Infraspine guides organisations through the UK government-backed Cyber Essentials scheme — preparing and implementing the five technical controls required for CE and CE+ certification, managing the assessment process, and ensuring your organisation achieves certification first time.
Infraspine implements and verifies each of the five Cyber Essentials controls and manages the assessment process end-to-end for both CE and CE+ certification.
The first of the five Cyber Essentials technical controls requires that every in-scope device is protected by a correctly configured firewall: a boundary firewall at the network edge, or a software firewall on the device itself where it is used on untrusted networks such as home or public Wi-Fi. Infraspine reviews your firewall and internet gateway configurations against the Cyber Essentials requirements: inbound connections must be blocked by default and permitted only where there is a documented business need, administrative access to the firewall must be restricted to specific management networks or devices (and, where internet-reachable administration is genuinely needed, protected by multi-factor authentication or limited to trusted source addresses), and unnecessary inbound services must be disabled or removed. For CE+ certification, which involves hands-on technical verification, we test that the firewall rules are applied as documented and that no pathway exists for unapproved inbound traffic. Common failures include overly permissive rules left over from development or testing, administrative interfaces exposed to the internet, and routers still running factory-default passwords.
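As an added illustration (example code, not Infraspine's tooling and not part of the original page), the following Python script applies the three rule-set checks described above to a constructed inbound rule set: default policy must be deny, inbound allows from outside the organisation must be approved services, and administration of the firewall itself must come only from the management network. The rule format, the management network, the internal address range and the sample rules are all assumptions made for the example.

```python
"""Added example: review an inbound firewall rule set against the Cyber Essentials
expectations (default deny, approved inbound services only, admin access restricted
to a management network). Rule format and sample rules are constructed for this
example; they are not from any real firewall product."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed for this example: the organisation's internal range, the management
# network that is the only permitted source of firewall administration, and the
# label the rule set uses for the firewall's own management interface.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MGMT_NET = ipaddress.ip_network("10.0.99.0/24")
FIREWALL_MGMT = "firewall-mgmt"


@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR form
    dst: str                 # destination host, or FIREWALL_MGMT for the firewall itself
    dst_port: Optional[int]  # None means every port
    approved: bool = False   # documented business need for this inbound service


def is_external(src: ipaddress.IPv4Network) -> bool:
    """True when the source is not wholly inside an internal range (0.0.0.0/0 counts)."""
    return not any(src.subnet_of(net) for net in INTERNAL_NETS)


def check_inbound_rules(rules: List[Rule], default_policy: str) -> List[Tuple[str, str]]:
    """Return (rule name, problem) pairs in rule order; an empty list means no issue found."""
    findings: List[Tuple[str, str]] = []
    if default_policy != "deny":
        findings.append(("<default>", f"inbound default policy is '{default_policy}', must be deny"))
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src)
        if r.dst == FIREWALL_MGMT:
            # Administration of the firewall must be restricted to the management network.
            if not src.subnet_of(MGMT_NET):
                findings.append((r.name, f"firewall administration allowed from {r.src}, not limited to {MGMT_NET}"))
            continue
        if is_external(src) and r.dst_port is None:
            findings.append((r.name, f"all ports open from {r.src} to {r.dst}"))
        elif is_external(src) and not r.approved:
            findings.append((r.name, f"unapproved inbound service tcp/{r.dst_port} to {r.dst} from {r.src}"))
    return findings


# Constructed sample rule set containing the common failures named in the text.
SAMPLE_RULES = [
    Rule("allow-web-https",     "allow", "0.0.0.0/0",     "dmz-web-01",  443, approved=True),
    Rule("dev-test-rdp",        "allow", "0.0.0.0/0",     "10.0.1.20",   3389),   # left over from testing
    Rule("admin-from-anywhere", "allow", "0.0.0.0/0",     FIREWALL_MGMT, 8443),   # admin UI on the internet
    Rule("admin-from-lan",      "allow", "10.0.0.0/8",    FIREWALL_MGMT, 443),    # far wider than MGMT_NET
    Rule("admin-from-jump",     "allow", "10.0.99.10/32", FIREWALL_MGMT, 22),     # acceptable
    Rule("deny-all",            "deny",  "0.0.0.0/0",     "any",         None),
]

if __name__ == "__main__":
    for name, problem in check_inbound_rules(SAMPLE_RULES, "deny"):
        print(f"{name}: {problem}")
```

Run on the sample set with a default-deny policy the script reports the leftover RDP rule, the internet-exposed administrative interface and the over-broad LAN administration rule; the approved HTTPS service and the jump-host rule pass.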
The secure configuration control requires that all computing devices — servers, desktops, laptops, mobile devices, and network equipment — are configured securely by removing or disabling unnecessary software, services, and user accounts. Default credentials must be changed before any device is put into service, and unnecessary features must be turned off to reduce the attack surface. Infraspine reviews your device configuration standards and assesses a sample of devices against Cyber Essentials requirements. We identify devices with unnecessary services running, software that is not required for business purposes, and settings that deviate from secure baseline configurations. For organisations without existing configuration standards, we develop Cyber Essentials-aligned configuration baselines for Windows, macOS, Linux, iOS, and Android devices based on Cyber Essentials guidance and CIS Benchmarks.
The access control requirement under Cyber Essentials covers several related areas: user accounts must be created with the minimum privileges needed for each person's role and removed promptly when no longer needed; administrative accounts must be separate from standard user accounts and used only for administrative tasks, never for email or web browsing; passwords must meet the scheme's minimum quality requirements and be protected against brute-force guessing by throttling or lockout; and multi-factor authentication must be enabled on every cloud service that supports it, for standard users as well as administrators. Infraspine reviews your user account management processes and current account configurations against these requirements. We identify standard user accounts that hold unnecessary administrative privileges, administrators who use a single account for both privileged and routine work, and cloud services where administrative or user access lacks MFA. This control is particularly important for CE+ certification because it is tested hands-on during the assessment, and shortcomings here are a frequent cause of non-compliant findings.
Cyber Essentials requires that every in-scope device is protected against malware, and the accepted mechanisms have changed as the scheme has been updated. The current requirements accept two approaches: anti-malware software that is kept up to date in line with vendor recommendations, configured to prevent malware from running, and able to block connections to malicious websites; or application allow listing, under which only approved, code-signed applications are permitted to execute. Sandboxing, which earlier versions of the requirements listed as a third option, was removed in the April 2023 update. Infraspine reviews your malware protection coverage across all device types in scope: Windows and macOS endpoints, mobile devices, and servers. We assess whether protection is installed, current, enabled for real-time scanning, and configured so that users cannot disable it. For organisations using Microsoft Defender or third-party EDR tools, we verify that the configuration meets the Cyber Essentials requirements and is applied consistently across every in-scope device.
The security update management control (still widely called patch management) requires that all software on in-scope devices is licensed and supported, kept up to date with security updates, and that software no longer supported by its vendor (end-of-life software) is removed, or the devices running it are moved out of scope through network segregation. Updates that fix vulnerabilities rated critical or high (CVSS v3 base score 7.0 or above), or for which the vendor publishes no severity, must be applied within 14 days of release, and automatic updates must be enabled wherever the software supports them. Infraspine reviews your update management processes and assesses the currency of software across your device estate. We identify devices running end-of-life operating systems or applications, devices where qualifying updates remain unapplied more than 14 days after release, and gaps in your deployment process. For CE+ assessment, we sample devices to verify that updates have been applied and that no unsupported software is present on in-scope devices. Findings under this control usually have the most straightforward remediation path, but staying compliant requires a consistent process rather than a one-off effort.
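To make the 14-day rule and the unsupported-software rule concrete, here is an added Python example (not Infraspine's tooling and not part of the original page) that applies both to a constructed software inventory. The inventory, the device names, the product versions and the fixed "today" date are all made up for the example; the severity threshold and the treatment of updates with no vendor-assigned severity follow my reading of the scheme's requirements and are stated as assumptions in the code.

```python
"""Added example: apply the Cyber Essentials 14-day security update rule and the
unsupported-software rule to a constructed inventory. Every device, product and
date below is made up for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_WINDOW = timedelta(days=14)
HIGH_OR_CRITICAL = 7.0   # CVSS v3 base score at which "high" begins


@dataclass
class Update:
    product: str
    version: str
    released: date
    cvss: Optional[float]     # None when the vendor publishes no severity
    installed: bool = False


@dataclass
class Device:
    name: str
    internet_connected: bool
    unsupported_software: List[str] = field(default_factory=list)
    updates: List[Update] = field(default_factory=list)


def must_be_applied_within_window(u: Update) -> bool:
    """Assumption (my reading of the requirements): critical/high updates, and updates
    for which the vendor gives no severity at all, fall under the 14-day rule."""
    return u.cvss is None or u.cvss >= HIGH_OR_CRITICAL


def assess_device(dev: Device, today: date) -> List[Tuple[str, str]]:
    """Return (finding type, detail) pairs for one device."""
    findings: List[Tuple[str, str]] = []
    for u in dev.updates:
        if u.installed or not must_be_applied_within_window(u):
            continue
        overdue = (today - u.released) - PATCH_WINDOW
        if overdue > timedelta(0):
            severity = "unrated" if u.cvss is None else f"CVSS {u.cvss}"
            findings.append(("overdue-update",
                             f"{dev.name}: {u.product} {u.version} ({severity}) is {overdue.days} days past the 14-day window"))
    # Unsupported software is only acceptable if the device has been taken out of
    # scope by segregation; here "not internet connected" stands in for that.
    if dev.internet_connected:
        for sw in dev.unsupported_software:
            findings.append(("unsupported-software", f"{dev.name}: {sw} is end-of-life on an internet-connected device"))
    return findings


# Constructed inventory. TODAY is fixed so the example is reproducible.
TODAY = date(2024, 6, 1)
LAPTOP = Device("LAPTOP-01", internet_connected=True,
                unsupported_software=["Windows 10 21H2"],
                updates=[
                    Update("Google Chrome", "125.0", date(2024, 5, 12), 9.8),          # 20 days old: overdue
                    Update("Zoom", "6.0", date(2024, 5, 2), 5.3),                      # medium: outside the rule
                    Update("Java 8", "8u411", date(2024, 5, 16), None),                # unrated, 16 days: overdue
                    Update("Microsoft 365 Apps", "16.0", date(2024, 5, 27), 8.1),      # 5 days old: still in window
                    Update("7-Zip", "24.07", date(2024, 4, 1), 7.8, installed=True),   # already applied
                ])
SERVER = Device("SRV-BACKUP-02", internet_connected=False, unsupported_software=["CentOS 7"])

if __name__ == "__main__":
    for dev in (LAPTOP, SERVER):
        for kind, detail in assess_device(dev, TODAY):
            print(f"[{kind}] {detail}")
```

For the laptop the script flags the two qualifying updates that have passed the window (the medium-severity update and the update released five days ago are not flagged) and the end-of-life operating system; the segregated server produces no findings under these two rules, though it would still need to be documented as out of scope.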
Infraspine manages the full Cyber Essentials and Cyber Essentials Plus assessment process from initial readiness assessment through to certification. For Cyber Essentials, we conduct a pre-assessment review of your environment, complete the self-assessment questionnaire with your team, and submit to the certification body. For Cyber Essentials Plus, which requires hands-on technical verification by an assessor, we prepare your organisation for the CE+ assessment: coordinating access to sample devices, pre-testing to identify any non-compliant configurations before the assessor arrives, and supporting your team during the assessment day. We have experience with all major Cyber Essentials certification bodies and manage the assessor relationship, assessment logistics, and any queries or requests for evidence throughout the assessment process. Where non-conformities are found, we provide remediation guidance and support re-assessment.
Common questions from organisations preparing for Cyber Essentials or Cyber Essentials Plus certification.
Book a free readiness assessment call with Infraspine. We will identify any gaps in the five technical controls and give you a clear path to CE or CE+ certification.