What Cyber Essentials Requires
Five technical controls defined by the NCSC — each addressing a distinct category of common cyber attack. All five must be fully implemented to achieve certification.
Firewalls
Boundary firewalls and the host-based (software) firewall on every in-scope device must block unauthenticated inbound connections by default. Each inbound allow rule must be approved, documented, and removed when it is no longer needed. The firewall's own administrative interface must have its default password changed, with remote administration disabled or restricted to approved addresses and protected by MFA.
- ✓FortiGate NGFW — hardware-accelerated perimeter firewall with default-deny policy
- ✓Palo Alto PA-Series — App-ID blocks unapproved applications regardless of port
- ✓Windows Defender Firewall — host-based control for endpoints and servers
Secure configuration
Every in-scope device and service must be configured securely: default and vendor-supplied passwords changed, unused accounts and software removed or disabled, auto-run and auto-play disabled, and users authenticated before they can reach sensitive data. Devices must lock when unattended and require a PIN, password or biometric to unlock.
- ✓Microsoft Intune — enforces device configuration baselines at scale
- ✓CrowdStrike Falcon — detects misconfigured endpoints and policy drift
- ✓Fortinet FortiManager — centralised policy enforcement across network devices
User access control
User accounts must be created only through an approval process and carry the least privilege their role needs. Administrative work must be done from dedicated administrator accounts that are never used for email, browsing or other everyday tasks. MFA must be enabled on all cloud services wherever the service supports it, and always for administrator access. Passwords must meet the NCSC minimum: at least 12 characters, or at least 8 where a technical control such as MFA, a deny list of common passwords or login throttling is in place.
- ✓CyberArk Privilege Cloud — privileged account vaulting and JIT elevation
- ✓BeyondTrust Password Safe — PAM with session recording and approval workflows
- ✓Microsoft Entra ID — conditional access and phishing-resistant MFA (FIDO2)
Malware protection
Every in-scope device, including mobile devices, must be protected by one of two mechanisms: anti-malware software that is kept up to date, scans files on access, scans web content and blocks connections to known-malicious websites; or application allow-listing that permits only approved, signed applications to run. Anti-malware plus allow-listing is acceptable; neither alone may be missing.
- ✓CrowdStrike Falcon — AI-native endpoint protection and EDR
- ✓SentinelOne Singularity — autonomous threat prevention without signature dependence
- ✓Fortinet FortiGuard — web filtering and AV integrated into FortiGate
Security update management
All software, firmware and operating systems on in-scope devices must be licensed and still supported by the vendor, with automatic updates enabled where the product allows it. Updates that fix vulnerabilities rated CVSS v3 7.0 or higher, or that the vendor describes as critical or high, must be applied within 14 days of the update's release. Software that is out of vendor support must be removed or the device taken out of scope.
- ✓Microsoft Intune — automated Windows patch deployment with compliance reporting
- ✓Fortinet FortiManager — centralised firmware update management for network devices
- ✓CrowdStrike Spotlight — vulnerability management and patch prioritisation
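The host-level side of the five controls above can be checked on a Windows endpoint before any questionnaire is submitted. The script below is an added example written for this page; it is not code from the original page, from Servnet or from any of the vendors listed. It assumes Windows 10/11 or Server 2016+, Windows PowerShell 5.1 or later run elevated, Microsoft Defender as the anti-malware product, and reachability to Windows Update or WSUS for the update search. The 14-day window and the default-inbound-Block requirement are the Cyber Essentials rules; the one-day signature-age limit and the mapping of Microsoft's "Important" severity onto the Cyber Essentials "high" band are this script's own assumptions.

```powershell
# Added example, not from the original page or Servnet: read-only pre-assessment
# check of one Windows host against the host-level Cyber Essentials controls.
# Assumptions (this script's, not NCSC's): Defender is the AV, signatures older
# than 1 day are flagged, and MSRC "Important" is treated as CE "high".
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [string]$Level, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Level = $Level; Detail = $Detail })
}

# 1. Firewalls: every profile enabled, default inbound action Block.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { Add-Finding 'Firewalls' 'Fail' "profile $($p.Name) is disabled" }
    if ($p.DefaultInboundAction -ne 'Block') {
        Add-Finding 'Firewalls' 'Fail' "profile $($p.Name) default inbound is $($p.DefaultInboundAction), must be Block"
    }
}
# Enabled inbound allow rules are what the assessor asks you to justify; count them for review.
$allowRules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True)
Add-Finding 'Firewalls' 'Info' "$($allowRules.Count) enabled inbound allow rules need documented approval"

# 2. Secure configuration: AutoRun off for all drive types (0xFF), Guest account disabled.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autoRun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autoRun -ne 255) {
    Add-Finding 'Secure configuration' 'Fail' "NoDriveTypeAutoRun is '$autoRun', expected 255 (AutoRun disabled on all drives)"
}
$guest = Get-LocalUser -Name Guest -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { Add-Finding 'Secure configuration' 'Fail' 'built-in Guest account is enabled' }

# 3. User access control: admin rights must sit on dedicated accounts. A daily-use
# account in local Administrators is a common CE Plus failure, so list every member
# for the reviewer. MFA on cloud services is verified tenant-side, not on the host.
$admins = @(Get-LocalGroupMember -Group Administrators | ForEach-Object { $_.Name })
Add-Finding 'User access control' 'Info' "local Administrators members: $($admins -join ', ')"

# 4. Malware protection: Defender enabled, on-access scanning on, signatures fresh.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { Add-Finding 'Malware protection' 'Fail' 'Defender antivirus is not enabled' }
    if (-not $mp.RealTimeProtectionEnabled) { Add-Finding 'Malware protection' 'Fail' 'real-time (on-access) scanning is off' }
    if ($mp.AntivirusSignatureAge -gt 1)    { Add-Finding 'Malware protection' 'Fail' "signatures are $($mp.AntivirusSignatureAge) days old" }
} catch {
    Add-Finding 'Malware protection' 'Info' 'Get-MpComputerStatus failed; confirm a third-party AV is installed and updating'
}

# 5. Security update management: a missing Critical/Important update published more
# than 14 days ago breaches the window. The Windows Update COM search can take minutes.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$missing  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
foreach ($u in $missing) {
    $days = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
    if ($u.MsrcSeverity -in @('Critical', 'Important') -and $days -gt 14) {
        Add-Finding 'Security update management' 'Fail' "'$($u.Title)' ($($u.MsrcSeverity)) released $days days ago, outside the 14-day window"
    }
}

# Report: print everything, exit non-zero on any Fail so it can run as a scheduled or Intune check.
$findings | Format-Table -AutoSize | Out-String | Write-Output
$failCount = @($findings | Where-Object { $_.Level -eq 'Fail' }).Count
if ($failCount -gt 0) { Write-Output "$failCount control failure(s)"; exit 1 }
Write-Output 'No host-level Cyber Essentials failures detected'
```

Run it on a representative sample of endpoints, which is what a CE Plus assessor does. It does not see third-party software (browsers, PDF readers, Java) that Windows Update does not manage, nor anything on network devices or in cloud tenants; those still need the vendor tooling or manual review.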
CE vs CE Plus — Which Do You Need?
Both certifications are NCSC-registered and must be renewed every 12 months. The key difference is verification: CE Plus adds independent hands-on technical testing of a representative sample of your devices, and that testing must be completed within three months of passing the CE self-assessment.
Cyber Essentials
Self-assessed. Process: Online self-assessment questionnaire completed by your organisation, reviewed and verified by a Certification Body assessor.
Best for: SMEs, organisations seeking government contracts, businesses wanting to demonstrate baseline security to customers and insurers.
- ✓Online assessment questionnaire
- ✓CB review and verification
- ✓CE certificate (valid 12 months)
- ✓NCSC-registered certification
- ✓Cyber Essentials logo licence
Cyber Essentials Plus
Independently verified. Process: In addition to the self-assessment, an independent assessor performs technical verification, with hands-on testing of your systems against all five controls.
Best for: Government suppliers, NHS contractors, organisations handling sensitive data, businesses with cyber insurance requirements.
- ✓Everything in Cyber Essentials
- ✓On-site/remote technical testing
- ✓External vulnerability scan of internet-facing services
- ✓Authenticated internal scan of sampled devices (patch status, malware protection, account separation)
- ✓CE Plus certificate (valid 12 months)
Sectors & Contracts Requiring Cyber Essentials
Mandatory CE for all suppliers handling government data. CE Plus required for sensitive contracts.
Required for NHS Digital supplier registration and Data Security and Protection Toolkit compliance.
Required for G-Cloud and Crown Marketplace frameworks — mandatory for all public sector IT suppliers.
Major UK insurers require CE/CE Plus or offer premium discounts for certified organisations. UK organisations with turnover under £20m also receive IASME's bundled cyber liability insurance automatically on passing Cyber Essentials.
End-to-End Certification Support
Gap Assessment
We review your current controls against all five Cyber Essentials requirements — identifying gaps and producing a prioritised remediation list before you submit the self-assessment.
Remediation Support
Where gaps exist, we supply and deploy the right products — FortiGate for firewalls, CrowdStrike for malware protection, Intune for patch management — to meet the technical requirements.
Pre-Assessment Review
We review your completed questionnaire before submission to identify any answers that may fail the CB review — reducing the risk of costly re-assessments.
Certification Body Referral
We work with IASME-accredited Certification Bodies and can refer you to a suitable assessor, managing the process end-to-end so you reach certification with minimal disruption.
Ready to achieve Cyber Essentials?
Whether you need CE for a government contract, cyber insurance, or simply to demonstrate security to your customers — Servnet will get you there, efficiently and correctly.
