
CyFUN, Cyber Essentials, Cyber Essentials Plus, and the Essential 8: A Complete Small Business Guide

Pragmatic Security for SMEs

Here is the thing about cybersecurity frameworks: there are too many of them, they all sound similar, and none of them tell you what to actually do on Monday morning.

CyFUN. Cyber Essentials. Cyber Essentials Plus. The Essential 8. If you are a small business owner trying to make sense of these names, you are not alone. Every week, Irish SMEs ask us the same question: which one do we need?

This guide gives you a straight answer. No jargon. No vendor pitch. Just a clear explanation of what each framework is, where they overlap, and — most importantly — what your business should do first.

Why Most Small Businesses Get Breached

Before we compare frameworks, let us be clear about something. Most small businesses are not breached because of sophisticated, nation-state-level hacking. They are breached because of entirely preventable failures.

The five most common causes of small business cyber incidents are weak or reused passwords, unpatched software with known vulnerabilities, excessive admin privileges given to too many people, the absence of multi-factor authentication (MFA), and staff clicking on phishing links that could have been blocked.

Every single framework covered in this guide is designed to address those exact five problems. That is not a coincidence. It is the most important insight in this entire article: the frameworks repeat the same controls because those controls work.

Understanding that repetition is the key to not wasting time on compliance theatre.


The Four Frameworks: What They Are and Who Built Them

1. CyFUN — Ireland's National Cyber Baseline

CyFUN, the CyberFundamentals Framework, is the cybersecurity baseline that NCSC Ireland has adopted for Irish organisations. It was developed by the Centre for Cybersecurity Belgium (CCB), and Ireland has since joined as a co-owner of the framework. The NCSC recommends it as the primary structured tool for Irish organisations to meet their NIS2 obligations.

CyFUN is built on the NIST Cybersecurity Framework (CSF 2.0) and organises cybersecurity into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It also defines assurance levels (Small, Basic, Important, Essential) so an organisation can pick a target proportionate to its size and risk instead of facing a single pass-or-fail bar. It is guidance-based, improvement-focused, and, crucially, not a formal certification in the way that Cyber Essentials is. You can self-assess against CyFUN without paying for an external assessor.

Who CyFUN suits: Micro businesses and startups beginning their security journey. Businesses that are not yet required to hold formal certification. Irish organisations that need to demonstrate NIS2 readiness to regulators or enterprise clients. Any business that wants a structured, honest picture of where their security actually stands.

The honest limitation: CyFUN helps you understand what you should be doing. It does not, by itself, prove to customers or regulators that you are doing it. For that, you need a certification.


2. Cyber Essentials — The UK Government's Baseline Certification

Cyber Essentials is a UK government-backed certification scheme, run by the NCSC UK with IASME as its delivery partner. It shows that your business has implemented five core technical controls. It is self-assessed: you answer a questionnaire covering the five controls, a board member or owner signs a declaration that the answers are true, and an assessor at a licensed certification body reviews the answers before the certificate is issued.

The five controls are: firewalls, secure configuration, user access control, malware protection, and security update management (patching). That is it. No deep auditing. No penetration testing. Just structured evidence that you have implemented the basics correctly.

Why it matters for Irish businesses: Cyber Essentials is increasingly requested by enterprise clients and regulated sector organisations — not just in the UK but in Ireland too. If you supply UK public sector contracts, it is often mandatory. If you work with large Irish enterprises, procurement teams are increasingly using it as a minimum supplier standard. It is affordable, widely recognised, and covers the basics thoroughly.

The honest limitation: Cyber Essentials is a self-assessment with questionnaire review, not technical testing. It tells the world that you have declared the controls are in place and that an assessor found the answers credible. It does not independently test whether those controls are actually working on your systems.


3. Cyber Essentials Plus — The Independently Verified Version

Cyber Essentials Plus includes everything in Cyber Essentials, but adds a hands-on technical audit by an assessor from a certification body, carried out shortly after the self-assessment has passed. The assessor runs an external vulnerability scan of your internet-facing systems, an authenticated vulnerability scan of a sample of your devices, tests that malware protection actually blocks test files arriving by email attachment and by browser download, checks that MFA is enforced on your cloud services, and confirms that day-to-day accounts are not running with administrator rights. It is validation that your controls are genuinely working, not just documented. It is not a penetration test: nothing is exploited.

The key distinction is simple: Cyber Essentials is paperwork plus evidence. Cyber Essentials Plus is real-world validation.

Who needs Cyber Essentials Plus: Businesses handling sensitive client data — medical records, financial information, legal files. Regulated sectors where trust is not optional. Organisations bidding for higher-tier government or enterprise contracts. Any business where a breach would cause serious reputational or financial damage.

The honest limitation: Cyber Essentials Plus does not add new controls to what Cyber Essentials already requires. It simply validates the existing ones more rigorously. If you are not yet doing the basics well, Plus will expose that — which is actually the point.


4. The Essential 8 — Australia's Prioritised Mitigation Strategies

The Essential 8 was developed by the Australian Cyber Security Centre (ACSC, part of the Australian Signals Directorate). It is a set of prioritised mitigation strategies rather than a certification scheme, and it focuses specifically on the attack techniques most commonly used against organisations.

The eight strategies are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.

Unlike Cyber Essentials, the Essential 8 includes maturity levels — Level 0 through Level 3 — allowing organisations to measure and demonstrate progressive improvement rather than simply pass or fail.

Why it matters for Irish businesses: The Essential 8 is more prescriptive and more technically demanding than Cyber Essentials. It is generally considered more robust, particularly for preventing ransomware and targeted attacks. While it was developed for Australia, its controls are universally applicable — and increasingly referenced by Irish and European security professionals as a practical technical baseline.

The honest limitation: The Essential 8 is more technically demanding than Cyber Essentials. For a small business without dedicated IT support, achieving Maturity Level 2 across all eight strategies requires sustained effort. Start with Level 1 and build from there.


Where the Frameworks Overlap — and Why That Matters

Here is the comparison that most guides bury in footnotes. We are putting it front and centre because it is the most useful thing you can read.

Control area          | CyFUN                 | Cyber Essentials                | Cyber Essentials Plus  | Essential 8
Firewalls             | Yes                   | Yes                             | Yes                    | Indirect
Secure configuration  | Yes                   | Yes                             | Yes                    | Yes
Patch management      | Yes                   | Yes                             | Yes                    | Yes (OS and apps separately)
User access control   | Yes                   | Yes                             | Yes                    | Yes (admin restriction)
MFA                   | Often                 | Required for cloud services     | Tested by the assessor | Explicitly required
Backups               | Yes                   | Not a core requirement          | Not a core requirement | Mandatory
Application control   | Sometimes             | No                              | No                     | Yes
Independent testing   | No (self-assessment)  | Limited (questionnaire review)  | Yes                    | Only if you pursue certification

Read down the rows. Patch management appears in all four columns. So do user access control and secure configuration. MFA appears in all four, with varying degrees of emphasis: the Essential 8 names it outright, Cyber Essentials requires it on cloud services, and CyFUN places it under Protect.

This repetition is not accidental. It tells you exactly which controls matter most. When three national cyber agencies (Belgium's CCB together with NCSC Ireland, the NCSC UK, and the ACSC) independently arrive at the same short list of patching, access control, and MFA, that list is essential. Full stop.


Free Resource: Download the Irish SME Cyber Survival Guide — a practical, no-jargon checklist of the 10 controls that will reduce your risk the most. Based on NCSC Ireland and ENISA guidance. Free to download.


The Overlapping Core: Five Controls That Appear in Every Framework

Strip away the branding, the certification language, and the national origins of each framework, and you are left with five controls that appear — in some form — in all of them.

Multi-factor authentication everywhere. Email, remote access, admin accounts, cloud services. MFA is the single highest-impact control available to a small business. It blocks the vast majority of credential-based attacks. The Essential 8 makes it explicit. Cyber Essentials expects it. CyFUN includes it in the Protect function. There is no excuse for not having it.

Automatic patching for operating systems and applications. Unpatched software is one of the most common entry points for attackers. The WannaCry outbreak that crippled parts of the UK's NHS in May 2017 spread through a Windows SMB vulnerability that Microsoft had patched two months earlier. The patch existed. It had not been applied. (The 2021 HSE attack was a different case: Conti ransomware, let in by a phishing email carrying a malicious Excel macro, with the attackers inside the network for weeks before they encrypted anything.) Automatic patching removes human error from the equation.

Removal of unnecessary admin privileges. Most employees do not need administrator rights on their devices. Most do not need access to every folder on the company server. The principle of least privilege — give people access to only what they need to do their job — is one of the most effective controls available. It limits the damage an attacker can do if they compromise a standard user account.

Secure, tested backups. A backup that has never been tested is not a backup. It is a hope. The Essential 8 requires backups to be taken regularly, retained, restored as part of routine disaster recovery testing, and protected so that ordinary user accounts cannot modify or delete them (at the higher maturity levels, not even privileged accounts other than backup administrators can). That protection is what stops ransomware from simply encrypting or wiping the backups along with everything else. If you cannot restore your data in a controlled test, you will not be able to restore it under the pressure of a live incident.

Basic firewall and endpoint protection. A properly configured firewall and a reputable endpoint security tool are the minimum technical perimeter for any business. Cyber Essentials makes firewalls one of its five core controls. This is not optional.

Implement these five controls properly and you have already reduced the vast majority of real-world small business cyber risk. Certification then becomes a business decision — about proving your security to others — not a security decision.
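The restore test described above is the one control on this list that is easy to say and easy to skip. The following script is an added example, not code from the article or from any of the frameworks, showing the minimum a restore test should do: take a backup with a hash manifest, restore it somewhere else, and verify every file against the manifest so that a truncated or missing file is reported rather than discovered during an incident. The directory names and file contents are constructed sample data written to a temporary directory; a real deployment would point make_backup at the live data and restore_and_verify at the copy sitting in offline or retention-locked storage.

```python
"""Backup with a SHA-256 manifest, plus a restore-and-verify test.

Added example (not from the original article). The sample files are
constructed here in a temporary directory so the script runs offline.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> dict:
    """Copy the source tree into backup_dir and write a manifest of every file's hash."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup_dir: Path, restore_dir: Path) -> dict:
    """Restore the backup to restore_dir, then check every manifest entry.

    Returns a report with ok/missing/corrupt/unexpected lists and a 'passed' flag.
    The test only passes when every file listed in the manifest is present and
    hashes to the recorded value; a partial restore is a failed restore.
    """
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    if restore_dir.exists():
        shutil.rmtree(restore_dir)
    shutil.copytree(backup_dir, restore_dir)
    (restore_dir / MANIFEST_NAME).unlink()  # the manifest itself is not user data

    report = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.exists():
            report["missing"].append(rel)
        elif sha256_of(target) != expected["sha256"]:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    # Files the manifest never listed are also worth a look: they were not part
    # of the backup set, so something has written into the backup location.
    for p in restore_dir.rglob("*"):
        if p.is_file() and p.relative_to(restore_dir).as_posix() not in manifest:
            report["unexpected"].append(p.relative_to(restore_dir).as_posix())
    report["passed"] = not (report["missing"] or report["corrupt"])
    return report


def demo() -> tuple:
    """Run a clean restore test, then the same test against a damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "bookings"                       # constructed sample data
        (src / "archive").mkdir(parents=True)
        (src / "2024-06.csv").write_text("ref,guest,room\nA1,Doe,12\n")
        (src / "archive" / "2024-05.csv").write_text("ref,guest,room\nB7,Roe,3\n")

        backup = root / "backup"
        make_backup(src, backup)
        clean = restore_and_verify(backup, root / "restore1")

        # Simulate the partial-decrypt situation: one file truncated, one gone.
        (backup / "2024-06.csv").write_bytes(b"ref,guest")
        (backup / "archive" / "2024-05.csv").unlink()
        damaged = restore_and_verify(backup, root / "restore2")
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore passed:", clean["passed"])
    print("damaged restore passed:", damaged["passed"],
          "missing:", damaged["missing"], "corrupt:", damaged["corrupt"])
```

Run it on a schedule against the most recent backup and treat a failed report the same way you would treat a failed backup job: it means you currently have no recoverable copy of that data. Keep the manifest with the backup but also somewhere the backup process cannot overwrite, otherwise an attacker who can rewrite the backup can rewrite the hashes too.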


A Donegal Accountancy Firm, a Sligo Hotel, and a Cork Manufacturer

These are not hypothetical scenarios. They are the kinds of incidents we see regularly in Irish SMEs.

A Donegal accountancy firm received a business email compromise (BEC) email that appeared to come from a long-standing client. They transferred €18,000 before realising the client's email had been spoofed. They had no cyber insurance. They had no MFA on their email accounts. The attacker had been inside their email system for three weeks, reading correspondence and timing the attack perfectly.

A Sligo hotel's booking system was encrypted by ransomware on a bank holiday weekend — the worst possible time. They paid €12,000 in Bitcoin. The decryption key only partially worked. They lost three weeks of booking data. Their TripAdvisor rating dropped as guests who had made reservations arrived to find no record of their booking.

A Cork manufacturing firm lost a €2.3 million contract because they failed a client cybersecurity audit. The client required Cyber Essentials certification as a minimum supplier standard. The manufacturer had no certification, no documented controls, and no way to demonstrate their security posture. The contract went to a competitor.

In each case, the controls that would have prevented the incident, or at least dramatically reduced the damage, are covered by the overlapping core of all four frameworks. MFA on the accountancy firm's mailboxes would have blocked the account takeover that let the attacker read correspondence and time the fraud. Tested backups would have meant the hotel did not need to pay the ransom. Cyber Essentials certification would have kept the Cork manufacturer in the running.


What Your Business Should Do First: A Priority Order

Here is the honest priority order for a small business approaching cybersecurity frameworks for the first time.

Priority 1: Implement the Overlapping Core Controls

Before pursuing any certification, implement the five controls that appear in every framework. Turn on MFA for email, remote access, and admin accounts. Enable automatic updates for operating systems and applications. Restrict admin rights to only those who genuinely need them, and give those people a separate admin account rather than admin rights on the account they use for email and browsing. Set up backups that an attacker holding a user's credentials cannot alter or delete (offline, or in storage with retention locks) and test restoring from them. Deploy a reputable endpoint security tool.
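Checking whether those five controls are actually in place is mostly a matter of comparing exports you already have (a user list from Microsoft 365 or Google Workspace, a patch report from your RMM tool, the date of the last restore test, the endpoint inventory) against the thresholds the frameworks use. The script below is an added example written for this article, not a tool from any of the frameworks. It encodes the Cyber Essentials rule that high and critical security updates are installed within 14 days, the Essential 8 Maturity Level 1 rule that a patch for a vulnerability with a public exploit is applied within 48 hours, the expectation that every account has MFA (a missing MFA on an admin account is treated as critical), and an assumed internal policy of a restore test at least every 90 days, which is not a framework figure. The column names and every sample row are constructed for the example.

```python
"""Gap check against the overlapping core controls.

Added example, not from the article or any framework's own tooling.
The inventory shape and all sample rows are constructed. Thresholds:
  CE_PATCH_DAYS        Cyber Essentials: high/critical updates within 14 days
  E8_EXPLOITED_HOURS   Essential 8 ML1: 48 hours when a working exploit is public
  BACKUP_TEST_MAX_DAYS assumed internal policy (not a framework figure)
"""
from datetime import date, timedelta

CE_PATCH_DAYS = 14
E8_EXPLOITED_HOURS = 48
BACKUP_TEST_MAX_DAYS = 90
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

TODAY = date(2025, 1, 31)  # fixed so the sample output is reproducible

# Constructed sample data in the shape of typical exports.
SAMPLE_INVENTORY = {
    "users": [
        {"upn": "alice@example.ie", "admin": True, "mfa": True, "daily_use": True},
        {"upn": "bob@example.ie", "admin": True, "mfa": False, "daily_use": False},
        {"upn": "carol@example.ie", "admin": False, "mfa": False, "daily_use": True},
        {"upn": "adm-dave@example.ie", "admin": True, "mfa": True, "daily_use": False},
    ],
    "patches": [
        {"host": "FS01", "product": "Windows Server", "id": "update-A",
         "released": TODAY - timedelta(days=20), "installed": None,
         "exploited": False, "internet_facing": False},
        {"host": "RDP-GW", "product": "Remote Desktop Gateway", "id": "update-B",
         "released": TODAY - timedelta(days=3), "installed": None,
         "exploited": True, "internet_facing": True},
        {"host": "LT-07", "product": "Browser", "id": "update-C",
         "released": TODAY - timedelta(days=5), "installed": None,
         "exploited": False, "internet_facing": False},
        {"host": "LT-08", "product": "Office", "id": "update-D",
         "released": TODAY - timedelta(days=30), "installed": TODAY - timedelta(days=25),
         "exploited": False, "internet_facing": False},
    ],
    "endpoints": [
        {"host": "FS01", "endpoint_protection": True},
        {"host": "LT-07", "endpoint_protection": False},
    ],
    "last_restore_test": TODAY - timedelta(days=120),
}


def check_accounts(users):
    """MFA on every account; admin rights kept off day-to-day accounts."""
    findings = []
    for u in users:
        if not u["mfa"]:
            findings.append(("critical" if u["admin"] else "high", f"{u['upn']}: MFA not enabled"))
        if u["admin"] and u["daily_use"]:
            findings.append(("high", f"{u['upn']}: admin rights on a day-to-day account"))
    return findings


def check_patches(patches, today):
    """Flag uninstalled updates older than the applicable deadline."""
    findings = []
    for p in patches:
        if p["installed"] is not None:
            continue
        limit = timedelta(days=CE_PATCH_DAYS)
        if p["exploited"]:  # Essential 8: 48 hours once an exploit is public
            limit = timedelta(hours=E8_EXPLOITED_HOURS)
        age = today - p["released"]
        if age > limit:
            sev = "critical" if p["exploited"] or p["internet_facing"] else "high"
            findings.append((sev, f"{p['host']}: {p['product']} {p['id']} unpatched "
                                  f"for {age.days}d (limit {limit.days}d)"))
    return findings


def check_backups(last_restore_test, today):
    gap = (today - last_restore_test).days
    return [("high", f"last backup restore test was {gap} days ago")] if gap > BACKUP_TEST_MAX_DAYS else []


def check_endpoints(endpoints):
    return [("high", f"{e['host']}: no endpoint protection") for e in endpoints if not e["endpoint_protection"]]


def run_gap_check(inventory, today):
    """Return all findings as (severity, message), most severe first."""
    findings = (check_accounts(inventory["users"])
                + check_patches(inventory["patches"], today)
                + check_backups(inventory["last_restore_test"], today)
                + check_endpoints(inventory["endpoints"]))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, message in run_gap_check(SAMPLE_INVENTORY, TODAY):
        print(f"[{severity.upper():8}] {message}")
```

Swap the sample dictionary for rows read from your real exports and the output is a prioritised to-do list: on the constructed data it puts the unpatched internet-facing gateway with a public exploit and the admin account without MFA at the top, ahead of the overdue file-server update, the untested backups and the laptop with no endpoint protection.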

This work aligns with CyFUN, Cyber Essentials, the Essential 8, and Cyber Essentials Plus simultaneously. It is the foundation on which everything else is built. Without it, no certification is meaningful.

Priority 2: Achieve Cyber Essentials

If you operate in Ireland or the UK, work with regulated sectors, or supply enterprise clients, Cyber Essentials is the most practical first certification. It forces structured implementation of the five core controls, is affordable (typically under €500 for small businesses), is widely recognised by procurement teams, and covers the basics thoroughly.

For many small businesses, Cyber Essentials is the right balance of effort and benefit. It is achievable in weeks, not months, once the core controls are in place.

Priority 3: Align with Essential 8 Maturity Levels

If you want stronger ransomware resilience, handle sensitive data, or operate in a sector with elevated risk, aligning with the Essential 8 gives you clear maturity targets to work towards. Start with Maturity Level 1 across all eight strategies — this means each control is implemented in a basic but consistent way. Then progress to Level 2 for the highest-risk controls: MFA, patching, and admin restriction.

The Essential 8 is more technically demanding than Cyber Essentials, but the maturity level structure means you can make measurable progress without needing to achieve everything at once.

Priority 4: Upgrade to Cyber Essentials Plus

Move to Cyber Essentials Plus when contracts require it, when you store sensitive client data, or when you need stronger trust signals for enterprise or regulated sector clients. It does not add new controls — it validates the ones you already have. If you have implemented the core controls properly, the Plus assessment should not reveal significant surprises.


A Simple Decision Guide

Not sure which framework applies to your situation? Here is a straightforward guide.

If you are an Irish SME just starting out: Use CyFUN as your self-assessment tool to understand where you stand. Implement the overlapping core controls. Then pursue Cyber Essentials as your first formal certification.

If you supply UK government contracts or UK enterprise clients: Cyber Essentials is likely mandatory. Get it. Then consider Plus if your contracts require it.

If you handle sensitive personal data — medical, financial, legal: Cyber Essentials Plus is the appropriate standard. The independent testing provides the assurance your clients and regulators need.

If ransomware resilience is your primary concern: Align with the Essential 8. Its explicit focus on application control, macro settings, and backups that ordinary accounts cannot alter or delete makes it the strongest of the four for preventing and recovering from ransomware attacks.

If you are in scope for NIS2: CyFUN is the NCSC Ireland's recommended path to compliance. Use it as your governance structure, layer in Cyber Essentials controls for the technical baseline, and consider Essential 8 maturity levels for ongoing improvement.


The Reality Check: What No Framework Can Replace

Every framework covered in this guide is a tool. Tools are only useful if the person using them understands why they matter.

No framework replaces staff awareness. The most technically robust security controls in the world will not stop an employee who clicks a phishing link because they have never been taught to recognise one. Regular, practical security awareness training is not optional — it is the human layer that all technical controls depend on.

No framework replaces strong password habits. Password reuse across personal and work accounts remains one of the most common causes of business account compromise. A password manager and a clear password policy cost almost nothing and prevent a significant proportion of credential-based attacks.

No framework replaces leadership accountability. Cybersecurity is not an IT problem. It is a business risk management problem. The director who signs off on the budget, the manager who decides whether to apply patches this week or next month, the owner who decides whether MFA is worth the minor inconvenience — these are the decisions that determine whether a framework is implemented or just documented.

No framework replaces regular review. The threat landscape changes. Your business changes. The controls that were appropriate twelve months ago may not be sufficient today. A quarterly review of your security posture — even a brief one — is more valuable than a certification that sits in a drawer.

Frameworks repeat the same controls because those controls work. Implement the overlapping core properly and you have already reduced most real-world small business risk. Certification then becomes a business decision — about demonstrating your security to others — not a security one.


Where Pragmatic Security Can Help

Most Irish SMEs are closer to Cyber Essentials compliance than they think. The gap between where you are and where you need to be is usually not technical complexity — it is knowing which controls to prioritise, how to implement them correctly, and how to document them in a way that satisfies an assessor.

In a free 20-minute call, we will tell you exactly where your business stands against the overlapping core controls, which framework is the right starting point for your specific situation, and what the three highest-priority actions are for your business right now.

No sales pitch. No obligation. Just a straight answer from a senior security professional who has helped Irish SMEs implement these frameworks from Donegal to Dublin.


Book your free 20-minute CyFUN and Cyber Essentials assessment: pragmaticsecurity.ie/book-a-call

We will map your current controls against the overlapping core, identify your biggest gaps, and give you a prioritised action plan — at no cost and no obligation.


Frequently Asked Questions

Is CyFUN mandatory for Irish businesses?

CyFUN is currently voluntary. However, it is the NCSC Ireland's recommended baseline for NIS2 compliance, and NIS2 is mandatory for businesses in scope. If your business falls under NIS2 — including those in supply chains of larger organisations — using CyFUN is the most straightforward way to demonstrate compliance to regulators.

Do I need Cyber Essentials certification to use the framework?

No. You can implement the five Cyber Essentials controls without pursuing formal certification. However, if you supply UK public sector contracts or work with UK enterprise clients, certification is often required by your customer. For Irish businesses, the certification is increasingly requested by enterprise procurement teams even without a formal requirement.

How long does it take to implement the core controls?

For a typical Irish SME with 10–50 employees, implementing the overlapping core controls — MFA, patching, admin restriction, backups, endpoint protection — takes four to eight weeks when approached systematically. Achieving Cyber Essentials certification typically takes an additional two to four weeks for documentation and assessment. The 7-Day Govern Quick Start in our CyFUN Framework hub gets your governance structure in place in a week.

What is the difference between Essential 8 Maturity Level 1 and Level 2?

Maturity Level 1 means the control is in place in a basic but consistent way. For MFA, that broadly means users authenticate with MFA to your internet-facing services and to the online services that hold your sensitive data. Maturity Level 2 tightens the same control: MFA also covers privileged users on internal systems, and the methods used must be phishing-resistant (for example, FIDO2 security keys rather than SMS codes). Most Irish SMEs should target Level 1 across all eight strategies as a starting point, then progress to Level 2 for the highest-risk controls.

Can a vCISO help with framework implementation?

Yes — and for most Irish SMEs, a vCISO is the most cost-effective way to implement these frameworks. A vCISO provides the senior security leadership to drive governance, the technical expertise to implement controls, and the ongoing oversight to maintain compliance. Pragmatic Security provides vCISO services from €1,500/month — a fraction of the cost of a full-time CISO.


James McGee is the founder of Pragmatic Security, an Irish cybersecurity consultancy specialising in vCISO services, NIS2 compliance, and practical security implementation for SMEs. Pragmatic Security works with businesses across Donegal, Sligo, and Ireland. Contact: [email protected]
