Are You Ready for Cyber Essentials?

IASME’s Cyber Essentials Readiness Tool and how it helps you prepare for certification

Cyber Essentials is a UK government-backed certification scheme that helps organisations protect themselves from around 80% of common cyber threats. It’s widely recognised as a minimum standard for cyber security assurance and is often required in public-sector procurement contracts.

The certification process is managed by IASME (the IASME Consortium), which licenses certification bodies – such as IT Governance Ltd – to carry out Cyber Essentials and Cyber Essentials Plus certifications.



What is the Cyber Essentials Readiness Tool?

The Cyber Essentials Readiness Tool, developed by IASME on behalf of the NCSC (National Cyber Security Centre), is an interactive questionnaire that helps you evaluate your current cyber security posture against the scheme’s requirements and identify what you need to do to qualify for certification.

You’re asked a series of questions about your organisation’s IT setup, policies and controls. Based on your responses, the tool generates a Readiness Action Plan that highlights any areas that need attention before you apply for certification.


Why use the Cyber Essentials Readiness Tool?

Many organisations want to improve their cyber security but don’t know where to start. The Readiness Tool addresses this by:

  • Breaking down the Cyber Essentials requirements into manageable sections
  • Explaining key concepts in accessible language
  • Providing sector-specific guidance (e.g. for education providers)
  • Offering practical next steps if you answer “no” or “I’m not sure” to any question
  • Generating a downloadable action plan for internal use

So, whether you’re a sole trader or a large organisation, the tool helps you understand how Cyber Essentials applies to your environment and what you need to do to meet its requirements.


What does the tool cover?

The Readiness Tool is divided into 12 sections, each focusing on a different aspect of your organisation’s cyber security controls.

1. About your organisation

The tool begins by collecting basic information about your business, including:

  • Whether you are an education provider
  • Your organisation size and sector
  • The number of home workers
  • Your location
  • Whether you’ve held Cyber Essentials certification before

This information is used to tailor the guidance you receive later in the process.

2. Scope of your evaluation

Cyber Essentials assessments must define a clear scope – that is, which parts of your IT infrastructure are covered by your certification. The tool asks:

  • Whether your scope includes your whole organisation (which is preferred)
  • Whether it includes end-user devices (e.g. laptops, tablets, smartphones)

If your scope excludes certain systems (e.g. unsupported legacy software), you must be able to explain how they are segregated.

3. Hardware inventory

You are asked whether:

  • You maintain an asset register
  • The register includes all hardware (e.g. laptops, smartphones, firewalls)
  • You use thin clients
  • You own or rent servers

Maintaining an accurate asset register is fundamental to any security programme. Without knowing what you own, you can’t secure it.

4. Software and firmware

This section explores your software and firmware environment:

  • Do you have an inventory of all installed software and firmware?
  • Do you use any unsupported software?
  • Are automatic updates enabled?
  • Do you use virtualisation infrastructure?

Only supported software and firmware should be in use. Unsupported systems are a common attack vector and are not permitted under Cyber Essentials.

5. Firewalls and boundary devices

This section asks whether:

  • You have a firewall or router with firewall functionality in place
  • Default passwords have been changed to strong alternatives
  • You know how to change your firewall password if necessary

These controls are part of Cyber Essentials’ first core requirement – securing internet-connected devices at the boundary.

6. Accessible Internet services

You’re asked whether any services within your organisation are accessible externally via the Internet, such as VPNs or email servers. If so, you must be able to:

  • Justify the business need
  • Ensure the configuration is secure
  • Restrict access through measures such as IP whitelisting or multi-factor authentication

Unsecured services exposed to the internet are a common entry point for attackers.

7. Cloud services

Most organisations use Cloud services such as Microsoft 365 or Google Workspace. The tool asks:

  • Whether you have a list of all Cloud services used
  • Whether MFA is enabled for all user accounts
  • Whether you understand the shared responsibility model for each service

Cyber Essentials applies fully to Cloud environments, so you are responsible for how services are configured and accessed.

8. Secure configuration

This section focuses on default settings and device hardening. Questions include:

  • Have you removed unused software?
  • Are all user accounts legitimate and necessary?
  • Is AutoRun/AutoPlay disabled on all devices?
  • Are mobile devices protected with PINs, passwords or biometrics?

Default configurations often prioritise ease of use over security. Cyber Essentials requires them to be reviewed and updated.

9. Password management

Good password hygiene is critical. The tool asks:

  • Whether default passwords have been changed
  • Whether you have a password policy that includes guidance on uniqueness and strength
  • Whether all users have unique login credentials
  • Whether you support users in creating and maintaining secure passwords
  • Whether you protect against brute-force attacks

Although passwordless authentication is emerging, Cyber Essentials remains focused on secure password use for now.
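The secure configuration and password management sections above are answered by inspection, and on a Windows endpoint three of those answers can be spot-checked from the device itself. The script below is an added example, not part of the IASME tool or of IT Governance’s materials. It assumes a Windows 10/11 machine, an elevated Windows PowerShell 5.1 session (for the HKLM read and the Microsoft.PowerShell.LocalAccounts module), and an English-language build, since it reads the text output of `net accounts`. On a domain-joined device the lockout threshold shown is the effective local policy, which may be set centrally.

```powershell
# Added readiness spot-check; not from the IASME Readiness Tool or IT Governance.
# Assumes Windows 10/11, elevated Windows PowerShell 5.1, English-language build.

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun = 0xFF (255) disables AutoRun for every drive type.
    # The machine-wide policy key is checked first, then the per-user key.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 255) { return $true }
    }
    return $false
}

function Get-SuspectLocalAccounts {
    # Enabled local accounts that have never signed in are candidates for the
    # "are all user accounts legitimate and necessary?" review.
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.LastLogon } |
        Select-Object Name, Description
}

function Test-LockoutConfigured {
    # 'net accounts' reports the local account lockout threshold; "Never" means
    # no lockout is configured, so repeated wrong passwords are never throttled.
    $line = (net accounts) | Select-String 'Lockout threshold'
    return [bool]($line -and $line.Line -notmatch 'Never')
}

# Summary in the same yes/no shape as the questionnaire.
[pscustomobject]@{
    AutoRunDisabled      = Test-AutoRunDisabled
    SuspectLocalAccounts = (Get-SuspectLocalAccounts | Measure-Object).Count
    LockoutConfigured    = Test-LockoutConfigured
} | Format-List
```

Run it as-is to print the three results; a `$false` for AutoRun or lockout, or a non-zero count of never-used enabled accounts, marks an item to fix before answering “yes” in the tool. The account check is deliberately a shortlist for human review rather than an automatic disable, since a newly created account that has not yet been used will also appear on it.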

10. Malware protection

You must have measures in place to protect against malicious software. The tool offers three recognised approaches:

  • Installing malware protection software (e.g. antivirus)
  • Using application whitelisting
  • Restricting software installations to an approved list

All devices used for business must be protected using one or more of these methods.

11. User accounts

The tool asks whether:

  • You follow a defined process for creating user accounts
  • You track joiners and leavers
  • You control who is given administrator accounts
  • You ensure that administrator accounts aren’t used for day-to-day work

Access rights should be limited to what users need. This helps reduce the impact of a compromised account.

12. Backing up data

Finally, you’re asked whether your organisation backs up its data. While not a formal requirement of Cyber Essentials, having a reliable backup strategy is strongly recommended.

Backups protect you from data loss caused by ransomware, accidental deletion or hardware failure. The tool advises implementing a system that meets your business needs and recovery objectives.


What’s the end result?

Once you complete the questionnaire, you are presented with a tailored readiness report. This report outlines:

  • Which controls you already meet
  • Which areas need improvement
  • Suggested next steps for each identified gap

You can save, print or download this action plan for reference.

If you’re ready to proceed, you can then access the official Cyber Essentials SAQ (self-assessment questionnaire) and begin preparing for certification.


Ready for certification?

If you’ve completed the questionnaire to your satisfaction and need help bringing your security practices up to standard, we have everything you need.

We’re one of the founding Cyber Essentials certification bodies and remain one of the largest in the UK. We can offer practical advice on your Cyber Essentials implementation and/or certification project, as well as more in-depth discussion and additional support – whatever your needs.


About us

  • IT Governance is one of the founding Cyber Essentials certification bodies and one of the largest in the UK, issuing more than 9,000 certificates.
  • Our Cyber Essentials services have received a ‘World-Class’ NPS (Net Promoter Score) of +100.
  • With a large team focused on Cyber Essentials, we offer same-day turnaround on your certificates.
  • We have a 98% customer success rate.
  • We offer everything you need to get Cyber Essentials certification, such as documentation, scanning and assessments.
  • One-to-one support included as standard in all our packages.
  • End-to-end support – we deliver all the technical tests and assessments ourselves, conducted by our experienced technical testers.
  • Tailored solutions – our unique fixed-price bundles provide expert support and compliance tools at affordable rates.
  • Credentials – our consultants are qualified cyber security practitioners.
  • Unrivalled expertise – we have the knowledge and insight to help you take the next steps beyond Cyber Essentials.

The post Are You Ready for Cyber Essentials? appeared first on IT Governance Blog.
