Guidance for applicants

Why you need MFA for all users and administrators for full Cyber Essentials compliance

Cyber Essentials certification helps organisations prove they have basic cybersecurity measures in place. Many businesses see it as a straightforward step to improve security and build trust with clients. With the rise of AI tools, some might consider using artificial intelligence to complete their Cyber Essentials assessment. While AI can assist in many areas, relying on it entirely for this assessment carries significant risks that could undermine your security efforts. Why

One of the most frequent points of confusion we see from Cyber Essentials applicants relates to personally owned devices or Bring Your Own Device (BYOD) . Many organisations assume that if a device is owned by a member of staff rather than the business, it is automatically out of scope  for Cyber Essentials.This assumption is incorrect and regularly leads to failed assessments. This article explains the correct position under the Cyber Essentials scheme  and provides practica

The Cyber Essentials scheme is designed to help you protect your organisation from common cyber threats. The 2025 updates focus on strengthening security controls and improving resilience. Here’s what you need to know: Key Changes in Cyber Essentials 2025 Enhanced Password Policies : Passwords must be stronger. Multi-factor authentication (MFA) is now mandatory for all cloud access. Passwordless Authentication is also included. Improved Software Security : You must keep all

Why does Cyber Essentials keep changing? The government approved Cyber Essentials scheme includes five technical controls that help protect organisations from the most common cyber attacks. The Cyber Essentials certification badge signals to customers, investors and those in the supply chain that an organisation has put the government-approved, minimum level of cyber security in place and can be trusted with their data and business. In order to stay effective in the ever-evol

In the world of Cyber Essentials, it is not enough to simply declare that a security control or process is in place. Saying, for example, “We patch our routers promptly” or “We update antivirus software regularly” does not explain how  these tasks are actually carried out, or what mechanisms are in place to ensure they are consistently completed. Understanding the distinction between stating what is done and describing how it is done  is critical for demonstrating effective c

Policy v's process logo When preparing for Cyber Essentials assessments , one of the most common pitfalls is confusion between policies and processes . Organisations often submit “policy answers” that describe what should happen, rather than clear “process answers” that explain how it happens. Understanding this distinction is key to achieving certification and demonstrating real cyber resilience. What Is a Policy? A policy is a formal statement of intent or a set of rule