Cyber Essentials (CE) is the UK government‑backed baseline for stopping common, internet‑originating attacks.
It comes in two levels – Cyber Essentials (self‑assessment, board sign‑off) and Cyber Essentials Plus (the same controls, plus independent testing) – and certification renews annually.
In a government‑commissioned study, 99% of internet‑originating vulnerabilities were mitigated when CE controls were in place, while none were mitigated without them.
Most organizations also report increased confidence that the controls protect against common threats and reduce risk.
If you sell into the UK public sector, CE also shortens the paper chase. 48% of buyers report time savings in supplier due diligence when a bidder holds CE, rising to 59% with CE Plus.
What Cyber Essentials Covers
CE focuses on five technical control areas that stop the vast majority of commodity attacks.
The current standard is v3.2 (Willow). You can download it directly from the NCSC: Cyber Essentials Requirements for IT Infrastructure v3.2 (PDF) and the IASME page for the latest question set and resources.
Firewalls: Configure to block unauthenticated inbound connections by default, restrict/approve rules, protect admin interfaces (e.g., MFA, IP allow‑lists). Devices used on untrusted networks must enable a software firewall.
Secure Configuration: Remove/disable unnecessary accounts and services; change defaults; disable auto‑run; enforce device locking and proper authentication.
User Access Control: Use unique credentials, remove accounts promptly, separate admin from standard use, and always use MFA for cloud services.
Malware Protection: Implement either anti‑malware (kept up to date per vendor guidance, on‑access scanning, web blocking) or application allow‑listing.
Security Update Management: Keep software licensed/supported. Enable auto‑updates where possible, and apply security updates within 14 days when critical/high (or when severity isn’t specified). Remove or isolate unsupported software.
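As an added illustration (not part of this article and not Heimdal's code), the following Python snippet applies the Security Update Management rule above to a constructed patch inventory: critical, high, or unrated security updates must be applied within 14 days of release, and unsupported software is flagged for removal or isolation. The `Update` record, its field names, and the sample entries are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials rule from the control above: critical/high (or unrated)
# security updates must be applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)
MANDATED_SEVERITIES = {"critical", "high"}


@dataclass
class Update:
    package: str
    severity: Optional[str]   # None when the vendor gave no rating
    released: date
    applied: Optional[date]   # None while the update is still pending
    supported: bool = True    # False when the vendor no longer issues fixes


def in_scope(u: Update) -> bool:
    """The 14-day window applies to critical/high and to unrated updates."""
    return u.severity is None or u.severity.lower() in MANDATED_SEVERITIES


def assess(u: Update, today: date) -> str:
    """Classify one update against the CE patch requirement."""
    if not u.supported:
        return "unsupported"          # remove or isolate this software
    if not in_scope(u):
        return "out-of-scope"         # CE does not mandate a deadline here
    deadline = u.released + PATCH_WINDOW
    if u.applied is not None:
        return "compliant" if u.applied <= deadline else "late"
    return "pending" if today <= deadline else "overdue"


def report(updates, today: date) -> dict:
    """Map each package to its CE status; 'overdue' and 'late' are findings."""
    return {u.package: assess(u, today) for u in updates}


# Constructed sample inventory (hypothetical packages and dates, not real data)
SAMPLE = [
    Update("openssl", "critical", date(2025, 3, 1), date(2025, 3, 10)),
    Update("browser", "high", date(2025, 3, 10), date(2025, 3, 28)),
    Update("pdf-reader", None, date(2025, 3, 20), None),
    Update("office-suite", "critical", date(2025, 3, 5), None),
    Update("vpn-client", "medium", date(2025, 3, 1), None),
    Update("legacy-db", "high", date(2024, 6, 1), None, supported=False),
]

if __name__ == "__main__":
    for pkg, status in report(SAMPLE, date(2025, 3, 31)).items():
        print(f"{pkg:14} {status}")
```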
Why It Matters and Does It Actually Work?
Many organizations say building to CE forced practical hygiene – like instituting the 14‑day patch window – into everyday operations. But beyond operational benefits, the measurable impact is significant.
The government’s 2024 Impact Evaluation confirms CE’s effectiveness:
Risk Reduction: 99% mitigation of internet‑originating vulnerabilities when controls are in place
Confidence: 82% believe the controls protect against common threats; 80% say they help mitigate organizational risk
Supply‑Chain Advantages: CE is widely used for supplier assurance. Just under half of users (48%) save time on due diligence when a bidder has CE, rising to 59% for CE Plus
Getting Certified Without the Headache
The certification process follows these key steps:
Choose Your Level: CE (self-assessment with board sign-off) or CE Plus (same controls plus independent testing)
Scope Correctly: Agree the boundary, including cloud services. In CE, even where a provider implements a control, you’re responsible for assuring it. MFA must always be used for cloud services.
Collect Evidence as You Go: Document patch and asset lists, firewall rule approvals, MFA settings, admin account separation, and anti‑malware/allow‑listing configuration.
Renew Annually: Keep up with the standard (currently v3.2 “Willow”) and maintain your certification.
For additional guidance, leaders can reference the NCSC’s Board Toolkit and Small Business Guide.
How Heimdal Helps with CE – and Makes Audits Easier
Your objective is twofold: meet each requirement and prove it cleanly. Heimdal helps on both fronts with a One Agent deployment model, unified visibility, and optional 24/7 Managed SOC.
Firewalls: While boundary devices stay in scope, endpoints still need protection on untrusted networks. Heimdal adds DNS‑layer blocking and endpoint telemetry you can surface during assessment.
Secure Configuration: Use Privilege Elevation & Delegation Management (PEDM) to enforce least privilege and Patch & Asset Management (PAM) to remove vulnerable/unused software and harden baselines at scale.
User Access Control: Enforce segregation of admin activity with PEDM and policy. CE requires MFA for cloud access – document this across your SaaS estate and capture proof in your audit pack.
Malware Protection: Deploy NGAV + XTP with on‑access scanning and web blocking. If you choose allow‑listing, pair it with Application Control / Zero‑Trust.
Security Update Management: PAM automates OS and third‑party patching against your 14‑day SLA and inventories unsupported software.
Evidence and Reporting: If you prefer to centralize evidence, Heimdal’s platform provides reporting that helps you demonstrate control status (e.g., patch SLAs, endpoint posture, DNS blocks).
For Public Sector Bidders
Policy is governed by PPN 014, which replaced PPN 09/23 in February 2025 for all procurements. It basically says “include CE/CE Plus where it makes sense for the risk level.”
Use CE as your qualification signal – it’s widely recognized and speeds up due diligence for everyone. The government’s Impact Evaluation confirms those 48%/59% time savings we mentioned earlier.
What CE Doesn’t Do (And Why That’s Fine)
CE raises the floor, not the ceiling. It won’t stop nation-state hackers or sophisticated targeted attacks. Think of it as your foundation – then layer on detection, response, backups, and incident planning based on your actual risk profile. The NCSC calls it a minimum standard for good reason.
Ready to Get Started?
Heimdal’s One Agent approach covers NGAV + XTP, DNS Security, PAM, and PEDM – giving you broad CE coverage with fewer moving parts and centralized audit evidence: