Cyber Essentials

CREST supports UK Government Cyber Essentials scheme

A primary objective of the UK Government’s National Cyber Security Strategy is to make the UK a safer place to conduct business online.  CREST was engaged by CESG (now known as the NCSC), the Information Security arm of GCHQ, to develop a technical assessment framework to support the Government “Cyber Essentials” scheme, which forms a key deliverable of this strategy.

The Cyber Essentials scheme identifies some fundamental technical security controls that an organisation needs to have in place to help defend against internet-borne threats.

By deploying these controls, organisations can defend against the most common forms of basic cyber attack emanating from the Internet.

Selected by industry experts, the technical controls within the scheme reflect those covered in well-established standards, such as the ISO/IEC 27000 series, the Information Security Forum’s Standard of Good Practice for Information Security and the Standard for Information Assurance for Small and Medium Sized Enterprises.

What does the Cyber Essentials scheme address?

The Cyber Essentials scheme provides guidance to help organisations of all sizes measure their defences against common forms of cyber attack. The systems that fall under the scope of the Cyber Essentials scheme include internet-connected end-user devices (desktop PCs, laptops, tablets and smartphones) and internet-connected systems (e.g. email, web and application servers).

Further information on the controls required for basic technical cyber protection can be found on the government website at

Where does CREST fit in?

CREST worked closely with CESG to develop the technical Cyber Essentials assessment framework for the Scheme. Drawing on technical experts from its membership, CREST devised an assessment framework and optimised it for the Cyber Essentials scheme.

In order for the Cyber Essentials scheme to be successful and be adopted by industry, certification services must be procured from a trusted organisation utilising knowledgeable, skilled and competent individuals.  These are known as Certifying Bodies and there are appropriate codes of conduct in place for CREST Certifying Bodies that are tied to a complaints and arbitration process.

The preliminary work undertaken by CREST and its team of experts defined the policy, procedures and requirements of companies that can provide certification services under the Cyber Essentials scheme.  CREST also produced syllabus areas and examination structures for both the organisation and individuals providing services under the Cyber Essentials scheme.  Through detailed discussion with service providers, private sector organisations and government, CREST produced:


About Cyber Essentials

Full information on how to get your organisation certified to the Cyber Essentials Standard can be found on our Cyber Essentials website:

For information on the forthcoming changes to the Cyber Essentials Scheme, please read the following article:
The Bare Essentials

How to become a Cyber Essentials Certifying Body under CREST

To become a Certifying Body for Cyber Essentials under CREST, a company needs to be a member of CREST. The first step in that process is for a mutual NDA to be signed, which will allow the membership application form to be released. Our membership process, including subscription details, can be found here. Please email [email protected] to start this process.

Further information on the Cyber Essentials scheme is also available on our Cyber Essentials website at

If you are interested in becoming a Certifying Body under CREST, please read the information concerning changes to the Operating Model here.

Next steps

Whilst organisations are free to implement the requirements within their organisation, some may want or need to gain independent assurance that they have fully implemented the controls.  The assurance framework followed by CREST Certifying Bodies enables organisations to be independently assessed by trusted organisations that have had their quality processes, data handling procedures and technical methodologies audited by CREST and have access to suitably skilled, knowledgeable and competent individuals.  Both company and individuals will have signed up to enforceable and meaningful CREST Codes of Conduct.  The framework will also provide confidence that the controls defined in the scheme have been implemented correctly.

Further details of the Cyber Essentials scheme are available at