With our team’s deep expertise in UK cyber security standards and AI governance, we’re here to make your Cyber Essentials and Cyber Essentials Plus journey straightforward and stress-free.
Below, we answer the most common questions about Cyber Essentials and Cyber Essentials Plus, from understanding the basics to achieving and maintaining certification. Whether you’re just beginning or aiming to enhance your current security measures, you’ll find clear, practical guidance right here.
Cyber Essentials is a certification scheme backed by the UK Government to ensure businesses protect themselves against the most common cyber threats. Businesses are required to fill out a self-assessment questionnaire and meet a minimum threshold to secure a ‘Pass’.
Cyber Essentials is the self-assessment stage, and once complete, you have 90 days to undertake an external audit to verify your cybersecurity controls to achieve Cyber Essentials Plus. They test this in a real-world context, so they will include a vulnerability scan of your devices and a simulated phishing test.
Yes, you need to complete Cyber Essentials first, and then you have 90 days to complete your Cyber Essentials Plus audit.
Both Cyber Essentials and Cyber Essentials Plus must be renewed annually.
Firewalls: This is like the digital gatekeeper for your network—it stops unauthorised users from accessing your systems and data.
Secure Configuration: It means getting rid of all the easy-access points on your devices, like changing default passwords and turning off things you don’t actually use.
User Access Control: This is about who gets to see what—making sure only the right people have permission to view or change sensitive files.
Malware Protection: This is your computer’s antivirus; it uses software to find and block software viruses and other malicious code that could corrupt or prevent access to your data.
Patch Management: Just like updating your phone, this is making sure all your software and operating systems are always kept up-to-date to fix security holes quickly.
The Cyber Essentials Plus is a hands-on security test that is completed by an external company that is approved by the certification scheme owners, IASME. It consists of:
External vulnerability scan: The Auditor will check your outside-facing systems (like your website and firewalls) to see if there are any obvious security holes a hacker could get through.
Internal system test: They take a sample of your team’s devices and check that security settings are correct, and software/operating systems are fully up-to-date.
Malware Protection Check: They try to send you some safe, dummy virus files to see if your antimalware software catches them.
Configuration Check: This verifies that your crucial settings, like screen locking or password rules, are set up properly, validating the controls claimed in the initial questionnaire.
You decide the scope for your Cyber Essentials, and it must stay the same for the Cyber Essentials audit. The most popular or default scope is for the whole organisation to ensure the security standards are up to date.
However, for large MedTech companies, they can choose the scope they want to assess, e.g. the specific network segment that handles the NHS product/contract. Although this is only accepted if it is proven to be securely and technically isolated.
The assessment will only be on a representative sample of your user devices that fall within scope of the test. So the bigger the organisation, the larger the sample size required.
If any high-risk vulnerabilities are identified and an update is required, you have 14 days from the update release to fix the vulnerability. Once the fix is made, a re-audit can take place to complete your certification.
Most of the time, people fail because of two simple things:
Missing Updates: Staff haven’t installed those critical security updates (patches) before the audit happens.
Too Much Access: People are using high-level admin accounts for basic, everyday stuff—like checking their emails or browsing the web—when they don’t really need that kind of access for their day job.
If you fail the Cyber Essentials Plus audit, you do get the opportunity to do a retest. Usually, this is in the areas that failed the original audit.
Protecting sensitive information is crucial in today’s digital healthcare landscape, and Cyber Essentials sets the UK standard for robust cyber security. At 8fold Governance, our team of specialists guides you through the Cyber Essentials and Cyber Essentials Plus requirements—helping you build trust and keep your data secure with confidence.
With expertise across UK Regulatory and Market Specific standards, we can help you get from where you are, to where you need to be
| Cookie | Duration | Description |
|---|---|---|
| cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
| cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
| cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
| cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
| cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
| viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |