Cyber Essentials is a UK government-backed certification showing an organisation has implemented five baseline security controls — firewalls, secure configuration, access control, malware protection and security update management. When a hosting provider holds it, it demonstrates baseline security hygiene in that provider's own organisation; it is not a guarantee against breaches, not an audit of your deployment, and not a certification your institution inherits.
What Cyber Essentials covers
The scheme, operated under the UK's National Cyber Security Centre, assesses five technical control themes:
- Firewalls and internet gateways
- Secure configuration of devices and software
- User access control
- Malware protection
- Security update management (patching)
Why it matters when choosing suppliers
Education institutions increasingly ask suppliers for Cyber Essentials in procurement because it is a verifiable, renewed baseline: an organisation that maintains it is demonstrably doing security fundamentals rather than merely asserting them. Education Host holds Cyber Essentials certification as a company.
What it does not mean
Honest suppliers are as clear about the limits as the badge:
- It is not a guarantee that incidents cannot happen
- It certifies the supplier's organisation — your institution does not inherit certification by buying from a certified supplier
- It is a baseline, not a substitute for deeper assurance such as ISO 27001
- It does not by itself demonstrate GDPR compliance
Company certification vs data-centre certification
One distinction worth checking with any host: Education Host's Cyber Essentials is our company certification, while certifications such as ISO 27001, ISO 22301, PCI DSS and SOC 2 associated with our hosting are held by the data-centre facility (6DG Birmingham Central, operated by Six Degrees). Both layers matter; asking who holds what is a fast test of a supplier's honesty.

