Cyber Essentials: What policies do I need to have in place?

August 21st, 2019
Cyber Essentials: What policies do I need to have in place?

What policies do I need for Cyber Essentials - blog feature image (900 x 300)

To secure Cyber Essentials certification, you need to be able to demonstrate compliance and awareness of the importance of security throughout your organisation. The National Cyber Security Centre (NSCS), which administers the scheme alongside the UK government, says that you may be required to supply various forms of evidence in order to gain accreditation.

With that in mind, having policies in place and making sure they’re shared throughout the business prior to completing your questionnaire or requesting third-party testing is a good idea.

You may choose to produce one, larger security manual, or you might decide to implement individual documents that form part of a larger policy. Below you will find some suggestions from us, including making sure you’re meeting the five baseline control requirements.

It’s also a good idea to note who has responsibility for IT security at all levels of the business. Include both day-to-day details and which director or board level executive has security responsibilities too.


The NCSC includes boundary firewalls, desktop computers, laptop computers, routers and servers in the Cyber Essentials and Plus assessments, to ensure that “only safe and necessary network services can be accessed from the Internet”.

A firewall monitors all incoming and outgoing network traffic and decides whether to block or allow specific data, depending on your business security rules. A personal firewall protects an individual device, while a boundary firewall covers the entire network. Ensure that you have the appropriate firewalls in place to protect your system and document in your policy what ports are open, why and when they will be reviewed.

Secure Configuration

The purpose of this control is to reduce vulnerabilities across devices and applications, including laptops, tablet and desktop computers, mobiles, web, email and application servers, routers and firewalls.

The NCSC draws attention to the fact that default settings on equipment may not be adequate. For instance, they often come with a standard password which is easy to guess, unnecessary applications or pre-set user access which is not appropriate. Again, make sure this is covered in your policies and processes. It is also good practice to document what software users are allowed to access on their company-owned devices.

User Access Control

This is a really important part of security, particularly if you have lots of staff or multiple offices. The key is to make sure that individual users only have access to the information appropriate to their role and that they don’t share their account information with others.

Key to helping employees keep information safe is a password policy that all staff must follow. Include guidance on how to pick a secure password and the steps to follow if they think their password has been compromised.

Particular attention needs to be given to administrator accounts, which have greater privileges than most user accounts. Remember that if an administrative user clicks on malware or other unverified links or attachments, their privileges are then available to the hackers.

Specific details on this should be included in your policy, as well as the process for adding new employees and removing those no longer with the business. Make sure you have an appendix to list which people in the company have administrator access.

Bring Your Own Devices (BYOD)

This follows on directly from the point above. BYOD is not one of the five baseline controls, but as more and more employees work from home or access work emails or data from their smartphones or tablets, it needs to be included as part of your security manual.

Decide first of all if staff have permission to use personal devices for work information, or if it’s restricted to certain team members, for instance, senior management or the sales team who are out on the road.

Then, decide what they can access and what to restrict. Finally, include a way of ensuring that each device is secure, whether it’s your internal IT department or your external IT support partner who sets up the technical controls.

Make sure you have a specific section in your policy about the use of mobile devices, both those belonging to the employees and any company-owned ones issued to staff. Define acceptable use and which applications can be installed, as well as making it clear that devices must not be jailbroken (i.e. removing any restrictions on the device imposed by the manufacturer or carrier or replacing the operating system).

What policies do I need for Cyber Essentials - quote (900x300)

Malware Protection

For this control, NCSC looks for evidence that you have measures in place to “restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data”. Again, this applies to tablets, laptops, mobiles and desktop machines.

Malware covers phishing emails, suspicious links and attachments from unverified senders, spyware and worms. You should be able to demonstrate in your policy that you’re as prepared as possible for a cyber-attack, with tools such as anti-malware and data backup and disaster recovery, as well as the use of sandboxes (to limit data access) and whitelists.

Patch Management

‘Patch management’ refers to the process used for any code changes (patches) that take place in software and applications installed on your devices. Patch management makes sure that patches are installed and tested correctly and that the right ones are updated. You need to document exactly how you manage updates and patches for any high and critical risk issues.

NCSC acknowledges that devices running software are vulnerable to security flaws. These vulnerabilities can be exploited by hackers and other malicious individuals, enabling them to attack systems. This control is designed to ensure that “devices and software are not vulnerable to known security issues for which fixes are available.”

Wireless Devices

It’s also worth including something in your manual about wireless devices which may be accessing your internet or intranet, or are able to communicate with your organisation’s devices (and any belonging to employees). Ensure it’s not possible for cyber criminals to attack your systems via these devices.

Also document how visitors’ and non-company approved devices connect to any guest networks you make available to them, and if there will be any restrictions or specific requirements for guest users.

Cloud and External Storage

Your company may use a third-party to provide data storage and backup, whether that’s a physical site or virtually in the cloud. If you’re sending tapes off-premises, investigate their security processes and systems and give yourself peace of mind that data is safe.

If you’re storing data in the cloud, it’s even more important to ensure information is adequately protected. If you’re relying on public, shared cloud storage, your data is at risk even if you have robust systems in place.

You can’t be sure who else is using the same cloud, the information they’re holding and how secure (or otherwise) it is. Give serious consideration to purchasing private cloud storage, ideally before you apply for Cyber Essentials accreditation.

If you’d like more information on what the NCSC recommends you take into account in your security policies, click here.

If you’d like to know more about how ATG can help you become Cyber Essentials compliant get in touch. Or you can also download our free booklet, Cyber Essentials: Small Business Guide, which will answer any other questions you might have.