Cyber Essentials certification in Derby

A certified Derby IT provider and your local guide to getting certified too

L.E.A.D. IT Services holds IASME Cyber Essentials certification, the UK government-backed cyber security standard, and we help Derby businesses and organisations across the East Midlands achieve it too.


For our clients, this matters. When you entrust your IT infrastructure, business data, and day-to-day systems to an external provider, you need confidence that the organisation looking after them operates to a verified security standard. Our Cyber Essentials certification is independent, assessed proof that our systems, processes, and team meet the baseline the UK government considers essential for any organisation handling data and operating online.

It means the environment in which we manage your IT – our own devices, networks, user accounts, and software – is held to the same standard we help our clients achieve. You are not taking our word for it; you have the assurance of a government-backed accreditation behind it.

What is Cyber Essentials?

Cyber Essentials is a UK government-endorsed certification scheme that helps organisations protect themselves against the most common cyber threats. Developed by the National Cyber Security Centre (NCSC) and independently assessed through approved bodies such as IASME, it sets a clear, verifiable baseline of cyber security that every organisation, including Derby businesses of all sizes, should maintain.

To hold the certification, an organisation must demonstrate active control across five technical areas: secure firewall configuration, secure system settings, access control, malware protection, and up-to-date software patching. Together, these controls address the vast majority of internet-borne attacks, making Cyber Essentials a meaningful standard for any Derby or Derbyshire business looking to take cyber security seriously.

The five control areas: what is measured and what is required

To achieve Cyber Essentials certification, your organisation must demonstrate compliance across five technical control areas defined by the NCSC. Each area is assessed through a self-assessment questionnaire, verified by an approved certification body such as IASME. Here is what each control requires in practice.

Secure firewall configuration

Every device that connects to the internet must be protected by a correctly configured firewall or equivalent network boundary defence. This applies to office networks, cloud environments, and individual devices used remotely.

What is required:

  • A firewall must be in place at the boundary between your network and the internet
  • Default passwords on all routers and firewalls must be changed
  • Rules must restrict inbound connections to only those that are necessary and documented
  • Administrative interfaces must not be accessible from the internet
  • Personal devices used for work must have a software firewall enabled

Secure system settings

Computers, laptops, tablets, and smartphones must be configured securely before use, and unnecessary software and services must be removed or disabled. Default configurations from manufacturers are frequently insecure and must not be left unchanged.

What is required:

  • Default usernames and passwords must be changed on all devices and software
  • Software and services that are not needed for business use must be uninstalled or disabled
  • Auto-run features that execute code automatically from removable media must be disabled
  • A screen lock must be enforced on all devices after a period of inactivity
  • Only approved, licensed software may be installed on devices in scope

Access control

User accounts must be managed carefully, with access limited to what each person genuinely needs. Administrator-level accounts – which have the ability to make significant changes to systems – must be tightly controlled and used only when necessary.

What is required:

  • Every user must have a unique account — shared accounts are not permitted
  • Standard user accounts must be used for everyday tasks; admin accounts used only for administrative work
  • Administrator accounts must not be used to browse the web or read email
  • Access to accounts and data must be removed promptly when a user leaves or changes role
  • Multi-factor authentication (MFA) must be enabled for all cloud services and remote access
  • Passwords must meet minimum complexity requirements and must not be predictable or reused

Malware protection

All devices must be protected against malware – malicious software designed to damage, disrupt or gain unauthorised access to systems. This can be achieved either through traditional antivirus software or application allow-listing, depending on the environment.

What is required:

  • Anti-malware software must be installed and active on all applicable devices
  • Malware definitions must be updated at least daily, or the software must use real-time cloud-based protection
  • Anti-malware scans must run regularly and automatically
  • Where application allow-listing is used instead, only approved applications may execute
  • Sandboxing or behaviour-based detection is accepted as an alternative approach where it meets NCSC requirements

Up-to-date software patching

Software vulnerabilities are one of the most common entry points for attackers. All software on in-scope devices must be kept up to date, with security patches applied promptly after they are released by the vendor.

What is required:

  • Operating systems and all installed software must be licensed and actively supported by the vendor
  • Automatic updates must be enabled where possible, or a manual patching process must be in place
  • Critical and high-severity patches must be applied within 14 days of release
  • Software that is no longer supported by the vendor and cannot be patched must be removed from in-scope devices
  • All devices in scope – including mobile phones and tablets – must meet the same patching requirements
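The five control areas above are the basis of a readiness gap analysis. The following is an added example, not code from L.E.A.D. IT Services, IASME or the NCSC: a small checker that evaluates a constructed device and account inventory against each control area and reports where a device would fall short. The field names, the sample inventory and the fixed assessment date are assumptions chosen for illustration; the 14-day patch window, the daily definition update and the allow-listing alternative are taken from the requirements listed on this page.

```python
"""Added example: gap analysis of a constructed device inventory against the
five Cyber Essentials control areas. Field names are assumptions for
illustration, not an IASME or NCSC data format."""
from datetime import date

PATCH_WINDOW_DAYS = 14          # critical/high patches applied within 14 days
MAX_DEFINITION_AGE_HOURS = 24   # definitions updated at least daily


def check_firewall(dev):
    f = []
    if not dev.get("firewall_enabled"):
        f.append("Firewalls: no firewall active for this device")
    if not dev.get("boundary_defaults_changed", True):
        f.append("Firewalls: default router/firewall password not changed")
    if dev.get("admin_interface_on_internet"):
        f.append("Firewalls: administrative interface reachable from the internet")
    return f


def check_secure_configuration(dev):
    f = []
    if not dev.get("defaults_changed"):
        f.append("Secure configuration: default username/password still in use")
    if not dev.get("autorun_disabled"):
        f.append("Secure configuration: auto-run from removable media not disabled")
    if dev.get("screen_lock_minutes") is None:
        f.append("Secure configuration: no inactivity screen lock enforced")
    for svc in dev.get("unneeded_services", []):
        f.append(f"Secure configuration: unneeded service '{svc}' still enabled")
    return f


def check_access_control(dev):
    f = []
    for acct in dev.get("accounts", []):
        name = acct["name"]
        if acct.get("shared"):
            f.append(f"Access control: '{name}' is a shared account")
        if acct.get("admin") and acct.get("used_for_daily_work"):
            f.append(f"Access control: admin account '{name}' used for web/email")
        if acct.get("cloud_or_remote") and not acct.get("mfa"):
            f.append(f"Access control: '{name}' has cloud/remote access without MFA")
        if acct.get("left_org") and acct.get("active"):
            f.append(f"Access control: leaver '{name}' still has an active account")
    return f


def check_malware_protection(dev):
    f = []
    if dev.get("allow_listing"):
        return f  # application allow-listing is an accepted alternative
    am = dev.get("anti_malware") or {}
    if not am.get("enabled"):
        f.append("Malware protection: no anti-malware active")
    elif (not am.get("cloud_realtime")
          and am.get("definitions_age_hours", 0) > MAX_DEFINITION_AGE_HOURS):
        f.append("Malware protection: definitions older than a day without real-time cloud protection")
    return f


def check_patching(dev, today):
    f = []
    for sw in dev.get("unsupported_software", []):
        f.append(f"Patching: unsupported software '{sw}' must be removed")
    for p in dev.get("pending_patches", []):
        age = (today - p["released"]).days
        if p["severity"] in ("critical", "high") and age > PATCH_WINDOW_DAYS:
            f.append(f"Patching: {p['severity']} patch '{p['id']}' outstanding {age} days")
    return f


def assess(inventory, today):
    """Return {device name: [findings]} for every device in scope."""
    return {
        dev["name"]: (check_firewall(dev) + check_secure_configuration(dev)
                      + check_access_control(dev) + check_malware_protection(dev)
                      + check_patching(dev, today))
        for dev in inventory
    }


def is_ready(report):
    """True only when no device has an outstanding finding."""
    return all(not findings for findings in report.values())


# Constructed sample inventory: one compliant laptop, one neglected reception PC.
SAMPLE_INVENTORY = [
    {"name": "LAPTOP-01", "firewall_enabled": True, "boundary_defaults_changed": True,
     "defaults_changed": True, "autorun_disabled": True, "screen_lock_minutes": 10,
     "accounts": [{"name": "jsmith", "cloud_or_remote": True, "mfa": True}],
     "anti_malware": {"enabled": True, "cloud_realtime": True, "definitions_age_hours": 2},
     "pending_patches": [{"id": "PATCH-EXAMPLE-1", "severity": "critical",
                          "released": date(2025, 1, 25)}]},
    {"name": "PC-RECEPTION", "firewall_enabled": False, "boundary_defaults_changed": False,
     "admin_interface_on_internet": True, "defaults_changed": False, "autorun_disabled": False,
     "screen_lock_minutes": None, "unneeded_services": ["telnet"],
     "accounts": [{"name": "reception", "shared": True},
                  {"name": "admin-example", "admin": True, "used_for_daily_work": True,
                   "cloud_or_remote": True, "mfa": False}],
     "anti_malware": {"enabled": True, "cloud_realtime": False, "definitions_age_hours": 72},
     "unsupported_software": ["Windows 7"],
     "pending_patches": [{"id": "PATCH-EXAMPLE-2", "severity": "high",
                          "released": date(2025, 1, 1)}]},
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_INVENTORY, date(2025, 1, 31)).items():
        print(name, "PASS" if not findings else "\n  " + "\n  ".join(findings))
```

The assessment date is passed in explicitly so that the patch-age arithmetic is reproducible; a real run would use today's date and an inventory exported from your device management tooling.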

Why Cyber Essentials matters for Derby businesses

Cyber attacks are not reserved for large enterprises. Small and medium-sized businesses across Derby and Derbyshire are frequently targeted precisely because they are perceived as easier to breach. The NCSC estimates that Cyber Essentials controls can prevent around 80% of common cyber attacks – a significant, measurable reduction in risk for any local organisation.

Beyond protection, Cyber Essentials certification carries real commercial value for Derby businesses. It is increasingly expected as a condition of supplier qualification, public sector contract tendering, and cyber insurance eligibility. For organisations working with the NHS, local government, or larger supply chains across the East Midlands, it is often a prerequisite.

Cyber Essentials is a baseline we take seriously. It is not a badge for the website – it reflects how we actually configure, manage, and secure our systems. Derby businesses deserve to know that the IT provider looking after their infrastructure operates to a verified, government-backed standard.

– Lee Jepson, Director of IT, L.E.A.D. IT Services, Derby


What our certification means for you

When you work with L.E.A.D. IT Services, you are working with a Derby IT provider whose own systems, processes, and team have been independently verified to the Cyber Essentials standard. The controls that protect our infrastructure – and the client environments we manage across Derby and the wider East Midlands – have been assessed and confirmed.

It also means we understand the certification process from the inside. When we support a Derby business through Cyber Essentials, we are not reading from a checklist – we are drawing on direct, practical experience of what the standard requires and how to meet it efficiently.

Every business in Derby faces cyber risk, whether they have thought about it in those terms or not. Cyber Essentials gives local organisations a structured, government-backed way to address the most common vulnerabilities. We know the process, we know the pitfalls, and we know how to get Derby businesses across the line without it becoming a distraction from everything else on their plate.

– Lee Jepson, Director of IT, L.E.A.D. IT Services, Derby

Common questions from Derby businesses about Cyber Essentials

Is Cyber Essentials relevant to small businesses?

Cyber Essentials is relevant to businesses of any size. For small businesses in Derby, it provides both meaningful protection and a credible signal to clients and partners that cyber security is taken seriously. Many Derby businesses also find it opens doors to contracts that require certified suppliers.

How long does certification take?

With the right preparation, most organisations can achieve Cyber Essentials certification within a few weeks. L.E.A.D. IT Services works with Derby businesses to identify and address gaps before the formal assessment, making the process as efficient as possible.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessed questionnaire verified by an approved body. Cyber Essentials Plus includes the same controls but adds independent technical testing – including vulnerability scans and hands-on verification. For Derby businesses supplying the public sector or handling sensitive data, Plus is often the required level.

Does Cyber Essentials need to be renewed?

Yes. Cyber Essentials requires annual renewal. L.E.A.D. IT Services provides ongoing support to Derby clients to ensure their systems remain compliant and renewal is straightforward.

Your Cyber Essentials readiness programme, right here in Derby

Cyber Essentials certification is well within reach for Derby businesses of any size – but getting there requires the right preparation. L.E.A.D. IT Services offers a structured, locally delivered readiness programme that takes you from your current position to certified, with as little disruption as possible to your day-to-day operations. We assess where you stand, address what needs to change, and guide you through the formal assessment – so your Derby team stays focused on running the business.

  • Gap analysis against all five NCSC control areas
  • Self-assessment questionnaire guidance
  • Policy and documentation templates included
  • Technical remediation of identified vulnerabilities
  • Preparation for external IASME assessment
  • Annual renewal support included

Available for Cyber Essentials and Cyber Essentials Plus. Serving businesses in Derby, Derbyshire, Nottingham, and across the East Midlands. Suitable for supplier qualification, public sector tendering, and cyber insurance compliance.