Your Cyber Essentials Roadmap

Everything you need to achieve basic Cyber Essentials certification.

This guide walks you through every step required to achieve Cyber Essentials certification through self-assessment. We’ve created this to help you understand the full scope of work involved, the technical knowledge required, and what’s needed to complete the process properly.

Note: Cyber Essentials certification is valid for 12 months and must be renewed annually.

Understanding the Work Required

The amount of work required to prepare for Cyber Essentials certification varies significantly based on your organisation’s size, the number of internet-connected devices, the number of individuals using those devices, and the complexity of your IT infrastructure.

Below is a general overview of what each aspect of the roadmap covers, allowing you to navigate through the process in accordance with your current needs and progress towards certification.

Organisation Profile / Estimated Working Hours

Small & Simple: 8-20 hours
20-50 computers, single office location, few cloud services, strong existing security controls.

Medium Complexity: 20-40 hours
50-100 computers, remote workers, multiple cloud services, some security gaps.

Large or Complex: 40-80+ hours
100-200+ computers, multiple locations, extensive cloud usage, BYOD, significant remediation needed.

Key Factors Affecting Time Required:

• Number of devices: Each computer, server, mobile device, and network appliance must be assessed and configured correctly.

• Number of users: More users means more accounts to manage, more access controls to configure, and more training required.

• Current security posture: Organisations with weak or non-existent security controls will require significantly more remediation work.

• IT infrastructure complexity: Multiple locations, remote workers, BYOD policies, and extensive cloud service usage all increase complexity.

• Technical expertise: Lack of in-house IT security knowledge will extend the time needed to understand and implement requirements.

These estimates are based on industry experience from UK cyber security providers and represent the actual work time required, not elapsed calendar time. The certification process itself (assessor review) typically takes 1-3 working days after submission.

Important: The 2025 Updates

As of 28 April 2025, all Cyber Essentials applications use the new ‘Willow’ Question Set and must comply with Requirements for IT Infrastructure Version 3.2. Key changes include enhanced requirements for passwordless authentication, updated terminology for remote working (now “home and remote working”), and stricter verification processes for Cyber Essentials Plus assessments.

The Cyber Essentials Roadmap

1. Initial Assessment & Scoping

Download Official Documentation
Access the Willow Question Set and Requirements for IT Infrastructure v3.2 from the IASME website. These documents are mandatory reading before you begin.

Define Your Scope (REQUIRED)
Your assessment and certification should cover the whole of the IT infrastructure used to carry out your organisation’s business, or if necessary, a well-defined and separately managed sub-set. You must clearly define the scope boundary: the business unit managing it, the network boundary and physical location. You must agree the scope with the Certification Body before assessment begins. A scope that doesn’t include end user devices isn’t acceptable.

Inventory Your IT Estate
Create a comprehensive list of all devices and software in scope that meet any of these conditions: can accept incoming network connections from untrusted internet-connected hosts; can establish user-initiated outbound connections to devices via the internet; control the flow of data between any of the above devices and the internet. This includes: all end user devices, servers (on-premise and cloud), network equipment, software applications, cloud services, and home and remote working arrangements.

Identify Current Security Controls
Document what security measures you already have in place across the five control areas.

2. Gap Analysis Against the Five Controls

Review each of the five Cyber Essentials controls against your current setup to identify what needs to be implemented:

Control Area / Key Requirements (from NCSC v3.2)

1. Firewalls

You must protect every device in scope with a correctly configured firewall. Must: change default administrative passwords; prevent access to administrative interface from the internet (unless protected by MFA or IP allow list); block unauthenticated inbound connections by default; ensure inbound firewall rules are approved and documented.

2. Secure Configuration

You must regularly: remove and disable unnecessary user accounts; change any default or guessable account passwords; remove or disable unnecessary software; disable any auto-run feature; ensure users are authenticated before allowing access to organisational data or services.

3. User Access Control

You must: have a process to create and approve user accounts; authenticate users with unique credentials; remove or disable accounts when no longer required; implement MFA where available (authentication to cloud services must always use MFA); use separate accounts for administrative activities only.

4. Malware Protection

A malware protection mechanism must be active on all devices in scope. For Windows/macOS: anti-malware must be updated in line with vendor recommendations and must prevent malware from running, prevent execution of malicious code, and prevent connections to malicious websites.

5. Security Update Management

All software must: be licensed and supported; be removed when unsupported; have automatic updates enabled where possible; be updated within 14 days of release for critical/high risk vulnerabilities (CVSS v3 base score of 7 or above).

  • Can you clearly define your network boundary and physical location?
  • Do you have an accurate, up-to-date inventory of all devices that connect to the internet?
  • Can you identify all cloud services (IaaS, PaaS, SaaS) your organisation uses?
  • Do you know which devices are used for home and remote working?
  • Can you identify devices owned by your organisation versus BYOD (Bring Your Own Device)?

3. Remediation and Implementation

This phase typically requires the most work, as you must implement all required controls that are currently missing or incorrectly configured. The time required scales directly with the number of devices and users in your organisation.

Configure Boundary Firewalls

You must protect every device in scope with a correctly configured firewall. For all firewalls, you must: change default administrative passwords to a strong and unique password; prevent access to the administrative interface from the internet (unless protected by MFA or IP allow list with properly managed password authentication); block unauthenticated inbound connections by default; ensure inbound firewall rules are approved and documented; remove or disable unnecessary firewall rules.
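The firewall requirements above can be turned into a repeatable check before you answer the questionnaire. The script below is an example added to this guide (it is not NCSC, IASME or vendor tooling); the Rule and FirewallConfig records are a constructed, vendor-neutral representation of a rule set, the 90-day hit-counter window is an assumption, and 203.0.113.0/24 is a documentation address range used for the sample allow-list entry.

```python
"""Audit a boundary firewall configuration against the Cyber Essentials
firewall control.  Example added to the guide; the dataclasses and the
sample rules are a constructed representation, not a real firewall export."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional

UNUSED_DAYS = 90  # assumption: hit counters cover the last 90 days


@dataclass
class Rule:
    name: str
    direction: str                      # "inbound" or "outbound"
    action: str                         # "allow" or "deny"
    source: str                         # CIDR; 0.0.0.0/0 means the whole internet
    port: int
    admin_interface: bool = False       # targets the firewall's own management UI
    mfa_required: bool = False
    approved_by: Optional[str] = None   # who approved the rule
    documented_reason: Optional[str] = None  # business need on record
    hits: int = 0                       # matches in the last UNUSED_DAYS days


@dataclass
class FirewallConfig:
    default_admin_password_changed: bool
    default_inbound_action: str         # "deny" or "allow"
    rules: List[Rule] = field(default_factory=list)


def open_to_whole_internet(source: str) -> bool:
    """True when the source matches every address, i.e. there is no IP allow list."""
    return ip_network(source, strict=False).prefixlen == 0


def audit(cfg: FirewallConfig) -> List[str]:
    """Return one finding per requirement the configuration fails."""
    findings = []
    if not cfg.default_admin_password_changed:
        findings.append("default administrative password has not been changed")
    if cfg.default_inbound_action != "deny":
        findings.append("default inbound policy must block unauthenticated connections")
    for r in cfg.rules:
        if r.direction != "inbound" or r.action != "allow":
            continue
        if r.admin_interface and open_to_whole_internet(r.source) and not r.mfa_required:
            findings.append(f"{r.name}: administrative interface reachable from the "
                            "internet without MFA or an IP allow list")
        if not r.approved_by or not r.documented_reason:
            findings.append(f"{r.name}: inbound rule lacks approval or a documented reason")
        if r.hits == 0:
            findings.append(f"{r.name}: no matches in {UNUSED_DAYS} days; remove or "
                            "disable if no longer required")
    return findings


# Constructed sample configuration (203.0.113.0/24 is a documentation range).
SAMPLE = FirewallConfig(
    default_admin_password_changed=True,
    default_inbound_action="deny",
    rules=[
        Rule("web-https", "inbound", "allow", "0.0.0.0/0", 443,
             approved_by="IT Manager", documented_reason="public website", hits=12000),
        Rule("admin-ui-internet", "inbound", "allow", "0.0.0.0/0", 8443,
             admin_interface=True, approved_by="IT Manager",
             documented_reason="remote admin", hits=40),
        Rule("admin-ui-msp", "inbound", "allow", "203.0.113.10/32", 8443,
             admin_interface=True, approved_by="IT Manager",
             documented_reason="MSP remote admin", hits=5),
        Rule("legacy-ftp", "inbound", "allow", "0.0.0.0/0", 21, hits=0),
    ],
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
```

Run against the sample, the management rule open to the whole internet is reported while the same interface restricted to a single allow-listed address is not, and the undocumented, unused FTP rule produces two findings; exporting your real rule set into the same shape gives you the list of rules to fix before submission.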

Harden All Systems

You must proactively manage your computers and network devices. You must regularly: remove and disable unnecessary user accounts (such as guest accounts and administrative accounts that won’t be used); change any default or guessable account passwords; remove or disable unnecessary software; disable any auto-run feature which allows file execution without user authorisation; ensure users are authenticated before allowing them access to organisational data or services.

Implement Access Controls

Your organisation must: have in place a process to create and approve user accounts; authenticate users with unique credentials before granting access; remove or disable user accounts when they’re no longer required; implement MFA where available (authentication to cloud services must always use MFA); use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities); remove or disable special access privileges when no longer required.
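A periodic review of an account export against these requirements is the practical way to keep the evidence current. The script below is an example added to this guide, not IASME or vendor tooling; the Account records, the leavers list and the 90-day inactivity threshold are constructed assumptions for illustration (the standard gives no inactivity figure).

```python
"""Review a user-account export against the Cyber Essentials user access
control requirements.  Example added to this guide; the records, the
leavers list and INACTIVE_DAYS are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

INACTIVE_DAYS = 90   # assumption: review threshold, not a figure from the standard


@dataclass
class Account:
    username: str
    owners: Tuple[str, ...]            # people who know the credential
    enabled: bool
    is_admin: bool
    mfa_enabled: bool
    cloud_service: Optional[str]       # e.g. "M365"; None for the on-premises directory
    has_mailbox: bool
    last_login: Optional[date]
    approval_ticket: Optional[str]     # record of the create-and-approve process


def review(accounts: List[Account], leavers: Set[str], today: date) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for every enabled account that fails a check."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue   # already disabled: nothing to do
        if any(o in leavers for o in a.owners):
            findings.append((a.username, "owner has left; disable or remove the account"))
        if len(a.owners) > 1:
            findings.append((a.username, "credential shared between people; each user needs unique credentials"))
        if a.approval_ticket is None:
            findings.append((a.username, "no record that the account was approved before creation"))
        if a.cloud_service and not a.mfa_enabled:
            findings.append((a.username, f"{a.cloud_service} account without MFA; cloud authentication must use MFA"))
        if a.is_admin and a.has_mailbox:
            findings.append((a.username, "administrative account has a mailbox; admin accounts are for admin tasks only"))
        if a.last_login and (today - a.last_login).days > INACTIVE_DAYS:
            findings.append((a.username, f"no login for over {INACTIVE_DAYS} days; confirm still required or disable"))
    return findings


# Constructed sample export and HR leavers list.
ACCOUNTS = [
    Account("jsmith", ("J Smith",), True, False, True, "M365", True, date(2025, 6, 28), "IT-101"),
    Account("jsmith-adm", ("J Smith",), True, True, True, None, True, date(2025, 6, 27), "IT-102"),
    Account("reception", ("A Brown", "B Green"), True, False, False, "M365", True, date(2025, 6, 30), "IT-050"),
    Account("pjones", ("P Jones",), True, False, True, "M365", True, date(2025, 2, 10), "IT-077"),
    Account("svc-backup", ("IT Team",), True, True, False, None, False, date(2025, 6, 29), None),
    Account("old-contractor", ("C Wong",), False, False, False, "M365", True, None, "IT-012"),
]
LEAVERS = {"P Jones"}

if __name__ == "__main__":
    for user, issue in review(ACCOUNTS, LEAVERS, date(2025, 6, 30)):
        print(f"{user}: {issue}")
```

The leavers set is joined against every owner so a shared account is caught when any one of its holders leaves; the MFA check is deliberately limited to cloud accounts because that is where the requirement is unconditional, while the admin-mailbox check catches the common case of an administrator account doubling as a daily-use account.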

Deploy & Configure Malware Protection

You must make sure that a malware protection mechanism is active on all devices in scope. For Windows or macOS devices using anti-malware software, it must be configured to: be updated in line with vendor recommendations; prevent malware from running; prevent the execution of malicious code; prevent connections to malicious websites over the internet.

Establish Patch Management

All software on in-scope devices must: be licensed and supported; be removed from devices when it becomes unsupported (or removed from scope); have automatic updates enabled where possible; be updated, including vulnerability fixes, within 14 days of release for critical or high risk vulnerabilities (CVSS v3 base score of 7 or above, or identified by vendor as critical/high risk).
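The 14-day rule is easiest to evidence when it is computed rather than eyeballed. The script below is an example added to this guide (not NCSC, IASME or vendor code) that applies the v3.2 wording to an inventory: either a CVSS v3 base score of 7.0 or above or a vendor critical/high rating pulls an advisory into the window. The product names, versions and advisory dates are constructed, not real advisories.

```python
"""Check an installed-software inventory against the Cyber Essentials
security update requirement: fixes for critical/high risk vulnerabilities
(CVSS v3 base score 7.0 or above, or rated critical/high by the vendor)
must be applied within 14 days of release.  Example added to this guide;
the products and advisories are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0


@dataclass
class Software:
    name: str
    version: str
    supported: bool      # vendor still issues security updates
    licensed: bool
    auto_update: bool    # automatic updates enabled where the product supports it


@dataclass
class Advisory:
    software: str
    fixed_version: str
    released: date
    cvss_v3: Optional[float] = None
    vendor_rating: Optional[str] = None   # "critical", "high", "moderate", ...


def version_tuple(v: str):
    """Dotted numeric version to a comparable tuple, e.g. "16.0.2" -> (16, 0, 2)."""
    return tuple(int(p) for p in v.split("."))


def in_scope_severity(a: Advisory) -> bool:
    """Either branch of the v3.2 rule pulls the advisory into the 14-day window."""
    if a.cvss_v3 is not None and a.cvss_v3 >= CVSS_THRESHOLD:
        return True
    return (a.vendor_rating or "").lower() in {"critical", "high"}


def assess(inventory: List[Software], advisories: List[Advisory],
           today: date) -> Dict[str, List[str]]:
    """Group findings: software to remove, auto-update gaps to review,
    fixes already overdue, and fixes still inside the window."""
    out: Dict[str, List[str]] = {"remove": [], "review": [], "overdue": [], "due": []}
    by_name = {s.name: s for s in inventory}
    for s in inventory:
        if not s.licensed or not s.supported:
            out["remove"].append(f"{s.name} {s.version}: unlicensed or unsupported; "
                                 "remove from devices or from scope")
        if not s.auto_update:
            out["review"].append(f"{s.name}: automatic updates disabled; enable if the product allows it")
    for a in advisories:
        s = by_name.get(a.software)
        if s is None or not in_scope_severity(a):
            continue
        if version_tuple(s.version) >= version_tuple(a.fixed_version):
            continue   # fix already installed
        deadline = a.released + PATCH_WINDOW
        sev = f"CVSS {a.cvss_v3}" if a.cvss_v3 is not None else f"vendor {a.vendor_rating}"
        if today > deadline:
            out["overdue"].append(f"{s.name} {s.version}: {a.fixed_version} ({sev}) "
                                  f"overdue by {(today - deadline).days} days")
        else:
            out["due"].append(f"{s.name} {s.version}: {a.fixed_version} ({sev}) "
                              f"due by {deadline.isoformat()}")
    return out


# Constructed sample inventory and advisories.
INVENTORY = [
    Software("Office Suite", "16.0.1", supported=True, licensed=True, auto_update=True),
    Software("PDF Reader", "11.2", supported=True, licensed=True, auto_update=False),
    Software("Legacy CRM", "4.3", supported=False, licensed=True, auto_update=True),
]
ADVISORIES = [
    Advisory("Office Suite", "16.0.2", date(2025, 6, 1), cvss_v3=8.1),
    Advisory("PDF Reader", "11.3", date(2025, 6, 25), vendor_rating="critical"),
    Advisory("PDF Reader", "11.1", date(2025, 5, 1), cvss_v3=9.0),      # already fixed
    Advisory("Office Suite", "16.0.2", date(2025, 6, 1), cvss_v3=5.3),  # below threshold
    Advisory("Legacy CRM", "4.4", date(2025, 3, 1), cvss_v3=7.5),
]

if __name__ == "__main__":
    for category, items in assess(INVENTORY, ADVISORIES, date(2025, 6, 30)).items():
        for item in items:
            print(f"[{category}] {item}")
```

Note the two edge cases the sample exercises: an advisory with no CVSS score but a vendor "critical" rating still counts, and a medium-severity advisory (5.3) for the same outdated product is ignored, so the report reflects only what the standard measures.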

Address Cloud Services

If your organisation’s data or services are hosted on cloud services, these services must be in scope. For cloud services, the applicant organisation is always responsible for ensuring all controls are implemented, but some controls can be implemented by the cloud service provider. You must make sure that the cloud provider has committed to implementing relevant controls via contractual clauses or documents referenced by contract.

4. Documentation and Evidence Gathering

Required by assessors:

You might be required to supply evidence before your certification body can award certification at the level for which you’re applying (NCSC Requirements for IT Infrastructure v3.2).

You must clearly define the scope boundary, namely: the business unit managing it, the network boundary and physical location. You must agree the scope with the Certification Body (NCSC v3.2).

If using externally managed services (such as remote administration), you must be able to confirm that the Cyber Essentials technical controls are being met, and be able to demonstrate this in your assessment answers (NCSC v3.2).

Industry best practice:

Create Configuration Documentation: Document all security configurations, policies, and procedures. While not explicitly required for basic Cyber Essentials, this documentation is essential if you plan to pursue Cyber Essentials Plus, which requires evidence to be retained by the Certifying Body for at least the lifetime of the certificate.

Gather Screenshots & Evidence: Collect evidence of your implementations such as firewall rules, anti-malware status, update policies, and access control configurations. This can help respond to any assessor queries quickly.

Document Scope Decisions: If you’ve limited scope to a subset, document how you’ve segregated the boundary between in-scope and out-of-scope systems.

  • Do you have the technical skills to configure firewall rules correctly?
  • Can you identify and remove unnecessary services across different operating systems?
  • Are you able to configure Group Policy or equivalent for consistent security settings?
  • Can you implement and test multi-factor authentication across all cloud services?
  • Do you understand how to configure malware protection correctly for your environment?
  • Can you establish a patch management process that meets the 14-day requirement?
  • Are you able to verify cloud provider security commitments in contracts?

5. Complete the Self-Assessment Questionnaire

Purchase Certification
When you are ready, you will need to register for certification and make a payment. Register with an IASME-accredited Certification Body and pay the assessment fee. Note this is a yearly fee paid directly to the accrediting body.

Answer All Questions Accurately
Cyber Essentials is a self-assessment, with organisations completing a questionnaire. Once your application and payment have been received, you will receive your online assessment portal log-in details so that you can enter your answers into the online assessment platform. The questionnaire covers your scope, devices, locations, and detailed questions on each of the five controls. Some of the Cyber Essentials self-assessment questions can be difficult to understand if you do not have a technical IT background or have a complex company structure.

Obtain Board-Level Sign-Off
A senior member of the board or equivalent from your organisation must e-sign a document to verify that all the answers are true (GOV.UK PPN 014).

Submit for Assessment
The questionnaire is then verified by an independent certification body to assess whether the appropriate standard has been achieved, and certification can be awarded. A qualified external Assessor will mark the answers. Once you have submitted your assessment for marking, your Assessor may send you feedback.

6. Assessor Review & Certification

Respond to Assessor Queries
Cyber Essentials Assessors work for a Certification Body. They are trained and licensed by IASME to assess whether an organisation meets the criteria required for Cyber Essentials certification. They will also be able to help you understand the assessment questions and how they relate to your company. Your assessor may send you feedback or request clarification on specific answers.

Receive Your Certificate
If successful, this results in the award of a certificate valid for one year. You will be listed on the directory of certified organisations and can display your digital Cyber Essentials certificate on your website and email footer.

  • Do you have the technical knowledge to answer detailed questions about your security controls?
  • Can you accurately describe your firewall configurations?
  • Are you able to confirm MFA status across all cloud services?
  • Can you verify software licensing status for all in-scope applications?
  • Do you understand the technical terminology used in the questionnaire?

Post-Certification: Ongoing Maintenance

Your Cyber Essentials certificate is valid for 12 months. Suppliers must recertify every 12 months in order to maintain a valid certificate. Failure to do so renders the supplier uncertified (GOV.UK PPN 014).

During that year, you must maintain compliance with all five controls, including:

  • Continuing to apply security updates within 14 days for critical/high risk vulnerabilities
  • Maintaining firewall configurations
  • Managing user access and privileges
  • Ensuring all new devices meet security standards
  • Updating configurations when you add new cloud services or software

Are you ready for your assessment?

We work with over 100 Kent businesses to achieve and maintain Cyber Essentials certification. Our cybersecurity team handles the technical complexity while you focus on running your business.


What we provide:

Complete gap analysis and remediation

Ongoing consultation and strategy

Rapid-response security support and monitoring

Obtaining Cyber Essentials is a technical process, and we want to provide businesses with everything they need to improve their cybersecurity and potential.

If you have any questions, or would like to enquire about some of our services, book a free discovery call with our Managing Director to start your Cyber Essentials journey.
