Cyber Essentials & Cyber Essentials Plus
Status: not currently certified · ready to pursue on demand · last updated 27 May 2026
Cyber Essentials is the UK government's foundational cyber-hygiene certification scheme, operated by the IASME Consortium on behalf of the NCSC. Two tiers exist:
- Cyber Essentials — self-assessment questionnaire signed off by senior leadership; typically certified within a few weeks.
- Cyber Essentials Plus — same five technical controls, verified by an independent IASME-accredited auditor through hands-on testing.
Glassbreak is not currently certified under either tier. This is a deliberate sequencing decision rather than a posture problem: every Cyber Essentials control is in place; the certification itself adds independent attestation rather than new technical work.
Our position
Cyber Essentials is a UK procurement gate for:
- Some UK central-government contracts (mandatory under the Procurement Policy Note 09/14 for contracts involving handling of personal information or provision of certain ICT products and services).
- Many UK local-authority procurements.
- An increasing share of UK private-sector procurement where the customer's own cyber-insurance policy requires it of their suppliers.
It is materially cheaper than ISO 27001 (~£300 for the self-assessment, £1,500–£2,500 for the Plus audit depending on scope) and produces a procurement-recognised certificate within weeks rather than quarters. We will certify when a real UK procurement opportunity asks for it as a hard gate, or sooner if leadership concludes the marketing signal is worth the recurring annual cost.
The five control themes — our coverage
Cyber Essentials assesses five technical-control areas across all in-scope devices, networks, and accounts. The assessment standard is the IASME / NCSC Cyber Essentials Requirements for IT Infrastructure (current version: Willow, effective April 2025).
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| A.1 Firewalls | Boundary firewalls — change default passwords; block unauthenticated inbound; restrict admin to specific IPs or use 2FA | Met | No on-prem boundary. Cloud equivalent: serverless functions sit behind provider-managed edges (Lambda Function URL, Scaleway Functions endpoint, Fastly) with no inbound access except via TLS on 443. SSH access to production is read-only and audited. |
| A.2 Secure configuration | Remove unnecessary user accounts and services; change default passwords; enforce strong authentication | Met | OpenTofu state under version control; no manual cloud-console changes; no default credentials anywhere in the platform. Onboarding policy enforces account-creation discipline. CI-only deployment. |
| A.3 User access control | Unique accounts for each user; least privilege; MFA on cloud services; remove access on leaver | Met | RBAC across the platform; MFA mandatory for all administrative accounts (cloud consoles, GitHub, Stripe Dashboard); offboarding procedure at /policies/offboarding §§3–4 covers same-day access removal. Argon2id password hashing. |
| A.4 Malware protection | Anti-malware on endpoints; application allow-listing OR sandboxing where appropriate | Met | Endpoint anti-malware on staff devices (built-in OS protection on macOS / Windows / Linux); production runtime is serverless (no persistent compute, no installed packages outside the deployed bundle). MDM-enforced full-disk encryption on staff devices. |
| A.5 Security update management | Apply updates within 14 days of release for high/critical CVEs; remove unsupported software | Met | Automated dependency updates via Dependabot with weekly auto-merge for non-breaking patch releases; high/critical CVEs tracked at /policies/cadences/vulnerability-review with 14-day remediation SLA; serverless runtime tracks provider security updates automatically. |
Cyber Essentials Plus — additional verification
The Plus tier adds independent hands-on verification of the same controls:
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| Vulnerability scan — external | Authenticated external vulnerability scan of internet-facing assets | Met | Continuous external scanning via Dependabot + GitHub Advanced Security; ad-hoc scans via the disclosure programme. Independent IASME-auditor scan would be a one-off addition. |
| Vulnerability scan — internal | Authenticated internal scan of in-scope endpoints | Partial | Staff endpoint posture managed informally at current headcount. Centralised endpoint inventory + agent-based scanning would be required before a Plus audit. |
| Malware-test files | Auditor places EICAR test file on a sample of endpoints to confirm protection | Met | Standard EICAR test passes on all staff devices. |
| Email + web malware tests | Auditor sends staged emails / serves test files to confirm filtering / blocking | Met | Standard browser + email-client protections active on all endpoints; managed email security via the corporate mail provider. |
| MFA test | Confirm MFA enforcement on a sample of admin accounts | Met | MFA-required policy enforced at the IdP layer; auditor can verify on a sample of cloud-console accounts. |
What changes if we certify
- A Cyber Essentials certificate (basic tier) requires a senior-leadership-signed self-assessment + minor documentation updates. ~1 week of effort.
- Cyber Essentials Plus requires (a) closing the gap on the centralised endpoint inventory, (b) booking an IASME-accredited auditor, (c) one day of on-site or remote testing. ~3 weeks of effort end-to-end.
- Both certificates are valid for 12 months — annual recertification is mandatory.
The marginal cost over our existing posture is small because the controls are already in place; the work is packaging the evidence into the IASME questionnaire format and (for Plus) booking the auditor.
How this relates to other frameworks
Cyber Essentials maps cleanly to most of the technical controls in larger frameworks; once it is in place, the same evidence can be reused for:
- ISO 27001 — Annex A.5.15–5.18 (Access control), A.6.1 (Screening), A.8.1 (User endpoint devices), A.8.7 (Protection against malware), A.8.8 (Vulnerability management), A.8.20–8.22 (Networks security). See /trust/iso-27001.
- SOC 2 CC6.1–6.3 (Logical and physical access).
- NIS2 Article 21(2)(g) + (i) (Cyber hygiene, access control).
Customers asking about Cyber Essentials as a UK procurement requirement should also note that our posture meets every technical control in the scheme today; the only gap is the certificate itself, which we can attain on the timeline above.
If Cyber Essentials or Cyber Essentials Plus is a hard procurement requirement for a UK contract, write to compliance@glassbreak.io with the contract reference and expected award date so we can prioritise certification timing.