Operlity gives small and medium businesses a structured platform to implement the five technical controls required for UK Cyber Essentials certification — so you can demonstrate a credible cybersecurity baseline to customers, partners, and government buyers without the complexity of enterprise-grade compliance programs.
Cyber Essentials is the UK government-backed cybersecurity certification scheme developed by the National Cyber Security Centre, designed to help organizations of all sizes protect themselves against the most common cyber threats. It focuses on five foundational technical controls — firewalls, secure configuration, user access control, malware protection, and patch management — that together address the vast majority of commodity cyber attacks. The current question set, "Willow," was released in January 2025 and reflects updated guidance on cloud services, passwordless authentication, vulnerability fixes, and home working.
Cyber Essentials certification comes in two tiers: the standard Cyber Essentials certification, which involves a self-assessment questionnaire verified by an independent certifying body, and Cyber Essentials Plus, which adds a hands-on technical verification of the five controls by an independent assessor. For small and medium businesses, standard Cyber Essentials certification is the most accessible and practical starting point — providing a credible, government-backed signal of cybersecurity competence that is increasingly required by UK public sector buyers and large enterprise customers as a condition of doing business.
Many SMBs know they need Cyber Essentials but don't know where to begin — which systems are in scope, which controls apply, and what evidence is required.
The five Cyber Essentials controls — firewalls, secure configuration, user access control, malware protection, and patch management — often reveal significant gaps in organizations that have grown without a formal security baseline.
The Cyber Essentials self-assessment questionnaire requires accurate, documented answers about technical configurations and security practices that many SMBs cannot answer confidently without structured preparation.
Cyber Essentials certification must be renewed annually; without continuous monitoring and evidence management, organizations find themselves scrambling to recertify each year.
SMBs that want to progress to Cyber Essentials Plus face the additional challenge of preparing for hands-on technical verification without understanding what assessors will look for.

| Cyber Essentials Control | Operlity Capability |
|---|---|
| Firewalls | Network security control implementation tracking with configuration evidence management |
| Secure Configuration | Asset inventory with configuration baseline tracking and deviation management |
| User Access Control | Identity management — user provisioning, access governance, and privileged account management |
| Malware Protection | Control implementation tracking with evidence management for endpoint protection configurations |
| Patch Management | Vulnerability management with patch status tracking, remediation ownership, and deadline management |

Define the boundary of your Cyber Essentials assessment — identifying all devices, software, and users in scope — so your certification accurately reflects your IT environment.
Conduct a structured gap assessment against the five Cyber Essentials controls — identifying what needs to be implemented or improved before your self-assessment submission.
Implement all five Cyber Essentials controls with structured tracking, ownership assignment, and evidence collection — maintaining a clear record of what has been done and what remains.
Create and maintain the security policies that support your Cyber Essentials controls — with documented approval workflows and workforce acknowledgement tracking.
Consolidate your evidence and review your self-assessment responses against your implementation records — so your submission is accurate, defensible, and supported by documented evidence.
Maintain your Cyber Essentials certification through continuous control monitoring and evidence management — so annual recertification is a structured, low-effort process rather than a recurring exercise in rediscovery.