
Written by Joanne Hughes, Policy & Compliance Specialist at Policy Pros
Last reviewed:
IASME Cyber Essentials Checklist Policies and Procedures
Cyber Essentials is the UK Government's flagship cyber security certification scheme, backed by the National Cyber Security Centre (NCSC). It is designed to help organisations of all sizes protect themselves against the most common cyber threats and demonstrate a baseline level of cyber security to customers, partners, and regulators. Since June 2014, Cyber Essentials certification has been mandatory for suppliers bidding for UK Government contracts involving the handling of sensitive and personal information, or the provision of certain technical products and services — specifically contracts valued at over £25,000. Understanding the scheme, its technical controls, and the supporting policies you need is essential for any UK business that wants to win public sector work or simply strengthen its security posture.
What Is the Cyber Essentials Scheme?
Cyber Essentials was developed in partnership between the UK Government and industry to establish a clear, achievable standard of cyber hygiene for organisations. The scheme is overseen by the NCSC and administered by IASME Consortium, which has been the sole accreditation body for Cyber Essentials since 2020 (having been selected by the NCSC from an original group of five accreditation bodies). IASME was originally established to develop information assurance standards for SMEs, and its expertise in supply chain security has shaped the Cyber Essentials programme from its inception.
The scheme addresses the five most common categories of cyber attack and provides a framework of technical controls that, when properly implemented, can prevent the vast majority of commodity-level cyber threats. The NCSC estimates that Cyber Essentials can help protect against around 80% of common cyber attacks.
The Five Technical Controls in Detail
The Cyber Essentials scheme is built around five core technical control areas. Understanding each control in detail is critical to passing certification and, more importantly, to genuinely securing your organisation.
1. Firewalls and Internet Gateways
Every device that connects to the internet must be protected by a correctly configured firewall. Firewalls act as the boundary between your internal network and external, untrusted networks (including the internet). The requirements include:
- All devices accessing the internet must be protected by a boundary firewall or a software firewall on the device itself
- Default administrative passwords on firewalls and routers must be changed to strong, unique passwords
- Firewall rules must block all inbound connections by default, allowing only those that are explicitly required for business purposes
- Remote administrative interfaces must not be accessible from the internet unless there is a clear business need and appropriate controls (such as MFA) are in place
- Firewall rules should be reviewed regularly and any that are no longer needed should be removed
2. Secure Configuration
Computers, servers, and devices often come with default settings that prioritise ease of use over security. Secure configuration involves hardening systems to reduce the attack surface. Requirements include:
- Removing or disabling unnecessary software, services, and user accounts
- Changing all default passwords to strong, unique alternatives
- Disabling auto-run and auto-play features on all devices
- Ensuring that each user account is authenticated with a unique username and password
- Implementing account lockout or throttling mechanisms to protect against brute-force password attacks
3. User Access Control
User accounts — particularly those with administrative privileges — are high-value targets for attackers. Effective access control limits the damage that can be done if an account is compromised. Requirements include:
- Granting user accounts only the minimum access rights needed for the user's role (principle of least privilege)
- Controlling and limiting the number of administrator accounts, and ensuring they are only used for administrative tasks (not day-to-day activities such as browsing the web or reading email)
- Having a documented process for creating, approving, and removing user accounts when staff join, change roles, or leave
- Requiring multi-factor authentication (MFA) for all cloud service accounts and for administrator access
- Using strong passwords — at least 8 characters for accounts protected by MFA, or at least 12 characters where MFA is not in use
4. Malware Protection
Malware — including viruses, ransomware, spyware, and trojans — is one of the most prevalent cyber threats. Organisations must implement at least one of the following approaches to protect against malware:
- Anti-malware software that is installed on all in-scope devices, set to update automatically, configured to scan files on access (including downloads and email attachments), and set to prevent connections to malicious websites
- Application whitelisting (allow-listing), which restricts devices to running only approved software
- Sandboxing, where applications run in isolated environments to prevent malware from affecting the wider system
For most organisations, anti-malware software is the most practical approach. Where devices run operating systems that do not support traditional anti-malware software (such as iOS or ChromeOS), the built-in platform security controls are generally considered sufficient, provided the device is kept up to date.
5. Patch Management (Security Update Management)
Unpatched software is one of the easiest routes for an attacker to compromise a system. Patch management ensures that known vulnerabilities are fixed promptly. Requirements include:
- All software (including operating systems, applications, firmware, and drivers) must be licensed and supported by the vendor — unsupported software must be removed from scope
- High-risk or critical security patches must be applied within 14 days of release
- Automatic updates should be enabled wherever possible
- Organisations must maintain an awareness of the software and firmware versions running across their estate to identify when updates are available
IASME Governance vs Cyber Essentials vs Cyber Essentials Plus
Understanding the differences between these certifications is important for choosing the right level of assurance for your organisation.
Cyber Essentials (Standard)
Cyber Essentials is a self-assessment certification. Organisations complete an online questionnaire (approximately 160 questions) covering the five technical control areas. The completed questionnaire is submitted to an IASME-accredited certification body, which reviews the responses and either awards certification, requests further information, or identifies areas requiring corrective action. The self-assessment approach makes Cyber Essentials accessible and affordable for organisations of all sizes.
Current costs for Cyber Essentials (standard) are:
- Micro organisations (0-9 employees): £300 + VAT
- Small organisations (10-49 employees): £400 + VAT
- Medium organisations (50-249 employees): £450 + VAT
- Large organisations (250+ employees): £500 + VAT
Cyber Essentials Plus
Cyber Essentials Plus builds on the standard certification by adding an independent, hands-on technical audit of your organisation's security controls. A qualified assessor will visit your premises (or conduct a remote audit) and perform tests including vulnerability scanning, checks on device configuration, verification of patch levels, tests of malware defences, and review of access control settings. You must hold a valid Cyber Essentials (standard) certificate before applying for Plus.
Cyber Essentials Plus typically costs from around £1,400 + VAT upwards, depending on the size and complexity of your organisation and the certification body you choose.
IASME Governance (Cyber Assurance)
IASME Governance (now branded as IASME Cyber Assurance) is a broader information security standard developed by IASME Consortium. It includes the Cyber Essentials technical controls but goes further, covering areas such as risk management, business continuity, incident response, data protection (including alignment with UK GDPR Article 32 on security of processing), staff awareness training, and supply chain security. IASME Governance is particularly suitable for organisations that want a more comprehensive assurance framework without the cost and complexity of ISO 27001 certification.
Cyber Essentials and UK Government Contracts
Since 2014, UK Government procurement policy has required that suppliers hold Cyber Essentials certification for contracts that involve handling sensitive or personal information, or providing certain technical products and services. This requirement applies to contracts valued at over £25,000. Many local authorities, NHS trusts, and public bodies have adopted similar requirements. Increasingly, private sector organisations — particularly those in financial services, legal, and healthcare — are also requiring Cyber Essentials certification from their supply chains.
The Network and Information Systems Regulations 2018 (NIS Regulations), which implement the EU NIS Directive in UK law, also set out security requirements for operators of essential services (such as energy, transport, health, water, and digital infrastructure). While the NIS Regulations require compliance with the NCSC Cyber Assessment Framework (CAF) rather than Cyber Essentials, achieving Cyber Essentials certification demonstrates a commitment to cyber security that supports broader NIS compliance efforts.
Common Failure Points in Cyber Essentials Assessments
Many organisations fail their Cyber Essentials assessment on the first attempt. Understanding the most common failure points can help you avoid them:
- Unsupported software: Running operating systems or applications that are no longer receiving security updates from the vendor (e.g., Windows 7, Office 2013)
- Missing patches: Failing to apply critical security updates within the 14-day window
- Weak password policies: Not enforcing minimum password lengths, not requiring MFA on cloud services, or allowing shared accounts
- Uncontrolled administrator accounts: Too many users with admin rights, or admin accounts being used for everyday activities
- Default credentials: Leaving default passwords on firewalls, routers, or other network devices
- BYOD without controls: Allowing personal devices to access corporate data without appropriate security controls
- Lack of asset inventory: Not maintaining an up-to-date list of all devices, software, and cloud services in scope
- Misconfigured firewalls: Allowing unnecessary inbound services or failing to review firewall rules regularly
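The five controls and the failure points above come down to a handful of concrete, checkable thresholds. As an added example (not part of this article, nor any Policy Pros or IASME tooling), the Python script below runs a pre-assessment over a small asset inventory and flags the rules the page states: the 14-day window for critical patches, the 8-character (with MFA) or 12-character (without MFA) password floor, MFA on administrator access, unsupported software, default administrative passwords and admin accounts used for everyday work. The Asset schema, field names and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
# Thresholds as stated in the Cyber Essentials requirements above.
PATCH_WINDOW_DAYS = 14   # critical security updates applied within 14 days of release
MIN_PW_WITH_MFA = 8      # minimum password length where MFA protects the account
MIN_PW_WITHOUT_MFA = 12  # minimum password length where MFA is not in use
AUDIT_DATE = date(2024, 3, 10)  # constructed "today" for the sample run

@dataclass
class Asset:  # one in-scope device; the field schema is an assumption for this example
    name: str
    supported: bool                   # vendor still issues security updates
    oldest_unpatched: Optional[date]  # release date of the oldest unapplied critical patch
    default_password: bool            # factory administrative password still in place
    accounts: list = field(default_factory=list)  # dicts: user, pw_len, mfa, admin, daily_use

def check_asset(asset: Asset, today: date) -> list:
    """Return one finding per Cyber Essentials rule the asset breaches."""
    findings = []
    if not asset.supported:
        findings.append(f"{asset.name}: unsupported software, remove from scope or replace")
    if asset.oldest_unpatched and (today - asset.oldest_unpatched).days > PATCH_WINDOW_DAYS:
        findings.append(f"{asset.name}: critical patch outstanding beyond {PATCH_WINDOW_DAYS} days")
    if asset.default_password:
        findings.append(f"{asset.name}: default administrative password not changed")
    for acct in asset.accounts:
        floor = MIN_PW_WITH_MFA if acct["mfa"] else MIN_PW_WITHOUT_MFA
        if acct["pw_len"] < floor:
            findings.append(f"{asset.name}/{acct['user']}: password shorter than {floor} characters")
        if acct["admin"] and not acct["mfa"]:
            findings.append(f"{asset.name}/{acct['user']}: administrator access without MFA")
        if acct["admin"] and acct["daily_use"]:
            findings.append(f"{asset.name}/{acct['user']}: admin account used for everyday work")
    return findings

def check_inventory(assets: list, today: date) -> list:
    return [f for a in assets for f in check_asset(a, today)]  # empty list: no blockers

# Constructed sample inventory; device names, dates and accounts are illustrative only.
SAMPLE = [
    Asset("router-01", True, None, True),
    Asset("win7-legacy", False, date(2024, 1, 2), False,
          [{"user": "admin", "pw_len": 6, "mfa": False, "admin": True, "daily_use": True}]),
    Asset("laptop-07", True, date(2024, 3, 1), False,
          [{"user": "jane", "pw_len": 9, "mfa": True, "admin": False, "daily_use": True}]),
]

if __name__ == "__main__":
    print("\n".join(check_inventory(SAMPLE, AUDIT_DATE)))
```

Run against the constructed inventory, the check returns six findings: one for the router's default password and five for the unsupported, unpatched legacy host and its shared admin account, while the patched, MFA-protected laptop passes clean.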
How Policies and Procedures Support Cyber Essentials Certification
While Cyber Essentials is primarily a technical control scheme, having well-written policies and procedures is essential for demonstrating that your security controls are consistently applied, communicated to staff, and maintained over time. The Cyber Essentials questionnaire includes questions about documented processes for password management, user account creation and removal, administrator access, patching, and BYOD management. Without supporting policies, it is difficult to evidence that your technical controls are embedded in day-to-day operations.
Key policies that support Cyber Essentials certification include:
- Information Security Policy
- Acceptable Use Policy (Email and Internet)
- Password Management Policy
- Access Control Policy
- Patch Management and Vulnerability Management Policy
- Mobile Devices and Remote Working Policy
- BYOD Policy
- Asset Management and Disposal Policy
- Change Management Policy
- Removable Media Policy
- Data Classification and Handling Policy
- Incident Response Policy
- Backup and Recovery Policy
Under UK GDPR Article 32, organisations that process personal data are also required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Cyber Essentials certification and the supporting policies listed above contribute directly to demonstrating compliance with this requirement.
Recertification
Cyber Essentials certification is valid for 12 months. Organisations must recertify annually to maintain their certified status. The assessment questionnaire is updated each year to reflect the evolving threat landscape and changes to the scheme's requirements, so it is important to review the latest version of the readiness tool and requirements specification before each recertification.
How Policy Pros Can Help
Policy Pros works with Government bodies, local authorities, private companies, non-profits, and NGOs to develop the policies and procedures needed for Cyber Essentials certification and broader information security assurance. Our IT security policies service covers all of the documentation required for Cyber Essentials, including information security, access control, password management, patch management, acceptable use, and BYOD policies.
We also provide a comprehensive policy and procedure writing service for organisations seeking IASME Governance certification or preparing for ISO 27001. Every policy we produce is written in plain English, tailored to your organisation's systems and processes, and designed to be a practical, working document that supports both certification and day-to-day security management.
Contact Policy Pros today to discuss your Cyber Essentials policy requirements and take the first step towards certification.