Cyber Essentials
assessment and certification

Manage Cyber Essentials and Cyber Essentials Plus assessments with pre-built control templates covering all five technical areas. Track compliance status and generate reports.

No credit card required. Free plan available forever.

Cyber Essentials: achieving and maintaining UK government-backed certification

Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against the most common cyber attacks. Operated through the IASME Consortium on behalf of the National Cyber Security Centre (NCSC), the scheme defines five technical controls that, when properly implemented, can prevent the majority of commodity cyber threats. Cyber Essentials certification is a requirement for UK government contracts involving the handling of sensitive data, and it is increasingly expected by private-sector supply chains as a baseline security assurance.

The scheme has two levels: Cyber Essentials (a self-assessment questionnaire verified by a certification body) and Cyber Essentials Plus (which adds hands-on technical testing by an external assessor). While the five controls are straightforward in concept, many organisations struggle with the documentation, evidence gathering, and remediation tracking needed to pass certification, particularly at the Plus level. SecPortal provides structured templates and workflows for both levels, turning the certification process from an ad-hoc document collection exercise into a managed, repeatable workflow.

Five technical controls

Firewalls

Every device that connects to the internet must be protected by a correctly configured firewall (or equivalent network device). This includes boundary firewalls, host-based firewalls, and firewall rules that restrict inbound and outbound traffic to only what is necessary for business operations.

Secure Configuration

Computers and network devices must be configured to reduce vulnerabilities and provide only the services required. This includes removing unnecessary software, changing default passwords, disabling auto-run features, and ensuring only approved applications can execute.

User Access Control

User accounts must be assigned to authorised individuals only, with appropriate privileges. Administrative accounts should be used only for administrative tasks. This covers user account management, privilege control, and authentication requirements including password policies.

Malware Protection

Malware protection must be installed and kept up to date on all devices where it is available. This can be achieved through anti-malware software, application whitelisting, or sandboxing. The approach must prevent malware from running and must be configured to update automatically.

Patch Management

Software running on computers and network devices must be kept up to date and have the latest security patches applied. Patches for high-risk or critical vulnerabilities must be applied within 14 days of release. Unsupported software must be removed from scope or otherwise mitigated.

Assessment and tracking

SecPortal includes pre-built assessment templates for both Cyber Essentials and Cyber Essentials Plus, broken down into the specific sub-requirements within each of the five technical control areas. Your team can track compliance at a granular level, attach evidence to each requirement, and link any findings from penetration testing directly to the affected control area.

  • Pre-built assessment templates covering all five technical control areas with specific sub-requirements
  • Separate tracking paths for Cyber Essentials (self-assessment) and Cyber Essentials Plus (hands-on verification)
  • Control status tracking with compliant, non-compliant, and partial indicators for each sub-requirement
  • Evidence collection fields for screenshots, configuration exports, and policy documents per control
  • Progress dashboard showing overall readiness percentage and highlighting outstanding items
  • Finding-to-control mapping linking discovered vulnerabilities to the specific CE control they affect
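To show how the Patch Management rule above (critical or high-risk fixes within 14 days of release, unsupported software removed from scope) turns into the compliant / partial / non-compliant indicators and readiness percentage a dashboard reports, here is an added example that is not SecPortal's own code. It assumes a constructed software inventory and a fixed assessment date; a patch applied after its deadline is still recorded as non-compliant, since the control was missed even though the system is now patched.

```python
"""Patch-compliance check against the Cyber Essentials 14-day rule (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

PATCH_WINDOW = timedelta(days=14)          # CE: critical/high fixes applied within 14 days
ASSESSMENT_DATE = date(2024, 6, 1)         # assumed date the assessment is run

@dataclass
class SoftwareItem:
    name: str
    critical_patch_released: Optional[date]  # None = no outstanding critical/high fix
    patch_applied: Optional[date]            # None = fix not yet applied
    vendor_support_ends: Optional[date]      # None = still supported

def assess_item(item: SoftwareItem, today: date) -> str:
    """Return 'unsupported', 'compliant', 'partial' or 'non-compliant' for one item."""
    if item.vendor_support_ends is not None and item.vendor_support_ends < today:
        return "unsupported"                 # must be removed from scope or otherwise mitigated
    if item.critical_patch_released is None:
        return "compliant"                   # nothing outstanding
    deadline = item.critical_patch_released + PATCH_WINDOW
    if item.patch_applied is not None:
        # applied late counts as a missed control, even though the host is patched now
        return "compliant" if item.patch_applied <= deadline else "non-compliant"
    # not yet applied: still inside the window is 'partial', past it is a failure
    return "partial" if today <= deadline else "non-compliant"

def readiness(items: List[SoftwareItem], today: date) -> Tuple[Dict[str, str], int]:
    """Per-item status plus overall readiness as the percentage of compliant items."""
    statuses = {item.name: assess_item(item, today) for item in items}
    compliant = sum(1 for s in statuses.values() if s == "compliant")
    pct = round(100 * compliant / len(statuses)) if statuses else 0
    return statuses, pct

# Constructed inventory: names and dates are illustrative, not real products.
SAMPLE_INVENTORY = [
    SoftwareItem("browser",      date(2024, 5, 20), date(2024, 5, 25), None),
    SoftwareItem("office-suite", date(2024, 5, 10), None,              None),
    SoftwareItem("vpn-client",   date(2024, 5, 28), None,              None),
    SoftwareItem("legacy-os",    None,              None,              date(2023, 1, 10)),
    SoftwareItem("pdf-reader",   None,              None,              None),
]

def run_sample() -> Tuple[Dict[str, str], int]:
    return readiness(SAMPLE_INVENTORY, ASSESSMENT_DATE)

if __name__ == "__main__":
    statuses, pct = run_sample()
    for name, status in statuses.items():
        print(f"{name:14s} {status}")
    print(f"readiness: {pct}%")
```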

Certification workflow

Achieving certification requires completing the self-assessment questionnaire, remediating any gaps, and submitting evidence to a certification body. For CE Plus, an external assessor performs hands-on testing including vulnerability scanning and configuration reviews. SecPortal streamlines both pathways by providing structured checklists, gap analysis reporting, and evidence packaging.

  • Structured self-assessment questionnaire aligned with the IASME Cyber Essentials question set
  • Gap analysis report identifying non-compliant areas requiring remediation before submission
  • Remediation tracking with assignees, deadlines, and status updates for each identified gap
  • Evidence package generation compiling all supporting documentation for certification body review
  • CE Plus preparation checklist covering the additional hands-on testing requirements
  • Recertification reminders and historical tracking to support annual renewal
  • CSV export of assessment results for submission to the certifying body

Cyber Essentials certification is annual, meaning organisations must maintain their controls and re-certify each year. SecPortal retains historical assessment data across certification cycles, making recertification faster and providing a clear record of security improvements over time. Whether you are guiding clients through their first Cyber Essentials assessment or managing renewals for a portfolio of organisations, SecPortal provides the structure and traceability the scheme demands.

Key control areas

SecPortal helps you track and manage compliance across these domains.

Firewalls

Assess boundary firewalls, software firewalls, and internet gateway configurations.

Secure Configuration

Track default password changes, unnecessary software removal, and auto-run disabling.

User Access Control

Verify user account management, admin privileges, and authentication mechanisms.

Malware Protection

Assess anti-malware software, application whitelisting, and sandboxing controls.

Patch Management

Track software update policies, patch timelines, and end-of-life software management.

Streamline CE assessments

Pre-built controls for all five technical areas. Start assessing today.