What is Cyber Essentials? A Simple Guide for UK Small Businesses
Cyber Essentials is a UK government-backed certification that shows your business takes cybersecurity seriously. Here is what it covers, who needs it, and how to prepare.
What is Cyber Essentials?
Cyber Essentials is a cybersecurity certification scheme backed by the UK government. It was created to help businesses of all sizes protect themselves against the most common online threats — and to demonstrate that protection to customers, partners, and regulators.
The scheme was developed by the National Cyber Security Centre (NCSC) and is delivered through accredited certification bodies. Businesses that achieve the certification can display the Cyber Essentials badge, signalling to anyone they work with that basic security controls are in place.
There are two levels of certification:
Cyber Essentials — a self-assessment questionnaire reviewed by a certifying body. You answer questions about your security controls and a qualified assessor verifies your answers.
Cyber Essentials Plus — a more rigorous version that includes independent technical testing of your systems by an external assessor.
Who needs Cyber Essentials?
Cyber Essentials is mandatory for any business that wants to bid for UK central government contracts involving the handling of sensitive information or personal data. If you work with the public sector, it is increasingly a requirement rather than an option.
Beyond government contracts, Cyber Essentials is increasingly expected by:
- Large enterprises as a supply chain security requirement
- Insurance providers when assessing cyber liability cover
- NHS suppliers and healthcare sector partners
- Financial services firms assessing third-party risk
Even if none of these apply to your business directly, achieving Cyber Essentials demonstrates a commitment to security that builds trust with clients. For a small business competing against larger competitors, it can be a meaningful differentiator.
The five Cyber Essentials controls
Cyber Essentials focuses on five fundamental security controls that address the most common attack vectors:
CE1 — Firewalls: Your internet-facing services should be protected by a properly configured firewall. Unnecessary ports and services should not be exposed to the internet.
CE2 — Secure Configuration: Devices and software should be configured securely. Default passwords should be changed, unnecessary software removed, and security features enabled.
CE3 — Access Control: User accounts should have only the access they need. Administrative privileges should be tightly controlled and protected with strong authentication.
CE4 — Malware Protection: Appropriate protection against malware should be in place, including anti-malware software and controls that prevent malicious code from executing.
CE5 — Patch Management: Software and devices should be kept up to date. Known vulnerabilities should be patched within 14 days of a patch becoming available.
These five controls, properly implemented, protect against the majority of common cyber attacks targeting UK businesses.
How does Cyber Essentials relate to your website?
Your public-facing website and domain are part of your Cyber Essentials scope. Issues that affect your CE assessment include:
- Unnecessary open ports on web servers (CE1)
- Missing security headers on your website (CE2)
- Default credentials on web applications (CE2)
- Outdated software with known vulnerabilities (CE5)
- Email security misconfigurations — SPF, DMARC, DKIM (CE2)
Many businesses are surprised to find that their website has gaps that would affect a Cyber Essentials assessment. An external vulnerability scan before your assessment tells you exactly where those gaps are.
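As an added illustration of that mapping (example code written for this guide, not Olimpio's scanner or anything from the NCSC), the script below takes a constructed set of scan results for a domain, open ports, HTTP response headers and SPF/DMARC TXT records, and files each gap under the CE control it affects. The domain, port list, headers and DNS records are all made-up sample data; DKIM is left out because checking it needs the sending selector name, which an external scan cannot guess.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample scan results for a hypothetical small-business domain.
DOMAIN = "example.com"
OPEN_PORTS = [22, 80, 443, 3306]
RESPONSE_HEADERS = {"content-type": "text/html",
                    "strict-transport-security": "max-age=31536000"}
DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

EXPECTED_WEB_PORTS = {80, 443}
REQUIRED_HEADERS = ["strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options"]

def check_ports(open_ports: List[int]) -> List[Tuple[str, str]]:
    """CE1: any port beyond the web ports is an exposed service to justify or close."""
    return [("CE1", f"port {p} exposed to the internet")
            for p in open_ports if p not in EXPECTED_WEB_PORTS]

def check_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """CE2: the security headers the guide names as a secure-configuration gap."""
    present = {k.lower() for k in headers}
    return [("CE2", f"missing header {h}") for h in REQUIRED_HEADERS if h not in present]

def check_email_auth(domain: str, txt: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """CE2: SPF ending in +all/?all, or DMARC with p=none, leaves spoofing unblocked."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if not spf:
        findings.append(("CE2", "no SPF record"))
    elif re.search(r"\s[+?]all$", spf[0]):
        findings.append(("CE2", "SPF does not fail unauthorised senders"))
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(("CE2", "no DMARC record"))
    elif not (m := re.search(r"\bp=(\w+)", dmarc[0])) or m.group(1).lower() == "none":
        findings.append(("CE2", "DMARC policy is p=none (monitor only)"))
    return findings

def readiness_report(domain, ports, headers, txt) -> Dict[str, List[str]]:
    """Group every finding under the Cyber Essentials control it affects."""
    report: Dict[str, List[str]] = {}
    for ctrl, msg in check_ports(ports) + check_headers(headers) + check_email_auth(domain, txt):
        report.setdefault(ctrl, []).append(msg)
    return report

if __name__ == "__main__":
    for ctrl, msgs in sorted(readiness_report(DOMAIN, OPEN_PORTS, RESPONSE_HEADERS, DNS_TXT).items()):
        print(ctrl, *msgs, sep="\n  ")
```

On the sample data this reports SSH and MySQL exposed under CE1, and three missing headers plus a monitor-only DMARC policy under CE2; the soft-fail SPF record passes the check.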
How to prepare for Cyber Essentials
Step 1 — Understand your scope. Identify all the devices, software, and internet-facing services that fall within your assessment scope. For most small businesses this includes computers, mobile devices, cloud services, and your website.
Step 2 — Scan your external attack surface. Before your assessment, find out what an attacker — or an assessor — would see when they look at your domain. Open ports, missing security headers, and email authentication gaps are all relevant to CE1 and CE2.
Step 3 — Address the findings. Work through any issues identified, prioritising those mapped to the five CE controls. Most findings for a small business website can be resolved by your web developer or IT provider.
Step 4 — Complete the self-assessment. Work through the official questionnaire honestly. The questions cover each of the five controls in detail.
Step 5 — Submit for certification. Choose an accredited certification body, submit your completed questionnaire, and await their review.
Check your Cyber Essentials readiness for free
Olimpio maps every finding from your domain scan to the relevant Cyber Essentials control — CE1 through CE5. You can see at a glance which controls have gaps and exactly what needs to be fixed before your assessment.