
Cyber Essentials Policies - Written to Pass Your Assessment
Cyber Essentials and Cyber Essentials Plus require documented policies as evidence of technical controls. We write them.
What policies does Cyber Essentials require?
Cyber Essentials is built around five technical control areas. Each one needs a corresponding policy document that describes how your organisation applies that control in practice. Assessors use these documents to verify that your controls are real, consistent, and understood by your staff.
Firewalls
Firewall and Network Security Policy
Documents your boundary firewall rules, default deny configuration, and how you manage changes to firewall settings.
Secure Configuration
IT Configuration and Hardening Policy
Covers how devices are set up before deployment - removing default accounts, disabling unnecessary services, and enforcing baseline security settings.
User Access Control
Access Control and User Management Policy
Sets out how user accounts are created, who approves access, how privileges are restricted, and what happens when someone leaves.
Malware Protection
Anti-Malware and Endpoint Protection Policy
Details your approach to preventing malware through endpoint protection software, application whitelisting, or sandboxing.
Patch Management
Patch Management and Software Update Policy
Defines how you identify, test, and apply software updates - including the timeframes for critical patches and how unsupported software is handled.
Additional policies commonly needed for Cyber Essentials Plus
Beyond the five core controls, Cyber Essentials Plus assessors often expect to see supporting documentation that covers day-to-day user behaviour and incident handling. These policies are especially relevant when the assessment includes on-site or remote technical verification.
- Acceptable Use Policy
- Remote Working Policy
- Bring Your Own Device (BYOD) Policy
- Password Policy
- Incident Response Policy
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials (Basic)
A self-assessed questionnaire verified by an accredited certification body. You answer questions about how each of the five controls is applied in your organisation. The assessor reviews your answers and supporting evidence - including your policies - and decides whether to certify. There is no technical testing of your systems.
Cyber Essentials Plus
An independently verified technical audit. An assessor tests your systems directly - running vulnerability scans, checking configurations, and verifying that controls work as described. Your policies are examined more closely because the assessor is comparing what you have written against what they can see on screen.
Both levels require documentation, but Plus raises the bar. A policy that vaguely refers to "regular patching" without specifying timeframes or responsibilities will not hold up under technical verification. We write policies that satisfy both levels so you do not need to rewrite anything if you decide to upgrade later.
Why accurate policies matter for certification
Assessors are not looking for long documents full of security jargon. They are looking for policies that describe controls you actually have in place. If your firewall policy references a DMZ you do not operate, or your access control policy describes a joiner-mover-leaver process that nobody follows, the assessment will fail.
Generic templates downloaded from the internet are a common cause of failure. They describe a fictional IT environment that bears no resemblance to the one your assessor will be reviewing. We write policies based on your actual setup - your firewall rules, your device management approach, your patching schedule, and your access control procedures. The result is documentation that reflects reality, which is exactly what the assessment requires.
We also make sure your policies are consistent with each other. If your patch management policy says critical patches are applied within 14 days, your configuration policy should not say something different. Assessors read across documents, and contradictions raise questions.
Who needs Cyber Essentials?
Cyber Essentials started as a government initiative, but certification is now expected across a much wider range of sectors and supply chains.
Government contractors
Cyber Essentials is mandatory for central government contracts involving the handling of certain sensitive data. Most public sector procurement frameworks now require it as a minimum.
MOD suppliers
The Ministry of Defence requires Cyber Essentials for any supplier handling MOD data or operating within the defence supply chain.
NHS suppliers
NHS Digital expects suppliers to hold Cyber Essentials certification. It is frequently listed as a pass/fail requirement in NHS procurement exercises.
Enterprise supply chains
Large private sector organisations increasingly require Cyber Essentials from their suppliers as part of vendor risk management.
Cyber insurance applicants
A growing number of UK insurers now ask for Cyber Essentials certification when underwriting cyber liability policies, or offer reduced premiums to certified businesses.
Related services
Cyber Essentials policies often sit alongside broader IT security and compliance documentation. If you need a wider set of policies, we can help with those too.
Get your Cyber Essentials policies sorted
Tell us about your setup. We'll come back with a fixed price - usually within one business day.