MoD – Cyber Essentials Scheme CES and CES+


MoD is backing the Cyber Essentials Scheme – 1st January 2016

In a move to protect the MoD from cyber threats and protect their data, all defence contracts are now measured against two criteria: severity and probability of impact. Depending on how they measure against those two criteria, they are categorised into one of four risk levels: Very Low, Low, Moderate and High. Depending on the level of risk assigned, the organisation will then be required to achieve either Cyber Essentials Scheme (CES) or Cyber Essentials Scheme Plus (CES+).

The Risk Levels:

The following section outlines the four risk levels and the associated assessment criteria.

Very Low Risk

“Cyber risk to MoD from contract deemed basic and untargeted.”

  • Assessment Criteria – Cyber Essentials scheme (CES) Certification Required.

Low Risk

“Cyber risk to MoD from contract deemed basic: more targeted, attackers semi-skilled but not persistent.”

  • Assessment Criteria – Cyber Essentials plus (CES+) Certification Required.

Moderate Risk

“Threats will be tailored and targeted. Objective gaining access to a specific asset or enable a denial of service.”

  • Assessment Criteria – Cyber Essentials plus (CES+) Certification Required.

High Risk

“Projects may be faced with advanced persistent threats (APT). Attackers at this level will typically be well organised, highly sophisticated, well-resourced and persistent.”

  • Assessment Criteria – Cyber Essentials plus (CES+) Certification Required.


A small number of contracts will be assigned the categorisation of ‘Not Applicable’, this is where items are procured regularly and the allocation is not known yet. There are also other standards which may have to be met when undertaking Low, Moderate and High risk contracts, further information on this can found here.

Key Information

All MoD contractors and sub-contractors are now required to have Cyber Essentials Scheme Certification or Cyber Essentials plus Scheme Certification. It is also important to be aware that this extends to all defence procurements, suppliers and subcontractors even if they are not working directly with/for the MoD.

After 1st January, all suppliers will be required to have a Cyber Essentials certificate at the latest by the contract start date and thereafter renewed annually.

It is important to understand that organisations have to complete CES before CES+ can be undertaken.

Get in Touch

7 Elements is an accredited certification body for Cyber Essentials, more information on the scheme can be found here. As an independent technical information assurance consultancy, 7 Elements is well suited to assist your organisation in gaining a Cyber Essentials Certification.

As the scheme is designed to be available to all sizes of organisations, our pricing is cost effective.

To discuss your Cyber Essentials needs please contact us.