Cyber Essentials
DashboardSign Out

Course overview

A comprehensive journey that helps you navigate uncertainty and make choices aligned with your values and goals.

10 modules
61 lessons
14 hr 50 min
Start the course
Part 1

Module 1 - Getting Started

Start your Cyber Essentials journey by understanding the scheme, the five controls, and how to avoid common mistakes before you begin.

  1. What is Cyber Essentials?

    Understand what Cyber Essentials is, who it is for, and what certification means for your organisation.

    14:36
  2. The five controls

    Get a practical overview of the five Cyber Essentials technical controls and how they shape your assessment.

    14:36
  3. Why certification matters

    Learn why Cyber Essentials certification matters commercially, operationally, and for stakeholder confidence.

    14:36
  4. How the assessment works

    Follow the end-to-end assessment process so you know what to prepare and what happens at each stage.

    14:36
  5. Cyber Essentials vs Cyber Essentials Plus

    Compare Cyber Essentials and Cyber Essentials Plus to choose the right path for your organisation.

    14:36
  6. Common Cyber Essentials mistakes that cause failure, delay or rework

    Avoid the most common mistakes that cause failed answers, rework, or delays during certification.

    14:36
Part 2

Module 2 - Organisation Details

Set up the organisation details correctly so your application is accurate, eligible, and aligned to what the assessor expects.

  1. Name, legal entity and certificate identity

    Capture the correct legal entity and certificate details so your application identity is accurate from the start.

    14:36
  2. Employees, addresses, sector and website details

    Prepare essential organisation profile data including workforce, locations, sector, and public-facing details.

    14:36
  3. Multiple legal entities and when one assessment is not enough

    Understand when separate legal entities need separate assessments and how to avoid scope confusion.

    14:36
  4. Renewal, reasons for applying and optional scheme questions

    Complete renewal and application context questions clearly so assessors can evaluate your submission quickly.

    14:36
  5. Cyber insurance questions

    Answer cyber insurance-related questions accurately and understand how they connect to Cyber Essentials declarations.

    14:36
Part 3

Module 3 - Scope, Subsets and Inventory

Define scope properly by deciding what is included, documenting networks and services, and confirming ownership of IT responsibilities.

  1. Whole organisation or partial scope

    Decide whether to certify the whole organisation or a defined subset, and document that scope clearly.

    14:36
  2. Sites, networks and internet connections

    Identify sites, networks, and internet connections that must be represented correctly in your CE response.

    14:36
  3. Home and remote workers

    Account for home and remote workers so all relevant users and connection paths are included in scope.

    14:36
  4. Network equipment

    List network equipment accurately and avoid common inventory errors that weaken assessment evidence.

    14:36
  5. Laptops, desktops and virtual desktops

    Record laptops, desktops, and virtual desktops properly so endpoint scope is complete and defensible.

    14:36
  6. Thin clients, servers and virtual servers

    Include thin clients, servers, and virtual servers with clear ownership and boundary definitions.

    14:36
  7. Tablets and mobile devices

    Handle tablets and mobile devices correctly, including BYOD and cloud access considerations.

    14:36
  8. Cloud services

    Classify cloud services consistently across SaaS, PaaS, and IaaS so scope statements stay accurate.

    14:36
  9. Who manages the IT

    Define internal and outsourced IT responsibilities so accountability and evidence ownership are clear.

    14:36
Part 4

Module 4 - Firewalls

Work through firewall and internet boundary requirements so you can evidence secure setup, controlled access, and rule management.

  1. What firewalls are protecting

    Understand which systems firewalls protect and how boundary controls map to Cyber Essentials requirements.

    14:36
  2. Default passwords, firewall admin accounts and remote administration access

    Secure firewall administration by removing default credentials and tightly controlling remote admin access.

    14:36
  3. Inbound connections, port forwarding and firewall rule justification

    Control inbound connections and port forwarding with clear technical justification and risk awareness.

    14:36
  4. Firewall rule reviews

    Run regular firewall rule reviews to remove obsolete access and keep security boundaries effective.

    14:36
  5. Software firewalls on laptops, desktops and remote-worker devices

    Apply software firewall requirements to user devices, especially laptops and remote endpoints.

    14:36
  6. Firewall evidence, common failures and final A4 answer review

    Prepare firewall evidence and final checks that reduce common assessor queries and prevent avoidable failures.

    14:36
Part 5

Module 5 - Secure Configuration

Implement secure configuration controls by removing insecure defaults and locking down devices, software, and user access settings.

  1. Secure configuration

    Start secure configuration by removing default settings and high-risk options before they become weaknesses.

    14:36
  2. Unnecessary accounts

    Identify and remove unnecessary accounts so only required users and privileges remain active.

    14:36
  3. Default and guessable passwords

    Eliminate default and guessable passwords by enforcing stronger credential standards and controls.

    14:36
  4. Unnecessary software, services and system utilities

    Reduce attack surface by uninstalling unnecessary software, services, and system utilities.

    14:36
  5. Auto-run and automatic execution

    Disable auto-run style behaviour that can execute untrusted files without explicit user approval.

    14:36
  6. Authentication before access

    Ensure users authenticate before accessing organisational services, data, or managed environments.

    14:36
  7. Device unlocking

    Strengthen device unlock controls with PIN/password/biometric policies and lockout safeguards.

    14:36
  8. Secure configuration evidence, common failures and final review

    Compile secure configuration evidence and perform final review checks before submission.

    14:36
Part 6

Module 6 - User Access Control

Apply user access control in practice with joiner/mover/leaver processes, strong authentication, and controlled administrator privileges.

  1. User access control

    Apply least-privilege user access principles so accounts and permissions match real business need.

    14:36
  2. Creating and approving user accounts

    Set up account creation and approval workflows for joiners, movers, contractors, and temporary users.

    14:36
  3. Removing and disabling accounts

    Remove or disable leaver and dormant accounts promptly to prevent unnecessary residual access.

    14:36
  4. Multi-factor authentication

    Implement multi-factor authentication where required, including cloud services and privileged access paths.

    14:36
  5. Password-based authentication

    Enforce robust password-based authentication controls and supporting user guidance.

    14:36
  6. Administrator accounts

    Separate administrative access from standard user access and control privileged account lifecycle tightly.

    14:36
  7. Final user access control review

    Complete final access-control assurance checks and gather evidence for assessment confidence.

    14:36
Part 7

Module 7 - Devices and Software

Build and maintain a complete device picture, including approved software and BYOD controls, to support accurate CE answers.

  1. Building and maintaining the device inventory

    Build and maintain an accurate device inventory so all in-scope assets are visible and governed.

    14:36
  2. Approved and permitted software

    Define approved software rules so only permitted applications are used across managed devices.

    14:36
  3. Mobile devices, app stores and untrusted software

    Control mobile software sources and app installation risks across phones and tablets.

    14:36
  4. BYOD

    Implement practical BYOD controls that protect organisational data on personally owned devices.

    14:36
  5. Device lifecycle

    Manage device decommissioning and disposal securely, including account and data removal steps.

    14:36
Part 8

Module 8 - Malware Protection

Choose and operate the right malware protection approach for your environment, then gather evidence to support your CE submission.

  1. Malware protection

    Choose the malware protection method that best fits your environment and Cyber Essentials obligations.

    14:36
  2. Anti-malware software

    Configure and maintain anti-malware controls, updates, and blocking measures to meet CE expectations.

    14:36
  3. Application allow listing

    Apply allow-listing correctly so only trusted, approved applications can run.

    14:36
  4. Application sandboxing

    Use application sandboxing and platform controls appropriately on supported device types.

    14:36
  5. Final malware protection review

    Run final malware protection validation and evidence checks before submitting answers.

    14:36
Part 9

Module 9 - Security Update Management

Meet security update requirements by owning patching, tracking software status, and handling unsupported systems safely.

  1. Security update management

    Understand the 14-day update rule and build a workable process for vulnerability remediation.

    14:36
  2. Software inventory and update ownership

    Create clear ownership for software inventory and patching across operating systems and applications.

    14:36
  3. Applying updates within 14 days

    Operate a repeatable patch workflow that handles exceptions while meeting CE timelines.

    14:36
  4. Unsupported software

    Manage unsupported software risk through isolation, replacement plans, and transparent declarations.

    14:36
  5. Final security update management review

    Complete final update-management checks so your submission is technically accurate and auditable.

    14:36
Part 10

Module 10 - Final Readiness and Submission

Bring everything together for submission by closing gaps, validating evidence, and planning ongoing Cyber Essentials recertification.

  1. Final scope review

    Perform a final scope validation to confirm your answers match real systems, services, and responsibilities.

    14:36
  2. Final evidence pack

    Assemble an evidence pack that maps clearly to each control and supports assessor review.

    14:36
  3. Completing the Cyber Essentials questionnaire

    Complete the questionnaire with clear, consistent responses that minimise clarifications and rework.

    14:36
  4. Final remediation sprint

    Run a focused remediation sprint to close high-impact gaps before final submission.

    14:36
  5. Final course close

    Close the course with a practical recertification plan so controls stay effective year-round.

    14:36