Cyber Essentials is the UK government's baseline security certification — developed by the NCSC and designed specifically to protect businesses from the most common cyber attacks. It's not as complex or expensive as ISO 27001, and it doesn't require a security team to achieve. For most small and medium businesses, it's the most practical security credential available.
This post covers everything you need to know: what the scheme actually tests, the difference between the two levels, what you get from achieving it, how the certification process works, and who is authorised to certify you.
What Cyber Essentials Actually Tests
The scheme focuses on five technical controls, chosen because they address the attack vectors behind the vast majority of opportunistic cyber incidents. If you have these five things in place and configured correctly, you are substantially better protected than most businesses of your size.
- Firewalls. All devices connecting to the internet must be protected by a correctly configured firewall. This includes boundary firewalls protecting your network and, crucially, software firewalls on individual laptops and mobile devices — particularly important if staff work remotely or use their own equipment.
- Secure configuration. Devices and software must be configured securely before use. Default settings on routers, operating systems, and applications are often designed for convenience rather than security — Cyber Essentials requires you to change default passwords, disable unnecessary features, and remove software you don't use.
- User access control. User accounts should only have the level of access they actually need to do their job: standard accounts for day-to-day work, and separate administrator accounts used only for administrative tasks (not for email or web browsing). This limits the damage if an account is compromised. Malware can still run in the context of a standard account, but an attacker who lands in one cannot install system-wide software, disable protections, or change system settings without first obtaining administrative access.
- Malware protection. Devices must have active, up-to-date protection against malware. This can be achieved through traditional antivirus software or through technical controls that prevent unapproved software from running — for example, application allowlisting or managed app stores on mobile devices.
- Patch management. Software and operating systems must be kept up to date, with automatic updates enabled wherever the product supports them. Specifically, updates that fix vulnerabilities the vendor rates critical or high (or that carry a CVSS v3 base score of 7.0 or above) must be applied within 14 days of release, and software that is no longer receiving security updates from its vendor must be removed or replaced. Many of the most damaging cyber incidents exploit vulnerabilities that had patches available months or years earlier.
The NCSC estimates that Cyber Essentials certification protects against approximately 80% of common cyber attacks — the opportunistic, automated scanning that makes up the overwhelming majority of incidents affecting small businesses. It won't protect you against a determined, targeted attacker — but it will make you an unattractive target for the vast majority of threats you'll actually face.
The Two Levels
Cyber Essentials comes in two tiers. Both test the same five controls. Cyber Essentials is a self-assessment: you answer an online questionnaire and a Certification Body reviews your answers. Cyber Essentials Plus adds an independent technical audit, in which the Certification Body tests a sample of your in-scope devices and your internet-facing systems to verify that the controls you declared are actually in place. The difference is who verifies your answers and how rigorously.
For most small businesses, Cyber Essentials is the right starting point. It's achievable in a few days of preparation, the cost is modest, and the certificate carries genuine weight. Cyber Essentials Plus is increasingly required in government and defence supply chains, and provides stronger assurance to clients who need confidence that your controls have been independently tested — not just declared.
What You Get From It
Government and public sector contracts
Since 2014, suppliers bidding for central government contracts that involve handling personal or sensitive information, or providing certain ICT products and services, have been required to hold Cyber Essentials certification. This is a hard requirement, not a preference: without it, you cannot bid. For contracts involving MOD work or higher-sensitivity government systems, Cyber Essentials Plus is typically required. If public sector work is part of your growth plan, certification is not optional.
Cyber insurance
Cyber Essentials certification is one of the most tangible signals an insurer looks for when assessing a risk. Many brokers and underwriters offer premium discounts to certified businesses; some specialist policies are only available to certified organisations. Additionally, basic Cyber Essentials certification (Plus is not required) includes 12 months of cyber liability insurance at no extra cost, arranged through IASME as part of the scheme and underwritten by specialist insurers. To qualify you must be UK-domiciled, have an annual turnover under £20 million, and certify your whole organisation rather than a subset of it. The policy covers up to £25,000 of costs from a cyber incident, which is useful as a bridge while you establish a full standalone policy.
Supply chain confidence
Large organisations are increasingly conducting security assessments of their suppliers and requiring certification as a condition of doing business. Holding Cyber Essentials allows you to answer "yes" to the security questionnaires that come with significant commercial relationships — and to do so credibly, backed by an independently issued certificate rather than an assertion.
GDPR and regulatory standing
UK GDPR requires organisations to implement "appropriate technical and organisational measures" to protect personal data. Cyber Essentials is not a substitute for a full GDPR compliance programme, but it is widely regarded as evidence of a reasonable baseline of technical security. In the event of a breach, holding a current Cyber Essentials certificate is a meaningful factor in demonstrating that you had appropriate measures in place — which matters both to the ICO and to any affected individuals.
How the Certification Process Works
You don't apply to the NCSC directly. Certification is delivered through a network of accredited Certification Bodies (CBs) who are authorised to carry out assessments on the NCSC's behalf. The process for each level looks like this:
Cyber Essentials
- Choose an accredited Certification Body (see below) and purchase an assessment.
- Complete the online self-assessment questionnaire — this covers your organisation's scope, the five technical controls, and your current configuration. Be precise: vague or overstated answers are the most common reason assessments are delayed or failed.
- Your CB reviews your answers and may come back with clarification questions. If everything is in order, they issue your certificate. If gaps are identified, you address them and resubmit.
- Your certificate is valid for 12 months. You'll need to recertify annually to maintain it.
Cyber Essentials Plus
- You must hold a valid Cyber Essentials certificate first, and the Plus audit must be completed within three months of that certificate being issued. Plus is an extension, not a standalone assessment.
- Your CB conducts an on-site or remote technical audit. This typically includes: external vulnerability scanning of your internet-facing systems, internal testing of a representative sample of devices, verification of patch levels and software versions, testing of multi-factor authentication and access controls, and review of firewall and configuration settings.
- The audit scope covers all devices and systems within your certification boundary. The default, and what the scheme expects, is the whole organisation; you can exclude a part of it only if it sits behind its own firewall boundary as a distinct sub-network, and a partial scope forfeits the included cyber liability insurance. A tightly defined boundary keeps the assessment manageable (and affordable), but it must be a network boundary, not a judgement about which systems handle sensitive data.
- If any failures are found, you have 30 days to remediate and retest before having to restart the process.
The most common reasons businesses fail their first Cyber Essentials assessment: out-of-date software (particularly older versions of Windows, Office, or browser plugins), default credentials still in use on network devices, and administrator accounts used for day-to-day tasks. All three are straightforward to fix before you start — it's worth doing an honest internal review first.
Who Can Certify You
The Cyber Essentials scheme is managed by IASME Consortium on behalf of the NCSC. IASME is the sole licence holder for the scheme and is responsible for accrediting all Certification Bodies. You should only work with a CB that appears on the official IASME-accredited list — using an unaccredited provider means any certificate they issue is not recognised by the NCSC, government procurement, or insurers.
Well-known accredited Certification Bodies include IASME itself (which certifies directly as well as through its network), BSI Group, Pentest People, and a wide range of regional IT security firms. Many penetration testing companies, including CREST members, are also accredited CBs, but CREST membership is not itself accreditation: only the IASME list counts. The full list is searchable at iasme.co.uk, where you can filter by location and whether they offer CE, CE Plus, or both.
Prices vary between CBs, so it's worth getting two or three quotes. The cheapest option isn't always the best — the quality of pre-assessment guidance and willingness to work through any remediation with you varies significantly. For most SMBs, a CB that provides clear pre-assessment guidance and treats the process as collaborative rather than just a checkbox exercise is worth paying a modest premium for.
Preparing for Your Assessment
You don't need to engage an IT company to achieve Cyber Essentials — it's designed to be accessible to organisations without dedicated security staff. That said, a few hours of honest internal preparation significantly increases your chance of passing first time.
- Define your scope carefully before you start. The assessment applies to all devices within your defined boundary, and the scheme expects that boundary to be your whole organisation unless you carve out a separately firewalled sub-network. Personally owned devices that staff use to access company data or services (email, cloud file storage, line-of-business apps) are in scope and must meet the same controls; you cannot exclude them simply because the company does not own them. If keeping the scope manageable matters, the lever is to limit which devices are allowed to access company data, not to leave them out of the declaration.
- Audit your software and patch status. Run Windows Update on all devices. Update all software — particularly web browsers, Office, and any line-of-business applications. Check that any software no longer receiving updates from its vendor has been removed or replaced. This alone resolves the majority of first-time failures.
- Review all default credentials. Check every router, firewall, network switch, and internet-connected device for default usernames and passwords. Change them. This takes less than an hour and is one of the most impactful security improvements you can make regardless of certification.
- Check your user account structure. Do staff log in with administrator accounts for everyday work? If so, create standard accounts for daily use and limit admin accounts to actual admin tasks. This is a configuration change, not a new tool or purchase.
- Verify your firewall coverage. Ensure every device — including laptops used at home or in coffee shops — has its software firewall enabled. On Windows, this is under Windows Security; on Mac, under System Settings > Network > Firewall.
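The preparation steps above, and the five controls they map to, can be sanity-checked on a Windows endpoint before you pay for an assessment. The script below is an added example written for this page; it is not part of the Cyber Essentials scheme, IASME's tooling, or any Certification Body's process. It assumes Windows 10 or 11 with PowerShell 5.1 run from an elevated session, that Microsoft Defender is the malware protection in use (a third-party product will make that check report a failure you then verify by hand), and two thresholds that are this script's own choices: the 14-day patch window from the scheme, and 7 days as the limit for "current" antivirus signatures.

```powershell
# Added example: Cyber Essentials pre-assessment self-check for one Windows endpoint.
# Not the scheme's or any Certification Body's code. Assumptions: Windows 10/11,
# PowerShell 5.1, elevated session, Microsoft Defender. Thresholds are assumed.
function Test-CeEndpoint {
    [CmdletBinding()]
    param(
        [int]$MaxPatchAgeDays     = 14,  # assumed: CE 14-day window for critical/high updates
        [int]$MaxSignatureAgeDays = 7    # assumed: what we accept as "up to date" AV signatures
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Control, $Check, $Pass, $Detail) {
        $findings.Add([pscustomobject]@{
            Control = $Control; Check = $Check
            Result  = $(if ($Pass) { 'PASS' } else { 'FAIL' })
            Detail  = $Detail
        })
    }

    # Control 1: Firewalls. All three profiles must be on, so a laptop stays
    # protected on a home or coffee-shop network (Private/Public), not just the office (Domain).
    foreach ($p in Get-NetFirewallProfile) {
        Add-Finding 'Firewalls' "Profile $($p.Name) enabled" ([bool]$p.Enabled) "Enabled=$($p.Enabled)"
    }

    # Control 2: Secure configuration. The built-in Guest account (RID 501) must be disabled,
    # and the OS must still be receiving security updates (Windows 7/8/8.1 are out of support).
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if ($guest) {
        Add-Finding 'Secure configuration' 'Built-in Guest account disabled' (-not $guest.Enabled) "Guest enabled=$($guest.Enabled)"
    }
    $os = Get-CimInstance Win32_OperatingSystem
    $unsupported = $os.Caption -match 'Windows (7|8|8\.1)\b'
    Add-Finding 'Secure configuration' 'Operating system still supported by vendor' (-not $unsupported) "$($os.Caption) build $($os.BuildNumber)"

    # Control 3: User access control. The interactively logged-on user (the account used for
    # email and browsing) should not be a member of the local Administrators group.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    $loggedOn = (Get-CimInstance Win32_ComputerSystem).UserName   # DOMAIN\user or COMPUTER\user
    Add-Finding 'User access control' 'Logged-on user is not a local administrator' (-not ($admins -contains $loggedOn)) "User=$loggedOn; Admins=$($admins -join ', ')"

    # Control 4: Malware protection. Real-time protection on and signatures recent.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        Add-Finding 'Malware protection' 'Defender real-time protection enabled' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) "AV=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled)"
        Add-Finding 'Malware protection' "Signatures no older than $MaxSignatureAgeDays days" ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) "SignatureAge=$($mp.AntivirusSignatureAge) days"
    } catch {
        # Third-party AV or Defender disabled: verify the product's status by hand.
        Add-Finding 'Malware protection' 'Defender status readable' $false "Check your AV product manually: $($_.Exception.Message)"
    }

    # Control 5: Patch management. Two views: when the last hotfix landed (a heuristic, since
    # nothing may have been released), and whether Windows Update still has anything pending.
    $hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
    if ($hotfixes) {
        $age = ((Get-Date) - $hotfixes[0].InstalledOn).Days
        Add-Finding 'Patch management' "Last update installed within $MaxPatchAgeDays days" ($age -le $MaxPatchAgeDays) "$($hotfixes[0].HotFixID) installed $($hotfixes[0].InstalledOn.ToShortDateString()) ($age days ago)"
    }
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
        $titles   = @($pending | ForEach-Object { $_.Title })
        Add-Finding 'Patch management' 'No pending Windows updates' ($pending.Count -eq 0) ($titles -join '; ')
    } catch {
        Add-Finding 'Patch management' 'Windows Update query succeeded' $false $_.Exception.Message
    }

    return $findings
}

# Usage: run from the account you use day to day, in an elevated window.
Test-CeEndpoint | Format-Table Control, Check, Result, Detail -AutoSize
```

Every FAIL row corresponds to one of the first-time failure causes listed above and is a configuration change rather than a purchase: enable the firewall profile, disable Guest, move daily work to a standard account, turn real-time protection back on, or let Windows Update finish. Treat a PASS on the hotfix-age heuristic as necessary rather than sufficient; the pending-updates query is the authoritative signal, and it only covers Microsoft products, so browsers and line-of-business software still need their own update check.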
Is It Worth It?
For most small businesses the answer is yes, straightforwardly. The cost of basic Cyber Essentials is modest — comparable to a month's software subscription — and the process of completing it tends to surface and fix real security gaps that would otherwise remain unaddressed. The certificate opens doors in public sector supply chains, carries weight in conversations with larger clients, and in most cases unlocks a year of free cyber liability insurance that alone exceeds the cost of certification.
Cyber Essentials Plus is a more significant investment, but for businesses in sectors where it's expected — defence supply chain, government IT services, healthcare, financial services — the commercial and reputational benefits are clear. It's also a meaningful step toward more comprehensive frameworks like ISO 27001, if that's on your roadmap.
Neither level is a guarantee that you won't be breached. What they do is close the doors that most attackers rely on being open — and demonstrate to clients, partners, and insurers that you've done the work to close them.
Know Where You Stand Before You Apply
Faradome RisQ gives you a clear picture of your current security posture — so you can identify and fix gaps before your Cyber Essentials assessment, not during it.