About Cyber Essentials

While the sophistication of cyberattacks varies, most are basic and predictable. With the right security practices in place, an organisation can defend its information and keep it out of intruders' hands.

The Cyber Essentials scheme is designed to mitigate common cyberattacks by promoting the implementation of five security controls. The scheme requires five technical controls to be in place: firewalls, secure configuration, security update management, user access control, and malware protection.

ManageEngine's guide to complying with Cyber Essentials

Why does your organisation need a Cyber Essentials certification?

  • To gain customers' confidence by ensuring cybersecurity measures are in place
  • To gain insights on your organisation's overall cybersecurity posture
  • To help build credibility and secure government contracts
  • To simplify compliance with other security standards, like the ISO 27000 certification

The five technical controls of Cyber Essentials:

To establish baseline security standards, organisations are required to comply with five basic security controls suggested by the scheme:

Firewalls

Use a firewall to ensure that all your systems, networks, and devices are protected against incoming threats.

Secure configuration

Prioritize security settings for all your systems and devices over ease of use.

Security update management

Deploy security updates periodically to protect your systems and applications against cybersecurity vulnerabilities.

User access control

Ensure employees are granted access solely to devices and information they need to fulfil their roles.

Malware protection

Enforce measures like application allowlisting and restrict access to unsecure websites to avoid malware attacks.

How to get your organisation Cyber Essentials certified

Organisations can get Cyber Essentials certified at two levels. Level 1 involves the applicant organisation completing the self-assessment questionnaire set by the scheme. The certification is awarded after further verification by an independent assessor.

The next level is the Cyber Essentials Plus certification, in which an authorised body conducts an on-site or remote technical audit to provide a higher level of assurance. The price of either assessment varies with factors like the size of the organisation, the time consumed, and complexity.

What's new in the Cyber Essentials scheme?

Meet the Cyber Essentials security controls with ManageEngine

ManageEngine is Cyber Essentials Plus certified; the scope includes ManageEngine's UK and EU data centers as well as all cloud service offerings and their corresponding administrative networks, and excludes all other networks of ManageEngine.

Our suite of IT management solutions can help your organisation meet the Cyber Essentials security control requirements.

Download ManageEngine's Cyber Essentials guide to get:

  • A detailed overview of the Cyber Essentials scheme, its different levels, and the benefits of getting certified.
  • Tips on how to employ the right process and technology to become successfully certified.
  • An in-depth look into how ManageEngine's cybersecurity solutions can help you attain the five security controls vital for becoming certified.

Disclaimer:

The complete implementation of the Cyber Essentials scheme requires a variety of solutions, processes, people, and technologies. The solutions mentioned in our guide are some of the ways in which IT management tools can help with the Cyber Essentials requirements. Coupled with other appropriate solutions, processes, and people, ManageEngine’s solutions help implement the Cyber Essentials. This material is provided for informational purposes only and should not be considered as legal advice for the Cyber Essentials implementation. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.

The changes to the Cyber Essentials scheme for the year 2025 are as follows:

  • The term plugins has been updated to extensions. The definition of software has been updated to include extensions instead of plugins, aligning with modern terminology used in browsers and applications.
  • The assessment scope now explicitly includes remote working alongside home working. In addition to home working, any BYOD home and remote devices, routers, and corporate VPN connections used outside of office environments are also in scope.
  • Starting from 28 April 2025, the "Willow" question set will replace "Montpellier." All applications filed on or after 28 April 2025 will follow the "Willow" framework.
  • A definition of vulnerability fix has been newly added; it covers patches, updates, registry fixes, configuration changes, scripts, or any other vendor-approved mechanism to address known vulnerabilities. This was previously limited to, or referred to as, "software updates known as patches or security updates."
  • Passwordless authentication is a newly added definition that includes, but is not limited to, biometric data, physical devices such as security keys or tokens, one-time codes, QR codes, and push notifications.
  • Apart from password-based and MFA requirements, guidance is provided on passwordless authentication methods under the user access control.
  • Security updates, whether applied automatically, manually, or via third-party tools, are implemented on time. Updates must comply with the new definition of a vulnerability fix.
  • Organisations seeking certification on or after 28 April 2025 should follow the document's latest version (v3.2). Applications initiated before 28 April 2025 will continue to be governed by the version (v3.1) effective from April 2023.