UK Cyber Essentials is a cybersecurity certification program designed to help organizations safeguard against cyber threats. It is endorsed by the National Cyber Security Centre (NCSC) of the United Kingdom Government. Built around five essential technical controls, it involves a self-assessment certification process overseen by IASME, the official certification partner.
As part of the certification process, organizations must complete a self-assessment questionnaire, which needs to be reviewed and signed by a board member or a competent authority from the organization. Once signed, the assessment must be submitted to a certification body licensed by IASME for review and certification. The certification remains valid for 12 months, requiring annual renewal to ensure ongoing compliance.
ManageEngine: Leading by Example with Cyber Essentials Certification
We’re proud to share that ManageEngine is certified under the UK Cyber Essentials framework. This certification reflects our commitment to upholding the same cybersecurity standards we advocate, demonstrating our dedication to robust security practices and leading by example.
Benefits of UK Cyber Essentials Certification:
According to IASME, the key benefits of obtaining Cyber Essentials certification include:
- Demonstrate Cybersecurity Commitment: Prove to customers, partners, and stakeholders that cybersecurity is a top priority in your organization.
- Stay Ahead of Cyber Risks: Regular assessments ensure your systems align with a recognized cybersecurity framework, helping you proactively address new and emerging threats.
Three Reasons Why Endpoint Central Is Poised to Help You Achieve UK Cyber Essentials Certification:
Secure Configurations – Assured Protection
Endpoint Central empowers your organization to uphold strong cyber hygiene through robust security measures. From data encryption to preventing unauthorized privilege escalation, blocking data leaks, and managing USB access, Endpoint Central ensures your systems remain secure, compliant, and resilient against evolving cyber threats.
Seamless Updates Across All Devices
Stay ahead of vulnerabilities with Endpoint Central's comprehensive patch management. It supports updates for Windows, Mac, and Linux devices, along with over 1,000 third-party applications. Beyond traditional endpoints, it streamlines mobile device updates—covering Apple, Android, and both store and in-house applications—ensuring every device stays secure and up-to-date.
Total IT Visibility with Endpoint Central
Gain complete visibility into your IT infrastructure with Endpoint Central's advanced asset management tools. Proactively monitor, manage, and secure your assets while leveraging powerful anti-malware capabilities. With features like one-click data restoration and endpoint quarantine, Endpoint Central minimizes business disruptions, keeping your operations seamless and resilient.
Two Levels of Cyber Essentials Certification
Organizations can choose the level that best aligns with their cybersecurity needs and assurance requirements.
- Cyber Essentials: A basic level certification based on self-assessment and verification of the five key technical controls.
- Cyber Essentials Plus: Includes a hands-on technical audit of your IT systems to verify the proper implementation of the required controls.
Version 3.1 of Cyber Essentials: Requirements for IT Infrastructure emphasizes the importance of asset management in effectively implementing the five key technical controls, even though it is not officially listed as one of them. Drawing on NCSC's guidance on asset management, we have outlined separately how Endpoint Central supports efficient and comprehensive asset management.
Similarly, v3.1 brings Bring Your Own Device (BYOD) within scope. Organizations seeking UK Cyber Essentials certification must therefore ensure that BYOD devices are managed and secured in line with the framework's requirements. Referencing NCSC's guidance on BYOD management, we have also outlined how Endpoint Central helps establish robust controls for BYOD security and compliance.
The sections below give, for each of the five key technical controls, the requirement as stated in Cyber Essentials: Requirements for IT Infrastructure v3.1, followed by how Endpoint Central helps your organization implement it.
Firewall
Requirements
You must protect every device in scope with a correctly configured firewall (or network device with firewall functionality).
Information: Most desktop and laptop operating systems now come with a software firewall preinstalled; we advise that these are turned on in preference to a third-party firewall application.
For all firewalls (or network devices with firewall functionality), your organization must:
- Change default administrative passwords to a strong and unique password (see password-based authentication) – or disable remote administrative access entirely
- Prevent access to the administrative interface (used to manage firewall configuration) from the internet, unless there is a clear and documented business need, and the interface is protected by one of the following controls:
i) Multi-factor authentication
ii) an IP allow list that limits access to a small range of trusted addresses combined with a properly managed password authentication approach
- Block unauthenticated inbound connections by default
- Ensure inbound firewall rules are approved and documented by an authorized person, and include the business need in the documentation
- Remove or disable unnecessary firewall rules quickly when they are no longer needed.
Make sure you use a software firewall on devices which are used on untrusted networks, such as public wifi hotspots.
How Endpoint Central helps
Endpoint Central lets admins centrally configure Windows Firewall settings and rules on managed Windows endpoints, which covers the software-firewall requirement for devices that roam onto untrusted networks. The requirement also covers boundary firewalls and non-Windows devices: changing default administrative passwords, restricting internet-facing administrative interfaces, and approving, documenting and retiring inbound rules still need their own process outside the endpoint agent.
Secure Configuration
Requirements
Computers and network devices
Your organization must proactively manage your computers and network devices. You must regularly:
- Remove and disable unnecessary user accounts (such as guest accounts and administrative accounts that won't be used)
- Change any default or guessable account passwords (see password-based authentication)
- Remove or disable unnecessary software (including applications, system utilities and network services)
- Disable any auto-run feature which allows file execution without user authorization (such as when they are downloaded)
- Ensure users are authenticated before allowing them access to organizational data or services
- Ensure appropriate device locking controls for users that are physically present
Device unlocking credentials
If a device requires a user’s physical presence to access a device’s services (such as logging on to a laptop or unlocking a mobile phone), a credential such as a biometric, password or PIN must be in place before a user can gain access to the services.
You must protect your chosen authentication method (which can be biometric authentication, password or PIN) against brute-force attacks. When it's possible to configure, you should apply one of the following:
- 'Throttling' the rate of attempts, so that the amount of time the user must wait between attempts increases with each unsuccessful attempt. You shouldn't allow more than 10 guesses in 5 minutes
- Locking devices after more than 10 unsuccessful attempts.
- When the vendor doesn't allow you to configure the above, use the vendor's default setting.
Technical controls must be used to manage the quality of credentials. If credentials are just to unlock a device, use a minimum password or PIN length of at least 6 characters. When the device unlocking credentials are also used for authentication, you must apply the full password requirements to the credentials described in ‘user access controls.’
How Endpoint Central helps
Endpoint Central lets admins revoke administrative rights from users who do not need them and enforce the principle of least privilege. Admins can prevent users from installing unnecessary software and maintain lists of applications that are allowed or blocked in their IT environment.
Endpoint Central can also block executables so that files cannot run automatically, and lets admins control the child processes spawned by other applications. For access to corporate applications, Endpoint Central supports enterprise SSO over the Kerberos protocol and certificate-based authentication via SCEP.
Endpoint Central enables administrators to set passcode policies for mobile devices running Android, Apple, and Windows, so that end users set strong passcodes. The policy lets admins configure the maximum number of failed passcode attempts, the maximum idle time allowed before auto-lock, and other settings.
Security Update Management
Requirements
You must make sure that all software in scope is kept up to date. All software on in-scope devices must:
- Be licensed and supported
- Be removed from devices when it becomes unsupported or removed from scope by using a defined sub-set that prevents all traffic to / from the internet
- Have automatic updates enabled where possible
- Be updated, including applying any manual configuration changes required to make the update effective, within 14 days* of an update being released, where:
i) The update fixes vulnerabilities described by the vendor as 'critical' or 'high risk'
ii) The update addresses vulnerabilities with a CVSS v3 base score of 7 or above
iii) There are no details of the level of vulnerabilities the update fixes provided by the vendor
Please note: For optimum security, we strongly recommend (but it’s not mandatory) that all released updates are applied within 14 days of release.
*It's important that updates are applied as soon as possible. 14 days is considered a reasonable period to be able to implement this requirement. Any longer would constitute a serious security risk while a shorter period may not be practical.
Information: If the vendor uses different terms to describe the severity of vulnerabilities, see the precise definition in the Common Vulnerability Scoring System (CVSS). For the purposes of the Cyber Essentials scheme, ‘critical’ or ‘high risk’ vulnerabilities are those with a CVSS 3.0 score of 7 or above or are identified by the vendor as 'critical or high risk'. Caution: Some vendors release security updates for multiple issues with differing severity levels as a single update. If such an update covers any ‘critical’ or ‘high risk’ issues then it must be installed within 14 days.
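The 14-day rule above is really a decision procedure: for each released update, decide whether it is mandatory (the vendor rates any fixed issue 'critical' or 'high risk', any issue has a CVSS v3 base score of 7 or above, the vendor gives no severity details, or a bundled update contains any such issue) and then whether each device met the deadline. The following Python is an added example written for this page, not Endpoint Central's code; the update inventory, issue labels and dates in it are constructed, and the status names are this example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials v3.1 security update management, encoded as data: an update
# is mandatory within 14 days of release when it fixes an issue the vendor
# rates 'critical' or 'high risk', an issue with CVSS v3 base score >= 7, or
# when the vendor provides no severity details at all.
MANDATORY_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0
HIGH_RISK_VENDOR_TERMS = {"critical", "high", "high risk"}


@dataclass(frozen=True)
class Issue:
    """One vulnerability fixed by an update, as described by the vendor."""
    label: str                       # constructed identifier, not a real CVE number
    vendor_severity: Optional[str]   # None when the vendor gives no rating
    cvss_v3: Optional[float]         # None when no CVSS v3 base score is published


@dataclass(frozen=True)
class Update:
    name: str
    released: date
    fixes: tuple                     # Issue objects; empty when the vendor gives no details


def issue_is_high_risk(issue: Issue) -> bool:
    """Rules (i) and (ii): vendor says critical/high, or CVSS v3 base score >= 7.
    Vendor terms outside the scheme's wording (e.g. 'Important') fall back to
    the CVSS score, as the 'Information' note in the requirement directs."""
    term = (issue.vendor_severity or "").strip().lower()
    if term in HIGH_RISK_VENDOR_TERMS:
        return True
    return issue.cvss_v3 is not None and issue.cvss_v3 >= CVSS_THRESHOLD


def issue_has_no_severity_info(issue: Issue) -> bool:
    """Rule (iii): neither a vendor rating nor a CVSS score was provided."""
    return issue.vendor_severity is None and issue.cvss_v3 is None


def update_is_mandatory(update: Update) -> bool:
    """The 'Caution' note: a bundled update is mandatory if any single issue in
    it qualifies. An update with no issue details at all is also mandatory."""
    if not update.fixes:
        return True
    return any(issue_is_high_risk(i) or issue_has_no_severity_info(i) for i in update.fixes)


def deadline(update: Update) -> date:
    """The 14-day clock starts at vendor release, not at patch availability in a tool."""
    return update.released + MANDATORY_WINDOW


def assess(update: Update, installed_on: Optional[date], today: date) -> str:
    """Status of one update on one device:
    'recommended' - not mandatory (the scheme still recommends 14 days)
    'compliant'   - mandatory and installed on or before the deadline
    'late'        - mandatory and installed after the deadline
    'due'         - mandatory, not installed, deadline not yet passed
    'overdue'     - mandatory, not installed, deadline passed"""
    if not update_is_mandatory(update):
        return "recommended"
    due = deadline(update)
    if installed_on is not None:
        return "compliant" if installed_on <= due else "late"
    return "due" if today <= due else "overdue"


# Constructed inventory for illustration; labels are not real CVE numbers.
RELEASE = date(2024, 5, 1)
INVENTORY = {
    "os-cumulative": Update("os-cumulative", RELEASE, (Issue("issue-A", "Critical", 9.8),)),
    "app-bundle": Update("app-bundle", RELEASE, (Issue("issue-B", "Low", 3.1),
                                                  Issue("issue-C", None, 7.5))),  # one high-risk issue
    "driver": Update("driver", RELEASE, (Issue("issue-D", "Moderate", 5.0),)),
    "tool-nodetail": Update("tool-nodetail", RELEASE, ()),   # vendor published no details
}


def assess_iso(name: str, installed_iso: Optional[str], today_iso: str) -> str:
    """Same as assess(), taking ISO-8601 date strings for the named inventory entry."""
    installed = date.fromisoformat(installed_iso) if installed_iso else None
    return assess(INVENTORY[name], installed, date.fromisoformat(today_iso))


def report(today_iso: str, installed: dict) -> dict:
    """Map update name -> status for one device; `installed` maps name -> ISO install date."""
    return {name: assess_iso(name, installed.get(name), today_iso) for name in INVENTORY}


if __name__ == "__main__":
    for name, status in report("2024-05-20", {"os-cumulative": "2024-05-10"}).items():
        print(f"{name:15} deadline {deadline(INVENTORY[name])} -> {status}")
```

The bundled `app-bundle` entry is the case the requirement's 'Caution' note warns about: a low-severity fix shipped together with a CVSS 7.5 fix makes the whole update mandatory. Feeding a tool's vulnerability export into `INVENTORY` and its install dates into `report()` gives the per-device evidence an assessor asks for.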
How Endpoint Central helps
Endpoint Central provides vulnerability management with continuous assessment and visibility of threats from a single console, plus built-in remediation of the vulnerabilities it detects. Its risk-based approach lets admins prioritize by CVSS score, CVE impact type, patch availability, and other metrics, which maps directly onto the 14-day rule above (anything with a CVSS v3 base score of 7 or above, or rated critical or high risk by the vendor). A unified console serves IT ops and SecOps, and role-based access control lets security functions be assigned to independent security experts.
A vulnerability age matrix and severity summary show the effect of patching over time, and reports list vulnerable systems and missing patches. Patches can be tested on a small pilot group of computers and approved before being deployed across the whole organization. Patch support covers Windows, Linux, macOS, and Windows Server, plus 1,000+ third-party applications, hardware drivers, and BIOS. Endpoint Central's SLA for making patches available after vendor release:
- Third-party updates: within 6-9 hours.
- Security updates: within 12-18 hours.
- Non-security updates: within 24 hours.
These are the times for a patch to become available in Endpoint Central. The 14-day Cyber Essentials clock starts when the vendor releases the update, so the test-and-approve cycle has to fit inside that window.
User Access Control
Requirements
Requirements
Your organisation must be in control of your user accounts and the access privileges that allow access to your organisational data and services. It’s important to note that this also includes third party accounts – for example, accounts used by your support services.
You also need to understand how user accounts authenticate and manage the authentication accordingly.
This means your organization must:
- Have in place a process to create and approve user accounts
- Authenticate users with unique credentials before granting access to applications or devices (see password-based authentication)
- Remove or disable user accounts when they're no longer required (for example, when a user leaves the organisation or after a defined period of account inactivity)
- Implement MFA, where available – authentication to cloud services must always use MFA
- Use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)
- Remove or disable special access privileges when no longer required (when a member of staff changes role, for example)
Password-based authentication
All user accounts require the user to authenticate. Where this is carried out using a password, you should put in place the following protective measures:
Passwords are protected against brute-force password guessing by implementing at least one of:
- Multi-factor authentication (see below)
- 'Throttling' the rate of attempts, so that the amount of time the user must wait between attempts increases with each unsuccessful attempt – you shouldn't allow more than 10 guesses in 5 minutes
- Locking accounts after no more than 10 unsuccessful attempts
Use technical controls to manage the quality of passwords. This will include one of the following:
- Using multi-factor authentication (see below)
- A minimum password length of at least 12 characters, with no maximum length restrictions
- A minimum password length of at least 8 characters, with no maximum length restrictions, and automatic blocking of common passwords using a deny list.
Support users to choose unique passwords for their work accounts by:
- Educating people about avoiding common passwords, such as a pet's name, common keyboard patterns or passwords they have used elsewhere. This could include teaching people to use the password generator feature built into some password managers.
- Encouraging people to choose longer passwords by promoting the use of multiple words (a minimum of three) to create a password (such as the NCSC's guidance on using three random words)
- Providing usable secure storage for passwords (for example a password manager or secure locked cabinet) with clear information about how and when it can be used.
- Not enforcing regular password expiry
- Not enforcing password complexity requirements
You should also make sure there is an established process in place to change passwords promptly if you know or suspect a password or account has been compromised.
Multi-factor authentication (MFA)
As well as providing an extra layer of security for passwords that aren’t protected by the other technical controls, you should always use multi-factor authentication to give administrative accounts extra security, and accounts that are accessible from the internet.
The password element of the multi-factor authentication approach must have a password length of at least 8 characters, with no maximum length restrictions.
There are four types of additional factor to consider:
- a managed/enterprise device
- an app on a trusted device
- a physically separate token
- a known or trusted account
Additional factors should be chosen so that they are usable and accessible. You might need to carry out user testing to decide what is best for your users. For more information see NCSC’s guidance on MFA.
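The password-quality options and brute-force protections above, together with the device-unlocking credential rules in the Secure Configuration section, are concrete enough to encode and check. The following Python is an added example for this page, not Endpoint Central or Zoho code: `password_meets_policy` takes the option your organisation has chosen (the scheme requires one, not all), and `BruteForceGuard` implements throttling with a growing delay plus the 10-guesses-per-5-minutes ceiling, with account lockout as the configurable alternative. The deny-list excerpt, account names and clock values are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed excerpt of a common-password deny list (a real deployment would
# load a full list such as the NCSC's published set).
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein1", "welcome1"}


def password_meets_policy(password: str, option: str, deny_list=COMMON_PASSWORDS) -> bool:
    """Check a password against the one quality option the organisation implements:
    'mfa'           - MFA in use; the password element still needs >= 8 characters
    'min12'         - minimum 12 characters, no maximum
    'min8_denylist' - minimum 8 characters, no maximum, common passwords blocked
    'unlock_only'   - device unlock PIN/password used for nothing else: >= 6 characters
    Deliberately no maximum length, no complexity classes and no expiry check."""
    length = len(password)
    if option == "mfa":
        return length >= 8
    if option == "min12":
        return length >= 12
    if option == "min8_denylist":
        return length >= 8 and password.lower() not in deny_list
    if option == "unlock_only":
        return length >= 6
    raise ValueError(f"unknown policy option {option!r}")


class BruteForceGuard:
    """Throttling: after n consecutive failures the next attempt is refused until
    2**(n-1) seconds have passed, and a sliding window caps attempts at 10 per
    5 minutes as a hard stop. With lockout_after set, the account is locked
    after that many consecutive failures (the scheme's alternative control)."""
    WINDOW = timedelta(minutes=5)
    MAX_PER_WINDOW = 10

    def __init__(self, lockout_after=None):
        self.lockout_after = lockout_after
        self._next_allowed = {}   # account -> time before which attempts are refused
        self._failures = {}       # account -> consecutive failure count
        self._history = {}        # account -> deque of attempt times inside WINDOW
        self._locked = set()

    def attempt(self, account: str, now: datetime, credential_ok: bool) -> str:
        if account in self._locked:
            return "locked"
        if now < self._next_allowed.get(account, now):
            return "throttled"                      # still inside the back-off delay
        history = self._history.setdefault(account, deque())
        while history and now - history[0] >= self.WINDOW:
            history.popleft()
        if len(history) >= self.MAX_PER_WINDOW:
            return "throttled"                      # ceiling: 10 attempts per 5 minutes
        history.append(now)
        if credential_ok:
            self._failures[account] = 0
            self._next_allowed.pop(account, None)
            return "ok"
        n = self._failures[account] = self._failures.get(account, 0) + 1
        if self.lockout_after is not None and n >= self.lockout_after:
            self._locked.add(account)
            return "locked"
        self._next_allowed[account] = now + timedelta(seconds=2 ** (n - 1))
        return "failed"


def guesses_in_five_minutes(guard: BruteForceGuard, account: str) -> int:
    """Simulate an attacker guessing once per second for 5 minutes and count the
    guesses that actually reached the credential check (constructed clock)."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    outcomes = (guard.attempt(account, start + timedelta(seconds=s), False) for s in range(300))
    return sum(1 for o in outcomes if o in ("failed", "locked"))


def spaced_failures(guard: BruteForceGuard, account: str, count: int, gap_seconds: int = 1000) -> list:
    """Outcomes of `count` wrong guesses spaced far enough apart to defeat throttling,
    which is the case lockout must catch."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    return [guard.attempt(account, start + timedelta(seconds=i * gap_seconds), False)
            for i in range(count)]


if __name__ == "__main__":
    print("guesses reaching check in 5 min:", guesses_in_five_minutes(BruteForceGuard(), "alice"))
    print("spaced failures with lockout:", spaced_failures(BruteForceGuard(lockout_after=10), "bob", 11))
```

With the doubling delay an attacker hammering once per second gets only 9 guesses checked in 5 minutes, under the scheme's ceiling of 10; the lockout variant is what stops a patient attacker who spaces guesses out beyond the delay, which is why the scheme lets you pick either and MFA removes the dependence on the password alone.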
How Endpoint Central helps
Endpoint Central lets admins revoke administrative rights from users who do not need them and enforce the principle of least privilege, which supports the requirement for separate, minimally used administrative accounts.
Endpoint Central enables administrators to set passcode policies for mobile devices running Android, Apple, and Windows, so that end users set strong passcodes. The policy lets admins configure the maximum number of failed passcode attempts, the maximum idle time allowed before auto-lock, and other settings.
For multi-factor authentication, Zoho offers Zoho OneAuth. For password storage, Zoho offers Zoho Vault, an enterprise password manager.
Malware Protection
Requirements
Requirements
You must make sure that a malware protection mechanism is active on all devices in scope. For each device, you must use at least one of the options listed below. In most modern products, these options are built into the software supplied. Alternatively, you can purchase products from a third-party provider. In all cases the software must be active, kept up to date in accordance with the vendor's instructions, and configured to work as detailed below:
Anti-malware software (option for in scope devices running Windows or MacOS including servers, desktop computers, laptop computers)
If you use anti-malware software to protect your device it must be configured to:
- Be updated in line with vendor recommendations
- Prevent malware from running
- Prevent the execution of malicious code
- Prevent connections to malicious websites over the internet.
Application allow listing (option for all in scope devices)
Only approved applications, restricted by code signing, are allowed to execute on devices. You must:
- Actively approve such applications before deploying them to devices
- Maintain a current list of approved applications; users must not be able to install any application that is unsigned or has an invalid signature.
How Endpoint Central helps
Endpoint Central has a built-in next-gen antivirus engine (currently available as early access) that detects threats such as malware with AI-assisted, real-time behavior detection and deep learning.
Beyond real-time detection, Endpoint Central performs incident forensics so that SecOps teams can analyze the root cause and severity of a threat. If the engine detects suspicious behavior or malware on an endpoint, it can quarantine that endpoint; after forensic analysis, the endpoint can be returned to production.
Endpoint Central also backs up files across your network every three hours using Microsoft's Volume Shadow Copy Service, so a file encrypted by ransomware can be restored from its most recent copy. Shadow copies are a common deletion target for ransomware, so confirm that the snapshot store is protected before relying on it as the recovery path. Endpoint Central's Application Control module lets admins allowlist and blocklist applications, which is the basis for the application allow listing option above.
Recommended reads/ links:
- ISO compliance made easy with Endpoint Central
- Meeting PCI DSS requirements is no longer a challenge for financial institutions.
"We at the Bank of Holden have met patch management and secured controls required for Federal Compliance by implementing ManageEngine Endpoint Central. Our workstations are now more organized, manageable, and secure than we could have ever imagined possible"
Steven Deines,
Bank of Holden