CST

Call us on +44 (0)20 7621 7836

CST have been specialising in Information Protection and Cyber Defence for 20 years. Our aim is to help organisations manage cyber security with the least amount of disruption, including organisations that strive to improve their security posture but don’t have the correct resource in place.

We would be happy to discuss your requirements over the phone or meet with you at your office.

We recognise that not all organisations have the necessary resources to address the business-critical issue of cyber security.

The UK Government’s Cyber Essentials Scheme provides a set of five controls that organisations can implement to achieve a baseline of cyber security, against which they can achieve certification in order to prove their compliance. Addressing these five topics and controls eliminates up to 80% of typical cyber threats.

Cyber Essentials certification

CST is registered by the IASME to assess and certify against the UK Government Cyber Essentials Scheme. CST are also licensed to advise on achieving Cyber Essentials certification, as well as deliver Cyber Essentials PLUS and the IASME governance assessment and certification. We have a number of Cyber Essentials product and service options available.

Why the Cyber Essentials Scheme exists

Since October 2014, the UK Government has required all suppliers bidding for certain information handling contracts to be Cyber Essentials certified, for the purpose of providing further protection for the information the Government handles.

As well as being mandated by the Government, the standard is also used by non-government affiliated organisations to demonstrate a level of formal compliance with security best practices. Many of our customers are asked by their customers to complete IT security questionnaires and to agree to information protection agreements. Using the Cyber Essentials Scheme is a way for them to respond and to validate their security posture to their clients.

What is the Cyber Essentials Scheme

Realising that the controls in its 2012 guide, 10 Steps to Cyber Security, were not being implemented effectively, the UK Government instigated a call for evidence on a preferred cyber security standard. In November 2013 it concluded that no individual standard met its specific requirements, so it developed the Cyber Essentials Scheme, a set of controls and implementation guidance for basic cyber hygiene against which organisations can achieve different levels of certification. Certification can be used by organisations to demonstrate to their customers and business partners that industry-minimum cyber security measures are in place, and provides evidence to validate the organisation’s security posture. It was officially launched on 5th June 2014 and addresses:

  • The level and different types of cyber threat
  • Vulnerabilities, weaknesses and exploits
  • Cyber incidents and their local and national impacts

The Cyber Essentials Scheme covers five key areas

All of the five requirements are recommended as part of the “SANS Top 20” controls, and the ISO27001 standard:

1. Secure configuration
Implementing the security measures required when building and installing any computers and network devices, in order to reduce unnecessary vulnerabilities.

2. Boundary firewalls and internet gateways
Providing a basic level of protection where an organisation connects to the Internet.

3. Access control and administrative privilege management
Protecting user accounts and helping prevent misuse of privileged accounts.

4. Patch management
Keeping the software used on computers and network devices up to date, and resistant to low-level cyber-attacks.

5. Malware protection
Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software, and ransomware) including options for virus removal, which will protect your computer, your privacy, and your important documents from attack.

Achieving certification to the Cyber Essentials Scheme

There are currently two levels against which organisations can be certified:

  • Cyber Essentials (Stage 1), which relies on self-assessment.
  • Cyber Essentials Plus (Stage 2), which relies on an independent (on-site) audit.

Organisations must be assessed by an accredited certification body such as CST, and must successfully complete Stage 1 prior to proceeding to Stage 2.

Once an organisation has successfully passed an assessment against either level of the scheme’s requirements it will be awarded the relevant Cyber Essentials award or 'badge' and will need annual re-assessment.

Cyber Essentials - Stage 1 (documenting what you do)

  • First, the scope is used to determine what part of the organisation is to be assessed.
  • The organisation answers the Cyber Essentials questionnaire to demonstrate its level of compliance with the requirements for basic cyber security. The questionnaire is signed by an authorised signatory from the organisation to confirm its accuracy, and is then sent to a recognised body to be reviewed.

Cyber Essentials Plus - Stage 2 (confirming what you stated)

  • Once Stage 1 has been completed, organisations will undergo a much more thorough audit by a certifying body to determine whether controls have been implemented correctly, based on an internal security assessment of end-user devices, which simulates attack scenarios to determine the organisation’s level of cyber security.

In both cases, certification reflects the state of an organisation’s cyber security only at the time of assessment. It is no proof of the ongoing effectiveness of an organisation’s cyber security. However, certification will provide numerous benefits, including the opportunity to tender for business where certification to the scheme may be a prerequisite, reducing insurance premiums, and helping to improve investor and customer confidence.

How CST can help

CST can help you complete Stage 1 and Stage 2. We can provide the guidance and support required, and ultimately certify you against the standard. We operate under the IASME assessment body, which means qualifying compliant businesses also receive Cyber Insurance (up to £25,000 Cyber Liability Insurance free of charge) as part of successful certification.

Call or email if you would like to know more. We would be happy to arrange an informal time with one of our scheme consultants for a more in-depth discussion.

Opinion & Resources

We are pleased to have successfully accomplished the Cyber Essentials+ certification. The scheme will provide our clients with additional confidence, and reduce risk against cyber-threats. CST assisted us in understanding the Scheme, worked with us to advance our cyber-defence posture, and undertook the assessment. Their approach was professional, efficient and pragmatic; I can highly recommend them.

Andrew Flatt CTO, Omni Partners Ltd. Dec 2017.

Omni Partners LLP is a London based hedge fund sponsor and investment management firm founded in 2004.

Business leaders will benefit from the access to helpful and authoritative cyber security guidance. Encouraging firms to adopt this scheme is a positive step towards greater awareness of cyber security and more widespread action to manage the risks.

John Cridland, Director General of the CBI

Learn what the National Audit Office has to say about Cyber Essentials and WannaCry.