Cyber Essentials


Background to Cyber Essentials

Cyber Essentials certification has been mandatory for suppliers* to the MOD since 1 January 2016.

Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks. Poor cyber security can damage your reputation and cost you business, whereas strong cyber security can boost your reputation and win you more business at home and overseas.

According to the Cyber Security Breaches Survey 2017**, only one in ten businesses has a cyber security incident management plan in place, despite just under half (46%) of all UK businesses identifying at least one cyber security breach or attack in the last 12 months. The report also highlighted that around 13% of UK businesses are attacked daily and this is more prevalent where the core business functionality is not online focused.

It is also estimated that security breaches will continue to increase in the next year. The survey found 59% of respondents expected to see more security incidents. Businesses need to ensure their defences keep pace with the threat.



*Applicable to all new MOD contracts which involve the transfer or creation of MOD identifiable information
**UK Gov, The Information Security Breaches Survey – Department of Business, Innovation & Skills




DCPP requirement for Cyber Essentials



The Defence Cyber Protection Partnership (DCPP) is a joint MOD/industry initiative launched in 2012 and established in 2013. Since 2016 the DCPP has stated that all suppliers bidding for new MOD requirements which include the transfer of ‘MOD identifiable information’ should achieve a Cyber Essentials Scheme (CES) certificate by the contract start date.

The DCPP recognises Cyber Essentials as the basis for good cyber security practice and has incorporated it as the foundation of the Cyber Security Model. The lowest DCPP requirement (‘Very Low’) requires only that the supplier achieves Cyber Essentials, with all other levels requiring Cyber Essentials Plus in addition to the DCPP-specific controls. It is recommended that all suppliers achieve compliance with Cyber Essentials in preparation for the implementation of the Cyber Security Model for Defence.

Cyber Requirements for Ministry of Defence suppliers and sub-contractors

The Ministry of Defence (MOD) is committed to ensuring Defence and its supply chain are appropriately protected from cyber threats. The Defence Cyber Protection Partnership (DCPP) includes Cyber Essentials within its Cyber Security Model (CSM) as a proportionate means for suppliers to demonstrate baseline security controls. The CSM applies to all MOD contracts and suppliers will be required to demonstrate that they have achieved the appropriate level of certification.

The Cyber Security Model makes it clear for defence suppliers that to win defence tenders they must meet the cyber security requirements based on the risk profile of the contracts being published through DCI.

The Cyber Essentials scheme represents a small yet essential part of defending against cyber threats. You can learn more about the DCPP and the CSM model with our free DCI Cyber CSM Overview guide.


Requirements for ‘Very Low’ risk contracts

The following requirements apply to all suppliers bidding for MOD contracts which have been categorised by Risk Assessment as Very Low risk:

Suppliers must hold valid Cyber Essentials certification;

• by the contract start date;

• and, this must be renewed annually;

• The scope of the certification should cover the supplier’s relevant operations and network boundary which will be used to deliver the MOD contract.


Requirements for ‘Low’, ‘Moderate’ and ‘High’ risk contracts

The following requirements apply to all suppliers bidding for MOD contracts which have been categorised by Risk Assessment as Low, Moderate or High risk:

Suppliers must hold valid Cyber Essentials PLUS certification;

• by the contract start date;

• and, this must be renewed annually;

• The scope of the certification should cover the supplier’s relevant operations and network boundary which will be used to deliver the MOD contract.

Cyber Essentials in Defence Procurement


The UK defence market is worth over £20 billion per annum and Cyber Essentials can support your business in its efforts to become a supplier to the defence sector.

Any supplier bidding for a contract that involves the transfer of MOD identifiable information needs to be Cyber Essentials certified.

In a speech at the Institute of Directors in March 2017, Minister for Digital and Culture Matt Hancock said: “I mentioned the Government already requires many of its suppliers to hold a Cyber Essentials certificate. We’ll be strengthening this requirement to ensure even more of our contractors take up the scheme.”


What's the difference between Cyber Essentials & Cyber Essentials Plus?

The complete Cyber Essentials scheme is made up of two progressive stages – Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials is the first stage and is a foundation level certification that provides a clear statement of the basic controls your organisation should have in place to mitigate the risk from common cyber threats.

Cyber Essentials Plus is the second stage, and is a more rigorous test of your organisation’s cyber security systems where our cyber security experts carry out on-site vulnerability tests to ensure that your organisation is protected against basic hacking and phishing attacks.

The difference between the two is the on-site vulnerability tests that are carried out for Cyber Essentials Plus certification. All organisations seeking certification must complete the first stage (Cyber Essentials), but some organisations, depending on their structure and the severity of the risks they face, will need to complete Cyber Essentials Plus.

Cyber Essentials Plus is commonly seen as the demonstration of an organisation’s IT maturity. We would recommend Cyber Essentials Plus if your organisation has over 250 members of staff, each with one or more connected devices.

How do I get Cyber Essentials?


Obtaining Cyber Essentials certification through DCI is very straightforward. It takes just three simple steps:

  • Purchase your chosen level of certification – Cyber Essentials or Cyber Essentials Plus
  • Complete your Cyber Essentials questionnaire in full and upload for review by ID Cyber Solutions
  • Once your self-certified questionnaire submission is approved, the awarding body, QG Business Solutions Ltd, will post out your certificate

When you receive your Cyber Essentials certificate you will also receive the relevant Cyber Essentials branding to use on collateral such as tender bids for one of the many defence contracts available through DCI.


How long does it take to obtain Cyber Essentials certification?

The process to become Cyber Essentials certified is straightforward and only takes a few days to complete.

After ordering Cyber Essentials or Cyber Essentials Plus, you will receive login details for the members’ area of the site where you will find the self-assessment form. Filling out this form is relatively straightforward and will only take a couple of hours to complete. You are also supported throughout the process, either via the help buttons on the questionnaire or via the contact form.

Once the self-assessment form has been completed, you submit it electronically through the members’ area and will receive confirmation of receipt. After submission, it will take our team a few days to assess your answers. Once we have reviewed your application, you will be contacted by a member of our team to discuss the next steps in the process.

If you require Cyber Essentials urgently, you can opt for our Fast Track service for only £600 ex VAT. With Fast Track our team will get you through certification within 24- ensuring you can be fully certified before submitting a bid for a defence tender.