Cyber Essentials For SMEs
Cyber Essentials is a useful baseline for UK organisations. Secure Complete is designed to support readiness across the five controls, but it does not guarantee certification or include Cyber Essentials Plus by default.
Quick answer
Cyber Essentials is the UK government-backed minimum cyber security standard recommended by the NCSC. Secure Complete helps maintain readiness evidence across firewalls, secure configuration, user access control, malware protection, and security update management; certification fees and formal assessment are separate unless a proposal explicitly includes them.
Key takeaways
- Cyber Essentials focuses on five practical technical control areas.
- Preparation is easier when devices, users, admin access, and update status are already documented.
- Secure Complete supports readiness and evidence, but certification outcomes must not be treated as guaranteed.
How Secure Complete maps to the five controls
| Cyber Essentials control | How Secure Complete helps | Readiness evidence |
|---|---|---|
| Firewalls | Endpoint firewall checks, basic router or cloud firewall review, exposed admin service review, and recommendations for risky rules | Firewall status notes, exposed service notes, and documented recommendations |
| Secure configuration | Device baseline, encryption checks, local admin review, default account review, browser/security settings, and M365 or Google Workspace baseline hardening | Baseline notes, exception list, admin review, and hardening actions |
| User access control | Joiner/leaver workflow, inactive account review, admin account review, MFA review, least-privilege recommendations, and third-party admin tracking | User lists, admin roles, MFA status, leaver records, and access exceptions |
| Malware protection | Endpoint protection active/status monitored across managed devices with alert or status review | Endpoint protection status and managed device coverage notes |
| Security update management | OS/application patch policy, patch status review, unsupported software reporting, and monthly patch evidence | Patch status, supported software list, unsupported software notes, and exceptions |
What to prepare first
- List in-scope devices, operating systems, and owners.
- Confirm supported software and remove or replace unsupported software where appropriate.
- Review admin accounts and privileged access.
- Confirm MFA or stronger sign-in controls for key cloud services.
- Check malware protection or endpoint protection status.
- Review patch status and exceptions.
- Document joiner and leaver processes.
- Collect policy notes for personal device use if it applies.
Where Secure Complete can help
Device and software records
Secure Complete can help maintain the practical records needed to understand scope and readiness, including device assignment, managed status, update status, and endpoint protection status.
Access review
User access control becomes easier when joiner, mover, and leaver steps are already documented and admin access is reviewed regularly.
Patch rhythm
Security update management needs a repeatable process, not a one-off scramble before assessment.
Annual evidence pack
Secure Complete includes an annual evidence pack for readiness conversations, alongside monthly security scorecards and quarterly security reviews.
Important limits
Secure Complete is Cyber Essentials readiness support, not a certification guarantee. The business still needs accurate scope, evidence, decisions, and truthful answers.
Cyber Essentials certification fees are separate unless a proposal explicitly includes them, and certification should be completed through an appropriate certification body.
Cyber Essentials Plus is separately scoped because it depends on testing scope, network complexity, and assessment route. Kindura's public packages should not imply in-person Cyber Essentials Plus assessment activity or a guaranteed pass.
Sources and further reading
Related resources
Checklist
The SME IT Operations Checklist
A practical monthly checklist for keeping devices, access, updates, support, reporting, and supplier ownership visible in a growing SME.
Explainer
What Is Device Management And Why Does It Matter?
A plain-English explainer for SMEs on device inventories, ownership, updates, access, protection status, lifecycle planning, and leaver recovery.
Guide
Microsoft 365 Security Basics For Small Businesses
A practical guide to Microsoft 365 security basics for SMEs, including MFA, admin access, email protection, sharing, devices, and access review.