The Cyber Essentials scheme has been developed as part of the UK’s National Cyber Security Programme and in close consultation with industry. It is now mandatory for central government contracts that involve handling personal information and providing certain ICT products and services.



Cyber Essentials Certification

Cyber Essentials Plus Certification


Quorum Cyber are approved by CREST as a Certifying Body (CB) for Cyber Essentials.  The scheme has been developed to fulfil two functions:

  • Provide a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats, within the context of the Government’s 10 Steps to Cyber Security.

  • Offer a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have effectively taken these essential precautions.

Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations can implement and build upon. Correctly implementing these measures can significantly reduce an organisation's cyber security risk exposure.

However, it does not offer a silver bullet and remove all cyber security risk; for example, it is not designed to address more advanced, targeted attacks and hence organisations facing these threats will need to implement additional measures as part of their security strategy.

What Cyber Essentials does do is define a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes.

Read our Public Sector Action Plan here.

Cyber Essentials concentrates on five key controls:


Boundary firewalls and internet gateways

These are devices designed to prevent unauthorised access to or from private networks, but correct set-up of these devices either in hardware or software form is important for them to be fully effective. 


Secure configuration

Ensuring that systems are configured in the most secure way for the needs of the organisation


Access control

Ensuring only those who should have access to systems, have access and at the appropriate level.


Malware protection

Ensuring that virus and malware protection is installed and is up to date. 


Patch Management

Ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.


Cyber Essentials is specifically designed for SMEs to help prevent the vast majority of cyber attacks. Even a simple virus or piece of malware could result in loss of company and client data, disrupt cash flow and take up staff time. An attack could also put off your customers, stop you trading and damage a hard-earned reputation. Loss of data could breach the Data Protection Act and the upcoming General Data Protection Regulation (GDPR) leading to fines or prosecution.

Having a Cyber Essentials badge will:

  • Protect your organisation against common cyber threats
  • Show your customers you take this issue seriously
  • Enable you to bid for Government contracts

Since October 2014 Cyber Essentials has been mandatory for suppliers of Government contracts which involve handling personal information and providing some ICT products and services. Holding a Cyber Essentials badge enables you to bid for these contracts.

There are two levels of badges that your organisation can apply for:


Cyber Essentials

Requires the organisation to complete a self-assessment questionnaire, with responses independently reviewed by an external certifying body.


Cyber Essentials PLUS

This covers the same requirements as Cyber Essentials but tests of the systems are carried out by an external certifying body using a range of tools and techniques.


The Cyber Essentials documents are free to download and any organisation can use them to put essential security controls in place. However, applying for a Cyber Essentials certificate will provide independent assurance that you have the protections correctly in place. You will also be able to display the Cyber Essentials badge to demonstrate to customers, partners and clients that you take cyber security seriously – boosting reputations and providing a competitive selling point.

Quorum Cyber Services

At Quorum Cyber we aim to make your route to certification simple, so we have developed a comprehensive approach to achieving the certification level you require.


Gap Analysis

  • Scope definition. First we host a conference call to discuss the assessment process and to determine the full scope of the engagement.
  • Gap Analysis. Next, we conduct a gap analysis exercise, to identify any issues that need to be remediated prior to applying for the Cyber Essentials and Cyber Essentials PLUS certifications.
  • Support. We can provide additional support, as agreed, for the remediation of the identified issues.

Cyber Essentials Certification

  • Questionnaire. We provide you with the Cyber Essentials questionnaire for completion and provide assistance as required to complete it.
  • Review. We review the answers provided to the questionnaire as your Cyber Essentials certification body.
  • External Assessment. We then carry out an in-depth security assessment of your external network infrastructure and any web applications.
  • Preliminary Report. Next, we provide a preliminary Cyber Essentials Report, highlighting any problem areas that must be remediated in order to achieve Cyber Essentials certification.
  • Remediation. You remediate any issues (with our help if needed) and resubmit new answers, within a 4 week time frame.
  • Re-Assessment. We then repeat the external assessment (if necessary) and review all updated answers to the questionnaire.
  • Final Report. Lastly, we provide a final report of activities including the assessment results and the Cyber Essentials certificate.


Cyber Essentials PLUS Certification

Achieving the Cyber Essentials certification is a prerequisite to achieving Cyber Essentials PLUS*

  • On-Site Assessment. One of our consultants carries out a security assessment at your offices to verify that your organisation complies with the Cyber Essentials PLUS standard.
  • Preliminary Report. Next, we provide a preliminary Cyber Essentials PLUS Report highlighting any problem areas that must be remediated in order to achieve Cyber Essentials PLUS certification.
  • Remediation. You remediate any issues (with our help if needed) and resubmit new answers, within a 4 week time frame.
  • Re-Assessment. We repeat the internal assessment if necessary.
  • Final Report. Lastly, we provide a final report of activities including the assessment results and the Cyber Essentials PLUS certificate.

*Note – once you have achieved Cyber Essentials certification, you have 90 days to achieve Cyber Essentials Plus certification. Failure to do this will require certifying to Cyber Essentials again.

Find out about our Public Sector Action Plan here.