7 Steps for Passing Cyber Essentials Certification


The Cyber Essentials plan offers a simple yet effective structure for organisations to defend themselves against cyber threats. Cyber Essentials accreditation is one of the first measures that any organisation can take to secure its digital assets and personal data, and it offers the obligatory certification needed to compete on UK Government supply chain contracts.

Like other legitimate certifications, obtaining a Cyber Essentials certification requires preparation and a corporate commitment in time, money, and technical knowledge.

This article will go through how to prepare for and pass Cyber Essentials.

Create a Policy for Information Security

The first stage in creating a well-planned information security strategy is establishing the company’s cybersecurity needs and guidelines. This policy should include rules for handling and processing customer, employee, and third-party personal data, a password policy, and user guidelines. The policy should be short and clear rather than long and complicated, so that all workers and third-party users with access to the systems or data can understand and follow it.

Appoint a Data Protection Officer

Appointing a senior employee as a Data Protection Officer (DPO) can help firms enforce their information security plan. In an SME, the DPO may manage all of the company’s security activities and serve as the single point of contact for security-related questions and issues. Because Cyber Essentials certification requires businesses to complete and submit a self-assessment questionnaire and provide evidence to support their answers, having a single point of contact in the DPO ensures everybody knows who is responsible for completing the questionnaire and who to go to for the most current guidance.

Maintain a Record of Your Digital Assets

It is critical to have a digital asset inventory to verify that all software and devices are safeguarded. The inventory should record the software versions and update status of every device and application. Knowing which devices are on the network, or can connect to it, is the most effective way to discover unauthorised devices and take action to isolate them. Tracking digital assets allows you to spot weaknesses and monitor the devices in your network.

Implement Access Control

Cyber Essentials certification requires effective access control to ensure only authorised personnel may access important information.

Use a Role-Based Access Control (RBAC) system to guarantee that IT users have only the rights required for their job function and access to only the systems they need to work effectively and safely.

Use the Proper Tools and Setups

A firewall and antivirus software are both required security measures for Cyber Essentials. A firewall protects network devices from outside threats, while antivirus software protects computers from viruses and other malware. Firewalls should be correctly configured to block dangerous traffic, helping organisations prevent the most prevalent forms of cyber attack.

Perform Frequent Security Audits

To keep digital assets safe and secure, it is critical to record, monitor, and analyse the performance of cybersecurity measures. Regular security audits should be performed to monitor all devices and software, understand the types of devices in use, assess the effectiveness of the information security policy, and confirm that all software and devices are correctly configured for secure operation. Understanding the network’s strengths and weaknesses helps fine-tune cybersecurity for better protection.

Steps for Passing the Cyber Essentials Certification

Cyberattacks against businesses have become an increasing risk, often resulting in irreparable damage to reputation and data. Implementing an effective cybersecurity framework requires an investment of both time and financial resources. Cyber Essentials, the UK government scheme delivered by IASME, offers a straightforward self-assessment process that helps mitigate business risk by protecting against up to 80% of cyber threats.

Cybersecurity may seem intimidating, but attaining Cyber Essentials certification can be relatively straightforward and cost-effective. This is especially true for IT managed service providers that offer it as part of their portfolio: they can earn a good margin by performing self-assessments for clients and submitting applications, and they can upsell the additional services clients need to meet the higher-level requirements of Cyber Essentials Plus certification.

The basic certification process begins with a self-assessment that typically takes around 3 days to complete and is designed to cover all core elements of your IT infrastructure, such as firewalls, antivirus and antimalware software, patch management, and user account management, including password policies. Once submitted, an independent assessor marks it and produces a report, which you must review online before you are granted your certificate.

Once your business has passed the basic certification process and one year has elapsed, you can apply for the more advanced Cyber Essentials Plus certification. This process involves either a remote or an on-site audit by a certified Cyber Essentials assessor to confirm that all necessary controls are in place to protect the business, such as a more robust firewall policy, third-party antivirus software installed on all workstations, and minimal lag between workstations and internal or external antivirus servers.

As with the base-level certification, annual assessments must also take place to monitor the implementation and maintenance of controls. At Qlic, we have seen many customers initially fail a re-assessment, for example by not updating antivirus definitions on all workstations promptly and successfully, and then improve their IT processes; these improvements ultimately led to them passing their re-assessment and receiving Cyber Essentials Plus certification.

At Qlic, we highly encourage our clients to pursue Cyber Essentials certification, as it’s an easy, cost-effective way to reduce cyber attack risks while showing commitment to security. In fact, tendering for government projects or local authorities increasingly requires this certification, and our managed service customers must include it as part of their cybersecurity portfolios. Reach out today so we can assist your journey; our knowledgeable team is standing by, ready to support you all along the way.

Getting started with cybersecurity as a small or medium-sized firm can be intimidating, particularly if you lack in-house technical IT expertise. Becoming Cyber Essentials certified is one of the best ways to start: a modest investment of time and effort can lower your risk exposure. By following the steps above, you will be ready to pass Cyber Essentials.