
Cyber Essentials


ICT9 will ensure your IT infrastructure meets Cyber Essentials. This is a set of requirements set out by the UK Government that reduce the risk of loss or damage to your organisation through poor IT security practices.

This is a simplified overview designed to give business owners and managers an introduction to the steps required to become certified. The full requirements are set out on the National Cyber Security Centre website.


1. Scope

  • Identify all devices and software in your organisation that connect to the Internet, either directly or indirectly. This includes personal devices (BYOD) which access your organisation's data or services.

  • Include:

    • all IaaS (Infrastructure as a Service) components.

    • all externally managed services.

    • all commercial web applications created by development companies.


  • Exclude:

    • SaaS (Software as a Service).

    • PaaS (Platform as a Service).

    • bespoke, custom and in-house developed web applications.

2. Firewalls

  • Ensure each device is protected by a boundary firewall or a host-based firewall.

  • Only the ports that are required are open.

  • Each open port must be documented, together with the business requirement for it.

3. Secure Configuration

  • Restrict administrative access with secure passwords, multi-factor authentication and conditional access.

  • Use technical controls to enforce authentication requirements; shift the burden away from individual users.

  • Ensure any system that relies on password-based authentication is not vulnerable to a brute-force attack.

  • Ensure only authorised users can access the device.

  • Default configurations must be reviewed and changed where they do not meet the requirements.


4. User Access Control

  • Ensure user accounts are assigned to authorised individuals only.

  • Only provide access to devices, data and services where there is a business requirement.

  • Have a user account approval, creation and revocation process.

  • Have an administrative account approval, creation and revocation process, and policies describing when the administrative account should be used.

  • Use administrative accounts only for administrative activities and not for standard user activities.

  • Ensure users are aware of password policies and have a level of security awareness.

  • Have a process to manage special access privileges and ensure they are removed when no longer required (for example, when a member of staff changes role).

5. Malware protection

  • Before any software is allowed to execute, it must be:

    • Scanned with anti-malware software using signature files that are updated at least daily; or

    • Pre-approved using a whitelist and code-signing; or

    • Running within a sandbox with no access to other resources unless permission is explicitly granted by the user.

6. Patch management

  • All software must be licensed and supported, and removed from devices when no longer supported.

  • Patch updates marked as critical or high risk must be applied within 14 days of release.


Our Approach

We have over 25 years' experience working in regulated industries, including finance and healthcare.


To make it as easy as possible for your organisation to meet security and regulatory requirements:

  1. We use modern cloud services such as Microsoft Azure Active Directory and Perimeter 81.

  2. We provide training and mentorship for your nominated Tech Lead to ensure they are correctly administering your systems.

  3. We provide guidance, management and oversight for business owners and stakeholders.

  4. We make security as easy as possible for your users by using modern technology such as passwordless authentication, Microsoft Hello for Business and Azure Active Directory Single Sign-On.

If your organisation is not yet Cyber Essentials certified, contact ICT9. We will help you identify the items that need to be included in scope, introduce you to the products available that will help you achieve certification most effectively, and ensure you are meeting your obligations as Director or Data Protection Officer.
