Department for Science, Innovation and Technology (DSIT): Process and impact evaluations of the Cyber Essentials Scheme

In 2022, DSIT commissioned us to undertake a process evaluation and (subsequently in 2023) an impact evaluation of its flagship UK Cyber Essentials scheme.

The process evaluation explored whether the current Cyber Essentials implementation approach was working, and if the scheme was meeting its objectives. The research identified the most common drivers for organisations to adopt Cyber Essentials, the cost and time involved in Cyber Essentials certification (and how this varies by organisation type and size). The impact evaluation assessed whether Cyber Essentials has had a positive impact to date on increasing the cyber resilience of the UK economy; benefits and potential consequences for organisations which do and do not have certification; and the extent to which Cyber Essentials offers value for money and is an effective use of resources.

Both evaluations involved detailed desk research, stakeholder engagement via in-depth interviews, large-scale surveys of Cyber Essentials certified businesses, and comparison surveys of organisations that had never obtained certification. The impact evaluation involved development of a logic model and framework as a basis for testing assumptions, and the published impact report includes case studies of how different types of organisations have pursued their Cyber Essentials journey, and the difference this has made.

Our recommendations covered such themes as the scheme’s onward promotion to help organisations appreciate why a cyber security solution such as Cyber Essentials is important; and how DSIT in conjunction key partners could maximising the effectiveness of the scheme, notably by playing an important role in supply chain assurance.