UK government contract eligibility: mandatory for many public sector contracts; without it, bids may be disqualified at the procurement stage.
The UK government's baseline cybersecurity certification: the first step for any business that wants to demonstrate it takes security seriously.
We help businesses based in India, the Gulf, and beyond prepare for and achieve Cyber Essentials and Cyber Essentials Plus certification, including those working through the UK certification process from outside the UK.
Cyber Essentials and Cyber Essentials Plus: what is the difference?
Cyber Essentials
The base level of certification is achieved through a verified self-assessment. You complete a questionnaire confirming that the five technical controls are in place across your organisation’s IT systems within scope. The questionnaire is reviewed and verified by an accredited certification body. If the assessment confirms the controls are in place, the certificate is issued.
Cyber Essentials certification is valid for twelve months. It is renewable annually.
Cyber Essentials Plus
Cyber Essentials Plus covers the same five technical controls but replaces self-assessment with independent technical verification. An assessor from an accredited certification body tests your systems directly: running vulnerability scans, attempting to identify weaknesses in the controls you have declared, and verifying that your environment matches what your questionnaire described.
Cyber Essentials Plus provides a stronger assurance than the base certificate and is required for certain UK government contracts. For businesses selling to clients who want more than a self-declaration, Plus is the more credible credential.
Note: Cyber Essentials Plus assessment must be conducted within three months of achieving the base Cyber Essentials certificate. Planning both together from the start avoids the risk of the base certificate expiring before the Plus assessment can be completed.
Understanding scope for Cyber Essentials
The scope of a Cyber Essentials assessment is the organisation’s entire IT infrastructure unless a defined subset is explicitly scoped out, and any scoped-out systems must be separated from the in-scope environment by a firewall or equivalent boundary control.
For many businesses, the practical scope includes: end-user devices (laptops, desktops, mobile phones, tablets used for work), servers (on-premises and cloud), and network devices (routers, switches, firewalls). Cloud services have specific treatment under the scheme: cloud infrastructure that the organisation configures and manages (IaaS and PaaS) is in scope; cloud services where the provider controls the underlying security configuration (most SaaS) are generally not.
Getting scope right matters. Businesses that attempt to artificially narrow their scope, claiming certain devices or systems are out of scope without proper network separation, risk failing the assessment. We review scope carefully at the start of every Cyber Essentials engagement.
Who needs Cyber Essentials
- Businesses supplying to the UK government: Cyber Essentials is mandatory for many UK public sector contracts, particularly those involving personal data or technical services
- UK-based businesses selling to enterprise clients where Cyber Essentials is a vendor procurement requirement: the scheme is widely recognised across UK regulated sectors
- Indian IT services, technology, and outsourcing companies with UK clients who require evidence of baseline cybersecurity: Cyber Essentials is the most commonly requested UK-specific security credential
- Gulf-based businesses targeting the UK market or working with UK-headquartered organisations
- Businesses of any size that want a credible, cost-effective, independently verified baseline security credential: Cyber Essentials is proportionate for small and mid-sized businesses in a way that ISO 27001 may not yet be
- Organisations that have completed Cyber Essentials and want to progress to Cyber Essentials Plus to provide stronger technical assurance to clients
- Businesses seeking cyber insurance: some UK insurers treat Cyber Essentials certification as a factor in underwriting assessment
What we do
Cyber Essentials is straightforward in concept but surprisingly easy to fail without proper preparation. The most common failure points are not exotic technical weaknesses; they are basic configurations that have drifted, unsupported software that nobody noticed, or scope questions that were answered without fully understanding what the scheme requires. We prepare businesses to pass the first time.
Readiness Assessment
We assess your current environment against the five Cyber Essentials controls across all in-scope systems. We identify configuration gaps, unsupported or unpatched software, access control issues, and scope questions that need to be resolved before the formal assessment. The readiness assessment tells you exactly what needs to be fixed and in what order.
Scope Review and Documentation
We review your IT environment, advise on how the Cyber Essentials scoping rules apply to your specific infrastructure (including cloud services, BYOD devices, and remote working arrangements), and document the scope in a way that is defensible in assessment.
Remediation Support
We work alongside your IT team or managed service provider to remediate the gaps identified in the readiness assessment. This includes configuration hardening, patch management, access control review, and firewall rule review. We document the changes made and verify the remediation before the formal assessment proceeds.
Self-Assessment Questionnaire Guidance
For the base Cyber Essentials certification, we guide you through the self-assessment questionnaire, ensuring that every answer accurately reflects your environment, that scope is correctly described, and that the evidence supporting your answers is in place before submission.
Cyber Essentials Plus Preparation and Assessment Liaison
For Cyber Essentials Plus, we prepare your environment specifically for the technical verification: understanding what the assessor will test, ensuring your controls will withstand independent scrutiny, and acting as a technical liaison during the assessment process. We coordinate the timing of base certification and Plus assessment to ensure they fall within the required three-month window.
Certification Body Selection
Cyber Essentials assessments must be conducted by an accredited certification body approved by IASME (the scheme's delivery partner). For businesses based outside the UK, selecting a certification body that is experienced with remote and international assessments matters. We advise on suitable certification bodies for your situation.
Cyber Essentials and other security frameworks
Cyber Essentials occupies a specific position in the security framework landscape: it is a baseline, not a comprehensive security management system. Understanding where it sits relative to ISO 27001 and SOC 2 helps businesses make the right choice for their situation.

Cyber Essentials covers five specific technical controls and nothing else. It does not address risk management processes, security governance, supplier security, business continuity, incident response, or the management system disciplines that ISO 27001 requires. A business that holds Cyber Essentials has demonstrated a technical baseline; it has not demonstrated mature information security management.

For businesses that need Cyber Essentials for UK procurement purposes alongside ISO 27001 for broader enterprise sales, the two are complementary. The technical controls required by Cyber Essentials are a subset of what ISO 27001 implementation covers: a business implementing ISO 27001 properly will satisfy the Cyber Essentials technical requirements as part of that process. We implement them in sequence or in parallel depending on your commercial priorities.
What Cyber Essentials gives your business
Find out if you are ready to certify before the assessment does.
A readiness assessment against the five Cyber Essentials controls tells you exactly where you stand and what needs to change. For most businesses, the path to certification is shorter than expected once the gaps are clearly identified.
We are based in India. Can we still get Cyber Essentials certified?
Yes. Cyber Essentials is a UK scheme, but there is no requirement that the organisation being certified is based in the UK. The certification is issued by a UK-accredited certification body regardless of where you are located. For businesses based in India or the Gulf with UK clients requiring the certification, it is entirely achievable: the practical requirements are the same, and remote assessment processes are well-established for the base certification. Cyber Essentials Plus requires a more involved technical assessment, but accredited bodies with experience in international engagements can conduct this remotely for most infrastructure types.
How long does it take and what does it cost?
For a business that has done the preparation work, the formal Cyber Essentials assessment is quick, typically a matter of days for the base certification once the questionnaire is submitted. The preparation work (remediating gaps, hardening configurations, updating software) takes longer and depends on the current state of your environment. Most businesses with reasonable IT hygiene can be assessment-ready in four to eight weeks. Certification fees are set by the certification body and are generally modest for the base level; Cyber Essentials Plus is more expensive given the technical assessment involved.
Our IT is mostly cloud-based. Does Cyber Essentials still apply?
Yes, though the scope treatment of cloud services has nuance. Cloud services where the provider controls the underlying security configuration (most SaaS applications) are generally outside the scope of your Cyber Essentials assessment, because you do not control the security configuration. Cloud infrastructure where you configure and manage the security (virtual machines, containers, cloud-hosted servers) is in scope. End-user devices (laptops, mobiles) that access those services are in scope regardless. For cloud-heavy organisations, the scope is often smaller than expected, but it is not empty.