Build your Cyber Essentials bundle —
pick any 5 of 12

What employees may and may not do on company systems and networks. Foundational for cyber-insurance applications.

Rules for employee-owned devices accessing company data. Required if any staff use personal phones or laptops for work.

Security expectations for employees working off-premises. Covers VPN, home networks, unsanctioned cloud storage, and physical screen exposure.

Account credential and authentication standards. Covers complexity, rotation, shared accounts, and multi-factor authentication requirements.

How long data lives, in what form, and how it is securely destroyed. Required for CCPA, HIPAA-adjacent, and most cyber-insurance questionnaires.

Vetting and ongoing oversight of third-party software and service providers. Covers SaaS tools, payment processors, and IT contractors.

What the organization does when something breaks or gets breached. Defines roles, escalation paths, and notification timelines.

Keeping the business running through data loss and system failure. Covers backup frequency, offsite storage, and recovery time objectives.

Governance of company-owned mobile devices — distinct from BYOD. Covers MDM enrollment, remote wipe, and acceptable use on company phones and tablets.

Phishing defense, approved channels by data type, and secure email handling. Covers wire-fraud awareness, encryption, and prohibited attachments.

Office access control, visitor policy, clean-desk, and paper record handling. Covers key card management, after-hours access, and camera placement.

Provisioning and deprovisioning access, equipment, and acknowledgements. Prevents credential sprawl when employees join or leave.