- Understanding Cyber Essentials: Certification & purpose
- Cyber Essentials vs Cyber Essentials Plus
- The five Cyber Essentials security controls
- Is Cyber Essentials mandatory for NHS providers?
- Benefits of Cyber Essentials compliance framework for NHS trusts
- How ManageEngine AD360 supports Cyber Essentials compliance framework
- FAQs
Cybersecurity is now a fundamental part of patient care. With the NHS rapidly digitising operations—electronic health records, remote care platforms, and cloud integrations—the threat of cyberattacks continues to grow. NHS organisations must now strike a balance between agility and security.
Achieving compliance with the Cyber Essentials framework is not just a regulatory step; it is crucial for safeguarding sensitive patient data and building trust in a rapidly evolving digital healthcare landscape.
To help organisations defend against common cyber threats, the UK Government introduced the Cyber Essentials compliance framework, a baseline cyber security certification developed by the National Cyber Security Centre (NCSC). For NHS trusts, care providers, and third-party vendors, Cyber Essentials is more than a framework: it is a strategic tool that ensures cyber readiness, protects patient data, and supports regulatory compliance.
In this blog, we outline what Cyber Essentials entails, how it aligns with the Data Security and Protection Toolkit (DSPT), and how ManageEngine AD360 helps NHS organisations meet the technical controls required by the framework.
Understanding Cyber Essentials: Certification & purpose
What is Cyber Essentials?
Cyber Essentials is a fundamental set of standards and assessments designed to foster robust cyber security practices within organisations, including small businesses in the United Kingdom (UK). These guidelines offer a structured approach to implementing technical and administrative controls, establishing a baseline for cyber resilience. The scheme aims to protect organisations against the majority of common online security threats.
What is the Cyber Essentials certificate?
The Cyber Essentials certificate is the official UK Government-backed recognition of an organisation's commitment to these standards. It enables organisations of all sizes, including NHS trusts, to protect themselves against common online threats. Introduced in 2014 as part of the UK’s National Cyber Security Programme, the certification is renewed annually to ensure continued compliance.
The certificate is sometimes required for certain government contracts, making it vital for NHS procurement processes.
Who needs Cyber Essentials?
Certification under the Cyber Essentials compliance framework is increasingly a necessity for NHS organisations and entities seeking central government contracts that involve handling sensitive patient data or providing specific technical products and services. This certificate is often mandatory to bid on such contracts, ensuring NHS compliance with government cyber security standards.
Cyber Essentials vs Cyber Essentials Plus
There are two levels of the Cyber Essentials certification:
- Cyber Essentials: A self-assessment option
- Cyber Essentials Plus: Includes the self-assessment and an independent technical verification
| Cyber Essentials | Cyber Essentials Plus |
|---|---|
| Entry-level certification | A more rigorous evaluation |
| Focuses on fundamental security controls and principles | Includes all Cyber Essentials requirements plus hands-on technical testing |
| Based on a self-assessment questionnaire verifying basic security measures | Involves comprehensive technical verification by independent assessors |
| Emphasises protection against common cyber threats | Validates advanced security measures and control |
| Designed for organisations seeking a foundational level of cyber assurance | Suitable for organisations requiring a higher level of assurance |
| Ideal for small to medium-sized businesses | Recommended for larger or higher-risk organisations |
| Provides a starting point for enhancing cyber security measures | Offers a deeper, independent assessment of security posture |
The five Cyber Essentials security controls
- Firewalls: Ensuring that every internet-connected device has firewall protection is crucial, and firewalls must be configured to permit only necessary traffic, then regularly maintained and updated. Doing so helps uncover vulnerabilities on internal networks, while intrusion detection systems identify security risks from external networks. Fulfilling these requirements involves:
  - Setting strong administrative passwords or disabling remote admin access.
  - Restricting administrative access based on clear business needs.
  - Blocking unauthorised connections automatically.
  - Approval of inbound firewall rules by authorised personnel and swift removal of unnecessary rules.
  - Installing software firewalls on devices used on untrusted networks.
  By meeting these requirements, NHS organisations strengthen their defences against external threats, an essential aspect of NHS digital security.
- Secure configuration: Configuring systems and devices securely involves mitigating vulnerabilities by limiting unnecessary services and ensuring robust password settings. To adhere to these requirements:
  - Eliminate or disable redundant user accounts and software.
  - Change default passwords and disable auto-run features.
  - Authenticate users before granting access to business services.
  - Establish robust unlocking controls requiring biometric data, passwords, or PINs.
  Adhering to these secure configuration practices is foundational for NHS cybersecurity compliance.
- User access control: Effective management of user access is critical to minimise the risks associated with misuse or theft of accounts. Compliance involves:
  - Implementing a structured process for creating and authorising user accounts.
  - Authenticating users before granting access.
  - Regularly reviewing and eliminating unnecessary user accounts.
  - Implementing MFA whenever feasible.
  - Assigning dedicated administrative accounts for admin tasks.
  This is particularly vital for patient data protection in NHS environments.
- Malware protection: Protection against malware entails deploying antivirus and anti-malware software, conducting regular scans, and ensuring these tools are updated and effective. Compliance involves:
  - Installing malware protection on every business device.
  - Enabling automatic scanning of files.
  - Keeping malware protection software up to date.
  - Restricting access to malicious websites.
  Implementing robust malware protection is paramount for maintaining NHS IT governance and safeguarding patient systems.
- Security update management: Keeping all hardware and software patched, and continuously refining security measures as regulations and business objectives change, is vital. These requirements encompass:
  - Maintaining all hardware and software with regular updates.
  - Enabling automatic updates where feasible.
  - Prompt installation of patch updates.
  - Uninstalling software that no longer receives security updates.
  Maintaining these practices is vital for ongoing healthcare cyber compliance and overall NHS digital security.
By implementing these five controls, NHS organisations can significantly reduce the risk of ransomware, phishing attacks, data exfiltration, and system compromise—ensuring a secure digital healthcare environment.
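The five controls above are written as policy statements, but each one maps to settings a defender can verify on a Windows estate. The script below is an added example (it is not code from this page or from ManageEngine) that performs a read-only audit of one domain-joined Windows host and its Active Directory domain against those controls and reports pass/fail per check. It assumes the RSAT ActiveDirectory module, the NetSecurity module and the Windows Defender cmdlets are available, and that it runs under an account with read access to AD. The thresholds it uses (90 days of inactivity, 14 days since the last patch, a 3-day signature age, at most 5 members of Domain Admins) are this example's own assumptions, chosen to illustrate the checks rather than taken from the scheme.

```powershell
# Added example, not from the page or ManageEngine: read-only audit of a
# domain-joined Windows host and its AD domain against the five Cyber
# Essentials controls. Assumed prerequisites: RSAT ActiveDirectory module,
# NetSecurity module, Windows Defender cmdlets, AD read access. Thresholds
# below are assumptions for illustration. The script changes nothing.
#Requires -Modules ActiveDirectory, NetSecurity

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Firewalls: every profile on, unsolicited inbound traffic blocked by default.
foreach ($Fw in Get-NetFirewallProfile) {
    Add-Finding 'Firewalls' "$($Fw.Name) profile enabled" ("$($Fw.Enabled)" -eq 'True') "Enabled=$($Fw.Enabled)"
    Add-Finding 'Firewalls' "$($Fw.Name) profile blocks inbound by default" ("$($Fw.DefaultInboundAction)" -ne 'Allow') "DefaultInboundAction=$($Fw.DefaultInboundAction)"
}

# 2. Secure configuration: redundant default accounts off, AutoRun disabled.
$LocalGuest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Finding 'Secure configuration' 'Local Guest account disabled' ($null -eq $LocalGuest -or -not $LocalGuest.Enabled) "Enabled=$($LocalGuest.Enabled)"
$DomainGuest = Get-ADUser -Filter "SamAccountName -eq 'Guest'" -Properties Enabled
Add-Finding 'Secure configuration' 'Domain Guest account disabled' (-not $DomainGuest.Enabled) "Enabled=$($DomainGuest.Enabled)"
# NoDriveTypeAutoRun = 255 (0xFF) disables AutoRun for all drive types.
$AutoRun = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
Add-Finding 'Secure configuration' 'AutoRun disabled for all drive types' ($AutoRun.NoDriveTypeAutoRun -eq 255) "NoDriveTypeAutoRun=$($AutoRun.NoDriveTypeAutoRun)"

# 3. User access control: no stale enabled accounts, small Domain Admins group.
$Inactive = @(Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly | Where-Object { $_.Enabled })
Add-Finding 'User access control' 'No enabled user accounts inactive for 90+ days' ($Inactive.Count -eq 0) ('Inactive: ' + (($Inactive | Select-Object -ExpandProperty SamAccountName) -join ', '))
$Admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
Add-Finding 'User access control' 'Domain Admins limited to dedicated admin accounts (<= 5 members, assumed threshold)' ($Admins.Count -le 5) ('Members: ' + (($Admins | Select-Object -ExpandProperty SamAccountName) -join ', '))

# 4. Malware protection: Defender on, real-time scanning on, signatures current.
$Mp = Get-MpComputerStatus
Add-Finding 'Malware protection' 'Antivirus and real-time protection enabled' ([bool]$Mp.AntivirusEnabled -and [bool]$Mp.RealTimeProtectionEnabled) "AV=$($Mp.AntivirusEnabled) RealTime=$($Mp.RealTimeProtectionEnabled)"
Add-Finding 'Malware protection' 'Signatures no older than 3 days' ($Mp.AntivirusSignatureAge -le 3) "SignatureAge=$($Mp.AntivirusSignatureAge) days"

# 5. Security update management: recent patch installed, Windows Update not disabled.
$LastPatch = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$DaysSince = if ($LastPatch) { (New-TimeSpan -Start $LastPatch.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Finding 'Security update management' 'An update installed within the last 14 days' ($DaysSince -le 14) "Last: $($LastPatch.HotFixID) on $($LastPatch.InstalledOn)"
$Wu = Get-Service -Name wuauserv
Add-Finding 'Security update management' 'Windows Update service not disabled' ("$($Wu.StartType)" -ne 'Disabled') "StartType=$($Wu.StartType)"

# Report: one row per check, then a non-zero exit code if anything failed so a
# scheduled task or CI job can flag configuration drift.
$Findings | Format-Table Control, Check, Pass, Detail -AutoSize -Wrap
$Failed = @($Findings | Where-Object { -not $_.Pass }).Count
Write-Host "$Failed of $($Findings.Count) checks failed"
exit $Failed
```

Run it from an elevated PowerShell session on a domain-joined machine. The MFA requirement under user access control is deliberately absent from the script because it is enforced by the identity provider, not by a local setting; that item still needs evidence from the IdP's configuration. The AD queries give the reviewer a list of accounts to act on rather than just a verdict, which is the form of evidence an assessor asks for.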
Is Cyber Essentials mandatory for NHS providers?
While not yet a legal requirement across the NHS, the Cyber Essentials compliance framework is increasingly becoming a practical necessity—particularly for suppliers and digital health partners.
Scenarios where certification is required include:
- NHS procurement: Most tenders now require Cyber Essentials or Cyber Essentials Plus, especially where sensitive data is involved.
- Third-party risk management: NHS Digital recommends Cyber Essentials to assess and secure the digital supply chain.
- DSPT alignment: For care providers completing the DSPT, Cyber Essentials Plus supports the required technical evidence for access control, malware prevention, and system configuration.
Organisations and vendors that handle patient data or integrate with NHS systems should regard Cyber Essentials as a mandatory safeguard rather than a choice.
Benefits of Cyber Essentials compliance framework for NHS trusts
Achieving Cyber Essentials certification provides far more than technical safeguards: it delivers measurable business value. From procurement eligibility to supply chain confidence, NHS organisations and partners benefit in the following ways:
Protection against most common internet threats
Cyber Essentials certification helps NHS organisations defend against the majority of common online threats, including ransomware and phishing. Research shows that organisations with Cyber Essentials controls are 92% less likely to make a cyber insurance claim, highlighting its effectiveness in reducing vulnerability to attacks.
Demonstrate commitment to cyber security
Achieving Cyber Essentials publicly demonstrates that your NHS trust or healthcare organisation takes cyber security seriously. Certification builds trust with patients, partners, and regulators by showing a clear commitment to protecting sensitive data and maintaining high standards of cyber hygiene.
Enables bidding for NHS contracts
Many NHS tenders and government contracts now require Cyber Essentials certification as a minimum standard. Certification enables your organisation to bid for these contracts, expanding business opportunities and ensuring compliance with NHS procurement requirements.
Insurance incentives
Insurers recognise the lower risk profile of Cyber Essentials-certified organisations. Many offer reduced premiums, and some provide automatic cyber insurance for eligible organisations. This not only saves costs but also signals to insurers that your organisation is proactive about risk management.
Increasing the UK’s cyber resilience
Widespread adoption of Cyber Essentials strengthens the entire UK healthcare sector’s resilience to cyberthreats. By implementing the scheme’s technical controls, NHS trusts and suppliers help raise the national standard and contribute to a more secure digital health ecosystem.
Compliance and data protection
Cyber Essentials supports NHS compliance with regulations like the Data Protection Act 2018 and directly aids in meeting the requirements of the DSPT. By ensuring robust controls are in place to protect personal and patient data from unauthorised access and cyberthreats, it helps NHS organisations meet both legal and NHS-specific data protection requirements.
Education and awareness
The process of achieving Cyber Essentials certification educates staff and management about cyber security best practices. This increases awareness, embeds a culture of security, and equips teams to better recognise and prevent cyberthreats in their daily work.
Supply chain security
Cyber Essentials is increasingly used as a benchmark for supply chain security. Certification gives NHS organisations confidence in the cyber security of their suppliers and partners, reducing the risk of third-party breaches and protecting sensitive healthcare data throughout the supply chain.
Continuous improvement
Cyber Essentials is an annually renewable certification, encouraging NHS trusts and providers to regularly review and update their cyber security measures. This continuous improvement helps organisations stay ahead of emerging threats and maintain compliance over time.
How ManageEngine AD360 supports Cyber Essentials compliance framework
| Cyber Essentials requirements | How ManageEngine AD360 helps deliver these requirements |
|---|---|
| Requirement 2. Secure Configuration. Cyber Essentials recommends: | AD360 can: |
| Requirement 4. User Access Control. Cyber Essentials recommends: | AD360 can: |
| Further guidance, which includes recommendations such as: | AD360 can: |
Final thoughts: Cyber Essentials as the NHS baseline for cyber maturity
The Cyber Essentials compliance framework is not merely a certification; it's a foundational, indispensable step towards building a more secure, resilient, and compliant NHS. With the escalating threat of cyberattacks targeting healthcare infrastructure and sensitive patient data, NHS organisations must adopt structured, auditable controls that safeguard both patient data and critical system access.
ManageEngine AD360 simplifies and accelerates the implementation of key Cyber Essentials technical requirements, particularly across crucial areas like secure configuration and user access control. By leveraging AD360, NHS trusts can significantly advance their journey towards a robust Zero Trust, compliance-ready architecture, thereby enhancing their overall NHS cybersecurity compliance.
FAQs
While not a universal legal obligation, Cyber Essentials certification is increasingly a practical requirement. It is frequently mandated in NHS contracts and strongly recommended under the DSPT and broader NHS cybersecurity policies.
Absolutely. AD360 directly supports key areas of DSPT compliance by providing robust features for access management, identity governance, comprehensive audit trails, and efficient user provisioning, all critical components for meeting DSPT requirements for patient data protection in the NHS.
ManageEngine AD360 supports critical Cyber Essentials requirements by securing user access, enforcing authentication controls, and automating account life cycle management. Its features align with key audit areas such as secure configuration and access control, helping NHS providers pass both the Cyber Essentials and Cyber Essentials Plus audits more efficiently.
Yes. ManageEngine AD360 fully aligns with and facilitates the adoption of Zero Trust principles as recommended by both NHS Digital and NCSC. It enables core Zero Trust concepts such as least-privilege access, continuous monitoring, and strong identity-based authentication across hybrid NHS environments. When combined with rigorous Cyber Essentials controls, this creates a highly layered, modern, and resilient approach to NHS IT governance.
While AD360 addresses access and configuration controls, Log360 supports the malware protection requirement within Cyber Essentials by:
- Continuously monitoring logs for suspicious activity.
- Blocking malicious IPs and URLs using updated threat feeds.
- Sending real-time alerts for malware-related incidents.
This makes Log360 a valuable addition for NHS organisations aiming for complete Cyber Essentials compliance, especially in detecting and responding to evolving cyberthreats.