5 Steps to Get Cyber Essentials Certified

August 15, 2022

No cybersecurity strategy can guarantee protection against cyberthreats lurking in today’s technology landscape. However, your organisation can implement best practices that could nip the most common cyberthreats in the bud. Certain security standards worldwide include a list of such best practices. One such standard is the Cyber Essentials certification program — introduced and backed by the UK government.

Earning a Cyber Essentials and Cyber Essentials Plus certification can help your organisation:

  • Develop a strong cybersecurity posture
  • Demonstrate a strong commitment towards cybersecurity
  • Bid for UK government contracts that involve handling sensitive and personal information

The nonprofit organization that manages Cyber Essentials recommends a five-step process your organisation can undertake to get Cyber Essentials certified.


Get the best tool to prepare for your Cyber Essentials certification while managing compliance with all your other IT requirements — including UK GDPR. Take a look at Compliance Manager GRC today!


Step 1: Define your business network scope

The process for both Cyber Essentials and Cyber Essentials Plus certification involves an assessment of your organisation’s network. While the former requires you to complete an online self-assessment questionnaire, which is then verified by a qualified assessor, the latter needs both the self-assessment and a third-party technical assessment.

Either way, you must ensure that the assessment and certification cover your entire IT infrastructure that is used to perform your organisation’s business operations — or a well-defined and separately managed subset. You must clearly define the scope in terms of the business unit managing it, the network boundary and physical location. Lastly, it’s imperative that the scope be agreed upon between the Applicant (your organisation) and the Certification Body before the start of the assessment.

The requirements apply to all the devices and software within the boundary of the scope if they:

  • can accept incoming network connections from untrusted internet-connected hosts; or
  • can establish user-initiated outbound connections to devices via the internet; or
  • control the flow of data between any of the above devices and the internet.

Please note that a scope that does not include end-user devices is unacceptable.

Step 2: Familiarise yourself with the requirements

Acing an assessment begins with familiarising yourself with the five controls suggested by the Cyber Essentials framework:

  1. Firewalls and internet gateways: You must configure and use a firewall to protect all your devices — especially those that connect to public or other suspicious and unreliable Wi-Fi networks.
  2. Secure configuration: Your organisation is expected to only use software, accounts and apps that are a necessity to your organisation’s functioning. This prevents any vulnerabilities that can be created due to improper installation and configuration of unnecessary devices or applications.
  3. Access control: You should control access to your data through user accounts, give administrator privileges to only those that need them, and lastly, monitor the usage of data by those accounts.
  4. Malware protection: The framework mandates the implementation of at least one of the three techniques to defend against malware — whitelisting, sandboxing and installation of antimalware software.
  5. Patch management: You must make sure that all your devices are patched on a regular basis.

In addition to understanding the requirements, you must be aware of these eight sections of the questionnaire to complete it correctly:

  • Your company
  • Scope of assessment
  • Insurance
  • Boundary firewalls and internet gateways
  • Secure configuration
  • Security update management
  • User access control
  • Malware protection

Step 3: Go online and pick a certification body

You may find it difficult to understand the self-assessment questions if you don’t have a technical IT background or if your organisation has a complex structure. In such a scenario, you can reach out to a certification body on the website of the Information Assurance for Small and Medium Enterprises (IASME) Consortium.


Compliance Manager GRC can help you prepare for Cyber Essentials certification with a built-in template that has all the requirements. Perform a rapid baseline assessment in less than an hour and produce a project plan to close the gaps. Request a demo now!


Step 4: Get your basic certification

You can either go through the assessment and certification process on your own or get some help from a certification body. The certification body can:

  • Accommodate pure DIY with just fee for your certificate
  • Provide consulting at a reasonable cost
  • Perform requirements for Cyber Essentials Plus certification

You can do it yourself if:

  • You can define the scope of your assessment
  • You own and operate the IT infrastructure
  • You are familiar with the controls
  • You want to renew your certification (after 12 months) and your scope hasn’t changed

Alternatively, you must get some help if:

  • You have a more complex IT infrastructure
  • You have questions about your scope
  • Your network is distributed
  • You will need assistance to fully define the five key controls

Step 5: Leverage your certification

The Cyber Essentials framework isn’t “essential” for your organisation unless you want to bid for certain government contracts or private sector tenders. Having said that, if you haven’t implemented another security framework and if you are unsure about how to embed cybersecurity into your business, then this certification is a good starting point — when done properly.

Once you’ve earned the certification, you’ll also get the right to use the Cyber Essentials Certified logo on your website, promotional materials, letterhead and email signatures. You can leverage this opportunity to show any client or business partner how your organisation prioritises cybersecurity in today’s threat-laden business environment.

Simplify Cyber Essentials with Compliance Manager GRC

Compliance Manager GRC simplifies everything for IT professionals juggling Cyber Essentials alongside numerous external and internal procedures and processes.

Whether you are preparing for the self-assessment attestation for the annual Cyber Essentials certification or performing a third-party Cyber Essentials Plus audit, Compliance Manager GRC makes the entire process “painless.” Furthermore, you can renew your Cyber Essentials and Cyber Essentials Plus certifications in a few simple steps without any hassle.

Book a demo of Compliance Manager GRC today.