xWiki for Cyber Essentials (UK)
Cyber Essentials is the UK government-backed certification scheme designed to help organisations protect themselves against the most common cyber attacks. While the technical controls it prescribes are relatively straightforward, the documentation and evidence requirements often catch organisations off guard, particularly those pursuing the more rigorous Cyber Essentials Plus certification. xWiki provides a structured, version-controlled platform for documenting every control, collecting assessment evidence, and maintaining the ongoing records that keep certification current.
What Cyber Essentials Requires
The scheme centres on five technical controls that together address the vast majority of commodity cyber threats. Organisations must demonstrate that these controls are implemented, documented, and consistently applied across all devices and systems in scope. For the basic Cyber Essentials certification, this involves completing a verified self-assessment questionnaire. For Cyber Essentials Plus, an external assessor performs hands-on technical testing. In both cases, having well-organised documentation significantly reduces the effort involved in preparing for and passing the assessment.
Documenting the Five Technical Controls
Each of the five controls carries specific documentation expectations. xWiki's hierarchical page structure allows organisations to create a dedicated space for Cyber Essentials with a child page for each control area, keeping everything organised and easy to navigate during assessment preparation.
Boundary Firewalls and Internet Gateways
Organisations must document how they control traffic at the boundary between their internal networks and the internet. In xWiki, this means maintaining pages that describe the firewall architecture, default-deny rule sets, the process for approving new firewall rules, and a record of all currently active rules with their business justification. Embedded network diagrams show the placement of firewalls and gateways, and version history proves that the documentation is reviewed whenever changes are made to the network perimeter.
Secure Configuration
The secure configuration control requires that computers and network devices are configured to reduce unnecessary functionality and known vulnerabilities. xWiki can host baseline configuration standards for each device type, covering topics such as removal of unnecessary software, disabling of default accounts, and enforcement of minimum password policies. When a new device type is introduced, the corresponding baseline page is created from a standard template, ensuring consistency across the documentation set.
Access Control
Cyber Essentials demands that user accounts are managed carefully, with access granted only to the applications and data each user needs. xWiki pages can document the access control policy, the process for creating and removing user accounts, privilege escalation procedures, and the schedule for periodic access reviews. A structured table listing all administrative accounts, their owners, and the date of last review provides assessors with immediate visibility into how access is governed.
| Technical Control | Key Documentation | xWiki Approach |
|---|---|---|
| Boundary Firewalls | Firewall rules, network diagrams | Embedded diagrams, rule justification pages |
| Secure Configuration | Baseline standards per device type | Templated pages with configuration checklists |
| Access Control | Account policies, admin account register | Structured data pages with review records |
| Malware Protection | Anti-malware deployment records | Status pages with update verification logs |
| Patch Management | Patching policy, patch status reports | Scheduled review pages with compliance dashboards |
Malware Protection
Organisations must ensure that malware protection is installed, active, and kept up to date on all devices in scope. Documentation in xWiki should cover the anti-malware policy, the products deployed, update frequency expectations, and procedures for responding to malware detections. Regular status snapshots, recorded as child pages with dates, demonstrate to assessors that protection is continuously maintained rather than configured once and forgotten.
Patch Management
The patch management control requires that software is kept up to date and that patches for known vulnerabilities are applied within fourteen days of release. xWiki is well suited to documenting the patching policy, the tools used to identify missing patches, the approval and testing process, and the timeline targets for different patch severity levels. Monthly patch status reports can be logged as dated child pages, building a longitudinal record that shows consistent compliance over time.
Evidence Collection for Assessment
For Cyber Essentials Plus, the external assessor will look beyond documentation to verify controls through technical testing. However, well-maintained documentation in xWiki accelerates the assessment process by giving the assessor confidence that controls are systematically managed. Evidence pages can include screenshots of firewall configurations, exports from patch management tools, access review sign-off records, and anti-malware deployment reports. Tagging evidence by control area allows the compliance team to quickly assemble everything the assessor needs.
Organisations that hold or are working toward additional certifications such as ISO 27001 or PCI DSS can use xWiki to cross-reference overlapping controls, reducing duplication and ensuring consistency across compliance programmes.
Start documenting your Cyber Essentials controls in a platform built for structured, auditable content. Explore MassiveGRID's managed xWiki hosting for a fully supported deployment, or contact us to discuss your requirements.
Published by MassiveGRID — managed infrastructure and hosting for teams that depend on xWiki for mission-critical documentation.