🇬🇧 UK · NCSC · IASME · GOVERNMENT CONTRACT REQUIREMENT

UK Cyber Essentials & Cyber Essentials Plus

Cyber Essentials is the UK government-backed cybersecurity certification scheme, required for all UK government contracts involving personal data or certain sensitive information. Cyber Essentials Plus adds independent verification via hands-on technical testing. ThreeShield delivers CE and CE+ readiness assessments through our UK entity, ThreeShield Information Security Ltd.

The Five Cyber Essentials Controls

Cyber Essentials focuses on five fundamental technical controls that protect against the most common cyber threats. Lavawall® directly addresses all five.

1. Firewalls & Internet Gateways

Boundary firewalls and internet gateways configured to protect the network from unauthorized access. All unnecessary services and ports blocked. Lavawall® monitors firewall configuration and alerts on unauthorized exposure of services.

2. Secure Configuration

Computers and network devices configured securely - default passwords changed, unnecessary software removed, auto-run features disabled. Lavawall® monitors device configuration against secure baseline standards continuously.

3. User Access Control

Access to systems and applications limited to authorized users. Standard user accounts for day-to-day work; administrative accounts for administrative tasks only. MFA required. Lavawall® monitors account privilege levels and MFA enrollment continuously.

4. Malware Protection

Protection against malware - anti-malware software, application whitelisting, or sandboxing. Lavawall® monitors endpoint security status across all devices and alerts when protection is disabled or out of date.

5. Patch Management

Software and operating systems kept up to date with the latest security patches. High-risk vulnerabilities patched within 14 days. Lavawall® automates patch management across Windows, macOS, Linux, and over 7,533 applications - this is Lavawall®'s primary use case.

CE vs. CE Plus

Cyber Essentials is a self-assessment questionnaire reviewed by a certifying body. Cyber Essentials Plus adds a hands-on technical assessment where an independent assessor verifies the controls are actually in place - similar to the difference between SOC 2 Type I and Type II. CE+ provides stronger assurance and is increasingly required for higher-value government contracts.

  • UK Government Contract Suppliers
  • NHS Suppliers
  • MoD Supply Chain
  • UK Critical Infrastructure
  • UK Financial Services
  • Canadian Companies with UK Operations

Lavawall® Makes Cyber Essentials Straightforward

All five Cyber Essentials controls map directly to what Lavawall® monitors continuously. Patch management is automated. Configuration compliance is monitored. MFA status is tracked. When CE assessment time arrives, the evidence is already collected and timestamped - the assessment becomes a documentation exercise rather than a scramble.

Three Ways to Achieve Cyber Essentials Certification

Self-Serve

DIY via Lavawall®

For organizations with IT capacity that need Lavawall® monitoring to support CE self-assessment

  • Automated patch management (CE Control 5)
  • MFA and access control monitoring (CE Control 3)
  • Endpoint security status monitoring (CE Control 4)
  • Configuration compliance monitoring (CE Control 2)
  • CE evidence collection for self-assessment questionnaire
Recommended

Supported

Expert gap assessment and remediation to CE/CE+ standard

  • CE gap assessment against all five controls
  • Lavawall® deployment and configuration
  • Remediation guidance to meet CE standard
  • CE questionnaire support
  • CE+ technical test preparation
Fully Managed

Done-for-You

Full CE/CE+ certification program through ThreeShield Information Security Ltd (UK)

  • Full CE gap assessment and remediation
  • CE questionnaire completion support
  • CE+ technical assessment preparation
  • Certification body liaison
  • Annual recertification service

Frequently Asked Questions

Yes - Cyber Essentials certification has been mandatory for all UK central government contracts involving the handling of personal information or certain sensitive information since 2014. Many NHS, MoD, and local government contracts also require it. Cyber Essentials Plus is required for higher-sensitivity contracts. For organizations seeking to supply the UK public sector, certification is effectively a prerequisite to bidding.

Cyber Essentials covers five foundational technical controls - it's a baseline certification, not a comprehensive security management framework. ISO 27001 is a comprehensive ISMS standard that encompasses governance, risk management, and 93 Annex A controls. NIS2 is a regulatory framework for critical infrastructure operators. CE/CE+ certification is complementary to ISO 27001 and NIS2 - in fact, CE compliance is generally a subset of what ISO 27001 and NIS2 require. ThreeShield maps all three frameworks to eliminate duplication.

Cyber Essentials certification is available to organizations worldwide, not just UK-headquartered companies. Canadian organizations with UK operations, UK government contracts, or UK public sector customers can obtain CE certification through accredited certification bodies. ThreeShield delivers CE/CE+ readiness engagements and liaises with UK certification bodies through our ThreeShield Information Security Ltd entity.

Ready for Cyber Essentials Certification?

Lavawall® automates the patch management, MFA monitoring, and configuration compliance that CE certification requires. ThreeShield delivers CE/CE+ readiness assessments for UK operations and Canadian companies supplying the UK public sector.


Delivered through ThreeShield Information Security Ltd (UK) · Also covers EU NIS2 · ISO 27001