🛡️ Cyber Essentials Password Guide: UK Certification Requirements 2026
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme, owned by the National Cyber Security Centre (NCSC) and delivered through its Cyber Essentials Partner, IASME. It sets out five technical controls that organisations must implement to protect themselves against the most common internet-borne attacks: firewalls, secure configuration, security update management, user access control, and malware protection. Password and account requirements sit mainly under user access control, with the ban on default passwords falling under secure configuration.
The scheme has two levels: Cyber Essentials (self-assessment) and Cyber Essentials Plus (independently verified). Both levels require the same password controls on paper, but Cyber Essentials Plus adds hands-on technical verification by a certification body, including vulnerability scanning and checks on a sample of devices. For UK businesses bidding on central government contracts that involve handling certain sensitive information, Cyber Essentials certification is a procurement requirement under Procurement Policy Note 09/14.
Adoption is broad, with tens of thousands of certificates issued each year. Self-assessment fees are tiered by organisation size (in the region of £300-600 plus VAT); Cyber Essentials Plus costs considerably more because the certification body's audit time is charged on top, typically running into the low thousands of pounds.
Password Requirements in the Cyber Essentials Framework
Cyber Essentials places its password-based authentication requirements under the User Access Control theme, with the prohibition on default passwords under Secure Configuration. The specific requirements are set out in the NCSC/IASME document Cyber Essentials: Requirements for IT Infrastructure. Version 3.1 (Montpellier) took effect in April 2023 and was superseded by version 3.2 (Willow) in April 2025; the password rules described below are common to both.
1. Unique User Accounts
Every user must have their own individual account, authorised and assigned to a named person. Shared accounts, generic administrator accounts, and group logins are not permitted. Service accounts used by applications are not user accounts, but they are not a loophole: each must have a strong, unique credential held in a secure vault and must not be used for interactive logins.
2. Strong Password Policy
Your organisation must have a documented password policy that reflects good practice, and the scheme is specific about what that means. Password-based authentication must meet one of three configurations: a minimum length of 12 characters with no maximum length; a minimum of 8 characters with no maximum length plus automatic blocking of common passwords (a deny list); or a minimum of 8 characters with no maximum length used together with multi-factor authentication. Systems must also resist brute-force guessing, either by throttling attempts (no more than 10 guesses in 5 minutes) or by locking the account after no more than 10 failed attempts. In line with the NCSC's password guidance, there must be no mandatory complexity rules and no periodic rotation: passwords are changed only when compromise is known or suspected. Users should be supported with guidance and, ideally, a password manager for generating and storing passwords.
3. No Default Passwords
All default passwords on networked devices (firewalls, routers, switches, printers, servers, and cloud service consoles) must be changed before deployment. Forgotten defaults on peripheral equipment are a frequent finding in failed Cyber Essentials assessments.
4. Administrative Access Controls
Multi-factor authentication must be enabled for all administrator accounts on cloud services, and for all user accounts wherever the cloud service offers it. Administrative accounts must be separate from standard user accounts and must not be used for day-to-day activities such as email or web browsing.
5. Password Manager Encouragement
The IASME Cyber Essentials framework explicitly references password managers as good practice. They solve the fundamental tension in password policy: users cannot remember 20+ unique 12-character passwords.
Cyber Essentials vs Cyber Essentials Plus Password Differences
The password requirements are identical between the two levels. The difference is verification: self-assessment requires a signed declaration by a board member or equivalent, while Plus involves technical verification that your password policy is actually enforced, not just documented, for example by checking MFA enforcement on cloud services and examining configuration on a sample of devices.
How to Implement Cyber Essentials Password Controls in Practice
For Microsoft 365: Use Microsoft Entra Password Protection (formerly Azure AD Password Protection) to block common and custom-banned passwords, Conditional Access to require MFA for administrative roles and for all users of cloud services, and Smart Lockout to throttle brute-force guessing. Minimum length for cloud-only accounts is governed by Entra ID; for hybrid accounts it is set by the on-premises domain policy.
For Google Workspace: The Admin console provides minimum password length and strength enforcement, mandatory 2-Step Verification for all users or for selected organisational units, and account recovery verification options.
For On-Premises Active Directory: Group Policy is the primary enforcement mechanism for the default domain policy. Use Fine-Grained Password Policies (Password Settings Objects) to apply stricter settings to privileged accounts than to standard accounts. Remove mandatory password expiry and complexity rules per NIST and NCSC guidance, and set an account lockout threshold of no more than 10 failed attempts.
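The following script is an added example, not part of the original page or of any NCSC/IASME tooling. It audits an on-premises Active Directory domain's default and fine-grained password policies against the Cyber Essentials password rules (length options, lockout threshold of at most 10, no periodic expiry), flags the built-in Administrator account if it is still enabled, reports Domain Admins who fall back to the default policy, and, with -Apply, creates a stricter Password Settings Object for a privileged group. It assumes the RSAT ActiveDirectory module and a domain-joined session with rights to read (and, with -Apply, write) password policy; the group name 'Tier0-Admins' and the PSO name 'PSO-PrivilegedAccounts' are hypothetical placeholders.

```powershell
# Audit AD password settings against Cyber Essentials and optionally apply a privileged PSO.
# Added example; 'Tier0-Admins' and 'PSO-PrivilegedAccounts' are hypothetical names.
param([switch] $Apply, [string] $PrivilegedGroup = 'Tier0-Admins')

Import-Module ActiveDirectory

function Test-CePasswordSettings {
    # Returns a list of findings (empty list = compliant) for one policy's settings.
    param(
        [string]   $Name,
        [int]      $MinPasswordLength,
        [int]      $LockoutThreshold,   # 0 = no lockout configured
        [timespan] $MaxPasswordAge      # 0 = never expires (AD cmdlet convention)
    )
    $findings = @()
    # CE allows a 12-character minimum on its own, or an 8-character minimum combined
    # with brute-force protection (here: lockout after at most 10 failed attempts).
    if ($MinPasswordLength -lt 8) {
        $findings += "${Name}: minimum length $MinPasswordLength is below the 8-character floor"
    } elseif ($MinPasswordLength -lt 12 -and ($LockoutThreshold -eq 0 -or $LockoutThreshold -gt 10)) {
        $findings += "${Name}: an 8-11 character minimum needs lockout after <=10 failures (threshold is $LockoutThreshold)"
    }
    if ($LockoutThreshold -gt 10) {
        $findings += "${Name}: lockout threshold $LockoutThreshold exceeds the CE limit of 10 attempts"
    }
    # NCSC and CE: no routine expiry; change passwords only on suspected compromise.
    if ($MaxPasswordAge -gt [timespan]::Zero) {
        $findings += "${Name}: passwords expire every $($MaxPasswordAge.Days) days; remove periodic rotation"
    }
    return $findings
}

$report  = @()
$default = Get-ADDefaultDomainPasswordPolicy
$report += Test-CePasswordSettings -Name 'Default Domain Policy' `
    -MinPasswordLength $default.MinPasswordLength `
    -LockoutThreshold  $default.LockoutThreshold `
    -MaxPasswordAge    $default.MaxPasswordAge

# Fine-Grained Password Policies (PSOs) override the default for the users/groups they apply to.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $report += Test-CePasswordSettings -Name "PSO $($pso.Name)" `
        -MinPasswordLength $pso.MinPasswordLength `
        -LockoutThreshold  $pso.LockoutThreshold `
        -MaxPasswordAge    $pso.MaxPasswordAge
}

# The built-in Administrator (RID 500) is a generic, shared account: it should be disabled
# or, at minimum, kept out of routine use.
$domainSid    = (Get-ADDomain).DomainSID.Value
$builtinAdmin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate
if ($builtinAdmin.Enabled) {
    $report += "Built-in Administrator '$($builtinAdmin.SamAccountName)' is enabled (last logon: $($builtinAdmin.LastLogonDate))"
}

# Privileged accounts should receive a dedicated PSO rather than the default domain policy.
foreach ($member in Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
         Where-Object objectClass -eq 'user') {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName
    if (-not $effective) {
        $report += "Domain Admin '$($member.SamAccountName)' has no PSO; default domain policy applies"
    }
}

if ($report.Count -eq 0) { Write-Host 'No Cyber Essentials password findings.' }
else { $report | ForEach-Object { Write-Warning $_ } }

if ($Apply) {
    # Privileged accounts: longer minimum, tight lockout, no expiry, no complexity rule.
    $newPso = New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
        -MinPasswordLength 15 -ComplexityEnabled $false -MaxPasswordAge 0 -MinPasswordAge 0 `
        -LockoutThreshold 5 -LockoutObservationWindow 00:15:00 -LockoutDuration 00:15:00 `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false -PassThru
    Add-ADFineGrainedPasswordPolicySubject -Identity $newPso -Subjects $PrivilegedGroup
}
```

Run it read-only first (no -Apply) from a management host and keep the warnings as evidence for the assessor; the same checks are what a Cyber Essentials Plus assessor will probe on sampled devices, so an empty report here is a good sign that the documented policy is actually enforced.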
Aligning Cyber Essentials with NIST and ISO 27001
Cyber Essentials broadly aligns with NIST SP 800-63B's recommendations on memorised secrets: a length floor rather than composition rules, screening against common passwords, brute-force throttling, and no periodic expiry. It provides concrete configuration targets that ISO 27001's identity and authentication controls leave to the organisation to define. Cyber Essentials also makes the requirements for changing default passwords and for individual user accounts explicit and auditable rather than leaving them implied.
Common Certification Gaps
- Default passwords on network equipment (printers, switches, Wi-Fi)
- Generic admin accounts shared across IT team
- Password policy documented but not technically enforced
- Service account credentials weak, shared, or left unchanged after the staff who knew them have left
- MFA not applied to internet-facing admin portals
Key Takeaways
Cyber Essentials password requirements are straightforward and align with modern NIST and NCSC guidance. The framework requires unique user accounts, no default passwords, a password policy meeting one of the scheme's length-based configurations with brute-force protection and no forced rotation, and MFA for all administrative accounts on cloud services and for all users where the service supports it.