# UK Cyber Essentials Certification made easy with Endpoint Central

UK Cyber Essentials is a cybersecurity certification program designed to help organizations safeguard against cyber threats. It is endorsed by the National Cyber Security Centre (NCSC) of the United Kingdom Government. Built around five essential technical controls, it involves a self-assessment certification process overseen by IASME, the official certification partner.

As part of the certification process, organizations must complete a [self-assessment questionnaire](https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/), which needs to be reviewed and signed by a board member or a competent authority from the organization. Once signed, the assessment must be submitted to a [certification body](https://iasme.co.uk/cyber-essentials/find-a-certification-body/) licensed by IASME for review and certification. The certification remains valid for 12 months, requiring annual renewal to ensure ongoing compliance.

### ManageEngine: Leading by example with Cyber Essentials certification

We’re proud to share that ManageEngine is certified under [Cyber Essentials](https://registry.blockmarktech.com/certificates/df4a2fb2-58c7-428b-b622-0d1dbd68ae22/?share_key=PwjlpR4D2cDUHh3Sdo8M0rcjExwK72mQ-XIpo5xzVlM) and [Cyber Essentials Plus](https://registry.blockmarktech.com/certificates/061e91c4-e56a-4f0c-a09c-66fea8d9c587/?share_key=kMr-rs_DyO5lC0s7L7ldCEi-8F3G4jYAUViD4SoAUm0). These certifications reflect our commitment to upholding the same cybersecurity standards we advocate, demonstrating our dedication to robust security practices and leading by example.

### Benefits of UK Cyber Essentials certification

According to IASME, the key benefits of obtaining Cyber Essentials certification include:

- Demonstrate Cybersecurity Commitment: Prove to customers, partners, and stakeholders that cybersecurity is a top priority in your organization.
- Stay Ahead of Cyber Risks: Regular assessments ensure your systems align with a recognized cybersecurity framework, helping you proactively address new and emerging threats.

### Three reasons why Endpoint Central is poised to help you achieve UK Cyber Essentials certification

### Secure configurations – Assured protection

Endpoint Central empowers your organization to uphold strong cyber hygiene through robust security measures. From data encryption to preventing unauthorized privilege escalation, blocking data leaks, and managing USB access, Endpoint Central ensures your systems remain secure, compliant, and resilient against evolving cyber threats.

### Seamless updates across all devices

Stay ahead of vulnerabilities with Endpoint Central's comprehensive patch management. It supports updates for Windows, Mac, and Linux devices, along with over 1,000 third-party applications. Beyond traditional endpoints, it streamlines mobile device updates—covering Apple, Android, and both store and in-house applications—ensuring every device stays secure and up-to-date.

### Total IT visibility with Endpoint Central

Gain complete visibility into your IT infrastructure with Endpoint Central's advanced asset management tools. Proactively monitor, manage, and secure your assets while leveraging powerful anti-malware capabilities. With features like one-click data restoration and endpoint quarantine, Endpoint Central minimizes business disruptions, keeping your operations seamless and resilient.

### Two levels of Cyber Essentials certification

Organizations can choose the level that best aligns with their cybersecurity needs and assurance requirements.

1. **Cyber Essentials:** A basic level certification based on self-assessment and verification of the five key technical controls.
2. **Cyber Essentials Plus:** Includes a hands-on technical audit of your IT systems to verify the proper implementation of the required controls.
The latest version of Cyber Essentials: Requirements for IT Infrastructure (v3.1) emphasizes the **importance of asset management** in effectively implementing the five key technical controls, even though it is **not officially listed as one of them**. Drawing from NCSC's guidance on asset management, we’ve outlined how Endpoint Central is uniquely equipped to support your organization in achieving efficient and comprehensive asset management. Click [here](https://www.manageengine.com/products/desktop-central/ncsc-asset-management-guidance.html) to learn more.

Similarly, the latest version of Cyber Essentials: Requirements for IT Infrastructure (v3.1) includes Bring Your Own Device (BYOD) within its scope. This means organizations seeking UK Cyber Essentials certification **must ensure that BYOD devices are effectively managed and secured** in alignment with the framework's requirements. Referencing NCSC's guidance on BYOD management, Endpoint Central is well-equipped to help your organization establish robust controls for BYOD security and compliance. Click [here](https://www.manageengine.com/products/desktop-central/ncsc-byod-guidance.html) to learn more.

The sections below provide a detailed overview of how Endpoint Central is strategically positioned to help your organization effectively implement and excel in each of the five key technical controls. For each control, the description is given as mentioned in [Cyber Essentials: Requirements for IT Infrastructure v3.1](https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-April-2023.pdf), followed by how Endpoint Central helps.

#### Firewall

**Requirements**

You must protect every device in scope with a correctly configured firewall (or network device with firewall functionality).

**Information:** Most desktop and laptop operating systems now come with a software firewall preinstalled; we advise that these are turned on in preference to a third-party firewall application.

For all firewalls (or network devices with firewall functionality), your organization must:

- Change default administrative passwords to a strong and unique password (see password-based authentication) – or disable remote administrative access entirely
- Prevent access to the administrative interface (used to manage firewall configuration) from the internet, unless there is a clear and documented business need, and the interface is protected by one of the following controls:
  - i) Multi-factor authentication
  - ii) An IP allow list that limits access to a small range of trusted addresses combined with a properly managed password authentication approach
- Block unauthenticated inbound connections by default
- Ensure inbound firewall rules are approved and documented by an authorized person, and include the business need in the documentation
- Remove or disable unnecessary firewall rules quickly when they are no longer needed.

Make sure you use a software firewall on devices which are used on untrusted networks, such as public wifi hotspots.

**How Endpoint Central helps**

Endpoint Central lets admins [configure Windows Firewall](https://www.manageengine.com/products/desktop-central/help/computer_configuration/configuring_windows_xp_firewall.html) for end users.

#### Secure Configuration

**Requirements**

**Computers and network devices**

Your organization must proactively manage your computers and network devices. You must regularly:

- Remove and disable unnecessary user accounts (such as guest accounts and administrative accounts that won’t be used)
- Change any default or guessable account passwords (see password-based authentication)
- Remove or disable unnecessary software (including applications, system utilities and network services)
- Disable any auto-run feature which allows file execution without user authorization (such as when they are downloaded)
- Ensure users are authenticated before allowing them access to organizational data or services
- Ensure appropriate device locking controls for users that are physically present

**Device unlocking credentials**

If a device requires a user’s physical presence to access a device’s services (such as logging on to a laptop or unlocking a mobile phone), a credential such as a biometric, password or PIN must be in place before a user can gain access to the services.

You must protect your chosen authentication method (which can be biometric authentication, password or PIN) against brute-force attacks. When it's possible to configure, you should apply one of the following:

- ‘Throttling’ the rate of attempts, so that the number of times the user must wait between attempts increases with each unsuccessful attempt. You shouldn’t allow more than 10 guesses in 5 minutes
- Locking devices after more than 10 unsuccessful attempts.
- When the vendor doesn't allow you to configure the above, use the vendor’s default setting.

Technical controls must be used to manage the quality of credentials. If credentials are just to unlock a device, use a minimum password or PIN length of at least 6 characters. When the device unlocking credentials are also used for authentication, you must apply the full password requirements to the credentials described in ‘user access controls.’

**How Endpoint Central helps**

[Revoke administrative rights from unintended users](https://www.manageengine.com/vulnerability-management/misconfiguration/user-account-management/how-to-disable-built-in-administrator-account.html) and enforce the [principle of least privilege](https://www.manageengine.com/application-control/endpoint-privilege-management.html) using Endpoint Central.

Admins can [prohibit users](https://www.manageengine.com/products/desktop-central/help/inventory/configure_prohibited_software.html) from installing unnecessary software and can create lists of software that is [allowed/blocked](https://www.manageengine.com/application-control/allowlisting-vs-blocklisting.html) in their IT environment.

Endpoint Central can also [block executables](https://www.manageengine.com/products/desktop-central/help/inventory/block_executables.html), preventing the files from being executed automatically. Endpoint Central also empowers admins to control the [child processes](https://www.manageengine.com/application-control/child-process-control.html) arising out of other applications. To ensure safe access to corporate applications, Endpoint Central [leverages enterprise SSO](https://www.manageengine.com/mobile-device-management/enterprise-single-sign-on-sso.html) using the Kerberos protocol. Endpoint Central also leverages certificate-based authentication using [SCEP](https://www.manageengine.com/mobile-device-management/help/profile_management/ios/mdm_scep.html).

Endpoint Central enables administrators to set [passcode policies](https://www.manageengine.com/mobile-device-management/mdm-passcode-policy.html) for mobile devices running on Android, Apple, and Windows.

#### Security Update Management

**Requirements**

You must make sure that all software in scope is kept up to date. All software on in-scope devices must:

- Be licensed and supported
- Be removed from devices when it becomes unsupported or removed from scope by using a defined sub-set that prevents all traffic to / from the internet
- Have automatic updates enabled where possible
- Be updated, including applying any manual configuration changes required to make the update effective, within 14 days\* of an update being released, where:
  - i) The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
  - ii) The update addresses vulnerabilities with a CVSS v3 base score of 7 or above
  - iii) There are no details of the level of vulnerabilities the update fixes provided by the vendor

**Please note:** For optimum security, we strongly recommend (but it’s not mandatory) that all released updates are applied within 14 days of release.

\*It's important that updates are applied as soon as possible. 14 days is considered a reasonable period to be able to implement this requirement.

**Information:** If the vendor uses different terms to describe the severity of vulnerabilities, see the precise definition in the Common Vulnerability Scoring System (CVSS). For the purposes of the Cyber Essentials scheme, ‘critical’ or ‘high risk’ vulnerabilities are those with a CVSS 3.0 score of 7 or above or are identified by the vendor as 'critical or high risk'.

**Caution:** Some vendors release security updates for multiple issues with differing severity levels as a single update. If such an update covers any ‘critical’ or ‘high risk’ issues then it must be installed within 14 days.

**How Endpoint Central helps**

Endpoint Central provides comprehensive vulnerability management from a single console, including built-in remediation. It offers [risk-based vulnerability management](https://www.manageengine.com/vulnerability-management/risk-based-vulnerability-management.html) to prioritize vulnerabilities based on CVSS score, CVE impact type, patch availability, and more.

Endpoint Central features a vulnerability age matrix and [vulnerability severity summary](https://www.manageengine.com/products/desktop-central/patch-management-reports.html) for insights into patch impact. It supports patch testing and approval workflows and provides patch support for Windows, Linux, macOS, Windows Server OS, and 1,000+ third-party applications, hardware drivers, and BIOS.

Endpoint Central's SLA for patches:

- Third-party updates are supported within 6–9 hours from vendor release.
- Security updates are supported within 12–18 hours from vendor release.
- Non-security updates are supported within 24 hours from vendor release.

#### User Access Control

**Requirements**

Your organisation must be in control of your user accounts and the access privileges that allow access to your organisational data and services. This includes third-party accounts.

Your organization must:

- Have in place a process to create and approve user accounts
- Authenticate users with unique credentials before granting access to applications or devices (see password-based authentication)
- Remove or disable user accounts when they’re no longer required
- Implement MFA, where available – authentication to cloud services must always use MFA
- Use separate accounts to perform administrative activities only
- Remove or disable special access privileges when no longer required

**Password-based authentication**

Passwords must be protected against brute-force guessing by implementing at least one of:

- Multi-factor authentication
- ‘Throttling’ the rate of attempts (no more than 10 guesses in 5 minutes)
- Locking accounts after no more than 10 unsuccessful attempts

Use technical controls to manage the quality of passwords, including:

- Multi-factor authentication
- Minimum password length of at least 12 characters, with no maximum length restrictions
- Minimum password length of at least 8 characters, with automatic blocking of common passwords using a deny list

Support users to choose unique passwords by educating them, encouraging longer passwords (three random words), providing secure storage, not enforcing regular expiry, and not enforcing complexity requirements.

**Multi-factor authentication (MFA)**

MFA should always be used for administrative accounts and internet-accessible accounts. Additional factors may include:

- A managed/enterprise device
- An app on a trusted device
- A physically separate token
- A known or trusted account

**How Endpoint Central helps**

[Revoke administrative rights from unintended users](https://www.manageengine.com/vulnerability-management/misconfiguration/user-account-management/how-to-disable-built-in-administrator-account.html) and enforce the principle of least privilege using Endpoint Central.

Endpoint Central enables administrators to set [passcode policies](https://www.manageengine.com/mobile-device-management/mdm-passcode-policy.html) for mobile devices.

Zoho offers [Zoho OneAuth](https://www.zoho.com/accounts/oneauth/) for multi-factor authentication requirements.

Zoho also offers [Zoho Vault](https://www.zoho.com/vault/) – an enterprise password manager.

#### Malware Protection

**Requirements**

You must make sure that a malware protection mechanism is active on all devices in scope.

**Anti-malware software (for Windows or macOS devices including servers, desktops, laptops)**

It must be configured to:

- Be updated in line with vendor recommendations
- Prevent malware from running
- Prevent the execution of malicious code
- Prevent connections to malicious websites over the internet

**Application allow listing (option for all in scope devices)**

- Actively approve applications before deploying them to devices
- Maintain a current list of approved applications; users must not install unsigned or invalidly signed applications

**How Endpoint Central helps**

Endpoint Central has a built-in [next-gen antivirus engine](https://www.manageengine.com/products/desktop-central/nextgen-antivirus.html) (currently available as early access) that proactively detects cyber threats like malware with AI-assisted, real-time behavior detection and deep learning technology.

It performs incident forensics to analyze the root cause and severity of threats and can quarantine endpoints when suspicious behavior is detected.

Endpoint Central also provides [instant, non-erasable backup of the files](https://www.manageengine.com/products/desktop-central/anti-ransomware.html) in your network every three hours using Microsoft’s Volume Shadow Copy Service. Its Application Control module allows admins to [allowlist/blocklist](https://www.manageengine.com/application-control/allowlisting-vs-blocklisting.html) software applications.

**Recommended reads/links:**

1. [ISO compliance made easy with Endpoint Central](https://www.manageengine.com/products/desktop-central/iso-27001-compliance.html)
2. [Meeting PCI DSS requirements is no longer a challenge for financial institutions.](https://www.manageengine.com/products/desktop-central/pci-dss-compliance.html)

### Compliance in action: Real success stories with Endpoint Central

https://www.youtube-nocookie.com/embed/MwleKB3OTYA?si=p6bYgUUiDK_t2WDj
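The 14-day rule quoted in the Security Update Management requirements above, applied to a patch inventory: this is an added example, not part of the original page and not Endpoint Central code. The `Update` record, the sample inventory and dates, and the set of vendor terms treated as critical/high are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

DEADLINE = timedelta(days=14)  # "within 14 days of an update being released"
# Assumption: vendor wording normalised to these terms before comparison.
HIGH_VENDOR_TERMS = {"critical", "high", "high risk"}

@dataclass
class Update:  # hypothetical inventory record, one per released update
    name: str
    released: date
    vendor_severities: list[str] = field(default_factory=list)  # one per bundled fix
    cvss_scores: list[float] = field(default_factory=list)      # CVSS v3 base scores
    installed: date | None = None

def in_14_day_scope(u: Update) -> str | None:
    """Return why the update falls under the mandatory 14-day rule, else None."""
    # Bundled updates: a single critical/high fix puts the whole update in scope.
    if any(s.strip().lower() in HIGH_VENDOR_TERMS for s in u.vendor_severities):
        return "vendor rates a fix critical/high risk"
    if any(score >= 7.0 for score in u.cvss_scores):
        return "CVSS v3 base score of 7 or above"
    # No severity information at all is treated as in scope, not as low risk.
    if not u.vendor_severities and not u.cvss_scores:
        return "vendor gives no severity details"
    return None

def assess(u: Update, today: date) -> str:
    if in_14_day_scope(u) is None:
        return "recommended"  # 14 days advised but not mandatory
    due = u.released + DEADLINE
    if u.installed is not None:
        return "compliant" if u.installed <= due else "installed late"
    return "pending" if today <= due else "overdue"

def report(inventory: list[Update], today: date) -> dict[str, str]:
    return {u.name: assess(u, today) for u in inventory}

# Constructed sample data.
TODAY = date(2024, 3, 20)
INVENTORY = [
    Update("browser-bundle", date(2024, 3, 1), ["low", "critical"], [3.1, 9.8]),
    Update("pdf-reader", date(2024, 3, 10), [], [7.0]),
    Update("vpn-client", date(2024, 2, 1), installed=date(2024, 2, 20)),
    Update("text-editor", date(2024, 2, 1), ["moderate"], [5.4]),
    Update("os-cumulative", date(2024, 3, 1), ["high risk"], [8.1],
           installed=date(2024, 3, 12)),
]

if __name__ == "__main__":
    for name, status in report(INVENTORY, TODAY).items():
        print(f"{name:15} {status}")
```

The "installed late" and "overdue" results are the ones to resolve before a self-assessment or a Cyber Essentials Plus audit.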