involves a self-assessment questionnaire (SAQ) where you review your own security controls to ensure they meet the necessary standards. In contrast, Cyber Essentials Plus requires an additional assessment on behalf of certification bodies to ensure your systems meet higher security standards through external testing, such as vulnerability scans.

How can Cyber Essentials certification help small and medium businesses?

Cyber Essentials certification provides small and medium businesses with a robust security framework to protect against common cyber threats. By implementing the Cyber Essentials controls, businesses can improve their security posture and meet business needs, such as qualifying for government contracts and boosting customer confidence.

How long does it take to complete the Cyber Essentials Plus process?

The Cyber Essentials Plus process typically takes around three months to complete, depending on the size of the business and its current security measures. This timeline includes conducting the self-assessment (SAQ), addressing any gaps, and completing the required Cyber Essentials Plus audit to ensure all necessary controls are in place.

Why is the 14-day patching rule so important?

To meet the requirements for IT infrastructure, any vulnerability with a CVSS score of 7.0 or higher (“Critical” or “High”) must be fixed within 14 days of the vendor releasing the update. This is the most common failure point in assessments, requiring robust patch management processes.
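As an added illustration of this rule (and of section 3 above), here is a small Python checker, written for this page rather than taken from Microbyte or IASME tooling, that classifies each vulnerability fix against the CVSS 7.0 threshold and the 14-day window. The identifiers, scores and dates below are constructed placeholders, and counting a fix applied on day 14 itself as on time is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cyber Essentials v3.2 ("Willow") thresholds as stated on the page:
# high/critical means CVSS v3 >= 7.0, and the fix must be applied within 14 days.
CVSS_THRESHOLD = 7.0
FIX_WINDOW_DAYS = 14


@dataclass
class VulnFix:
    identifier: str              # constructed placeholder, not a real advisory id
    cvss_v3: float               # CVSS v3 base score reported by the vendor
    fix_released: date           # date the vendor released the update or fix
    applied_on: Optional[date] = None  # date the fix was applied; None if still open


def in_scope(v: VulnFix) -> bool:
    """Only high/critical findings fall under the 14-day rule."""
    return v.cvss_v3 >= CVSS_THRESHOLD


def deadline(v: VulnFix) -> date:
    """Last day on which the fix is still within the window (assumed inclusive)."""
    return v.fix_released + timedelta(days=FIX_WINDOW_DAYS)


def status(v: VulnFix, today: date) -> str:
    if not in_scope(v):
        return "out-of-scope"      # still worth fixing, but not a certification failure
    if v.applied_on is not None:
        return "compliant" if v.applied_on <= deadline(v) else "late"
    return "overdue" if today > deadline(v) else "due"


def report(vulns: List[VulnFix], today: date) -> Dict[str, str]:
    return {v.identifier: status(v, today) for v in vulns}


def failures(vulns: List[VulnFix], today: date) -> List[str]:
    """Identifiers that would be flagged by an assessor on the given day."""
    return [k for k, s in report(vulns, today).items() if s in ("overdue", "late")]


# Constructed sample data for an assessment dated 1 June 2025.
SAMPLE = [
    VulnFix("VULN-A", 9.8, date(2025, 5, 10), applied_on=date(2025, 5, 20)),
    VulnFix("VULN-B", 7.0, date(2025, 5, 10)),                      # exactly 7.0: in scope
    VulnFix("VULN-C", 5.3, date(2025, 5, 1)),                       # medium: outside the rule
    VulnFix("VULN-D", 8.1, date(2025, 5, 25)),                      # window still open
    VulnFix("VULN-E", 7.5, date(2025, 4, 1), applied_on=date(2025, 4, 20)),  # fixed, but late
]
```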

Does Cyber Essentials cover cloud services?

Yes. All cloud services (SaaS, IaaS, PaaS) such as Microsoft 365, Google Workspace, and Azure are in scope. You are responsible for ensuring these services are securely configured and that all user accounts are protected with MFA.
