Cyber Essentials Flashcards

(42 cards)

1
Q

What is Cyber Essentials and why does it exist?

A

It’s a UK government-backed certification that establishes a baseline of cybersecurity against common attacks. It builds customer trust and demonstrates that the organization meets minimum technical safeguards.

2
Q

What are the two levels of Cyber Essentials certification?

A

Cyber Essentials — Self-assessment against core controls.

Cyber Essentials Plus — Includes independent technical audit and vulnerability testing.

3
Q

What must be clearly defined in the scope of certification?

A

The boundary of certification, including all in-scope IT assets — such as devices, servers, cloud services, remote endpoints, and internet-facing systems.
All must comply with Cyber Essentials controls.

4
Q

What are the key Cyber Essentials requirements for firewalls?

A

Protect all internet-facing devices.

Change all default passwords.

Allow only necessary ports and services.

Use IP allowlisting for trusted connections.

Block unauthenticated inbound traffic.

Enforce MFA for cloud admin panels.

5
Q

What defines secure configuration in Cyber Essentials?

A

Remove unused accounts/software.

Change default credentials.

Enforce strong passwords and disable auto-run.

Authenticate all access.

Regularly review settings and secure new devices before deployment.

6
Q

What are the core principles of user access control under Cyber Essentials?

A

Approve and document all new accounts.

Remove inactive accounts.

Separate admin and user roles.

Enforce MFA for all logins.

Apply least privilege and unique credentials.

Audit permissions regularly.

7
Q

How must organizations protect against malware?

A

Use up-to-date anti-malware software with web and email scanning.

Prevent unauthorized software installations.

Maintain allowlists.

Protect IoT and cloud systems.

Update malware tools daily (or as required).

8
Q

What are the patching and update requirements?

A

Only use supported, licensed software.

Remove outdated applications.

Automate updates where possible.

Apply critical/high-risk patches (CVSS ≥7) within 14 days.

Track patch coverage and compliance across all devices.

9
Q

What documentation is needed for Cyber Essentials certification?

A

Asset inventories, access logs, patch records, and configuration baselines.

For Cyber Essentials: complete the self-assessment.

For Cyber Essentials Plus: support external audit and vulnerability scans.

10
Q

How should organizations maintain compliance after certification?

A

Integrate controls into daily IT operations.

Review and update regularly as threats evolve.

Train users and prepare for annual recertification.

Act swiftly on audit findings or failed controls.

11
Q

Why is communication important in Cyber Essentials?

A

Builds executive and staff buy-in.

Ensures everyone understands password, phishing, and device security expectations.

Embeds secure practices into onboarding, training, and everyday processes.

12
Q

What’s the ultimate goal of Cyber Essentials?

A

To create a culture of baseline cyber hygiene that protects organizations from common threats, supports customer confidence, and demonstrates responsible cyber governance.

13
Q

How does asset management support Cyber Essentials compliance?

A

While not a standalone control, effective asset management is crucial for tracking and controlling all devices and software in scope. Good asset management enables the organization to quickly identify which IT assets need to comply, makes deployment of updates and controls easier, and reduces risks related to unauthorized or unknown devices.

14
Q

What is the importance of defining the physical and network boundary in Cyber Essentials scope?

A

Clearly establishing the physical locations, business units, and network segments that are managed ensures that all in-scope devices and services, whether at a single site, across multiple offices, or on remote/home worker devices, are covered by Cyber Essentials controls, leaving no gaps in security coverage.

15
Q

How is Bring Your Own Device (BYOD) addressed in Cyber Essentials?

A

All user-owned devices accessing organizational data or services must be in scope, except devices exclusively used for basic telephony, SMS, or MFA applications. BYOD increases complexity as controls must be implemented on less standardized devices, so policies and technical controls are needed to ensure compliance.

16
Q

How does Cyber Essentials cover home and remote working?

A

All corporate or BYOD devices used for home or remote work are in scope. If a company-supplied router is provided, it’s in scope; otherwise, software firewalls must be active on devices. If a remote worker connects via corporate VPN, the firewall boundary moves to the organizational firewall.

17
Q

Which wireless devices fall in scope for Cyber Essentials?

A

Wireless access points communicating via the internet are in scope. Home/remote location routers provided by the org are in scope, but ISP-owned customer routers are not. Wireless devices that can’t be attacked directly over the internet are excluded from scope.

18
Q

What is the responsibility regarding cloud services in Cyber Essentials?

A

If using cloud services to process/store data, these must be included in scope. The applicant is responsible for ensuring all relevant controls are implemented—sometimes directly, sometimes by ensuring proper contractual commitments from cloud providers.

19
Q

Who typically implements firewall controls for cloud services (IaaS, PaaS, SaaS)?

A

For IaaS: both organization and provider. For PaaS: provider or sometimes the org. For SaaS: provider implements. Still, the applicant must ensure controls are present by policy or contract.

20
Q

How should accounts used by third parties or MSPs be managed under Cyber Essentials?

A

Accounts owned by the organization, even if used by external admins, are in scope and must comply. The organization must ensure that outsourced service providers maintain all technical controls, with evidence provided during assessment.

21
Q

What is required for devices loaned to third parties?

A

Devices owned by the organization and given to volunteers, contractors, or similar parties must be included in the scope. For third-party-owned devices accessing services, responsibility lies with the organization to require and monitor correct configurations.

22
Q

How are web applications treated in Cyber Essentials?

A

Public, commercial web applications used by the organization are in scope by default; custom-built or in-house code is not. Security depends on the developer—organizations are encouraged to use best practice like the OWASP ASVS for resilience.

23
Q

What is the key aim of the firewall control?

A

To ensure only necessary and secure network services are accessible from the internet, and to restrict all unauthenticated inbound connections by default, thereby reducing the attack surface.

24
Q

What are software firewalls and when are they required?

A

A software firewall is installed on the device itself (e.g., Windows Firewall). When a device operates on untrusted or public networks, a software firewall is required on that host if the network boundary can’t be controlled by the organization.

25
Q

What additional steps should be taken when configuring firewalls?

A

Default admin passwords must be changed, remote admin interfaces must not be exposed to the internet unless vital (and even then secured by MFA or IP allowlisting), all inbound rules must be documented with a business justification, and redundant rules should be removed.

26
Q

What is the principle behind secure configuration control?

A

Devices and services should be provisioned with only essential features; unnecessary accounts, services, and applications should be removed, default passwords changed, and auto-run features disabled to reduce exploitable vulnerabilities.

27
Q

What credential requirements exist for device unlocking?

A

Devices requiring physical presence for logon (e.g., laptops) must have credentials (biometric, PIN, or password) set and protected against brute-force attacks (e.g., attempt throttling or automatic lockout after repeated failures), with a minimum of six characters for passwords or PINs.

28
Q

How must organizations manage account lifecycle under Cyber Essentials?

A

The organization must have processes to approve and create accounts, assign unique credentials, regularly review privileges, promptly disable or remove inactive or unnecessary accounts, and strictly segregate admin roles from standard user roles.

29
Q

What evidence of compliance may be required for user access controls?

A

Documentation of account approval processes, password and MFA enforcement, logs showing account creation, modification, and deactivation, and proof that permissions and admin privileges are reviewed and limited.

30
Q

What are the rules for password-based authentication?

A

Passwords must be at least 12 characters (or 8 characters when a deny list blocks common passwords); password managers must be supported; no forced complexity or expiry; account lockout or throttling on failed logon attempts; and a prompt change procedure if compromise is suspected.

31
Q

What is multi-factor authentication (MFA) and where must it be used?

A

MFA requires at least two forms of proof (something you know, have, or are). It’s mandatory for all admin, cloud, and remote accounts accessible via the internet, preferably using non-SMS second factors such as apps, physical tokens, or biometrics.

32
Q

What is passwordless authentication and what are examples?

A

Authentication methods that don’t rely on user knowledge (no password memorization), including biometrics, hardware tokens (FIDO/security keys), one-time codes, or app-based push approvals. These avoid the replay and phishing risks associated with passwords.

33
Q

Why is it dangerous to combine admin and user activities in one account under Cyber Essentials?

A

Using a privileged/admin account for email or web access exposes that account to more malware and phishing threats. Separation reduces the risk that malware will execute with elevated rights if a non-admin account is compromised.

34
Q

What is application allowlisting and why is it powerful for malware protection?

A

Only pre-approved, signed applications can run, blocking installation or execution of unauthorized or potentially malicious software. The organization maintains a current list and prevents users from installing unsigned or unverified apps.

35
Q

What are vendor patching requirements for in-scope software?

A

All in-scope software must be supported (not end-of-life), have patches applied within 14 days for “critical” or CVSS ≥7 vulnerabilities, and be configured for automatic updates where possible.

36
Q

How should organizations manage third-party updates (e.g., for plugins/extensions)?

A

Plugins, extensions, and add-ons must be maintained with the same rigor as other software. When unsupported, they must be removed or isolated from internet connectivity, and update policies documented.

37
Q

What are examples of “malware protection mechanisms” that meet Cyber Essentials requirements?

A

These include anti-malware/endpoint security software, application allowlisting, or a managed application store if it reliably screens for malicious apps. The mechanism must actively prevent execution of, or access to, known malware.

38
Q

Why is regular data backup strongly recommended (though not required) in Cyber Essentials?

A

Backups ensure that critical data can quickly be restored in case of ransomware, malware infection, or accidental deletion. Frequent, automated cloud or physically detached backups offer resilience beyond the technical controls.

39
Q

What are the main considerations for achieving Cyber Essentials with a zero-trust architecture?

A

Zero-trust removes implied network trust, requiring strong authentication, granular authorization, device health checks, and continuous verification of access requests. Though not mandated, Cyber Essentials controls fully support zero-trust if properly implemented.

40
Q

How is scope defined regarding IaaS, PaaS, and SaaS in cloud environments for Cyber Essentials?

A

The organization is ultimately responsible for control compliance, directly or contractually. For IaaS, more controls are managed by the client; for PaaS and SaaS, more are managed by the provider, but the organization must still ensure secure configuration and access management.

41
Q

What special requirements apply to corporate routers for remote/home workers?

A

If the router is supplied by the organization, it is in scope and must comply (e.g., secure admin credentials, firewalls enabled/sample policies). If not, the workstation must run a compliant software firewall.

42
Q

How does Cyber Essentials treat the security of web-facing applications differently from general IT infrastructure?

A

While COTS (commercial off-the-shelf) web apps are in scope, bespoke in-house developed apps are not. Organizations are encouraged, but not required, to adopt best-practice frameworks, such as OWASP ASVS, to secure their own web application code.