At thoughtbot, we recently received our annual Cyber Essentials (CE) recertification. CE is a UK government-backed cybersecurity standard whose five technical controls cover the fundamentals: firewalls, secure configuration, user access control, malware protection, and security update management (keeping operating systems and software patched).
CE is often described as a baseline security certification, and it is. But it’s much more than that.
🔒 Trust
Trust is built, or broken, through consistent interactions and through the systems, tools, and processes we use every day. Earning Cyber Essentials certification is one of the ways we:
- Show care for our teammates and clients
- Proactively defend what we create and share
- Reinforce a culture of transparency and responsibility
- Guard against some of the most common cybersecurity vulnerabilities
Every organization working in software or tech should meet a basic, but resilient, security standard. If your clients aren’t asking for it yet, we encourage you to take the lead. This standard isn’t only about compliance. It’s crucial to working well together and protecting those who depend on you.
🚀 Behind the Certification: Our Approach to Success
thoughtbot builds digital products and partnerships across the globe, and our team is fully distributed. Although recertification is annual, maintenance is continuous. We’re able to meet this standard because we treat security as a team effort.
Team buy-in and commitment
It only works if everyone agrees that security is a shared responsibility. We've built this culture through open conversations, internal education, ongoing collaboration, adherence to our handbook policies, and the right tools.
Tools
We use the endpoint security tool Kolide to detect potential issues, and our internal ticketing system to ensure teammates promptly resolve them, so we all maintain healthy device hygiene year-round.
Support
We love working with Cyber Security Specialists (CSS), a UK-based cyber advisor consultancy whose approach aligns with ours. They are thoughtful, responsive, and friendly experts who are great at working both synchronously and asynchronously.
Just as we guide our clients with structure and support, CSS does the same for us. If something in the process feels hazy or unfamiliar, they offer practical advice and a steady, personal approach that makes moving forward feel doable.
📘 You Should Get Certified: A Step-by-Step Guide
Whether you’re a startup, a nonprofit, a growing consultancy, or an established company looking to modernize your security practices, Cyber Essentials is one of the clearest, most meaningful ways to raise your bar.
Read
- Cyber Essentials overview (IASME)
- Cyber Essentials Question Set / Self-Assessment Preparation Booklet
- Requirements Guide / Requirements for IT Infrastructure v3.2 (NCSC)
Answer
There are around 90 questions about your current cybersecurity protections.
Ask for help as needed
The Cyber Essentials scheme maintains a list of approved Cyber Advisors who can support you throughout the process. That's how we found Cyber Security Specialists (CSS), which also serves as a certification body.
Secure an assessor
Choose an assessor or certification body to evaluate your submission.
Submit your responses
Most assessors can set up your access to the assessment response portal. If your security measures meet the baseline requirements, you’ll be approved for certification. If not, you’ll receive feedback on what needs improvement.
❤️ You Can Do It
Cybersecurity can feel like an overwhelming space—but this is one clear, manageable step forward.
Your team deserves it. Your clients benefit from it. The integrity of your work depends on it.
You can get Cyber Essentials certified. Reach out if you have questions or would like to connect. Let’s do good work together. We’re cheering you on. 🎉