Cyber Essentials Questions Answered: Technical Requirements, BYOD Compliance and the Future of the Scheme

Amarjit Sandhu | Cyber Security Analyst at URM | Published on 01 May 2025

Cyber Essentials is a UK government-backed certification scheme, developed by the National Cyber Security Centre (NCSC), that provides a framework of technical security controls designed to protect organisations against 80% of the most common cyber threats.  Certification to Cyber Essentials and to Cyber Essentials Plus (the scheme’s externally audited certification) not only enables organisations to strengthen their security posture, but also to assure key stakeholders and prospective clients that appropriate measures are in place to safeguard their sensitive information.

In this blog, Amarjit Sandhu, a Cyber Security Analyst at URM, answers key questions about Cyber Essentials (CE) and Cyber Essentials Plus (CE+), the scheme’s requirements, and how CE may develop in the coming years.

Technical Queries

What are the requirements for laptops in relation to firmware/driver updates?

Whilst CE previously required that firmware be kept up to date, and the Question Set contained a specific question to confirm this, this is no longer included in the current Question Set.  As such, there is no specific requirement to state firmware levels or whether firmware is up to date, and this is also the case for driver updates.  However, when you patch your devices, some patches will be via firmware and driver updates, and the vulnerability scanning performed for CE+ will identify out-of-date firmware and drivers.  So, while there is not a dedicated question for firmware and driver updates, they are still indirectly required for compliance.  

Do iPhones and Android phones require any antivirus to ensure that a ‘malware protection mechanism is active on all devices in scope’?

There is, currently, no IASME approved malware solution for iPhones or Android phones.  Instead, you are recommended to implement other mechanisms to protect these devices against malware, such as a mobile device management (MDM) or mobile application management (MAM) solution.  These tools allow you to monitor the software running on the devices and prevent the installation or execution of unauthorised applications.  

If you are unable to implement these solutions, you can also enforce malware protection of iPhones and Androids via a policy that specifies the requirements for acceptable use of such devices (e.g., users can only install applications from the App Store or Google Play Store) and the consequences of nonconformance (e.g., disciplinary action or termination of employment).  

How do you determine what is a cloud service and needs to be considered in-scope?

IASME considers a cloud service to be anything that is provided as a service, i.e., infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), etc.  This is based on the greater risk to your organisation associated with accessing these services if they were to be compromised, as opposed to the risk associated with creating an account for a website to purchase products it sells, for example, which would not be considered a cloud service and therefore would not be in scope.

How do you handle eSIMs?

As CE is concerned with your devices and networks, eSIMs should not be treated any differently to a regular SIM and do not have any unique requirements for compliance.

Bring Your Own Device (BYOD) and Personal Devices

Does CE require you to implement technical controls on BYOD?  

It is important to note that allowing BYOD does pose extra risks to your organisation, as this will generally be an easier target for attackers than company-owned devices.  

If you do need to allow BYOD, installing an agent or software on the personal devices to check or control them is the most secure approach and is ideal, but it is not required for compliance with CE.  Instead, technical controls can be via an MDM or MAM solution or another control or policy that prevents non-compliant devices from connecting to your information or networks.  All technical controls applicable to company-owned devices are also applicable to BYOD, such as requirements for accounts, correct use of admin accounts, etc.

Does CE allow you to access emails via browser on a personal device?

If you access any organisational data (including emails) via a browser, CE requirements dictate that you cannot do this using an untrusted device.  So, if your organisation operates BYOD and you access emails with a registered BYOD, this would be compliant, but accessing emails from a personal device not within scope of the BYOD policy would be in breach of the scheme’s requirements.

Email platforms, such as Microsoft 365, often provide configuration options that allow you to restrict access to trusted devices only.  If your organisation does not have the ability to implement this, you can instead stipulate within policies that accessing organisational emails via untrusted devices is prohibited.
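As an added example of the "trusted devices only" configuration described above (and of the MDM-based control for BYOD mentioned earlier), here is a Microsoft Entra Conditional Access policy created through the Microsoft Graph PowerShell SDK. This is not code from the original post or from URM; it assumes the Microsoft.Graph module is installed, that the signed-in account can manage Conditional Access, and that devices are enrolled in Intune so that a compliance state exists to evaluate. The policy name and the excluded break-glass group ID are placeholders.

```powershell
# Added example (not from the original post): a Conditional Access policy that
# only lets Intune-compliant or Entra-joined devices reach Microsoft 365 email.
# Assumptions: Microsoft.Graph module installed; signed-in account may manage
# Conditional Access; devices enrolled in Intune so compliance can be evaluated.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CE - Require trusted device for Microsoft 365 email"
    # Start in report-only mode so sign-in logs show who would be blocked
    # before enforcement; change to "enabled" once the results are reviewed.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: emergency-access (break-glass) group kept out of scope
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications = @{
            # "Office365" is the built-in target covering Exchange Online and the
            # rest of the Microsoft 365 suite, so browser (OWA) access is included.
            includeApplications = @("Office365")
        }
        # Cover both browser sessions and Outlook/mobile clients, matching the
        # post's point that browser access from an untrusted device is not compliant.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator = "OR"
        # Grant access only if the device is Intune-compliant OR hybrid-joined.
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Leaving the policy in report-only mode for a period first lets you confirm from the sign-in logs which personal devices outside your BYOD registration would have been blocked, before any user is locked out of email.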

Cyber Essentials and Cyber Essentials Plus General Questions

What are the main areas you can cover yourself before engaging a third party to assist with achieving CE/CE+ certification?

This is highly dependent on the level of knowledge and expertise within your organisation.  In theory, if your organisation has staff members who know how to patch and configure devices, you would not need any assistance.  However, even if you do have this in-house expertise, it is often beneficial to work with a third party to help you fill out the application and respond to the questionnaire.  It is not always clear what information each question is asking you to provide, and, as such, your CE assessment is more likely to be successful if you are supported by a third party with a comprehensive understanding of the scheme and its requirements.

If you are certified to ISO 27001, what additional controls or policies are required for compliance with CE/CE+?

This will depend on the nature of your information security management system (ISMS) and how it has been implemented.  There are not any specific, additional controls that are required for CE compliance that are not required by ISO 27001, and many requirements you have in place for conformance to the Standard, such as your password policy and keeping software up to date, will also be applicable to CE.  

However, one area that causes issues fairly frequently is the risk-based approach taken by ISO 27001, which allows you to accept risks if they are within your organisation’s risk tolerance, in contrast with the more binary approach and compulsory requirements of CE.  For example, your organisation could accept the risk associated with unpatched software or implement another mitigation for the risk it presents and still be ISO 27001 conformant.  Meanwhile, to be compliant with CE, you would need to ensure software is patched, regardless of whether unpatched software is within your organisation’s risk tolerance, or you have another mitigation.

To what extent is CE recognised and taken up outside of the UK?

A surprising number of organisations that are not based in the UK look to obtain CE certification.  Certification to the scheme is open to non-UK-based organisations, and we at URM are assisting a growing number of organisations from various regions around the world to achieve CE compliance.

The Future of Cyber Essentials

What is the future of CE?

Based on the approach IASME and the NCSC have taken to updating CE since its launch in 2014, it is likely that changes will continue to be small and introduced over time, instead of significant overhauls of the scheme being introduced at once.  This approach enables organisations to keep pace with the scheme’s requirements and remain compliant as new versions of the Question Set are released.

Could artificial intelligence (AI) play a role in CE+ in the future?  

AI-enabled tools are already used on both the blue team (defensive) and red team (attack) sides of the CE+ technical audit, as many of the products used to protect or attack systems have AI components.  Looking to the future, it is likely that an increasing number of products used for CE+ will include an AI component.  However, it is less likely that in the immediate future specific questions will be introduced to the Question Set regarding the management of AI security.

How URM Can Help

If your organisation would benefit from tailored Cyber Essentials support to achieve certification, URM can leverage its extensive experience with and knowledge of the scheme to ensure the certification process is as seamless and successful as possible.  Having facilitated hundreds of successful Cyber Essentials and Cyber Essentials Plus certifications as an accredited certification body, and as an Assured Service Provider under the NCSC’s Cyber Advisor Scheme, URM is ideally positioned to help improve your cyber security and assist you to implement the Cyber Essentials security controls.  

Our experienced assessors can conduct a gap analysis of your existing policies and controls to establish your current level of compliance with the scheme and provide options for remediation of any non-compliant areas.  Following this, when you are ready for assessment, we can offer a Cyber Essentials application review service.  This involves a member of our team working through a Cyber Essentials checklist with you before you complete your self-assessment questionnaire (SAQ) to ensure you understand and are able to compliantly answer the questions, or checking your completed SAQ before formal submission.

If you are looking to achieve Cyber Essentials Plus certification, we can also offer a pre-assessment service where URM’s assessor performs a smaller scale (but still meaningful) technical review of your systems, providing you with recommendations to close any compliance gaps and therefore increase your chances of success during the external audit.

Amarjit Sandhu
Cyber Security Analyst at URM
Amarjit Sandhu is a Cyber Security Analyst at URM and an IASME certified Cyber Essentials and Cyber Essentials Plus Assessor.