In 2024, the National Cyber Security Centre (NCSC) celebrated a decade of its baseline cyber security certification, Cyber Essentials (CE).
While the NCSC has touted the scheme’s benefits, CEO Richard Horne has nonetheless been explicit about the “widening gap” between the UK’s cyber defences and the threats faced. This comes amid a heightened level of physical threat from state actors, including via sabotage and espionage, as well as greater awareness of state threats to research and innovation.
This changing threat picture cast greater attention on the work of the National Protective Security Authority (NPSA), the UK’s national technical authority for physical and personnel protective security.
The elevated threat raises the question of whether the NPSA should follow the NCSC’s suit and develop its own baseline protective security certification as an equivalent to CE. However, to address the threat and build genuine resilience, we believe the UK needs an approach that goes beyond baselines and is informed by risk.
Is there a baseline level of protective security?
The CE certification was launched in 2014. It outlines a baseline level of security that is intended to be universally applicable and risk agnostic. The NCSC asserts that CE is “suitable for all organisations, or any size, in any sector”. CE is assessed without reference to the organisation or its risk profile because the CE controls are aimed at commodity attacks that are ubiquitous for Internet-connected organisations.
After 10 years the number of organisations certified under CE continues to increase year-on-year. The NCSC also has plans to expand the scheme further to better address supply chain risks. These achievements notwithstanding, there have been suggestions that the adoption of CE has been lower than expected, with one report stating that uptake remains below 1% of eligible organisations.
The argument for a baseline cyber security certification is a good one; strengthening the cyber security of individual organisations leads to a more resilient ecosystem and is a public good. The controls involved in CE are sufficiently universal that there is no need for application to refer to an organisation’s specific risk assessment.
However, there are reasons to question whether a CE-equivalent baseline security certification for protective security could be effective.
First, it is harder to identify a single shared ‘baseline’ level of protective security. CE is focused on five core security controls applicable to any organisation. It is not clear that a similar baseline set of controls could be constructed to simultaneously address areas as diverse as physical security, insider threat, or the security of research collaboration.
Second, the CE controls would almost certainly be duplicated in any protective security certification. This might deter organisations that already have CE from seeking the new certification – at a time when relatively few organisations have CE.
Third, the creation of separate NCSC and NPSA baseline certifications would reinforce silos between different aspects of security. We should be moving towards an approach in which organisations adopt a proportionate approach to security that addresses threats regardless of their means of realisation.
An attempt to mirror CE in the protective security space therefore risks falling between two stools; being overly strenuous for most organisations, while insufficient to tackle genuine threats. At the same time, it risks reinforcing an unhelpful physical-cyber divide in many organisations’ approach to security.
Building resilience against threats
CE remains relevant at a technical level, but the way it is framed increasingly appears as a hold over from an earlier geopolitical age.
The cyber security industry often portrays its work as primarily technical and unobjectionable. Cyber threats can be presented as impersonal – an inevitable consequence of being online. The NCSC refers to CE as “basic cyber hygiene” and similar metaphors from public health or ecology are regularly deployed to ‘de-securitise’ these security controls.
In contrast, the UK has become increasingly explicit about the deteriorating threat environment and the necessity of a concerted response. That messaging is likely to accelerate as the UK government builds the public case necessary for a significant increase in defence spending.
This would also align with the UK’s widening national conversation on resilience across domains and sectors. The forthcoming Cyber Security and Resilience Bill (CSRB) is an example of this trend. Although the CSRB is primarily targeted at bolstering cyber defences for critical services, it is part of a set of parallel efforts on physical security, economic stability, and community preparedness that aim at a holistic approach to threats.
The UK Government’s Resilience Framework outlines an all-hazards approach, covering everything from extreme weather and pandemics to supply chain disruptions and CNI failures, and emphasises preparation and prevention across society. A new National Security Council on resilience has also been created, chaired by the Chancellor of the Duchy of Lancaster and is made up of the Secretaries of State for a wide range of sectors. A separate ‘physical security’ certification scheme would run contrary to the trend towards a holistic approach to resilience.
A unified risk-based security certification
Rather than developing separate certifications, a better option would be a unified security resilience certification for at-risk organisations. This model would complement established baselines like CE.
Unlike the baseline approach of CE, the starting point for the new certification would be a credible organisational security risk assessment. This assessment would be integrated, bridging security domains such as cyber, physical, and personnel security.
Beyond this the framework would be modular, reflecting the absence of a single organisation-agnostic baseline in protective security. The scheme would certify that the organisation had taken proportionate protective security measures in response to its own risk assessment.
Achieving this standard would require substantial effort and would not be appropriate for most organisations. The certification process would necessarily be more in-depth than the process for CE. Nonetheless, by leveraging unified risk profiling and cross-sector collaboration between the NCSC and NPSA, this approach would enable organisations to go beyond compliance checklists to achieve genuine, outcome-focused resilience.
This certification would be accompanied by an awareness campaign that is frank about the geopolitical threat faced by at-risk organisations. It would be important to make clear that this is not ‘business as usual’.
This approach would reduce certification fatigue while delivering a robust, adaptive defence posture. It aligns with forthcoming resilience legislation, and with a broader national view of resilience as a desirable achievement in an increasingly turbulent geopolitical landscape.
Neil Ashdown is head of research for Tyburn St Raphael, a security consultancy.
Tash Buckley is a former research analyst at RUSI and a security educator and lecturer, researching cyber power and the intersection of science, technology innovation, and national security.
