Tristarnex
Compliance · Cyber Essentials · 18 Mar 2026 · 6 min read

Cyber Essentials: What It Covers and How to Get It

Cyber Essentials is a UK government-backed certification scheme, owned by the National Cyber Security Centre (NCSC), that helps organisations protect themselves against the most common cyber attacks. It specifies five technical controls, applied to every device and service in the organisation's defined scope, and holding the certificate is a condition of bidding for certain UK government contracts.

The five Cyber Essentials controls

01 Firewalls

Boundary firewalls and internet gateways must block unauthorised inbound traffic by default. Every inbound service that is opened needs a documented business need approved by an authorised person, and the rule must be removed as soon as that need ends. The firewall's own administrative interface must not be reachable from the internet unless there is a documented need and access is protected by a second authentication factor or an IP allow list, and its default password must be changed. The control applies to the software firewall on every in-scope device (laptops, home workers' machines) as well as to hardware firewalls at the office boundary.
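One way to check a ruleset against this control, as an added example that is not part of the original article and not NCSC or assessor tooling: the script below audits a constructed inbound ruleset for the three things an assessor looks for, a default-deny inbound policy, a documented business need for every open inbound service, and no internet-exposed management interface without MFA or an IP allow list, and also flags rules whose review date has passed. The `Policy` and `Rule` records, the `review_by` field and the `ADMIN_PORTS` set are assumptions of the example; map your own firewall or cloud security-group export onto them.

```python
"""Check an inbound firewall ruleset against the Cyber Essentials firewall control.

Added example for this article; it is not code from the page or from the NCSC.
The Policy/Rule records are an assumed inventory format: export your own
firewall or cloud security-group rules into this shape before running it.
"""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_network
from typing import List, Optional

# Ports that usually expose a management interface. An assumption for this
# example; extend it with whatever your own estate is administered over.
ADMIN_PORTS = {22, 23, 3389, 5900, 8443}


@dataclass
class Rule:
    name: str
    source: str                        # CIDR the rule matches, e.g. "0.0.0.0/0"
    port: int
    justification: str = ""            # documented business need, empty if none
    mfa_or_allowlist: bool = False     # admin interface behind MFA or an IP allow list
    review_by: Optional[date] = None   # when the rule should be re-approved or removed


@dataclass
class Policy:
    default_inbound: str               # "deny" or "allow"
    inbound_allows: List[Rule] = field(default_factory=list)


def is_internet_wide(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule open to the whole internet."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit(policy: Policy, today: date) -> List[str]:
    """Return one finding per deviation from the control; an empty list means clean."""
    findings = []
    if policy.default_inbound != "deny":
        findings.append("default inbound policy is not deny")
    for r in policy.inbound_allows:
        if not r.justification:
            findings.append(f"{r.name}: inbound allow has no documented business need")
        if is_internet_wide(r.source) and r.port in ADMIN_PORTS and not r.mfa_or_allowlist:
            findings.append(
                f"{r.name}: admin interface on port {r.port} exposed to the internet "
                "without MFA or an IP allow list"
            )
        if r.review_by is not None and r.review_by < today:
            findings.append(f"{r.name}: review date passed, remove or re-approve the rule")
    return findings


# Constructed sample ruleset (not taken from a real firewall).
SAMPLE = Policy(
    default_inbound="deny",
    inbound_allows=[
        Rule("web", "0.0.0.0/0", 443, justification="public website", review_by=date(2027, 1, 1)),
        Rule("ssh", "0.0.0.0/0", 22, justification="vendor support"),
        Rule("old-vpn", "203.0.113.0/24", 1194, review_by=date(2024, 6, 30)),
    ],
)


def audit_sample() -> List[str]:
    """Run the audit on the constructed ruleset as of the article's date."""
    return audit(SAMPLE, date(2026, 3, 18))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

The "ssh" rule is the typical finding in practice: it has a justification, but a management port open to 0.0.0.0/0 is only acceptable to the scheme when the interface sits behind MFA or an allow list, so the fix is to narrow the source to the vendor's addresses or move the service behind a VPN.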

02 Secure configuration

Devices and software must be configured to reduce their attack surface. Default passwords must be changed (including on network devices, printers and other appliances), software, services and user accounts that are not needed must be removed or disabled, auto-run features that execute files without the user's authorisation must be disabled, and every device must require authentication (a password, PIN or biometric) to unlock.

03 User access control

User accounts must be created only through an approved process, granted the minimum access the role needs, and removed when the person leaves or changes role. Everyone uses a standard, non-administrative account for day-to-day work such as email and web browsing; administrative accounts are separate, held only by authorised personnel and used only for administrative tasks. Multi-factor authentication must be enabled on cloud services wherever the service supports it, and always for administrative access.

04 Malware protection

A malware protection mechanism must be active on every in-scope device, including laptops and mobile devices. The options are anti-malware software, which must be updated in line with the vendor's recommendations, scan files on access and block connections to known-malicious websites, or application allow listing (the scheme's current term for whitelisting), under which only approved applications can run. Earlier versions of the requirements also accepted sandboxing; the current version lists only these two options.

05 Patch management

All software and firmware on in-scope devices must be licensed, supported by the vendor and kept up to date, with automatic updates enabled where possible. Patches that fix vulnerabilities the vendor rates high or critical, that carry a CVSS v3 base score of 7.0 or above, or for which the vendor gives no severity at all must be applied within 14 days of release. Software that is no longer supported, and so can no longer be patched, must be removed from in-scope devices or moved to a segregated network segment that isolates it from the rest of the estate.
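The 14-day rule has edge cases that trip people up: a fix with no vendor severity still counts, a CVSS 5.3 fix does not, and unsupported software fails the control however recently it was "patched". The script below, an added example rather than code from the article or from any assessor tooling, applies those rules to a constructed inventory and groups products into overdue, still within the window, and unsupported. The `Update` record layout and the sample entries are assumptions of the example; feed it from your own patch-management or vulnerability-scanner export.

```python
"""Flag missing updates that breach the Cyber Essentials 14-day patch window.

Added example for this article; not code from the page or from the NCSC. The
Update records are an assumed export format (product, fix release date, the
vendor's severity and CVSS v3 base score, whether the fix is installed). Feed
it from your patch-management or vulnerability-scanner export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)   # the scheme's deadline, counted from release
CVSS_THRESHOLD = 7.0                # CVSS v3 base score at which a fix is in scope


@dataclass
class Update:
    product: str
    fix_version: str
    released: date
    installed: bool
    cvss: Optional[float] = None            # CVSS v3 base score, if the vendor gives one
    vendor_severity: Optional[str] = None   # vendor's own rating, if any
    supported: bool = True                  # False once the vendor has ended support


def in_window_scope(u: Update) -> bool:
    """A fix must be applied within 14 days if it is high/critical by CVSS, by the
    vendor's own rating, or if the vendor gives no severity information at all."""
    if u.cvss is not None and u.cvss >= CVSS_THRESHOLD:
        return True
    if u.vendor_severity and u.vendor_severity.lower() in {"high", "critical"}:
        return True
    return u.cvss is None and not u.vendor_severity


def deadline(u: Update) -> date:
    return u.released + PATCH_WINDOW


def assess(updates: List[Update], today: date) -> Dict[str, List[str]]:
    """Group products by what an assessor would flag on `today`."""
    result: Dict[str, List[str]] = {"unsupported": [], "overdue": [], "due": []}
    for u in updates:
        if not u.supported:
            result["unsupported"].append(u.product)   # cannot be patched: remove or isolate
            continue
        if u.installed or not in_window_scope(u):
            continue
        (result["overdue"] if today > deadline(u) else result["due"]).append(u.product)
    return result


# Constructed sample inventory (not real scanner output).
SAMPLE = [
    Update("browser", "124.0.1", date(2026, 2, 20), installed=False, cvss=8.8),
    Update("pdf-reader", "11.3", date(2026, 3, 10), installed=False, vendor_severity="Critical"),
    Update("firmware-switch", "2.7", date(2026, 2, 1), installed=False),   # no severity given
    Update("office-suite", "16.0.5", date(2026, 2, 25), installed=False, cvss=5.3),
    Update("legacy-erp", "n/a", date(2020, 1, 1), installed=False, supported=False),
    Update("os", "2026.03", date(2026, 3, 5), installed=True, cvss=9.8),
]


def assess_sample() -> Dict[str, List[str]]:
    """Assess the constructed inventory as of the article's date."""
    return assess(SAMPLE, date(2026, 3, 18))


if __name__ == "__main__":
    for category, products in assess_sample().items():
        print(f"{category}: {', '.join(products) or '-'}")
```

Note that "firmware-switch" lands in the overdue list despite having no severity attached: silent firmware updates for network devices are exactly the case the "no severity given" clause exists for, and a common Cyber Essentials Plus finding.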

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials

A self-assessment questionnaire, signed off at board level and reviewed by an assessor at a licensed certification body. You describe how the five controls are applied across your in-scope systems; the assessor checks the answers for completeness and consistency but does not test anything. Suitable for most SMBs and sufficient for many government contracts.

Typical cost: ~£300–£500 (the fee is tiered by organisation size)

Cyber Essentials Plus

Independent technical verification of the same five controls, which must be completed within three months of passing the self-assessment. An assessor tests a sample of in-scope systems directly: an external vulnerability scan of internet-facing services, an authenticated internal scan of sample devices to verify patch levels, tests that malware protection blocks malicious files delivered by email attachment and browser download, and checks that MFA is enforced on cloud services and that day-to-day user accounts are not administrators. Required for higher-value government contracts.

Typical cost: ~£1,500–£3,000

Who needs Cyber Essentials?

Cyber Essentials certification is mandatory, under Procurement Policy Note 09/14, for organisations bidding on UK central government contracts that involve handling personal information or providing certain ICT products and services. It is also a requirement for many NHS, MOD and local authority suppliers.

Beyond contractual requirements, Cyber Essentials is a practical baseline for any UK business. The NCSC estimates that the five controls would protect against approximately 80% of common cyberattacks. For small and medium businesses, it represents the minimum viable security posture.

How to prepare for Cyber Essentials

The most common reasons organisations fail their assessment:

  • Unsupported or end-of-life software that cannot be patched (Windows 7, old versions of Office, network devices whose firmware is no longer maintained)
  • Overly permissive firewall rules or cloud security group configurations, typically management ports open to the whole internet
  • Default credentials on network devices, printers or IoT devices
  • Administrator accounts used for day-to-day activity such as email and web browsing
  • Missing or outdated malware protection on laptops and mobile devices, including staff-owned devices that access company data

Tristarnex conducts Cyber Essentials gap assessments before your formal assessment — identifying exactly what needs to be remediated to pass first time.
