Cyber Essentials Compliance: Step-by-Step Guide

The UK’s Cyber Essentials scheme gives small and mid-sized organisations a handy list of essential cybersecurity controls. Learn more about the compliance scheme and the requirements for Cyber Essentials certification in our Cyber Essentials breakdown!

What Is Cyber Essentials?

Cyber Essentials is the name of a government-backed cybersecurity scheme in the UK designed to help small and medium enterprises (SMEs) achieve the basics of cybersecurity. The scheme is a voluntary cybersecurity program that can be certified through self-assessment or an independent technical audit (Cyber Essentials Plus).

The Cyber Essentials scheme covers five fundamental areas of information security:

  1. Firewalls & network connections

  2. Secure device configuration

  3. Applying security updates

  4. Managing user access

  5. Malware protection

Is Cyber Essentials Mandatory?

Cyber Essentials is a voluntary program intended to help guide the cybersecurity efforts of smaller organisations. Businesses can choose to get certified under the Cyber Essentials scheme to reassure customers and business partners of their trustworthiness. In addition, Cyber Essentials certification is mandatory for some government contracts.

What Does the Certification Process for Cyber Essentials Look Like?

There are two forms of certification under the Cyber Essentials scheme.

The regular certification process follows a self-assessment questionnaire and costs between 300 and 500 pounds plus taxes. You submit your responses, sign a declaration confirming they are truthful, and an assessor evaluates your submission. However, there is no independent verification.

Advanced certification, also known as Cyber Essentials Plus, requires a technical audit by an independent certification body. Pricing depends on the scope of your organization and is available on request. Cyber Essentials Plus needs to be completed within three months of your last self-assessment.

UK organisations with less than £20m annual turnover may be eligible to receive free cyber liability insurance as part of their certification.

Cyber Essentials Assessment Scope

The assessment scope defines which parts of your IT infrastructure are included in the certification process. Ideally, the scope of your assessment should cover your entire IT. However, in some cases it may be necessary to exclude certain devices that cannot meet the Cyber Essentials requirements.

For example, medical instruments such as ultrasound machines may depend on legacy software to operate. These devices therefore cannot meet the requirement to remove unsupported applications.

In cases like these, organizations can exclude certain parts of their IT from certification by defining them as out-of-scope. However, this also means that these parts of your infrastructure need to be separated from in-scope devices through security controls such as firewalls.

Cyber Essentials vs. NIS UK vs. 10 Steps to Cybersecurity

Cyber Essentials is far from the only compliance scheme or IT security regulation in the UK. Here’s what you need to know about these different programs:

  • Cyber Essentials is aimed at small and medium enterprises (SMEs) and covers 5 basic areas of cybersecurity. Businesses can certify under this scheme, but certification is optional except for government contracts.

  • 10 Steps to Cyber Security offers voluntary guidance for medium to large organisations. It goes into more detail and addresses topics like logging, supply chain security and incident management.

  • The NIS Regulations (Network and Information Systems) lay out mandatory security requirements for operators of essential services and certain digital service providers. This framework is originally based on the EU’s NIS directive and includes exemptions for small businesses.

Cyber Essentials Requirements

In order to comply with the Cyber Essentials scheme, organizations need to address five core topics of cybersecurity: firewalls, secure configuration, security updates, access management and malware protection. You can find the full list of requirements here.

In addition to these technical controls, organizations also need to engage in effective asset management to ensure accurate and up-to-date information on the data they process and the devices that are part of their network. Asset management is an important factor in all security efforts. Official guidance from the NCSC is available here.

1. Firewalls

Goal: Every device within the assessment scope must be protected through a correctly configured firewall.

Steps to achieve compliance:

  • Block unauthorised connections by default

  • Document and approve firewall rules, remove unnecessary rules once no longer needed

  • Restrict access to the administrative interface (secure password, no remote/internet access)

  • For your own network: Use a boundary firewall and/or enable software firewalls on end devices

  • For devices in untrusted networks: Enable software firewalls on each end device

  • For cloud services: Set data flow policies as necessary to restrict connections

2. Secure Configuration

Goal: Ensure proper configuration of computers and devices to reduce vulnerabilities and limit functionality to only necessary tasks.

Steps to achieve compliance:

  • Manage computer and device settings proactively

  • Change default passwords

  • Remove and disable unnecessary user accounts (guest accounts or superfluous admin accounts)

  • Remove or disable unnecessary software

  • Disable auto-run feature for file execution

  • Require user authentication before accessing business data or services

  • Use appropriate device locking controls (PIN, password, biometric) for on-premises users

  • Prevent brute-force attacks through wait times or account locks after unsuccessful attempts

3. Security Update Management

Goal: Prevent exploitation of known security issues by applying fixes in a timely fashion.

Steps to achieve compliance:

  • Ensure that all software on in-scope devices is licensed, supported and kept up-to-date

  • Enable automatic updates where available

  • Apply updates within 14 days for high-risk issues (CVSS 7 or higher) or if no rating is available

  • Remove software if it becomes unsupported (or remove device in question from scope)
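The update rule above has three distinct branches (rated CVSS 7 or higher, unrated, unsupported), and a practical way to track them is a small checker over your software inventory. The following is an added example, not code from the page or from tenfold; the device names, software and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Thresholds as stated in the Cyber Essentials update requirement.
PATCH_WINDOW_DAYS = 14
HIGH_RISK_CVSS = 7.0

@dataclass
class PendingUpdate:
    device: str
    software: str
    vendor_supported: bool    # False once the vendor no longer ships fixes
    cvss: Optional[float]     # None when the vendor publishes no severity rating
    released: date            # date the fix became available

def must_patch_within_window(u: PendingUpdate) -> bool:
    """The 14-day rule applies to CVSS >= 7 and to fixes with no rating at all."""
    return u.cvss is None or u.cvss >= HIGH_RISK_CVSS

def assess(updates: List[PendingUpdate], today: date) -> List[dict]:
    """Return one finding per inventory entry that breaks the requirement as of `today`."""
    findings = []
    for u in updates:
        if not u.vendor_supported:
            findings.append({"device": u.device, "software": u.software,
                             "issue": "unsupported: remove it or take the device out of scope"})
            continue
        if not must_patch_within_window(u):
            continue  # lower-rated fixes fall outside the 14-day rule (still worth applying)
        deadline = u.released + timedelta(days=PATCH_WINDOW_DAYS)
        if today > deadline:
            findings.append({"device": u.device, "software": u.software,
                             "issue": f"overdue: released {u.released}, deadline {deadline}",
                             "days_overdue": (today - deadline).days})
    return findings

# Constructed sample inventory (hypothetical devices and software, not real data).
SAMPLE = [
    PendingUpdate("ws-01", "browser", True, 9.8, date(2024, 2, 1)),          # deadline 15 Feb
    PendingUpdate("ws-01", "pdf-reader", True, 5.3, date(2024, 1, 10)),      # medium: outside the rule
    PendingUpdate("ws-02", "office-suite", True, None, date(2024, 2, 20)),   # unrated: deadline 5 Mar
    PendingUpdate("lab-01", "legacy-imaging", False, None, date(2023, 6, 1)),
    PendingUpdate("ws-03", "vpn-client", True, 7.0, date(2024, 2, 10)),      # deadline 24 Feb
]
TODAY = date(2024, 3, 1)

def sample_findings() -> List[dict]:
    return assess(SAMPLE, TODAY)
```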

4. User Access Control

Goal: Ensure that user accounts are only assigned to authorised individuals and only provide access to resources necessary for a person’s job.

Steps to achieve compliance:

  • Follow a clear process for creating and approving user accounts

  • Remove or disable accounts that are no longer in use (e.g. when a user leaves the org)

  • Remove or disable access privileges that are no longer needed (e.g. when a member of staff changes roles)

  • Require separate accounts for administrative activities vs. day-to-day operations

  • Use secure authentication and activate MFA where available (mandatory for cloud services)

  • Enforce password policies to ensure password quality

  • Encourage secure passwords through user education, password managers and disabling password expiration

  • Protect against brute-force attacks by throttling the rate of attempts or locking accounts
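Several of the access-control steps above (leavers, dormant accounts, separate admin accounts, MFA on cloud sign-ins) can be checked against a directory export and an HR leaver list. This is an added example, not code from the page or from tenfold; the accounts and people are constructed, and the 90-day dormancy threshold is an assumption, since the scheme does not state one.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Assumption: the scheme gives no dormancy threshold; 90 days is used here as a review interval.
DORMANT_DAYS = 90

@dataclass
class Account:
    username: str
    owner: str             # person the account belongs to
    enabled: bool
    privileged: bool       # member of an administrative group
    mfa_enabled: bool
    cloud_service: bool    # identity used to sign in to a cloud service
    last_logon: Optional[date]

def audit(accounts: List[Account], leavers: Set[str], today: date) -> List[str]:
    """Return one finding per enabled account that breaks an access-control step."""
    findings = []
    # owners who also hold an enabled standard account for day-to-day work
    has_standard = {a.owner for a in accounts if a.enabled and not a.privileged}
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account already satisfies "remove or disable"
        if a.owner in leavers:
            findings.append(f"{a.username}: owner {a.owner} has left, account still enabled")
        if a.last_logon is None or (today - a.last_logon).days > DORMANT_DAYS:
            findings.append(f"{a.username}: no logon in {DORMANT_DAYS} days, review or disable")
        if a.cloud_service and not a.mfa_enabled:
            findings.append(f"{a.username}: cloud service sign-in without MFA")
        if a.privileged and a.owner not in has_standard:
            findings.append(f"{a.username}: privileged account also used for daily work")
    return findings

# Constructed directory export and HR leaver list (hypothetical people, not real data).
SAMPLE = [
    Account("alice", "Alice", True, False, True, True, date(2024, 2, 28)),
    Account("alice-adm", "Alice", True, True, True, False, date(2024, 2, 27)),
    Account("bob", "Bob", True, True, True, True, date(2024, 2, 29)),        # admin used for everything
    Account("carol", "Carol", True, False, False, True, date(2024, 2, 20)),  # no MFA on cloud sign-in
    Account("dave", "Dave", True, False, True, False, date(2023, 10, 1)),    # left, never disabled
    Account("erin", "Erin", False, False, True, True, date(2023, 12, 1)),    # leaver, correctly disabled
]
LEAVERS = {"Dave", "Erin"}
TODAY = date(2024, 3, 1)

def sample_findings() -> List[str]:
    return audit(SAMPLE, LEAVERS, TODAY)
```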

5. Malware Protection

Goal: Prevent the execution of malware and untrusted software on in-scope devices through anti-malware solutions or application whitelisting.

Steps to achieve compliance:

  • Ensure that all devices are equipped with anti-malware software, which is kept up-to-date and operated in line with vendor recommendations

  • Prevent execution of malicious code and block connections to malicious websites

  • Alternatively: Use application allow listing to limit execution of software to only approved applications, restricted by code signing

Cyber Essentials Compliance: A Question of Scale

As you can see, the Cyber Essentials scheme breaks cybersecurity down into a few simple steps organisations should follow to maintain a basic level of security. How difficult it is to put these recommendations into action depends on the size of your organization.

For a microenterprise with only a handful of employees, it’s entirely feasible to manage firewalls, patches, security settings, user accounts and antivirus software by hand. For a mid-sized corporation dealing with hundreds of users and devices, automated solutions are essential to ensuring compliance.

Automated security solutions can help you manage device settings, apply updates and ensure that accounts and permissions are removed when people leave your organization. In doing so, they save a lot of valuable time for your tech staff and make your IT environment a lot more efficient on top of being more secure.

tenfold: No-Code Access Management for the Mid-Market

Identity and access management is the discipline of cybersecurity that helps organizations deal with user accounts and IT privileges. Originally developed for large enterprises with complex and heterogeneous networks, IAM has since become a must-have for any business that wants to manage a few hundred IT users.

The problem? IAM solutions continue to be developed with massive corporations in mind. Their overwhelming complexity and need for custom programming make them impossible to use in medium-sized organizations, ones that lack the sort of IT budget and department you’d need to operate such a cumbersome platform.

tenfold makes identity and access management easy. Our no-code IAM solution comes with out-of-the-box support for standard IT systems like Active Directory and Microsoft 365. This way, it can be set up quickly and with minimal effort. Meanwhile, you still benefit from the same powerful IAM features, allowing you to cover the user access control requirements of the Cyber Essentials with ease.

Whether it’s creating new accounts or automatically revoking permissions when they are no longer needed, tenfold makes access control a breeze. Watch our demo video to learn more about our platform or download our best practice white paper below.

White paper

Access Governance Best Practices for Microsoft Environments

Everything you need to know about implementing access control best practices in Active Directory, from implementation tips to common mistakes.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.