What's the difference between CE and CE Plus?

Cyber Essentials is a verified self-assessment. Cyber Essentials Plus covers the same five controls but adds a hands-on technical audit by an assessor, including vulnerability scans and tests of in-scope devices, providing a higher level of assurance.

Is multi-factor authentication required?

Yes. The current Cyber Essentials requirements make multi-factor authentication mandatory for cloud services where it is available, alongside stricter marking of critical controls such as timely security updates. NCSC and IASME refresh the technical requirements annually, so the question set evolves each year.

Who needs Cyber Essentials?

Any UK organization that wants a recognized cybersecurity baseline — and notably, it is required for many UK central-government contracts that involve handling certain sensitive or personal information.

UK Cyber Essentials, made simple

Certify to Cyber Essentials and CE Plus

The five Cyber Essentials technical controls — firewalls, secure configuration, access control, malware protection, and update management — implemented, evidenced, and ready for assessment.

Start free trial Book a demo

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme — owned by the National Cyber Security Centre (NCSC) and delivered by the IASME Consortium — designed to protect organizations against the most common internet-based cyber attacks. It is deliberately simple: the entire scheme rests on five technical controls, which makes it an excellent baseline and a frequent requirement for UK public-sector contracts.

The five technical controls

Firewalls — boundary and host firewalls configured to block untrusted traffic.
Secure configuration — remove or disable unnecessary functionality and change default credentials.
User access control — least-privilege accounts, with multi-factor authentication required for cloud services.
Malware protection — anti-malware, allow-listing, or sandboxing across in-scope devices.
Security update management — keep software supported and patched within required windows.

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials is a verified self-assessment against the five controls. Cyber Essentials Plus assesses the same controls but adds a hands-on technical audit — vulnerability scans and tests of a sample of in-scope devices — for a higher level of assurance. NCSC and IASME update the technical requirements annually, so recent revisions have tightened expectations (for example, mandatory MFA for cloud services and stricter marking of critical controls).

How episki helps

episki implements the five Cyber Essentials controls as living controls with scoping for your devices, users, and cloud services, and keeps the evidence current for the annual recertification or the CE Plus audit. Because the controls map up to ISO 27001, NIST CSF, and SOC 2, Cyber Essentials becomes the first rung of a larger program rather than a dead end.

Cyber Essentials outcomes with episki

Quantify the impact security and compliance brings to your business.

5 controls

Firewalls, secure configuration, access control, malware protection, and updates.

CE + CE Plus

Self-assessed Cyber Essentials and hands-on-verified Cyber Essentials Plus.

MFA required

Multi-factor authentication for cloud services per the current requirements.

Why teams choose episki for Cyber Essentials

Framework-specific automation, collaboration, and reporting in one workspace.

The five technical controls

The complete Cyber Essentials control set, implemented and evidenced.

Firewalls and secure configuration
User access control with MFA
Malware protection and update management

CE and CE Plus ready

Self-assessment for CE, and a clean evidence trail for the CE Plus audit.

Self-assessment questionnaire support
Asset and device scoping
Evidence ready for the CE Plus technical audit

A UK on-ramp that maps up

Cyber Essentials controls feed your larger frameworks.

Crosswalk to ISO 27001 and NIST CSF
Reuse evidence across SOC 2
Government-recognized baseline

Cyber Essentials readiness inside episki

What a UK organization needs in place.

Plug episki into your stack and work directly from this checklist during the free trial.

✓ Scope definition (devices, users, cloud services)
✓ Firewalls and boundary controls
✓ Secure configuration and removal of defaults
✓ User access control with MFA on cloud services
✓ Malware protection across in-scope devices
✓ Security update management within required windows

Cyber Essentials accelerators

Pass the assessment and keep the certificate current year over year.

Scope builder

Define the devices, users, and cloud services in assessment scope.

Control evidence tracker

Owners and evidence for each of the five technical controls.

ISO 27001 crosswalk

Reuse Cyber Essentials work toward ISO 27001 and SOC 2.

Cyber Essentials frequently asked questions

Certify to Cyber Essentials in episki

Implement the five controls once and reuse the evidence toward ISO 27001 and SOC 2.

Start free trial Book a walkthrough

Certify to Cyber Essentials and CE Plus

What is Cyber Essentials?

The five technical controls

Cyber Essentials vs Cyber Essentials Plus

How episki helps

Cyber Essentials outcomes with episki

Why teams choose episki for Cyber Essentials

Cyber Essentials readiness inside episki

Cyber Essentials accelerators

Cyber Essentials frequently asked questions

Other compliance frameworks

Certify to Cyber Essentials in episki