Cyber Essentials and Backup: What UK MSPs Need to Know
Cyber Essentials is the UK government-backed certification scheme designed to protect organisations against the most common cyber threats. For MSPs, it's become an increasingly important part of the conversation with clients — both because more clients are pursuing certification, and because government contracts now require it.
Backup intersects with Cyber Essentials in ways that aren't always obvious. Understanding the relationship between the two will save you and your clients time during the certification process and help you build a backup architecture that actually supports the certification rather than complicating it.
What Cyber Essentials Actually Covers
Cyber Essentials focuses on five technical controls:
- Firewalls and internet gateways
- Secure configuration
- User access control
- Malware protection
- Patch management
Backup is not one of the five controls. This surprises some people — and leads to the mistaken assumption that backup is therefore irrelevant to Cyber Essentials. It isn't.
Cyber Essentials Plus, the audited version of the certification, includes a broader technical assessment. And even at the basic level, several of the five controls have direct implications for how backup systems should be configured.
Where Backup Intersects with Cyber Essentials
Malware protection and ransomware resilience. The malware protection control requires organisations to have active protection against malicious software. Ransomware is the primary concern, and assessors increasingly expect to see evidence that backup exists and is protected — specifically that backup data cannot be encrypted or deleted by ransomware that compromises the main environment.
This means backup credentials should not be accessible from the devices being backed up. Cloud backup accounts should use separate authentication, ideally with multi-factor authentication enabled, so that a compromised endpoint cannot reach the backup system.
Immutable backup. While not explicitly required by Cyber Essentials, immutable backup — where backup data is stored in a write-once format that cannot be modified or deleted — is increasingly seen as best practice in the context of certification. Some assessors and cyber insurers will ask about it specifically.
User access control. Backup admin access should be governed by the same principles as the wider access control framework. Backup management consoles should not be accessible with default credentials, and admin access should be limited to specific named users with appropriate roles.
Secure configuration. Backup agents installed on endpoints need to be kept up to date as part of the general patch management and secure configuration posture. Outdated backup agents sitting on endpoints can themselves become a vulnerability.
Cyber Essentials Plus and Backup
Cyber Essentials Plus involves an on-site (or remote) technical assessment rather than just a self-assessment questionnaire. Assessors will examine the actual configuration of systems, not just what's been declared.
During a Cyber Essentials Plus assessment, the assessor may:
- Check that backup software and agents are up to date as part of the patch management review
- Verify that backup credentials are not stored in plaintext or accessible from compromised endpoints
- Ask about recovery testing — while not a formal requirement, the absence of any testing process is a red flag
- Check that backup data stored locally is not accessible from user accounts that shouldn't have access to it
The practical implication is that backup systems need to be built with the same rigour as other parts of the security architecture, not treated as an afterthought.
What Good Looks Like for a Certified Client
A client pursuing Cyber Essentials — and certainly Cyber Essentials Plus — should have:
Segregated backup credentials. The account used to manage backup should not be the same account used for day-to-day operations. Ideally, backup management credentials use MFA and are not stored on any endpoint.
Offsite or cloud backup with separate authentication. If backup data is stored in the cloud, the cloud account should be separate from the organisation's main Microsoft 365 or Google Workspace account, with its own credentials and MFA.
Regular tested backups. Backup jobs should run on a defined schedule and completion should be monitored. At minimum, the client should be able to confirm that backups are completing and that a restore has been tested within the last 12 months.
Protection from ransomware. The client should have some form of protection against backup deletion or encryption, whether through immutable storage, air-gapped copies, or access controls that prevent endpoint-level access to backup data.
Up-to-date backup agents. Backup software on endpoints and servers should be patched and kept current, consistent with the overall patch management posture.
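The checklist above, together with the points under "Where Backup Intersects with Cyber Essentials", can be turned into a pre-assessment script an MSP runs before the assessor arrives. The following is an added example, not code from this page or from BOBcloud: it evaluates a constructed inventory record of a client's backup posture against those points and returns the findings that would need fixing. The record fields, the job-age rule (a successful job no older than the defined schedule interval) and the dotted version comparison are assumptions; the 12-month restore-test window comes from the text.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed inventory format: how an MSP might record a client's backup posture.
# It is not a BOBcloud API and not a Cyber Essentials questionnaire field set.
@dataclass
class BackupPosture:
    client: str
    backup_admin_account: str        # account used to administer backup
    daily_ops_accounts: frozenset    # accounts staff use for day-to-day work
    admin_mfa: bool                  # MFA enforced on the backup management console
    creds_on_endpoint: bool          # backup credentials stored on a backed-up device
    cloud_account_separate: bool     # cloud backup tenant separate from main M365/Workspace
    schedule_days: int               # defined job interval in days
    last_successful_job: Optional[date]
    last_restore_test: Optional[date]
    immutable_storage: bool
    air_gapped_copy: bool
    endpoint_access_blocked: bool    # endpoints cannot reach or delete backup data
    agent_version: str               # agent version deployed on endpoints
    vendor_current_version: str      # latest release the backup vendor ships

RESTORE_TEST_WINDOW = timedelta(days=365)   # "tested within the last 12 months"

def _version_tuple(v: str) -> tuple:
    """Turn '7.2.1' into (7, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def assess(p: BackupPosture, today: date) -> list:
    """Return the findings an assessor would expect fixed; an empty list means every point is met."""
    findings = []
    if p.backup_admin_account in p.daily_ops_accounts:
        findings.append("backup admin account is also used for day-to-day operations")
    if not p.admin_mfa:
        findings.append("backup management credentials do not use MFA")
    if p.creds_on_endpoint:
        findings.append("backup credentials are stored on a backed-up endpoint")
    if not p.cloud_account_separate:
        findings.append("cloud backup shares the organisation's main Microsoft 365/Google Workspace account")
    # Completion monitoring: a job older than one full schedule interval is a missed run.
    if p.last_successful_job is None or today - p.last_successful_job > timedelta(days=p.schedule_days):
        findings.append("no successful backup job within the defined schedule")
    # Restore testing: "never tested" and "tested more than 12 months ago" both fail.
    if p.last_restore_test is None or today - p.last_restore_test > RESTORE_TEST_WINDOW:
        findings.append("no restore test within the last 12 months")
    # Any one of the three protections listed above satisfies the ransomware point.
    if not (p.immutable_storage or p.air_gapped_copy or p.endpoint_access_blocked):
        findings.append("no protection against backup deletion or encryption")
    if _version_tuple(p.agent_version) < _version_tuple(p.vendor_current_version):
        findings.append(f"backup agent {p.agent_version} is behind current release {p.vendor_current_version}")
    return findings

TODAY = date(2025, 6, 1)   # fixed so the example is reproducible

# Two constructed clients: one that meets every point, one that misses all of them.
GOOD = BackupPosture(
    client="Example Ltd (constructed)", backup_admin_account="bkp-admin",
    daily_ops_accounts=frozenset({"alice", "bob", "it-helpdesk"}), admin_mfa=True,
    creds_on_endpoint=False, cloud_account_separate=True, schedule_days=1,
    last_successful_job=date(2025, 5, 31), last_restore_test=date(2024, 9, 15),
    immutable_storage=True, air_gapped_copy=False, endpoint_access_blocked=True,
    agent_version="7.2.1", vendor_current_version="7.2.1",
)
WEAK = BackupPosture(
    client="Example Two Ltd (constructed)", backup_admin_account="it-helpdesk",
    daily_ops_accounts=frozenset({"alice", "bob", "it-helpdesk"}), admin_mfa=False,
    creds_on_endpoint=True, cloud_account_separate=False, schedule_days=1,
    last_successful_job=date(2025, 5, 25), last_restore_test=None,
    immutable_storage=False, air_gapped_copy=False, endpoint_access_blocked=False,
    agent_version="7.1.9", vendor_current_version="7.2.1",
)
# Boundary case: a restore test exactly 12 months ago still counts as within the window.
BOUNDARY = replace(GOOD, last_restore_test=TODAY - RESTORE_TEST_WINDOW)

if __name__ == "__main__":
    for posture in (GOOD, WEAK, BOUNDARY):
        findings = assess(posture, TODAY)
        print(posture.client, "-", "ready for assessment" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The script deliberately treats a missing value (`None`) the same as a stale one, because an assessor will read "we don't know when we last tested a restore" exactly as they read "we haven't tested one this year". Swap the constructed records for the client's real inventory and the output doubles as the evidence list for the assessment.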
The Opportunity for MSPs
Cyber Essentials creates a natural conversation opener for MSPs. Clients pursuing certification need to review their entire technical posture, and backup is almost always part of that review.
For clients who have informal or poorly documented backup, Cyber Essentials preparation is an ideal time to formalise the service — upgrade the backup architecture, document the retention policy, implement tested recovery, and add it as a proper managed service line item.
For clients who already have backup in place, the certification process is a good opportunity to audit what's actually configured versus what was intended, check that credentials are appropriately secured, and verify that backup agents are current.
Either way, the conversation is easier when framed around certification rather than around selling backup for its own sake. Most clients understand that certification requires certain things to be in place — your role is to help them get there.
Cyber Insurance and Backup
A related development worth mentioning: UK cyber insurance underwriters have significantly tightened their requirements over the past two years. Most policies now ask specifically about backup — whether it exists, whether it's tested, whether it's protected from ransomware, and whether it's stored offsite.
The questions cyber insurers ask are increasingly similar to what Cyber Essentials Plus assessors look for. An MSP who can document backup architecture, testing frequency, and ransomware protection is directly helping clients both with certification and with insurance — two conversations that are increasingly happening at the same time.
Where BOBcloud Fits
BOBcloud's backup platform is designed with the kind of segregated, cloud-based architecture that Cyber Essentials expects. Backup is managed through a separate console with its own credentials, cloud storage is UK-based, and the platform supports immutable storage options for clients who need them.
If you're helping clients through Cyber Essentials or Cyber Essentials Plus and need to formalise their backup posture, get in touch to talk through the options.