The Cyber Essentials scheme was created by both the UK Government and the industry to help design a basic set of requirements that all businesses could apply with limited experience of cyber security. Businesses that work to apply those requirements can then publicly demonstrate their commitment to cyber security via the certification.

The process of achieving this certification has been designed to be as easy as possible to achieve while ensuring that best practices are in place as well as affordable. It has been proven to show that companies that have the certification can mitigate up to 80% of known cyber threats.

How does it work?

The scheme is based upon a set of five security controls which, when correctly deployed, will provide you with a level of protection from the most common cyber security threats. These controls apply to a defined scope, which could be part or all of your company, depending upon your needs.

By ensuring that your boundary firewalls are configured to only allow authorised inbound and outbound traffic, will help to effectively protect your business against cyber threats.

By ensuring that security controls have been agreed upon and put in place when installing computers and mobile/network devices, will help ensure that configurations in default settings are reduced.

Making sure that user accounts are configured with the level of access that is needed will help reduce network-wide threats. Using least privilege access should be applied to all accounts.

Making sure proper malware protection is in place on all devices will help you protect your business against cyber threats such as ransomware and viruses which may run throughout the network.

Keeping your software up to date with the latest security updates is important as well as helping to reduce the changes of devices being compromised.

Why go with InfoSec Governance?

InfoSec Governance will work with you to help you answer any questions or concerns with passing Cyber Essentials. InfoSec Governance’s consultants will assessment certify your business quickly as soon as you’ve submitted your results. InfoSec Governance consultants have worked with and helped a wide range of customers who are all happy and certified.

How much does it cost?

If you would like to achieve the basic self-assessment version of Cyber Essentials, yourself without any support the pricing will be as follows.

Micro organisations (0-9 employees) £320 +VAT
Small organisations (10-49 employees) £440 +VAT
Medium organisations (50-249 employees) £500 +VAT
Large organisations (250+ employees) £600 +VAT

If you would like some support, please get in touch with us to see how we can help you and how much support you would require.

Frequently Asked Questions

Cyber Essentials looks at five key areas of cyber security for protecting your business, these areas are:

  • Access control
  • Firewalls and routers
  • Malware protection
  • Secure configuration
  • Software updates

All Cyber Essentials related certificates are valid for 12 months only. After this time, you will have to renew your certificate.

The Cyber Essentials basic assessment involves completing a questionnaire covering the five key technical controls. Cyber Essentials Plus goes a step further and includes a vulnerability scan of externally facing devices in scope along with internal devices. The Cyber Essentials Plus certification must be achieved within 3 months of obtaining the basic certification.

Normally yes, if you have any mobile devices which access business data (like emails) then these must be in scope of your assessment. This also includes any BYOD devices that are used by staff.

A device under the Cyber Essentials Scheme is classified as a device that can be used to connect to and use the internet, this includes web applications, email and any other company based resources.  Devices are only in scope if they have access to the internet, if the device has no access to the internet, and this is enforced by a technical controls such as firewall, segregated VLANs and/or air gapped networks, then the devices can be considered out of scope and do not need to be included in the assessment.

Examples of devices are:

  • Workstation or Laptop
  • Server that provides users access to the internet through a GUI
  • Tablet
  • Mobile Phone (including personal, if access to business resources, such as email)

In order to get started, once you contact you, you need to check the terms and conditions of the agreement, if you accept these, you must then provide the following information:

  • Name of company to be certified (as against Companies House)
  • Registered company address
  • Name of person filling in the self-assessment
  • Email address of person above
  • Mobile number of person above (to receive password to portal)
  • Purchase Order number (if needed)
  • Finance billing email address

Once we have this information we can get you setup on the portal and you can start your journey to Cyber Essentials.

Once the online portal has been setup, you will have 6 months to complete the self-assessment, any longer than this and your access to the portal may be denied and additional costs may be incurred.

Yes you can, you can download the latest question set from IASME’s website at: