Cyber Essentials: How to meet IT infrastructure requirements and get certified

IT infrastructure requirements

If you’re an SME looking to get Cyber Essentials accredited, a strong IT infrastructure, well-trained staff, and a thorough plan will help you to meet certification requirements.

Once you’ve met the requirements you’ll be:

Before you start your application, it’s important to know exactly what’s expected of you and to prepare accordingly. In January this year, the Cyber Essentials requirements changed to better reflect current cybersecurity challenges. 

You can read the full documentation from NCSC, but this article covers what you need to know about the technical controls used to assess your application.

Cyber Essentials requirements for compliant IT infrastructure

There are five categories of criteria you need to meet. Working through each will help you on your way to safer, smarter, and more sustainable data management. 

The 5 Cyber Essentials categories are:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

1. Firewalls

Every device connecting to your network must have a boundary firewall. This will restrict the flow of network traffic and protect against cyber attacks. You must:

  • Have a strong administrative password and change it regularly
  • Have two-factor authentication or an IP whitelist to access admin controls
  • Block unauthenticated connections by default
  • Document and approve inbound connections
  • Be able to enable/disable functions
  • Use a software firewall to protect devices on untrusted networks like public Wi-Fi

Cut through the noise of cybersecurity certifications with our quick and easy guide. Learn how to choose the right certification for you, and how to get certified.

2. Secure configuration

You must configure all computer and network devices to reduce vulnerabilities and restrict functionality based on job role fulfilment. To comply with Cyber Essentials, secure configuration has to go beyond out-of-the-box solutions. You must be able to:

  • Change passwords 
  • Remove or deactivate user accounts
  • Remove unused or unnecessary software and applications 
  • Disable auto-run features that don’t need authorisation
  • Authenticate users before they access sensitive data
  • Introduce device locking controls for users on-site

The National Cyber Security Centre includes the following in their definition of a device. You’ll need to include all that apply to you in your preparation for the self-assessment.

  • Hosts
  • Networking equipment
  • Servers
  • Networks
  • Desktop computers
  • Laptop computers
  • Thin clients
  • Tablets
  • Physical and digital mobile phones

3. User access control

Businesses must have controls in place to manage user access to applications, devices, and sensitive business data. Employees should only have access to what they need. Administrator-level users must manage and monitor access.   

You must be able to:

  • Approve user account creation and remove or disable accounts
  • Authenticate users before granting additional access
  • Use multi-factor authentication for all cloud services and, where possible, for other services. 
  • Restrict use of administrative accounts 
  • Revoke or disable additional access privileges 

4. Malware protection

Anti-malware software protects against attacks on networks and users by restricting untrusted software from accessing sensitive data. 

Malware protection must allow you to:

  • Keep all software up to date and safe
  • Regularly scan to ensure the network is safe
  • Automatically scan browsers and online applications
  • Block and prevent connections to malicious websites
  • Whitelist applications following a full approval process

5. Security update management

Security update management helps to keep existing software up to date and reduces the business risk of security flaws or gaps in protection. You must:

  • Keep all software licensed and supported
  • Remove unsupported software from devices 
  • Enable automatic updates if possible
  • Update within 14 days of release where automatic updates are not available

Improving your cybersecurity

You might feel ready to take the next step in your cybersecurity journey and complete the self-assessment to get certified. But if you’re just getting started or feel unsure, you’re not alone and support is available if you need it. You can partner with an expert who’ll show you how to prepare and help you pass first time.

When you’ve got a Cyber Essentials certification, you can strengthen your cybersecurity by applying for certifications like Cyber Essentials Plus or ISO 27001. The standards you should uphold all depend on the industry you operate in and what will protect and benefit your business and customers.

Discover which cybersecurity certification is right for your business in our certification guide.

CE guide CTA