In April 2023, the NCSC and its Cyber Essentials delivery partner IASME updated the technical requirements for Cyber Essentials. This update was part of a regular review of the scheme’s technical controls, ensuring that it continues to help UK organisations guard against the most common cyber threats.
Cyber Essentials is a UK Government-backed scheme, run through IASME and CREST, that helps more cyber-secure organisations and businesses promote the fact by using a Cyber Essentials badge. The scheme works on two levels:
Level 1 comprises five basic controls:
- Secure configuration
- Boundary firewalls and internet gateways
- User access and administration management
- Malware protection
- Patch management
Level 2 (Cyber Essentials Plus), which is mandatory for UK Government and MOD suppliers, requires a more rigorous assessment in addition to Level 1, including internal and external vulnerability assessments. The suppliers and contracts affected are likely to be from the following sectors: IT managed or outsourced services, commercial services, financial services, legal services, HR services and business services. This will not be mandatory for suppliers through G-Cloud or the Digital Services Framework.
If your organisation is hoping to gain certification to the UK Government’s Cyber Essentials Scheme (Level 1 or 2) and needs help and guidance through the process, speak to us. We have been taking clients through successful security certifications for many years and, at the same time, mentoring them in how to self-support through their future re-certification.
If my organisation is already certified to ISO27001, do we still need to undertake Cyber Essentials?
If your business or organisation is already certified to ISO27001 then you will probably have most of the requirements for Cyber Essentials certification. However, you will still be required to go through Cyber Essentials if you are a UK Government supplier.