1. What is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme, launched in 2014 and managed by the National Cyber Security Centre (NCSC). It was designed to provide organisations with a structured baseline of cybersecurity controls that protect against the vast majority of common internet-borne cyber attacks — phishing, malware, password attacks, and exploitation of known vulnerabilities.
The scheme is deliberately pragmatic: rather than addressing every conceivable threat, it focuses on the five technical controls that, when properly implemented, protect against approximately 80% of commodity cyber attacks. This makes it achievable for organisations of any size, including micro-businesses and charities, without requiring a dedicated security team.
There are two levels of Cyber Essentials certification:
- Cyber Essentials (CE) — self-assessment questionnaire, verified by an NCSC-accredited certification body
- Cyber Essentials Plus (CE+) — independent technical audit that tests the controls you claimed in the self-assessment
2. Who Needs It — Mandatory and Recommended
Cyber Essentials certification is mandatory for a specific category of UK government suppliers, and strongly recommended for any organisation that handles sensitive data or wants to demonstrate a credible cybersecurity posture to clients and insurers.
| Category | Mandatory? | Why |
|---|---|---|
| UK government supplier (personal data or IT products/services) | YES | Cabinet Office requirement for all government contracts involving personal data or certain IT services, since 2014 |
| MoD supply chain | YES | Defence Cyber Protection Partnership (DCPP) requires CE for suppliers handling OFFICIAL information |
| NHS supplier (certain contracts) | YES | NHS Data Security and Protection Toolkit references CE; some NHS contracts specify CE as a requirement |
| Any UK SME | STRONGLY RECOMMENDED | Cyber insurance discounts, client reassurance, demonstrated due diligence in the event of an incident |
| Charity handling personal data | RECOMMENDED | Trustees' duty of care to beneficiaries; funding bodies increasingly require CE; ICO expects appropriate security under UK GDPR |
3. Two Certification Levels: CE and CE+
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment type | Self-assessment questionnaire | Independent technical audit by accredited assessor |
| Who verifies | Certification body reviews and verifies your answers | Auditor actively tests your systems and configurations |
| Cost (small org) | £300–500 | £1,500–3,000+ (varies by organisation size and complexity) |
| Technical testing | None — based on your self-reported answers | Vulnerability scanning, phishing simulation, configuration checks on in-scope devices |
| Certificate validity | 12 months | 12 months |
| Typically required for | Most UK government contracts, general client assurance | MoD OFFICIAL-SENSITIVE contracts, some NHS and intelligence community supply chain requirements |
4. The 5 Cyber Essentials Technical Controls
The five controls address the most common attack vectors used in commodity cyber attacks. They are deliberately achievable — most SMEs can implement all five with existing IT resources, without specialist security consultants.
- 1. Firewalls: A boundary firewall or router must be configured to block inbound connections to services that are not explicitly required for business purposes. Default passwords on firewalls and routers must be changed. Network access rules must be documented and reviewed regularly. Personal firewalls must be enabled on devices that connect to the internet directly (e.g. laptops used outside the office network).
- 2. Secure Configuration: Remove or disable unnecessary software, user accounts, and services on all in-scope devices. Apply vendor security settings and harden default configurations — default “out of the box” settings are typically insecure. Admin accounts must be used only for administrative tasks, not day-to-day browsing or email. Auto-run must be disabled to prevent malicious code executing automatically from removable media.
- 3. User Access Control: Standard user accounts (not admin accounts) must be used for day-to-day work. Admin rights must only be granted where explicitly necessary for a specific role. All accounts must use strong passwords of at least 8 characters (14+ recommended), or multi-factor authentication. Accounts belonging to individuals who have left the organisation must be removed or disabled promptly — within 24 hours of departure is best practice.
- 4. Malware Protection: Anti-malware software must be installed on all in-scope devices and configured to scan files automatically. Signature databases must be updated at least daily. Alternatively, application whitelisting (allowing only approved applications to run) or sandboxing for high-risk activities is accepted. Mobile device management (MDM) on company mobile devices can satisfy this control if properly configured.
- 5. Patch Management: Operating systems and all applications on in-scope devices must be patched within 14 days of a critical or high-severity security patch becoming available. Auto-updates must be enabled where the vendor supports them. Software that is no longer supported by the vendor (“end of life”) must be removed from in-scope devices — you cannot patch software for which patches no longer exist.
5. Scope of Assessment
The scope of a Cyber Essentials assessment covers all devices and software within your “internet-connected boundary”. This typically means every device that connects to the internet, all cloud services used for business, and any internet-facing servers or services operated by your organisation.
Defining your scope
- Map all internet connections — identify every point where your organisation's networks and devices connect to the public internet
- Include cloud services — SaaS applications (Microsoft 365, Google Workspace, Salesforce, etc.) used for business are in scope
- Include home working devices — company-issued devices used at home are in scope; BYOD devices used for work email or data are also in scope
- List all in-scope locations — if you have multiple offices, all must be included unless you can demonstrate they are entirely separate networks
6. Costs and Certification Bodies
| Certification level | Approximate cost | What's included |
|---|---|---|
| CE (small org, up to 10 users) | £300–400 | Access to self-assessment portal, review by certification body, digital certificate if passed |
| CE (medium org, 10–50 users) | £400–600 | Self-assessment portal, verification review, potential verification call with assessor |
| CE+ (small org) | £1,500–2,500 | Technical audit (vulnerability scanning, config checks), written audit report, certificate if passed |
| CE+ (medium org, multiple sites) | £2,500–5,000+ | Full technical audit across all in-scope locations and device types, detailed report, remediation guidance |
Certification bodies must be accredited by IASME (the scheme owner on behalf of NCSC). Well-known CREST-member certification bodies include IASME Consortium, Pentest People, NCC Group, and many regional IT security consultancies. Costs vary between providers, so it is worth obtaining two or three quotes.
7. How to Prepare — 8-Week Plan
Most SMEs can achieve Cyber Essentials certification within 8 weeks if they follow a structured preparation approach. The steps below assume you are starting from a typical SME baseline — some patching done, basic antivirus in place, but no formal security programme.
Week 1 — Define scope and create asset inventory
Produce a list of every device in scope (laptops, desktops, servers, mobiles, network devices). Record the operating system, owner, and location of each. This inventory is the foundation for all subsequent steps and will be required by the certification body.
Week 2 — Audit firewall rules and remove unnecessary ports
Review all inbound firewall rules on your boundary firewall and any cloud-hosted services. Remove rules that permit inbound connections to services not explicitly required for business. Change any default passwords on network equipment. Document the resulting rule set.
Week 3 — Review user accounts and remove stale ones
Audit all user accounts across all in-scope systems — laptops, servers, cloud services, SaaS applications. Remove or disable accounts for anyone who has left the organisation. Ensure no shared accounts exist. Document who has admin rights and confirm each is genuinely necessary.
Week 4 — Enable MFA for admin accounts and cloud services
Enable multi-factor authentication on all admin accounts and on all cloud services used for business (Microsoft 365, Google Workspace, AWS, Azure, etc.). MFA is required for privileged access and strongly recommended for standard user accounts. Document MFA status for each service.
Week 5 — Patch OS and applications across all devices
Apply all outstanding critical and high-severity patches to operating systems and applications on all in-scope devices. Enable automatic updates where possible. Remove any software that is end-of-life (no longer receiving security updates). Document the patching status of each device.
Week 6 — Deploy or update anti-malware on all in-scope devices
Ensure anti-malware software is installed and active on all in-scope devices. Verify that signature databases are set to update automatically at least daily. For mobile devices, ensure MDM is in place or equivalent protection is configured. Document your anti-malware deployment.
Week 7 — Review secure configuration and disable unnecessary services
Go through each device type and disable unnecessary services, features, and default accounts that are not required for the device's business purpose. Ensure admin accounts are not used for day-to-day tasks. Disable auto-run on all Windows devices. Check that cloud service configurations match vendor security baselines.
Week 8 — Complete self-assessment questionnaire and submit
Access the IASME Cyber Essentials portal, complete the self-assessment questionnaire for your organisation, and submit it to your chosen certification body. Be honest in your answers — certification bodies verify responses and inaccurate answers can lead to certificate revocation. Allow 3–5 working days for the body to review and issue your certificate.
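The evidence gathered in Weeks 1 to 7 is, in the end, an inventory of devices and accounts checked against the five controls. As an added example (not from the article and not an NCSC or IASME tool), the Python script below evaluates such an inventory using the thresholds the article quotes: the 14-day patch window, the 24-hour leaver window, daily signature updates, and an 8-character minimum password unless MFA is in place. The device and account records are constructed for illustration; the field names, the `Device` and `Account` classes and the `assess` function are this example's own design, not part of the scheme.

```python
"""Check a device and account inventory against the five Cyber Essentials
technical controls. Added example; all inventory data is constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

PATCH_WINDOW_DAYS = 14               # control 5: critical/high patches within 14 days
LEAVER_DISABLE = timedelta(hours=24)  # control 3: leaver accounts disabled within 24 hours
SIGNATURE_MAX_AGE_DAYS = 1           # control 4: signatures updated at least daily
MIN_PASSWORD_LEN = 8                 # control 3: 8+ characters unless MFA is enabled

CONTROLS = {1: "Firewalls", 2: "Secure configuration", 3: "User access control",
            4: "Malware protection", 5: "Patch management"}

Finding = Tuple[int, str]  # (control number, message)


@dataclass
class Device:
    name: str
    os: str
    os_supported: bool                      # False means the OS is end-of-life
    oldest_unapplied_patch: Optional[date]  # release date of the oldest outstanding critical/high patch
    av_installed: bool
    av_signature_date: Optional[date]
    autorun_disabled: bool
    host_firewall_on: bool


@dataclass
class Account:
    name: str
    is_admin: bool
    mfa_enabled: bool
    password_len: int
    left_at: Optional[datetime]  # when the person left; None if still employed
    disabled: bool


def check_device(dev: Device, today: date) -> List[Finding]:
    """Findings for controls 1, 2, 4 and 5 on a single device."""
    f: List[Finding] = []
    if not dev.host_firewall_on:
        f.append((1, f"{dev.name}: host firewall is off"))
    if not dev.autorun_disabled:
        f.append((2, f"{dev.name}: auto-run is enabled"))
    if not dev.av_installed:
        f.append((4, f"{dev.name}: no anti-malware installed"))
    elif dev.av_signature_date is None or (today - dev.av_signature_date).days > SIGNATURE_MAX_AGE_DAYS:
        f.append((4, f"{dev.name}: anti-malware signatures older than {SIGNATURE_MAX_AGE_DAYS} day(s)"))
    if not dev.os_supported:
        f.append((5, f"{dev.name}: end-of-life OS '{dev.os}' must be removed"))
    if dev.oldest_unapplied_patch is not None:
        age = (today - dev.oldest_unapplied_patch).days
        if age > PATCH_WINDOW_DAYS:
            f.append((5, f"{dev.name}: critical/high patch outstanding for {age} days"))
    return f


def check_account(acct: Account, now: datetime) -> List[Finding]:
    """Findings for control 3 on a single account."""
    f: List[Finding] = []
    # A leaver inside the 24-hour window is not yet a finding; beyond it, it is.
    if acct.left_at is not None and not acct.disabled and now - acct.left_at > LEAVER_DISABLE:
        f.append((3, f"{acct.name}: leaver account still enabled"))
    if acct.is_admin and not acct.mfa_enabled:
        f.append((3, f"{acct.name}: admin account without MFA"))
    if not acct.mfa_enabled and acct.password_len < MIN_PASSWORD_LEN:
        f.append((3, f"{acct.name}: password under {MIN_PASSWORD_LEN} characters and no MFA"))
    return f


def assess(devices: List[Device], accounts: List[Account],
           today: date, now: datetime) -> Dict[int, List[str]]:
    """Group every finding under its control number (1 to 5)."""
    report: Dict[int, List[str]] = {n: [] for n in CONTROLS}
    for d in devices:
        for n, msg in check_device(d, today):
            report[n].append(msg)
    for a in accounts:
        for n, msg in check_account(a, now):
            report[n].append(msg)
    return report


def is_compliant(report: Dict[int, List[str]]) -> bool:
    return not any(report.values())


# Constructed sample inventory (not real systems or people).
TODAY = date(2024, 6, 1)
NOW = datetime(2024, 6, 1, 9, 0)
DEVICES = [
    Device("LAPTOP-01", "Windows 11", True, date(2024, 5, 10), True, date(2024, 6, 1), True, True),
    Device("SRV-FILE-01", "Windows Server 2012", False, None, True, date(2024, 5, 28), True, True),
    Device("LAPTOP-02", "Windows 11", True, None, True, date(2024, 6, 1), False, False),
]
ACCOUNTS = [
    Account("alice", True, True, 16, None, False),
    Account("bob", True, False, 10, None, False),
    Account("carol", False, False, 7, None, False),
    Account("dave", False, False, 12, datetime(2024, 5, 28, 17, 0), False),   # left 3 days ago
    Account("erin", False, False, 12, datetime(2024, 5, 31, 16, 0), False),   # left 17 hours ago
]

if __name__ == "__main__":
    rep = assess(DEVICES, ACCOUNTS, TODAY, NOW)
    for n, name in CONTROLS.items():
        print(f"Control {n} ({name}): {len(rep[n])} finding(s)")
        for msg in rep[n]:
            print("   -", msg)
    print("Compliant:", is_compliant(rep))
```

Run against the sample data, the script reports eight findings: LAPTOP-02 fails controls 1 and 2, bob, carol and dave fail control 3, SRV-FILE-01 fails control 4 (stale signatures) and control 5 (end-of-life OS), and LAPTOP-01 fails control 5 with a patch 22 days outstanding. erin is not flagged because her departure is still inside the 24-hour window. Replacing the constructed lists with an export from your asset inventory and directory gives a repeatable pre-submission check for the Week 8 questionnaire.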
8. Cyber Essentials vs NIS Regulations vs ISO 27001
UK organisations often ask how Cyber Essentials relates to other cybersecurity frameworks. The three main standards serve different purposes and different audiences — they are complementary rather than competing.
| Standard | Scope | Cost | Time | Who needs it |
|---|---|---|---|---|
| Cyber Essentials | UK SMEs and government suppliers | Low (£300–5k) | 4–8 weeks | Any UK organisation; mandatory for gov suppliers |
| NIS Regulations | Designated OES + large DSPs | Medium–High (project cost) | 6–12 months | In-scope essential service operators and large digital service providers |
| ISO 27001 | Any organisation worldwide | High (audit fees + internal project) | 12–18 months | Enterprises, large supply chains, international contracts |
For most UK SMEs, the practical path is: Cyber Essentials first, then ISO 27001 if enterprise contracts require it, and NIS Regulations compliance if you are formally designated as an Operator of Essential Services. CE is not a prerequisite for the others, but the five controls it requires form a solid foundation that reduces the uplift needed for more comprehensive frameworks.
Start Your NIS / Cyber Compliance Journey
Whether you need Cyber Essentials for a government contract or NIS2 compliance for your EU operations, nis2.saaslab.pl helps you map your obligations and build your compliance programme.