UK government contractors must comply with Cyber Essentials

News by Doug Drinkwater

The British government will demand that all its suppliers comply with the five cyber security requirements set out by the Cyber Essentials scheme from October 1.

The Cabinet Office announced the news on its website today, which detailed that suppliers must be compliant with such controls if they are to bid for government contracts which involve the handling of sensitive and personal information and the provision of certain technical products and services.

Cyber Essentials comprises two levels of certification; Cyber Essentials (a self-assessment questionnaire which is then verified by an independent certification body to assess whether the required standards have been achieved) and Cyber Essentials Plus (which involve external testing of the company's cyber security practices). Costs vary and organisations must recertify once a year to retain their certification.

Launched in June, it comprises five key controls and early adopters include companies such as BAE Systems, Barclays, Hewlett-Packard (which has issued instructions to its own supply chain by press release) and Vodafone.

The accreditation forms part of the UK's National Cyber Security Programme.

Cabinet Office minister Francis Maude said in a statement that the certification shows that companies take cyber security seriously.

“It's vital that we take steps to reduce the levels of cyber security risk in our supply chain,” he said. “Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber-attack. Businesses can demonstrate that they take this issue seriously and that they have met government requirements to respond to the threat. Gaining this kind of accreditation will also demonstrate to non-government customers a business's clear stance on cyber security.

"Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt, and I encourage them to do so."

Alan Calder is CEO of IT Governance, one of the certification bodies for the scheme, and says that it's good to see Cyber Essentials emerging as the default minimum standard for cyber security.

“I'm delighted that the government has confirmed what it has been indicating that it would do - Cyber Essentials is genuinely the minimum level of cyber security that every organisation should have in place - and we, as an accredited certification body under the scheme, are already working with a large number of companies that have sought certification ahead of this announcement,” he said in an email to

Amar Singh, interim CISO and currently behind the GiveADay cyber security initiative, was more mixed on the news however, saying that there's a danger accredited companies become complacent after undergoing the ‘tick box exercise'.

“It is a good thing but maybe gives a false sense of security…that you've got the certification and everything will be fine.”

He added: “There needs to be more clarity that it's a tiny step, a tick box exercise” before equating the self-assessment as a student assessing their own homework.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews