Cyber Essentials — The UK Government Baseline
| Control | What It Requires | How ClickMasters Implements |
|---|---|---|
| Firewalls | Network boundary firewalls configured to block unnecessary connections | AWS Security Groups + VPC NACLs — no unnecessary inbound ports open |
| Secure configuration | Systems and software configured securely — no default passwords | Hardened AMIs, no default credentials, SSM Parameter Store for secrets |
| User access control | MFA for admin accounts, least privilege, unique accounts per user | AWS IAM with MFA enforced, RBAC in all applications |
| Malware protection | Anti-malware on all endpoints and servers | AWS GuardDuty, AWS Inspector, endpoint AV on developer machines |
| Patch management | Security patches applied within 14 days | Dependabot for dependencies, AWS Patch Manager for OS patches — automated |
ISO 27001 — The International Standard
| ISO 27001 Domain | Key Controls | UK Relevance |
|---|---|---|
| A.5 — Information Security Policies | Security policy documentation, management review | FCA SYSC 13: documented IT security policy required |
| A.6 — Organisation of Information Security | Roles and responsibilities, segregation of duties | SM&CR: named individuals responsible for security |
| A.8 — Asset Management | Asset inventory, data classification | UK GDPR Article 30: ROPA includes data classification |
| A.9 — Access Control | Access control policy, user provisioning, MFA | Cyber Essentials overlap — audited in ISO 27001 |
| A.12 — Operations Security | Change management, vulnerability management | FCA PS21/3: change management evidence required |
| A.13 — Communications Security | Network security, data-in-transit encryption | Cyber Essentials overlap + TLS requirements |
| A.16 — Incident Management | Incident response, breach notification | UK GDPR: 72hr ICO notification + FCA incident reporting |
| A.17 — Business Continuity | DR planning, BCP testing, RTO/RPO | FCA PS21/3: operational resilience testing |
| A.18 — Compliance | Legal compliance, security reviews | UK GDPR, FCA, NHS DTAC compliance evidence |
When Each Certification Is Required
| Scenario | Cyber Essentials | Cyber Essentials Plus | ISO 27001 |
|---|---|---|---|
| UK Government contract handling personal data | ✅ Required | Often specified | Often required alongside |
| NHS App Library listing (DTAC Domain 3) | ✅ Minimum | ✅ Preferred | Accepted — accelerates procurement |
| FCA operational resilience evidence (PS21/3) | Supporting | Supporting | ✅ Strong — ISMS addresses all PS21/3 domains |
| Large enterprise (FTSE 250+) SaaS procurement | Expected | Better | ✅ Often required — security questionnaire standard |
| International market (EU, US) | UK-specific — less relevant | UK-specific | ✅ Globally recognised |
| VC-backed startup Series B due diligence | Expected | Better | ✅ Increasingly required at Series B+ |
| Lloyd's of London coverholder | Expected | Better | ✅ Lloyd's security requirements |