Cyber Essentials

CREST supports UK Government Cyber Essentials scheme

A primary objective of the UK Government’s National Cyber Security Strategy is to make the UK a safer place to conduct business online.  CREST was engaged by the NCSC, the Information Security arm of GCHQ, to develop an assessment framework to support the Government “Cyber Essentials” scheme, which forms a key deliverable of this strategy.

The Cyber Essentials scheme identifies some fundamental technical security controls that an organisation needs to have in place to help defend against internet-borne threats.

By deploying these controls, organisations can defend against the most common form of basic cyber attacks emanating from the Internet.

Selected by industry experts, the technical controls within the scheme reflect those covered in well-established standards, such as the ISO/IEC 27000 series, the Information Security Forum’s Standard of Good Practice for Information Security and the Standard for Information Assurance for Small and Medium Sized Enterprises.

What does the Cyber Essentials scheme address?

The Cyber Essentials scheme provides guidance to help all sizes of organisations measure their defences against common forms of cyber attacks.  The systems that fall under the scope of the Cyber Essentials scheme include internet connected end-user devices (desktop PCs, laptops, tablets and smartphones) and Internet connected systems (e.g. email, web and application servers).

Further information on the controls required for basic technical cyber protection can be found on the government website at

Where does CREST fit in?

CREST worked closely with NCSC to develop the technical Cyber Essentials assessment framework for the Scheme.  Using technical experts from its membership,  an assessment framework was devised and optimised for the Cyber Essentials scheme.

In order for the Cyber Essentials scheme to be successful and be adopted by industry, certification services must be procured from a trusted organisation utilising knowledgeable, skilled and competent individuals.  These are known as Certifying Bodies and there are appropriate codes of conduct in place for CREST Certifying Bodies that are tied to a complaints and arbitration process.

The preliminary work undertaken by CREST and its team of experts defined the policy, procedures and requirements of companies that can provide certification services under the Cyber Essentials scheme.  CREST also produced syllabus areas and examination structures for both the organisation and individuals providing services under the Cyber Essentials scheme.  Through detailed discussion with service providers, private sector organisations and government, CREST produced:


About Cyber Essentials

Full information on how to get your organisation certified to the Cyber Essentials Standard can be found on our Cyber Essentials website:

You can also download a copy of our Overview document: CREST Cyber Essentials Overview

How to become a Cyber Essentials Certifying Body under CREST

To become a certifying body for Cyber Essentials under CREST, a company needs to be a member of CREST and the first step in that process is for a mutual NDA to be signed which will allow the membership application form to be released.  Our membership process, including subscription details, can be found here.  Please email [email protected] to start this process.

Further information on the Cyber Essentials scheme is also available on our Cyber Essentials website at

Next steps

Whilst organisations are free to implement the requirements within their organisation, some may want or need to gain independent assurance that they have fully implemented the controls.

The Cyber Essentials assurance framework enables organisations to be independently assessed by trusted organisations that have access to suitably skilled knowledgeable and competent individuals.

CREST is a not-for-profit trade association and accreditation body whose role is to create and maintain high standards within the cyber security sector and to drive a consistency of quality across its member organisations to offer assurance to the buying community.  Any organisation procuring Cyber Essentials services can rest assured that CREST Cyber Essentials Certifying Bodies have:

In addition to Cyber Essentials certification services, CREST Certifying Bodies also provide a range of other services to help organisations better manage their cyber security risks.  These include:

Further details of the Cyber Essentials scheme are available here: