What is Cyber Essentials

The Cyber Essentials Scheme was created by the UK Government and industry working together to design a basic set of requirements that all businesses could apply with limited experience of cybersecurity. Those businesses that apply these requirements would then be able to publicly demonstrate their commitment to cybersecurity via the Cyber Essentials Badge.

The process is designed to be easy/low cost and provide a respected minimum standard in Cyber Security.

The Scheme is designed to address the most common internet-based threats to your business's cybersecurity, particularly attacks that use tools requiring little skill from the attacker; these tools are widely available and increasingly used. These threats are as follows:

  • Hacking, using known vulnerabilities in Internet-connected devices, using tools and techniques found on the internet
  • Phishing, ways of tricking users into installing or executing a malicious application, such as email attachments
  • Password guessing, manual (typed in) or automated (using tools found online) attempts to log on from the Internet to your systems, by guessing passwords

The devices in scope of the scheme are (get in contact if you are not sure):

  • Desktop/Laptop PCs (including MS Surface)
  • Tablets and smartphones
  • All types of server and network equipment

The scheme has been proven to be effective, and provides:

  • Your customers with reassurance that your business is working to secure their data
  • Trust with suppliers
  • Tendering advantage where it is required for contracts and thus competitive advantage
  • A good starting point for Data Protection (GDPR) security

Cyber Essentials Basic — Self Assessment

Cyber Essentials Basic is a multiple-choice self-assessment questionnaire covering the 5 core elements of the Cyber Essentials Scheme that all organisations should adhere to:

  1. Firewalls and routers, Using a firewall to secure your Internet connection
  2. Secure Configuration, Choosing the most secure settings for your devices and software
  3. Access Control, Control who has access to your business data and services
  4. Malware Protection, Protect from viruses and other malware
  5. Software updates, Keeping devices and software up to date

You must ensure that your business meets all the requirements. The first thing you should do is determine what is in scope, then review all 5 requirements for those systems. CyberAggress can provide guidance on which devices are in scope and how you can meet the requirements. We do not offer IT support, but we are happy to work alongside your own.

Cyber Essentials Plus

Cyber Essentials Plus (CEP) is the part of the scheme that tests that your systems are compliant with the requirements and that those controls are effective. It requires that your business has already obtained certification at the basic level within the last 3 months. Unlike typical vulnerability testing, the Cyber Essentials Plus audit tests the defence mechanisms used by the business rather than just looking for vulnerabilities to exploit.

The cost of the audit depends on the number of devices, the number of locations, and the complexity of the networks in scope. Get in contact by email for a quote.


Cyber Essentials Plus works alongside ISO 27001 proving the information security management controls are working.


* Further information available on request.
** Access to the portal is limited to 6 months once your account has been created.

I want Cyber Essentials


  1. Cyber Essentials Plus — Pre-Assessment — gap analysis prior to audit From £500+VAT
  2. Add-on: IASME Governance with GDPR Readiness certification, which shows a good standard of Information Governance and covers the core areas of GDPR +£150+VAT
  3. Full IASME Governance Standard audited assessment POA

What’s in it for me?

  • Reduce risk to your organisation from internet based threats.
  • Show due care and active risk management ready for GDPR (General Data Protection Regulation).
  • Avoid or reduce the impact of a breach, reduce the cost to recover, reduce the fine the ICO could hit you with.
  • Established minimum standard.
  • Competitive advantage, win contracts over those that don’t have it.
  • If you deal with Government/local authority contracts, it is now mandatory for many.
  • Reduce your risk, save money on your insurance premium.
  • Free Cyber insurance for one year**.
  • Best practice with many official bodies (Accountants, Lawyers, Estate-agents…).
  • According to the Cyber Security Breaches Survey 2017, 46% of all UK businesses have identified at least 1 security breach in the last 12 months (2016-2017) (https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2017).
  • Only half of all firms (52%) have enacted ‘basic’ technical controls across the five areas laid out under the Government-endorsed Cyber Essentials Scheme. This means that 48% of businesses still do not have the basic protection in place or have not formalised their approaches to cybersecurity.
  • Crypto-ransom is a multibillion dollar industry; Cyber Essentials reduces your business's risk of being a victim.
  • 72% of cases where firms identified a breach or attack are related to staff receiving fraudulent emails (phishing).
  • 33% of cases are related to viruses, spyware and malware (hacking).
  • 27% of cases are related to people impersonating the organisation in emails or online (hacking/phishing).
  • 17% of cases are related to ransomware (hacking/phishing).
  • Cyber Essentials will directly mitigate 80% of commodity hacking or phishing attempts.
  • Gaining certification and actively practising good cybersecurity housekeeping can significantly reduce the risk of most common cyberattacks, and shows a level of risk management as required by GDPR/Data Protection Law.
  • Cyber Essentials is mandatory for Central Government Contracts; some require Cyber Essentials Plus as a minimum in addition to ISO 27001.
  • Cyber Essentials is used and backed by the UK and Scottish Government.

How Do I get it?

  1. Call 01292 811 811 or email us at cyberessentials@aggress.co.uk
  2. We will discuss your needs and timelines
  3. From here you will either:
    1. Complete the online submission through our portal and get certified on meeting the requirements
    2. Or, for basic, have a remote walk/talk through with our certified assessor over a total of 2 to 4 hours of support (depending on your location, the assessor may visit), who will help you determine where you are and where you need to be to meet the Cyber Essentials requirements. When you and the assessor are happy, you can formally submit through our portal.
    3. Where Cyber Essentials Plus is required, a scoping exercise will ensure good coverage and efficient testing, expediting the process.

*all prices are plus VAT
**details of the insurance policy available on request

Background to Cyber Essentials

The Cyber Essentials Scheme was set up by the UK government in 2014 and is now a worldwide recognised baseline standard for IT security. At its core it covers 5 areas of IT and IT security controls. The scheme focuses on preventing attacks originating from the internet aimed at businesses' IT infrastructure. These attacks span from the network boundary (connection to your broadband) to the end device (PC/Laptop/Server/Smartphone etc).

Cyber Essentials offers a sound foundation of basic hygiene measures that all types of business can implement and potentially build upon. Implementing these measures can significantly reduce your business’s vulnerability. However, it does not offer a silver bullet to remove all cybersecurity risk; for example, it is not designed to address more advanced, targeted attacks and hence businesses facing these threats will need to implement additional measures as part of their security strategy.

What Cyber Essentials does do is define a focused set of controls which will provide cost-effective, basic cybersecurity for all sizes of business. With Cyber Essentials you get a choice over the level of assurance you wish to gain (basic/plus) and the cost of doing so.

It is important to recognise that certification only provides a snapshot of the cybersecurity practices of the business at the time of assessment. Maintaining a robust cybersecurity stance requires additional measures such as a sound risk management approach, as well as ongoing updates to the Cyber Essentials control themes, such as patching.

It offers the right balance between providing additional assurance of a business’s commitment to implementing cybersecurity to third parties, while retaining a simple and low cost mechanism for doing so.