This page brings together the key dates and documents relating to the UK Governments Cyber Essentials Scheme. Where possible links are to the National Archives versions of the historic government websites.
When reviewing historic documents care should be taken to understand how the scheme was organised and run prior to 2020.
The scheme originated in the 2011 UK Cyber Security Strategy which mentioned encouraging the development of a cyber 'kite-mark'. A consultation in 2013 was carried out and concluded that no existing cyber standard would meet their requirements - a new one would therefore need to be created.
Shortly before launch it was reported in multiple outlets that it would be a 3-tier scheme:
- Bronze – A self assessed tier
- Silver – An independently verified test
- Gold – An independently verified test with an accompanying audit
However this did not materialise and Cyber Essentials started as the same two tier system we have today.
At launch in 2014 HM Government published a summary of the standard, a set of requirements and an assurance framework.
After these 3 documents were published by the Government a minor revision was noted in the Assurance Framework in January 2015 where "the option for an organisation to be both an Accreditation Body and a Certification Body" was removed. No futher updates to these files were found.
Alongside these publications, CESG (the forerunner to NCSC) published two documents, the Cyber Essentials Common Questionnaire and Cyber Essentials PLUS Common Test Specification.
Accreditation Bodies took these documents and adapted them. These bodies then appointed Certification Bodies who would carry out the assessments. This can lead to confusion as there were subtly different interpretations of the standard across Accreditation Bodies - a point noted in the 2016 DCMS report.
Between 2016 and 2020 the Requirements document moved from PDF format to a webpage. Unfortunately this page is not versioned so will be referred to by date. The Common Questionnaire does not appear to be updated during this period but the archived QG website contains updates. It is unclear whether these updates came from NCSC or were operational decisions made by QG as an Accreditation Body.
In 2020 the Accreditation Bodies were dropped and IASME became the sole Delivery Partner. The NCSC now publish two documents - Cyber Essentials: Requirements for IT infrastructure and Cyber Essentials Plus: Illustrative Test Specification. IASME now publish a Self-Assessment booklet and the Questionnaire.
| Term | Definition |
|---|---|
| Accreditation Body | An organisation that develops the certification tests |
| Certification Body | An organisation that can carry out an assessment |
| Date | Event | Links |
|---|---|---|
| 25 November 2011 | UK Government publishes Cyber Security Strategy which mentioned "encouraging the development of security ‘kitemarks’" | Cyber Security Strategy Policy Paper |
| 2012 | 10 Steps to Cyber Security is published | 10 Steps to Cyber Security Executive Companion |
| March 2013 | Government starts consulation on new standard | Cyber security organisational standards: a call for views and evidence (BIS/13/659) |
| 23 April 2013 | Government publishes cyber security guide for small businesses | Small Businesses: What you need to know about cyber security |
| November 2013 | Government publishes response to March 2013 consultation calling for new standard | Consultation outcome / Call for evidence on a preferred standard in cyber security: government response |
| 26 November 2013 | Government publishes research from PWC on UK cyber security standards | Research abstract / UK cyber security standards: research report (BIS/13/1294) |
| 12 December 2013 | Francis Maude MP speech - "we are developing an industry-led kite mark-style standard for cyber security," " next year all central government departments will be expected to adopt this standard for their own procurement" | Speech on second anniversary of the Cyber Security Strategy |
| May 2014 | New standard reportedly may have "Gold, Silver and Bronze Tiers" | IT Governance - Is the standard of your organisation’s IT Security Bronze, Silver or Gold? / HMG Cyber Essentials Scheme |
| 6 June 2014 | Cyber Essentials scheme launches with 2 Accreditation Bodies - CREST and IASME | IT Governance - 10 Facts About the Cyber Essentials Scheme |
| September 2014 | QG becomes third Accreditation Body | Cyber Essentials has a third Accreditation Body |
| 25th September 2014 | Cabinet office release policy on "how to use the Cyber Essentials scheme" for procurement | Original version / Revised version from 2016 |
| 3 October 2016 | NCSC created, replacing CESG and others | National Cyber Security Strategy 2016, p29 |
| 21 December 2016 | DCMS publish research into the adoption of CE | Cyber Essentials Scheme – process evaluation and communications testing |
| 26 November 2017 | NCSC Blog post about "the future of Cyber Essentials" | The future of Cyber Essentials - A look at our roadmap for the scheme |
| 27 November 2017 | Chris Ensor blog post about the history of Cyber Essentials | A brief history of Cyber Essentials |
| 21 June 2019 | NCSC Blog post announcing the future of the scheme with intention to have a single Devliery Partner | Cyber Essentials Blog The Bare Essentials |
| 7 October 2019 | IASME win 5 year contract to be sole CE Delivery Partner | NCSC - Announcing IASME Consortium as our new Cyber Essentials Partner / News article - What Does This Mean? |
| 1 April 2020 | IASME become sole Delivery Partner for CE | Announcement / NCSC Blog Post / IASME Blog Post on NCSC website |
| 22 June 2023 | Report on December 2022 evaluation of CE by DSIT | Cyber Essentials scheme process evaluation / News Article - Companies Call for Changes to UK’s Cyber Essentials Scheme |
| Accreditation Body | Homepage | List of Certification Bodies |
|---|---|---|
| APMG | 2018 CE Homepage | n/a |
| CREST | 2018 CE Homepage | 2018 Certification Bodies |
| IASME | 2018 CE Homepage | 2018 Certification Bodies |
| IRM Security | 2019 CE Homepage | see archived homepage |
| QG Management Standards | 2018 CE Homepage | 2018H2 Certification Bodies / 2018H1 / 2016 |
NOTE: The QG Certification Bodies links also contain links to their CE Questionnaires in MS Word format
One of the key differences of approach to Cyber Essentials between 2014-2020 was the number of questions in the questionnaire.
Key:
- F - Firewalls (pre-2017 Boundary Firewalls and Internet Gateways)
- SC - Secure Configuration
- UAC - User Access Control
- MP - Malware Protection
- SUM - Security Update Management (pre-2017 Patch Management)
| Accreditation Body | Version/Date | F | SC | UAC | MP | SUM | Total | Notes |
|---|---|---|---|---|---|---|---|---|
| APMG | 20/11/2017 | 40 | ||||||
| Crest | 29/08/2017 v3.0 | 9 | 18 | 9 | 9 | 8 | 53 | Questions are numbered 1-52 but 8 and 8a are considered as two distinct questions |
| Crest | 07/09/2017 v3.1 | 9 | 18 | 9 | 9 | 8 | 53 | See notes for version 3.0 |
| IASME | 05/2018 v10.5 | 12 | 10 | 11 | 6 | 6 | 45 | Amwell IS branded version |
| IASME | 02/2019 v11 | 12 | 10 | 11 | 6 | 6 | 45 | First version to number questions as A2.1, A2.2 etc instead of numbers 1-45 |
| IASME | 03/2020 v11b | 12 | 10 | 11 | 6 | 6 | 45 | |
| IASME | 08/2020 v11c | 12 | 10 | 11 | 6 | 6 | 45 | |
| QG | 2014 | 7 | 8 | 7 | 7 | 5 | 34 | Unknown version but URL is dated 2014. Provides guidance on the answers |
| QG | 20/02/2016 Issue 5 | 7 | 8 | 7 | 7 | 5 | 34 | |
| QG | 06/02/2018 v1.050 | 7 | 9 | 7 | 9 | 3 | 35 | 3 Questions from SC are broken out into a specific password section |
This section includes some important information such as how certification bodies could apply to the accreditation bodies, what requirements were imposed on them, and fees. Links to archived lists of certification bodies are also included.
| Accreditation Body | Date | URL |
|---|---|---|
| APMG | unknown | Become a Cyber Essentials Certification Body / Internet Archive |
| CREST | 2016 | CREST certifying bodies by region |
NOTE: IASME became sole Delivery Partner in 2020, replacing the Accreditation Bodies
| Year | Codename | Version | Date | Notes |
|---|---|---|---|---|
| 1 | n/a | 2014 | June 2014 | Released as 3 documents: Summary, Requirements and Assurance Framework |
| 2.2 | Beacon | 2021 | 26th April 2021 | First codename version |
| 3.0 | Evendine | 2022 | April 2022 | n/a |
| 3.1 | Montpellier | 2023 | 24th April 2023 | n/a |
These are the original Cyber Essentials scheme documents. According to Cyber Essentials – A Pocket Guide by Alan Calder, IT Governance Publishing, 2014 there were originally three documents that comprised the scheme:
| Date | Document (clickable link) |
|---|---|
| June 2014 | Cyber Essentials Scheme: Summary / alt link 1 / alt link 2 |
| June 2014 | Cyber Essentials Scheme: Requirements for basic technical protection from cyber attacks |
| June 2014 | Cyber Essentials Scheme: Assurance Framework |
The test specifications for Cyber Essentials and Cyber Essentials Plus were also published in 2014
| Date | Document (clickable link) |
|---|---|
| 23 September 2014 | Cyber Essentials Common Questionnaire v1.1 / alt link 1 / alt link 2 |
| 20 October 2014 | Cyber Essentials PLUS Common Test Specification V1.2 / alt link 1 / alt link 2 |
The following is the only update that was found published based on the original document set.
| Date | Document (clickable link) | Notes |
|---|---|---|
| January 2015 | Cyber Essentials Scheme: Assurance Framework / alt link | "only change [...] is the removal of the option for an organisation to be both an Accreditation Body and a Certification Body" |
In 2017 the Requirements for basic technical protection from cyber attacks PDF document was withdrawn and replaced by a webpage. The What's New provides a decent overview of the changes but fails to mention the removal of alternative controls. The original version of the document stated at the top of page 4:
"Where a particular control cannot be implemented for a sound business reason (e.g. is not practical or possible) alternative controls should be identified and implemented."
Although alternative controls have been dropped from the Requirements, they are still present in at least the QG implementation of the scheme where there is a statement:
"Take steps as necessary to ensure that your organisation meets every requirement, throughout the scope you have determined. If you can’t, highlight any compensating controls you have put in place to mitigate the risk."
| Date | Document (clickable link) |
|---|---|
| 06 February 2017 | Requirements for IT Infrastructure |
| 06 February 2017 | Threats in scope (Cyber Essentials scheme) |
NOTE: The Requirements for IT Infrastructure appear to be static from this point until IASME are appointed sole Delivery Partner. The 2020 version of the page has an identical What's New section.
| Accreditation Body | Date | Document (clickable link) |
|---|---|---|
| APMG | 24 September 2018 | A guide to the Cyber Essentials Self-Assessment Questionnaire / Internet Archive |
| APMG | 20 November 2017 | Cyber Essentials Illustrative Questionnaire / Internet Archive |
| APMG | no date | Your Guide to the Cyber Essentials Questionnaire / Internet Archive |
| IASME | March 2017 | Self-Assessment Preparation Booklet 10.5 |
| QG | 25th July 2017 | Reqirements for IT Infrastructure BIS 14/696/1.2 |
| QG | July 2017 | 7Elements Cyber Essentials Questionnaire v1.050 |
| QG | 2017 | IndelibleData Cyber Essentials Questionnaire v1.050 |
| Document | Date | Version (clickable link) |
|---|---|---|
| Self-Assessment Preparation Booklet | April 2021 | Beacon |
Notable update: On licensed software the statement clarifying what licensed and supported means. The key statement is "The vendor must provide the future date when they will stop providing updates." link to blog post
| Document | Date | Version (clickable link) |
|---|---|---|
| Self-Assessment Preparation Booklet | April 2022 | 11d |
| Self-Assessment Preparation Booklet | July 2022 | 13a |
| Document | Date | Version (clickable link) |
|---|---|---|
| Self-Assessment Preparation Booklet | January 2023 | 14 |
| Document | Date | Version (clickable link) |
|---|---|---|
| Cyber Essentials: Requirements for IT Infrastructure | August 2020 | Version 2.1 |
| Cyber Essentials: Requirements for IT Infrastructure | April 2021 | Version 2.2 |
| Cyber Essentials: Requirements for IT Infrastructure | November 2021 | Version 3 |
| Cyber Essentials: Requirements for IT Infrastructure | April 2023 | Version 3.1 |
| Document | Date | Version (clickable link) |
|---|---|---|
| Cyber Essentials Plus: Illustrative Test Specification | April 2020 | Version 2.0 |
| Cyber Essentials Plus: Illustrative Test Specification | January 2022 | Version 3.0 |
| Cyber Essentials Plus: Illustrative Test Specification | April 2023 | Version 3.1 |
The intention from version 1 was that the scheme would become mandatory for Government suppliers. From the Questions section in the June 2014 Summary document:
- Will this be mandated by government?
Government will require all suppliers bidding for certain contracts which are assessed as higher risk to be Cyber Essentials certified. This is likely to include ICT and personal and sensitive information handling contracts.
"Cyber Essentials is for all organisations of all sizes, and in all sectors. We are making the scheme mandatory for central government contracts advertised after 1 October 2014 which involve handling personal information and providing certain ICT products and services."
The above collection of links and dates were collected as part of a Master's Thesis for the award of MSc Cyber Security from University of Strathclyde in 2023. The thesis can be downloaded in PDF format from the University of Strathclyde PurePortal.
In the thesis 17 recommendations are made - the high level recommendations are listed below.
- Revert back to insisting on screen grabs for evidence, with guidance on what is acceptable evidence
- Revert back to allowing compensating controls to mitigate risk when requirements can’t be met
- Implement a second Delivery Partner to focus on large organisations or organisations who need greater assurance. Let IASME continue to work with SMEs
- If Active Directory is used then the entire AD Domain should be included when defining a sub-set
- If a VLAN is used to define a sub-set ensure inter-VLAN routing is disabled or, if not, that a firewall is in place
- A full review of the question set should be undertaken to see if parts can be simplified or consolidated – in particular the password management for firewalls questions could be moved into the Secure Configuration category
- Where documentation is presumed to exist, as in A5.8 “do you have a documented password policy,” ask to see it instead of just accepting yes as an answer
- If the organisation or sub-set has more than 500 devices then a management tool should be used to configure the security controls
- If the organisation or sub-set has more than 500 devices then screenshots and an explanation of how the management tool configures the controls should be provided to the assessor
- If a management tool is used within a sub-set then all devices connected to that instance of the management tool should be considered part of the same sub-set
- Software firewalls on laptops should be checked to ensure they are on and correctly configured
- Use stop-and-go sampling to reduce the sample size when the management tool backs up initial findings
- NCSC should ensure that the Delivery Partner publish the actual test specification
- NCSC should follow the lead of the PCI Council and ISO 27001 in running two versions of the scheme concurrently – the newer version being best practice until the retirement of the old version
- Create Internal Assessors using the existing IASME coursework and exams
- Define Asset Management as an explicit control
- Add questions asking for the source of the asset information and when it was gathered