## TL;DR
- Cyber Essentials and Cyber Essentials Plus are the UK government's foundational cyber-hygiene certifications, owned by NCSC and administered by IASME.
- Cyber Essentials is self-assessed; Cyber Essentials Plus adds independent technical testing.
- Five control areas: firewalls, secure configuration, user access control, malware protection, security update management.
- Mandatory for many MOD contracts and most central-government contracts that handle sensitive information.
## What Cyber Essentials Is
Cyber Essentials is the UK's foundational cyber-hygiene scheme, launched by the government in 2014 and now owned by the National Cyber Security Centre (NCSC). It is administered on NCSC's behalf by IASME Consortium and delivered through a network of accredited certification bodies.
There are two variants. Cyber Essentials (the base level) is a self-assessment certification — the applicant answers a question set and IASME or its certification body reviews the answers. Cyber Essentials Plus adds independent technical testing of the controls.
## The Five Control Areas
| # | Control area | What it covers |
|---|---|---|
| 1 | Firewalls | Boundary firewalls and internet gateways correctly configured to control inbound and outbound traffic. |
| 2 | Secure configuration | Systems hardened — default credentials changed, unnecessary services removed, supported versions only. |
| 3 | User access control | Accounts assigned on least-privilege basis, admin accounts separate, MFA on internet-facing services. |
| 4 | Malware protection | Anti-malware on every device, or sandboxing / application allow-listing as alternatives. |
| 5 | Security update management | Critical and high-severity patches applied within 14 days; unsupported software removed. |
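The 14-day rule in control area 5 is the one requirement in the table that is precise enough to check mechanically. The following is an added example, not code from the scheme, IASME or Yobitel: it takes a constructed inventory of vendor updates (hosts, packages, severities and dates are all made up for illustration), works out each update's deadline from its release date, and reports which critical or high fixes are still outside the window. Lower-severity updates are deliberately reported as out of scope so that the output matches what an assessor would ask about.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SLA_DAYS = 14                    # Cyber Essentials window for critical/high fixes
IN_SCOPE = {"critical", "high"}  # severities the 14-day rule applies to


@dataclass(frozen=True)
class Update:
    host: str
    package: str
    severity: str                 # vendor-assigned: critical / high / medium / low
    released: date                # date the vendor published the fix
    installed: Optional[date] = None  # None means the fix is still pending


def deadline(update: Update) -> date:
    """Last day on which applying this update is still within the 14-day window."""
    return update.released + timedelta(days=SLA_DAYS)


def classify(update: Update, today: date) -> str:
    """Return one of: out_of_scope, applied, late, pending, overdue."""
    if update.severity.lower() not in IN_SCOPE:
        return "out_of_scope"          # 14-day rule does not apply; track separately
    if update.installed is not None:
        # Applied on time, or applied after the deadline (a past breach worth recording)
        return "applied" if update.installed <= deadline(update) else "late"
    return "pending" if today <= deadline(update) else "overdue"


def overdue_by_host(updates: List[Update], today: date) -> Dict[str, List[Tuple[str, int]]]:
    """Map host -> [(package, days past deadline)] for in-scope fixes still unapplied."""
    result: Dict[str, List[Tuple[str, int]]] = {}
    for u in updates:
        if classify(u, today) == "overdue":
            days_over = (today - deadline(u)).days
            result.setdefault(u.host, []).append((u.package, days_over))
    return result


# Constructed sample inventory; none of these hosts or dates are real.
SAMPLE_UPDATES = [
    Update("ws-01", "browser", "critical", date(2024, 3, 1), installed=date(2024, 3, 5)),
    Update("ws-02", "browser", "critical", date(2024, 3, 1), installed=date(2024, 3, 20)),
    Update("srv-01", "kernel", "high", date(2024, 3, 10)),
    Update("srv-01", "openssl", "medium", date(2024, 2, 1)),
    Update("ws-03", "office", "high", date(2024, 3, 25)),
]
SAMPLE_TODAY = date(2024, 4, 1)


if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        print(f"{u.host:7} {u.package:8} {u.severity:8} -> {classify(u, SAMPLE_TODAY)}")
    print("overdue:", overdue_by_host(SAMPLE_UPDATES, SAMPLE_TODAY))
```

The "late" state is kept separate from "applied" on purpose: a Cyber Essentials Plus assessor samples devices for fixes that are currently missing, but an internal review also wants to know how often the window was missed in the past, since that points at a process problem rather than a one-off.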
## Cyber Essentials vs Cyber Essentials Plus
The difference is the testing methodology, not the controls themselves:
- Cyber Essentials — applicant completes a question set; a certification body reviews and certifies if controls are present. No independent testing.
- Cyber Essentials Plus — adds external vulnerability scanning, authenticated scanning of a sample of devices, simulated phishing of users (in some versions), and validation that the controls actually work as described.
Certification is annual — both variants require renewal every 12 months.
## Who Needs It
Cyber Essentials Plus is required by:
- Most MOD contracts via DEFCON 658.
- Contracts with central government that handle 'sensitive' information.
- G-Cloud listings (Cyber Essentials minimum; CE Plus widely expected).
- Many NHS supply-chain contracts.
- Many local-authority and emergency-services contracts.
- Insurance schemes — many UK cyber-insurance policies require it as a precondition.
## Scope
Cyber Essentials scope can be a defined sub-set of the organisation (a particular business unit, a particular site, a particular ISMS scope) or the whole organisation. The scoping decision matters — a narrow scope is cheaper and faster but limits the contracts that will accept it.
Choose 'whole organisation' scope unless you have a genuine reason not to. A scope-limited certificate frequently fails to satisfy government buyers who expect the whole supplier to be certified, not just one team.
## Relationship to Other Frameworks
- Cyber Essentials Plus covers a slice of NCSC Cloud Security Principles 9, 10, 11, and 12.
- It does not by itself satisfy ISO 27001 — but is a useful baseline as an ISMS scope progresses.
- It is broadly equivalent in concept to the US CIS Controls Implementation Group 1.
- Many GDPR Article 32 reviews use it as the 'baseline IT hygiene' evidence.
## Where Yobitel Sits
Yobitel holds whole-organisation Cyber Essentials Plus certification, renewed annually. The certificate is available on request via the security portal and is referenced in G-Cloud and NCSC-principles evidence.
## References
- Cyber Essentials (NCSC)
- Cyber Essentials administration (IASME Consortium)
- DEFCON 658: Cyber (MOD)