Forensic Control

What are the Cyber Essentials certification requirements?

The certification requirements are extensive and can trip up IT novices. Forensic Control offers a comprehensive step-by-step certification service …



Cyber Essentials certification requirements

Congratulations on deciding to look into the Cyber Essentials and Cyber Essentials Plus qualifications. The average cost for micro and small businesses that lost data or assets after cyber security breaches in the UK leapt to £8,170 in 2021, pushing more businesses to start taking their IT security more seriously. These are some of the most widely recognised schemes in the UK to confirm cybersecurity credentials. The certification requirements are extensive and can trip up IT novices. Forensic Control offers a comprehensive service to ensure that your business passes the first time with minimal disruption to your employees.

Cyber Essentials involves you answering around 80 questions covering your technical controls against cyber security risks. The questions cover your firewalls (both those on the edge of your network and those built into your devices), the secure configuration of your devices, user access control, how you protect against malware, and the updating (patching) of your systems. The assessment and certification should cover the entire IT infrastructure of your business, which will be clearly defined before work begins.

The requirements apply to all the devices and software that are within the boundary of the scope and that meet any of these conditions:

  • can accept incoming network connections from untrusted internet-connected hosts; or
  • can establish user-initiated outbound connections to devices via the

internet; or

  • control the flow of data between any of the above devices and the internet.

Detailed requirements of the scheme can be found in Cyber Essentials: Requirements for IT infrastructure v3.0.

Within the questionnaire itself, we supply detailed guidance, including example ‘model’ answers and unlimited help to assist you with your responses. If you discover that any part of your IT infrastructure isn’t up to code at this point, we can help you to make the necessary changes before testing takes place. Once you’ve completed all the questions and we’re happy that you’re compliant, a director/board level equivalent within your organisation will need to sign off your answers as accurate. We’ll then mark your answers and issue your Cyber Essentials certificate.

You can then progress on to Cyber Essentials Plus, which audits your responses to the Cyber Essentials questionnaire by assessing a representative sample set of your computers and phones. It checks that your anti-malware works effectively and includes a vulnerability scan against your router/firewall. It also verifies that operating systems and apps have been updated to protect against the latest threats – this is done remotely via the temporary installation of vulnerability scanning software and desktop/mobile screen sharing. We run test scans to ensure that each selected device is compliant before the assessment date.

Speak to our experts

We walk you through every step of the certification process, and as long as you make any required changes, we won’t let you fail.

Related content

As computer forensics experts we are bound to abide by the ACPO Principles of Digital Based Evidence, ACPO being the Association of Chief Police Officers. ACPO provides a set of Guidelines for Computer Based Evidence, and they come with a suite of four essential principles. Here they are.
Computer forensics, sometimes known as digital forensics, is undertaken by trained examiners who pull data (search histories, purchase records, time logs and more) from devices including, but not limited to: computers, tablets, and smartphones.


Sign up here if you wish to receive updates and news from Forensic Control by email. We will not send you anything else and you may end the subscription at any time.

By providing your email address, you agree to receive marketing
messages as per our Privacy Policy