What are the Cyber Essential Infrastructure requirements?

Cyber Essentials is a certification program backed by the UK government that helps organisations protect themselves against cyber threats. There are two levels of certification: Cyber Essentials (a self-assessment option) and Cyber Essentials Plus (which requires hands-on technical verification). 

We have written an overview of Cyber Essentials certification as well as the benefits of Cyber Essentials certification in previous articles. Today, we will look at the infrastructure requirements for Cyber Essentials and Cyber Essentials Plus that you’ll need to meet to pass.

We have also created a free Cyber Essentials Checklist so you can achieve the Cyber Essentials infrastructure requirements with ease. You can download it below.

Regardless of which certification you pursue, you will need to meet the Cyber Essentials infrastructure requirements in the following five areas as outlined by the NSCS in its Cyber Essentials Requirements for IT Infrastructure document:  

• Firewalls 
• Secure configuration
• User access control 
• Malware protection 
• Cyber Security update management

Don’t worry, you don’t need to read all of the 22-page document to understand what you need to do. As one of a handful of approved Cyber Essentials Certification Bodies in the southeast, we are expertly placed to break down the requirements for you. 

So read on to find a layman’s explanation of the Cyber Essentials infrastructure requirements to become Cyber Essentials certified and how Method IT can help.

Firewalls 

Any business device connected to the internet must be protected by a firewall. Organisations must configure the firewall to only allow necessary incoming and outgoing traffic. It should be regularly maintained and updated to ensure its effectiveness. 

 To meet Cyber Essentials requirements, you must: 

• Have hard-to-guess administrative passwords or disable remote admin access entirely 
• Prevent administrative access unless there is a clear business need 
• Automatically block unauthorised connections 
• Have inbound firewall rules approved by an authorised individual and remove unnecessary firewall rules quickly 
• Install a software firewall on devices used on untrusted networks

Secure Configuration 

Businesses must configure all systems and devices in a secure manner. This means reducing inherent vulnerabilities and ensuring devices only provide services required to fulfil their role. A secure configuration includes setting strong passwords, disabling unnecessary services and ports, and regularly updating software and firmware. 

To meet Cyber Essentials requirements, you must: 

• Remove or disable unnecessary user accounts and software 
• Change default passwords 
• Disable auto-run features that allow file execution without user permission 
• Authenticate users before allowing access to business data or services 
• Establish secure unlocking controls that require biometric data, a password or PIN

User Access Control 

User access control must be tightly managed to minimise risk and damage if accounts are misused or stolen. This includes implementing unique user accounts, setting permissions and restrictions, and regularly reviewing and revoking access as needed.  

To meet Cyber Essentials requirements, you must: 

• Have a process for creating and approving user accounts 
• Authenticate users before granting access 
• Remove user accounts when they’re no longer required 
• Implement multi-factor authentication wherever possible 
• Have specific accounts for administrative activities

Malware Protection

Businesses must put in place measures to protect against malware. This includes implementing anti-virus and anti-malware software, regularly scanning for threats, and updating these tools to ensure they are up-to-date and effective. 

 To meet Cyber Essentials requirements, you must: 

• Install malware protection on every business device that automatically scans files on access 
• Keep malware software up to date 
• Prevent connections to malicious websites 

Security Update Management 

All software and hardware used by your organisation must be kept up-to-date with the latest security patches and updates at all times. This includes operating systems, applications and firmware.  

To meet Cyber Essentials infrastructure requirements, you must: 

• Keep all hardware and software up to date 
• Enable automatic updates where possible 
• Install patch updates as soon as possible 
• Remove software and applications that no longer receive cyber security updates

All of the above requirements are the same for the Cyber Essentials Plus requirements. The difference between Cyber Essentials and Cyber Essentials Plus is a technical audit, which provides an extra level of assurance about the effectiveness of your organisation's controls.

Get Cyber Essentials Certified With Method IT 

The Cyber Essentials infrastructure requirements can be pretty overwhelming for non-technical business owners and executives. That’s why many companies turn to IT Support companies for help.

As one of the only Cyber Essentials Certification Bodies in the southeast, we are well placed to help you pass certification. Not only do we understand what is required (we are Cyber Essentials Plus certified ourselves), but our Cyber Essentials certification service offer remote support and continuous assessments to ensure you achieve certification and continue to meet the requirements moving forward.

Find out more about our Cyber Essentials certification service and whether Cyber Essentials certification is right for your business. Then get in touch for a free quote and consultation.  

Discover the Cyber Essentials infrastructure requirements in our FREE Cyber Essentials Checklist below. Our Checklist covers the 5 core requirements you need to pass the Cyber Essentials certification with ease.