How to Get Cyber Essentials Certified: A Step-by-Step Guide for Councils
Cyber Essentials certification is achievable for every council, regardless of the size or complexity of the IT estate. The key is structured preparation: understanding what is in scope, assessing current control maturity against the five technical controls, remediating gaps systematically, and then completing the self-assessment questionnaire with confidence.
Cyber Essentials is the NCSC-backed scheme that demonstrates an organisation has the baseline technical controls in place to defend against the most common cyber attacks targeting UK organisations.
Step 1: Define Your Scope
Scoping is the most important decision in the Cyber Essentials process. The default scope is the whole organisation; a smaller sub-set is permitted only if it is segregated from the rest of the estate by a firewall or VLAN. Within the boundary, the requirements apply to every device and piece of software that can accept incoming connections from the internet, can make user-initiated outbound connections to the internet, or controls the flow of data between those devices and the internet. For most councils this means all council-managed PCs, laptops, servers and mobile devices, including those used by home workers, plus any personal devices used to access council data or services. Cloud services used by the council are in scope. Third-party managed devices may also be in scope where they are used to access council systems or data.
Step 2: Assess Against the Five Controls
Assess your current posture against each of the five Cyber Essentials technical controls: firewalls, secure configuration, security update management (patch management), user access control, and malware protection. Identify gaps and create a remediation plan. Common gaps for councils include: unsupported operating systems on legacy hardware (software that no longer receives security updates must be removed from in-scope devices or the devices scoped out), weak password policies, critical and high-severity updates not being applied within the 14 days the scheme allows, and standard users holding local administrator rights.
Step 3: Remediate Gaps
Common remediation actions for councils include: replacing or isolating legacy systems running unsupported operating systems, enforcing MFA on all cloud services for administrators and standard users alike, deploying centralised patch management so that critical and high-severity updates are applied within 14 days of release, removing local administrator rights from standard user accounts and giving administrators separate accounts for day-to-day work, and setting a password policy of at least 12 characters (or at least 8 characters combined with a deny list of common passwords). Some councils scope out legacy systems initially to achieve certification while managing longer-term remediation.
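As a worked illustration of Steps 1 to 3, the Python below runs a constructed device inventory through a gap assessment against the five controls and the scoping rule. This is an added example, not code from the original page or from any certification body. The inventory, segment and account names and the `SUPPORTED_OS` table are assumptions made up for the example; the thresholds it applies (14-day update window, 12-character passwords or 8 characters with a deny list, MFA on cloud services, scoped-out sub-sets segregated from the in-scope estate) follow the published Cyber Essentials requirements.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

PATCH_WINDOW_DAYS = 14  # critical/high updates must be applied within 14 days of release

# Assumption: a small vendor-support table constructed for this example.
SUPPORTED_OS = {"Windows 11", "Windows Server 2022", "Ubuntu 24.04"}

CONTROLS = ["Firewalls", "Secure configuration", "Security update management",
            "User access control", "Malware protection", "Scope"]


@dataclass
class Device:
    name: str
    os: str
    segment: str                           # network segment the device sits on
    in_scope: bool                         # inside the declared certification boundary
    oldest_missing_update: Optional[date]  # release date of oldest missing critical/high update
    local_admins: Set[str]                 # members of the local administrators group
    firewall_on: bool
    malware_protection_on: bool
    default_creds_changed: bool


@dataclass
class Segment:
    name: str
    internet_access: bool
    routes_to: Set[str]                    # other segments reachable from this one


@dataclass
class Policy:
    min_password_len: int
    deny_list: bool                        # common-password deny list enforced
    mfa_on_cloud: bool
    admin_accounts: Set[str]               # accounts permitted to hold admin rights


def password_policy_ok(p: Policy) -> bool:
    # 12+ characters, or 8+ characters combined with a deny list of common passwords.
    return p.min_password_len >= 12 or (p.min_password_len >= 8 and p.deny_list)


def assess(devices: List[Device], segments: Dict[str, Segment],
           policy: Policy, today: date) -> Dict[str, List[str]]:
    gaps: Dict[str, List[str]] = {c: [] for c in CONTROLS}
    in_scope_segments = {d.segment for d in devices if d.in_scope}

    for d in devices:
        if not d.in_scope:
            # Scoped-out devices are not assessed against the controls, but their
            # segment must not reach the internet or the in-scope estate.
            seg = segments[d.segment]
            leaks = sorted(seg.routes_to & in_scope_segments)
            if seg.internet_access:
                gaps["Scope"].append(f"{d.name}: scoped-out segment '{seg.name}' has internet access")
            if leaks:
                gaps["Scope"].append(f"{d.name}: scoped-out segment '{seg.name}' can reach "
                                     f"in-scope segment(s) {', '.join(leaks)}")
            continue

        if not d.firewall_on:
            gaps["Firewalls"].append(f"{d.name}: host firewall disabled")
        if not d.default_creds_changed:
            gaps["Secure configuration"].append(f"{d.name}: default credentials not changed")
        if d.os not in SUPPORTED_OS:
            gaps["Security update management"].append(
                f"{d.name}: unsupported OS '{d.os}' (replace, or isolate and scope out)")
        if d.oldest_missing_update is not None:
            age = (today - d.oldest_missing_update).days
            if age > PATCH_WINDOW_DAYS:
                gaps["Security update management"].append(
                    f"{d.name}: critical/high update from {d.oldest_missing_update} "
                    f"missing for {age} days (limit {PATCH_WINDOW_DAYS})")
        rogue_admins = sorted(d.local_admins - policy.admin_accounts)
        if rogue_admins:
            gaps["User access control"].append(
                f"{d.name}: standard account(s) hold local admin rights: {', '.join(rogue_admins)}")
        if not d.malware_protection_on:
            gaps["Malware protection"].append(f"{d.name}: malware protection disabled")

    if not password_policy_ok(policy):
        gaps["User access control"].append(
            "password policy: need 12+ characters, or 8+ with a common-password deny list")
    if not policy.mfa_on_cloud:
        gaps["User access control"].append("MFA not enforced on cloud services")
    return gaps


def sample_assessment() -> Dict[str, List[str]]:
    # Constructed inventory: two laptops, one web server and one scoped-out legacy server.
    devices = [
        Device("LAPTOP-01", "Windows 11", "corp", True, date(2025, 6, 25), {"it-admin"}, True, True, True),
        Device("LAPTOP-02", "Windows 11", "corp", True, date(2025, 5, 1), {"it-admin", "jsmith"}, True, False, True),
        Device("WEB-01", "Windows Server 2022", "dmz", True, None, {"it-admin"}, True, True, False),
        Device("RB-SERVER", "Windows Server 2008 R2", "legacy", False, None, {"it-admin"}, True, True, True),
    ]
    segments = {
        "corp": Segment("corp", True, {"dmz"}),
        "dmz": Segment("dmz", True, set()),
        "legacy": Segment("legacy", False, {"corp"}),  # not isolated: breaks the scoping rule
    }
    policy = Policy(min_password_len=8, deny_list=False, mfa_on_cloud=False, admin_accounts={"it-admin"})
    return assess(devices, segments, policy, today=date(2025, 6, 30))


if __name__ == "__main__":
    for control, findings in sample_assessment().items():
        print(f"{control}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The output is a per-control remediation list, which maps directly onto Step 3: the legacy server shows up under Scope (its segment still routes to the in-scope network, so it cannot be scoped out as it stands), while the laptop with a 60-day-old missing update, a standard user in the local administrators group and no malware protection produces one finding under each of the relevant controls. In a real estate the inventory would come from the council's endpoint management or MDM tooling rather than a hard-coded list.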
Frequently Asked Questions
Can a council scope out legacy systems to achieve Cyber Essentials?
Yes. It is acceptable to scope out systems from Cyber Essentials certification, but the scoped-out sub-set must be segregated from the in-scope estate by a firewall or VLAN, and the certificate then records that the scope does not cover the whole organisation. A legacy revenues and benefits system running an unsupported operating system can be scoped out if it sits on an isolated network segment with no access to the internet or to in-scope systems. Document your scoping decisions carefully, and remember that scoping a system out removes it from the assessment, not from the risk: it still needs compensating controls and a dated plan for replacement or upgrade.