Cyber Essentials Requirements

Understand the requirements to become Cyber Essentials Accreditated. Cyber Essentials is the basic level accreditation from the NCSC for Cyber Security.

Recieve a UK Government recognised Security Accrediation for your business

Be listed on a Government Directory of organisations awarded Cyber Essentials

Attract new business with the promise you have cyber security measures in place

Cyber Essentials Certifying Body

Pentest People are a Cyber Essentials Certifying Body and can help you at all stages of your Cyber Essentials accreditation journey.

Cyber Essentials (Stage 1) Requirements

Cyber Essentials LogoThe initial level of Cyber Essentials certification has two specific requirements and both of these are performed remotely with no need for an onsite visit to your business premises.

The first requirement is the Self Assessment Questionaire. This is a form based questionnaire that is delivered through SecurePortal. The questionnaire covers the five technical controls of Cyber Essentials. The initial part of the questionnaire is to provide organisation details, technology in scope and details about the remote vulnerability scan for public-facing infrastructure. The next section is based on technical questions that cover the configuration of your corporate network.

The questionnaire is split into the following sections:

  • Firewalls – 8 Questions
  • Secure Configuration – 18 Questions
  • Access Control – 9 Questions
  • Malware Protection – 9 Questions
  • Patch Management –  8 Questions

You are assessed against the answers to your questionnaire and each individual section requires a score of 70% in order to pass and be able to continue to the remote vulnerability scan.

The second requirement is the Remote Vulnerability Scan. Using the information provided in the self-assessment questionnaire, an infrastructure vulnerability scan is performed against the hosts as well as a web security scan against the web applications.

The results of these vulnerability scans are scored against an NCSC provided flowchart and any High-level vulnerabilities identified and classed as CVSS 7.0 or above would result in a fail.

As long as a passing result is obtained from both the self-assessment questionnaire and the remote vulnerability scan, the customer is awarded Stage 1 certification against the Cyber Essentials standard. The customer is provided with a certificate and associated use of the logo.

How can we help?

Pentest People are a Cyber Essentials Certifying Body and can perform and accredit you to both Stage 1 and Stage 2 of Cyber Essentials.

As well as the certification, Pentest People can also offer consultancy services including a GAP analysis against the 5 technical controls to ensure that you have adequate controls in place before you undertake a paid Stage 1 assessment.

Download the CREST Cyber Essentials Guide

More information about Cyber Essentials can be found on the NCSC Cyber Essentials Homepage.


Find Out More Now!

Penetration Testing

IT Security and the associated terminology is a mainstream issue for all businesses due to the reliance business places on its IT systems combined with the prevalence of attacks. Various forms of compliance exist that mandate regular Penetration Testing as a standard and the risks of not doing anything are widely publicised.

Key Benefits

  • Reassure your existing and potential customers that you take cyber-security seriously
  • Attract new business with the promise you have cyber-security measures in place backed up with a recognised accreditation
  • Be able to remediate any identified vulnerabilities within your organisations network infrastructure
  • Have the confidence that you are protected from the most common cyber-security risks within your organisation

Frequently Asked Questions

  • What is the Cyber Essentials Scheme?

    Cyber Essentials is a scheme led by the UK Government to help organisation protect themselves against common cyber-security threats. There are two levels of certification that both demonstrate an ability to implement technical controls relating to information security.

  • What is the difference between Cyber Essentials and Cyber Essentials Plus?

    Cyber Essentials is Stage 1 and consists of a Self Assessment Questionnaire and external vulnerability assessment of your Internet-facing infrastructure.


    Cyber Essentials Plus is Stage 2 an extends Stage 1 by performing an onsite assessment of security controls including an internal authenticated scan of your workstations and mobile devices.

  • How long does certification take?

    New FAQ : Answer

  • What do we receive once certified?

    When you have undertaken your assessment and met all of the requirements of Cyber Essentials or Cyber Essentials plus you will receive the following:

    • An official PDF of your Cyber Essentials Certificate.
    • A compliant report detailing all findings from the assessment along with any recommendations where appropriate.
    • High-resolution Cyber Essentials logos along with branding guidelines on how to use the logos on your website and marketing materials.
    • Your organisation will be listed on the Government Website that shows your level of certification.