About Cyber Essentials

While the sophistication of cyberattacks can vary, most are basic and predictable, and exploit the most common and preventable vulnerabilities. By adopting the right security practices, an organisation can keep its information defensible and out of intruders' hands.

The Cyber Essentials scheme is designed to help organisations mitigate common cyberattacks by implementing five key security controls. The scheme defines five technical controls that must be in place: firewalls, secure configuration, security update management, user access control, and malware protection. Together they guard cyber health and strengthen an organisation's overall cyber security posture.

ManageEngine's guide to complying with Cyber Essentials

Why does your organisation need a Cyber Essentials certification?

  • To build customers' confidence by ensuring essential cybersecurity measures are in place.
  • To gain better visibility into your organisation's overall cybersecurity posture.
  • To strengthen credibility and improve eligibility for securing government and public sector contracts.
  • To simplify compliance alignment with other security standards, like the ISO 27001 certification.

The five technical controls of Cyber Essentials:

To establish baseline security standards, organisations are required to comply with five basic security controls defined by the scheme:

Firewalls

Use firewalls to help protect systems, networks, and devices against unauthorised access and incoming threats.

Secure configuration

Configure systems and devices appropriately by prioritising security settings and reducing unnecessary threat exposures.

Security update management

Deploy security updates promptly to protect systems and applications against cybersecurity vulnerabilities.

User access control

Ensure employees are granted access solely to the devices, systems, and information required to perform their roles.

Malware protection

Implement measures such as application allowlisting and access restriction to unsafe websites to reduce the risk of malware attacks.

How to get your organisation Cyber Essentials certified

Organisations can get Cyber Essentials certification at two levels. The first level involves the applicant organisation running a verified self-assessment (VSA) of the questionnaire defined by the scheme. Upon further verification by an independent assessor, the certification will be awarded if the required criteria are met.

The second level is the Cyber Essentials Plus (CE+) certification, where an on-site or remote technical audit is conducted by an authorised body to provide a higher level of assurance. The pricing level for either of these assessments may vary depending upon factors like the size of the organisation, assessment scope, the time required for completion, and complexity.

What's new in the Cyber Essentials scheme?

Meet the Cyber Essentials security controls with ManageEngine

ManageEngine is Cyber Essentials Plus certified; the scope includes ManageEngine's UK and EU data centers, all cloud service offerings, their corresponding administrative networks, and excludes all other networks of ManageEngine.

Our suite of IT management solutions can help your organisation meet the Cyber Essentials security control requirements.

Download ManageEngine's Cyber Essentials guide to get:

  • A detailed overview of the Cyber Essentials scheme, its certification levels, and the benefits of becoming certified.
  • Practical guidance on how to adopt the right processes and technologies to become successfully certified.
  • An in-depth look into how ManageEngine's cybersecurity solutions can help you address the five security controls essential for Cyber Essentials certification.

Disclaimer:

The complete implementation of the Cyber Essentials scheme requires a variety of solutions, processes, people, and technologies. The solutions mentioned in our guide are some of the ways in which IT management tools can help with the Cyber Essentials requirements. Coupled with other appropriate solutions, processes, and people, ManageEngine’s solutions help implement the Cyber Essentials. This material is provided for informational purposes only and should not be considered as legal advice for the Cyber Essentials implementation. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.

Cyber Essentials 2026 updates

The changes to the Cyber Essentials scheme for the year 2026 are as follows:

  • MFA is now formally defined and mandatory. The marking criteria from A7.14 to A7.17 state that any cloud service that offers MFA, whether free, included, integrated through another service, or available at an additional cost, must have MFA enabled. Failing to implement this will result in an automatic assessment failure.
  • Cloud services are now formally defined. Any organisational data or services hosted on cloud platforms must be explicitly declared and cannot be excluded from the assessment scope.
  • Backup, while not a technical requirement, is repositioned to emphasise its importance and the need for organisations to implement appropriate backup solutions.
  • Passkeys are now recommended by the NCSC as a secure and effective authentication method. The accepted authentication methods have been reordered to improve focus and clarity on passwordless authentication and MFA.
  • The definition of passwordless authentication is updated to include FIDO2 authenticators as examples of acceptable authentication factors.
  • Two new questions, A6.4 and A6.5, are added for timely security updates and vulnerability fixes (within 14 days of release), with auto-fail remarks. Non-compliance will result in automatic certification failure.
  • The Willow question set is replaced by the Danzell question set with revised marking criteria, updated assessment questions, tighter scoping requirements, and more structured enforcement.
  • These changes apply to all assessments taking place after 26 April 2026. Organisations with an active assessment account created before this date will have six months to attain Cyber Essentials certification using the previous requirements. Cyber Essentials Plus must be completed within three months of the Cyber Essentials basic certification, which may extend the CE+ completion window into January 2027.