Cyber Essentials Plus
Without Cyber Essentials certification, your firm is excluded from UK government contracts involving sensitive data and faces higher insurance premiums.
Cyber Essentials is a UK government-backed scheme operated by the National Cyber Security Centre (NCSC) through the IASME Consortium. It defines five technical controls that, when properly implemented, protect against the most common internet-based attacks.
Cyber Essentials Plus adds a hands-on technical verification conducted by an accredited assessor, who tests the controls in your live environment. The Plus certification is increasingly required for UK government contracts, defence supply chain participation, and as a baseline expectation for regulated industries.
The five control themes - firewalls, secure configuration, user access control, malware protection, and security update management - map directly to Microsoft 365 and Intune capabilities. StremarControl engineers and operates the Microsoft-native controls required for Cyber Essentials compliance, implementing these controls as enforceable policies rather than manual configurations and maintaining compliance assurance between annual assessments.
Why This Matters Now
Cyber Essentials is not optional for UK government supply chain participants; it is a mandatory requirement for contracts involving the handling of certain sensitive or personal information. The Ministry of Defence, NHS, and most local authorities now require CE or CE+ as a minimum. Beyond procurement, CE+ certification demonstrates to clients and insurers that your organisation has implemented baseline technical controls that defeat the most common attack vectors. For M365 tenants, the five control themes map directly to Intune compliance policies, Defender configurations, and Conditional Access - making the certification achievable and maintainable through programmatic enforcement.
Framework Metadata
Scope & Applicability
Cyber Essentials applies to any UK organisation seeking to demonstrate baseline cybersecurity hygiene. The scope covers all internet-facing IT infrastructure, including cloud services like Microsoft 365. For CE+, the assessor selects a sample of devices for hands-on technical verification. Organisations must include all devices that access organisational data - laptops, desktops, mobile phones, and tablets. Servers providing services to untrusted users must also be in scope. Cloud services must be configured according to the provider's security recommendations.
Core Obligations
Firewalls
Ensure all devices that connect to the internet are protected by a properly configured firewall or equivalent network device. Default passwords must be changed.
Secure Configuration
Remove unnecessary software, change default settings, and disable auto-run. Systems must be configured to minimise vulnerabilities.
User Access Control
Control access to systems through user accounts with appropriate privileges. Use MFA where available. Remove or disable accounts that are no longer needed.
Malware Protection
Protect against malware using at least one of: anti-malware software, application whitelisting, or sandboxing.
Security Update Management
Keep all software up to date. Apply critical and high-severity patches within 14 days of release.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Firewalls
Windows Firewall profiles enforced via Intune endpoint security policies. Network protection enabled in Defender for Endpoint. Attack surface reduction rules blocking known attack vectors.
Intune firewall policy compliance report, Defender network protection logs, ASR rule audit.
Secure Configuration
Intune Security Baselines applied across all managed endpoints. Configuration profiles disable auto-run, enforce screen lock, restrict removable media. CIS Benchmark alignment validated.
Security baseline compliance report, device configuration status, non-compliant device list with remediation status.
User Access Control
Conditional Access enforcing phishing-resistant MFA (FIDO2/WHfB). Entra ID role assignments follow least privilege. Stale account detection and automated disablement after 90 days of inactivity.
MFA registration report, stale account audit, Conditional Access evaluation logs, privilege escalation alerts.
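As an added example (not StremarControl's code or Microsoft's own tooling), the following Microsoft Graph PowerShell script implements the stale-account check described above: it reports enabled Entra ID accounts with no sign-in activity in the configured window (90 days by default), writes the list to CSV as assessor evidence, and disables those accounts only when run with -Disable. It assumes the Microsoft.Graph module is installed, the caller holds User.ReadWrite.All and AuditLog.Read.All (the signInActivity property requires the latter and an Entra ID P1/P2 licence), and that the -ExcludeUpn parameter, a hypothetical addition here, is populated with your own break-glass accounts.

```powershell
<#
  Added example, not StremarControl's code: report (and optionally disable) Entra ID
  accounts with no sign-in in the last $InactiveDays days, as a stale-account check
  for the Cyber Essentials user access control theme.
  Assumptions: Microsoft.Graph PowerShell SDK installed; caller granted
  User.ReadWrite.All and AuditLog.Read.All; -ExcludeUpn holds break-glass accounts.
#>
param(
    [int]$InactiveDays = 90,
    [string[]]$ExcludeUpn = @(),                 # hypothetical: break-glass / service accounts to skip
    [string]$ReportPath = './stale-accounts.csv',
    [switch]$Disable                             # report only unless this switch is passed
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All' -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$InactiveDays)

# signInActivity exposes both interactive and non-interactive sign-in timestamps.
# CreatedDateTime is requested so never-used accounts are aged from creation rather
# than silently treated as active.
$users = Get-MgUser -All -Property 'Id,UserPrincipalName,AccountEnabled,CreatedDateTime,UserType,SignInActivity'

$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }                     # already disabled
    if ($ExcludeUpn -contains $u.UserPrincipalName) { continue }

    # Most recent of the two sign-in timestamps; $null means no sign-in recorded.
    $latest = @($u.SignInActivity.LastSignInDateTime,
                $u.SignInActivity.LastNonInteractiveSignInDateTime) |
              Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $latest) { $latest = $u.CreatedDateTime }           # never signed in

    if ($latest -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType
            LastActivityUtc   = $latest
            DaysInactive      = [int]($now - $latest).TotalDays
        }
    }
}

$stale = @($stale | Sort-Object DaysInactive -Descending)
$stale | Export-Csv -Path $ReportPath -NoTypeInformation        # evidence for the assessor
$stale | Format-Table -AutoSize
Write-Host "$($stale.Count) enabled account(s) inactive for more than $InactiveDays days."

if ($Disable) {
    foreach ($s in $stale) {
        # Disable rather than delete: mailbox and OneDrive data are retained and the
        # account can be re-enabled if the access review finds it is still needed.
        Update-MgUser -UserId $s.UserPrincipalName -AccountEnabled:$false
        Write-Host "Disabled $($s.UserPrincipalName) ($($s.DaysInactive) days inactive)"
    }
}
```

Run it without -Disable first and review the CSV: guest accounts and accounts that have never signed in are included deliberately, since both are common findings in a CE+ sample, and the exclusion list exists so that emergency-access accounts are never disabled by automation.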
Malware Protection
Defender for Endpoint with real-time protection, cloud-delivered protection, and automatic sample submission. Tamper protection enabled to prevent disablement.
Defender health report, threat detection summary, tamper protection status audit.
Patch Management
Windows Update for Business with Intune update rings: pilot (7 days), broad (14 days), critical (expedited to 48 hours). Third-party patch management via Intune Win32 app deployment.
Update compliance report, patch deployment timeline, devices outside SLA report.
Related Frameworks
ISO 27001 certification is increasingly a procurement prerequisite. Without it, organisations face exclusion from enterprise supply chain shortlists and heightened scrutiny from insurers and regulators.
Post-Brexit divergence means UK organisations must now navigate two parallel GDPR regimes, with the ICO imposing fines up to GBP 17.5 million or 4% of global turnover.
Ready to get Cyber Essentials-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against Cyber Essentials requirements, close gaps, and produce audit-ready evidence.