What Cyber Essentials Is
Cyber Essentials is a UK government-backed cybersecurity certification scheme. It was launched in 2014 and is now owned by the National Cyber Security Centre (NCSC), with the IASME Consortium acting as its delivery partner. It sets out five basic technical controls that every organisation should have in place to protect against the most common cyber threats.
It is not a comprehensive security framework. It will not protect you from every possible attack. What it does is make sure you have the fundamentals covered, which is enough to prevent the vast majority of common, opportunistic cyber attacks that target small and medium businesses.
Think of it as a baseline. If you do not have these five things in order, you are leaving doors open that should be closed. Getting Cyber Essentials certified means an assessor has checked that you meet this baseline standard.
The Five Technical Controls
The entire scheme centres on five areas. They are not complicated, but they do require attention.
Firewalls. Every device that connects to the internet needs a firewall. This includes your network firewall or router, but also software firewalls on individual devices, particularly laptops that are used on home or public networks. The firewall should block unauthenticated inbound connections by default; any inbound rule you do open should be documented, justified and removed when it is no longer needed. Default passwords on firewalls and routers must be changed.
Secure configuration. Devices and software should only have the functions they need enabled. Default accounts should be removed or disabled. Default passwords must be changed to something strong. Auto-run features for removable media should be turned off. Basically, do not leave things in their out-of-the-box state.
User access control. People should only have access to the systems and data they need for their job. Admin accounts should be separate from everyday accounts and used only for admin tasks, not for day-to-day email and web browsing. When someone leaves the company, their accounts need to be disabled promptly. Passwords should be strong, and multi-factor authentication must be enabled on cloud services wherever the service supports it.
Malware protection. You need anti-malware software on all devices, and it needs to be kept up to date. This could be a traditional antivirus product or a more modern endpoint detection tool. The point is that something is actively scanning for and blocking malicious software. You also need to prevent users from installing unapproved applications.
Security update management (patching). All software and firmware must be kept up to date, including operating systems, browsers and the firmware on routers and firewalls. Updates that fix critical or high-severity vulnerabilities (a CVSS v3 score of 7.0 or above, or rated critical or high by the vendor) must be applied within 14 days of release. Software that is no longer supported by the vendor must be removed or isolated from the rest of the network. This is one of the areas where businesses most commonly fall short.
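The patching control is the one with hard numbers in it, so it is worth seeing how you would actually check it before an assessor does. The script below is an added example and not part of the Cyber Essentials scheme documentation or any assessor's tooling. It audits a constructed software inventory against the two rules above: a critical or high-severity update (CVSS 7.0+, or vendor-rated critical/high) must be installed within 14 days of release, and anything past its vendor support date must be flagged for removal or isolation. The inventory format, the host names and the update identifiers are all invented for the example; in practice you would feed it exported data from your patch management or RMM tool.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Thresholds from the Cyber Essentials requirements: critical/high fixes
# (CVSS v3 base score 7.0 or above, or vendor-rated critical/high) must be
# applied within 14 days of release.
PATCH_WINDOW_DAYS = 14
HIGH_SEVERITY_CVSS = 7.0


@dataclass
class Update:
    """One security update for a piece of software (constructed record format)."""
    id: str
    released: date                 # date the vendor made the fix available
    cvss: Optional[float]          # None if the vendor published no score
    vendor_rating: Optional[str]   # e.g. "critical", "high", "moderate"
    installed_on: Optional[date]   # None if the update is still missing


@dataclass
class Software:
    """A software product on a host (constructed record format)."""
    host: str
    name: str
    support_ends: Optional[date]   # None means the vendor still supports it
    updates: list = field(default_factory=list)


@dataclass
class Finding:
    host: str
    software: str
    status: str    # "UNSUPPORTED", "OVERDUE" or "LATE"
    detail: str


def is_high_or_critical(u: Update) -> bool:
    """Apply the scheme's severity test: CVSS >= 7.0 or vendor says critical/high."""
    if u.cvss is not None and u.cvss >= HIGH_SEVERITY_CVSS:
        return True
    return (u.vendor_rating or "").lower() in ("critical", "high")


def audit(inventory: list, today: date) -> list:
    """Return every way the inventory fails the patching control as of `today`."""
    findings = []
    for sw in inventory:
        if sw.support_ends is not None and sw.support_ends < today:
            findings.append(Finding(sw.host, sw.name, "UNSUPPORTED",
                                    f"vendor support ended {sw.support_ends}; remove or isolate"))
        for u in sw.updates:
            if not is_high_or_critical(u):
                continue   # lower-severity updates have no 14-day deadline
            deadline = u.released + timedelta(days=PATCH_WINDOW_DAYS)
            if u.installed_on is None:
                if today > deadline:
                    findings.append(Finding(sw.host, sw.name, "OVERDUE",
                                            f"{u.id} missing, {(today - deadline).days} days past the window"))
            elif u.installed_on > deadline:
                findings.append(Finding(sw.host, sw.name, "LATE",
                                        f"{u.id} applied {(u.installed_on - deadline).days} days late"))
    return findings


def sample_inventory() -> list:
    """Constructed sample data: one compliant host, one unsupported OS, one slow patcher."""
    return [
        Software("LAPTOP-01", "Windows 11 23H2", None, [
            Update("UPD-A", date(2024, 5, 14), 8.8, "critical", date(2024, 5, 20)),   # on time
            Update("UPD-B", date(2024, 5, 10), 9.1, "critical", None),                # still missing
            Update("UPD-C", date(2024, 4, 1), 5.3, "moderate", None),                 # out of scope
        ]),
        Software("SERVER-02", "Windows Server 2012 R2", date(2023, 10, 10), []),      # end of life
        Software("LAPTOP-03", "Chrome 124", None, [
            Update("UPD-D", date(2024, 4, 20), None, "High", date(2024, 5, 10)),     # applied late
        ]),
    ]


def run_sample(today: date = date(2024, 6, 1)) -> list:
    return audit(sample_inventory(), today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.status:11} {f.host:10} {f.software}: {f.detail}")
```

Note that the clock starts on the vendor's release date, not on the day your patch tool first sees the update, which is why the example records both the release and installation dates. Updates with no CVSS score still count if the vendor labels them critical or high, so the severity test checks both.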
Cyber Essentials vs Cyber Essentials Plus
There are two levels of certification, and it is important to understand the difference.
Cyber Essentials is a self-assessment. You fill in a questionnaire about your setup, a board member or equivalent signs a declaration that the answers are accurate, a qualified assessor reviews them, and if everything checks out, you get certified. You are essentially confirming that you have the five controls in place, and the assessor is verifying that your answers are consistent and plausible; nobody tests your systems.
Cyber Essentials Plus includes everything in the basic certification but adds an independent technical audit, which must be completed within three months of passing the self-assessment. An assessor will actually test your systems: an external vulnerability scan of your internet-facing services, an authenticated scan of a sample of your devices, and checks that malware protection blocks test files delivered by email and web download. They will verify that patches are applied, configurations are correct and your controls are working as described. It is a more rigorous process and carries more weight.
For many businesses, the basic Cyber Essentials is a good starting point. If you handle sensitive data, work with larger organisations or want the extra assurance, CE Plus is worth the additional investment.
Who Needs It
If you supply goods or services to UK central government, you need Cyber Essentials certification. This has been a requirement since 2014 for any contract that involves handling sensitive or personal information or providing certain ICT products and services. Without it, you cannot bid for these contracts.
Beyond government work, a growing number of private sector companies are asking their suppliers to hold Cyber Essentials certification. It is becoming a standard part of procurement and due diligence processes. If you work in a supply chain where data security matters, expect to be asked about it.
Even if nobody is requiring you to get certified, it is still a good idea. The five controls are genuinely useful and will protect your business from the most common attacks. Getting certified gives you a structured way to make sure the basics are in place rather than just assuming they are.
What It Costs
The assessment fee for basic Cyber Essentials is set by the IASME Consortium, which oversees the scheme, and is tiered by organisation size. For micro and small businesses, the assessment typically costs between £300 and £500 plus VAT. Certification bodies may charge extra if you want help preparing your answers, but the assessment fee itself does not vary by assessor.
Cyber Essentials Plus is more expensive because it involves hands-on testing. Expect to pay between £1,500 and £3,000 depending on the size of your organisation, the number of devices and the complexity of your setup. Larger organisations with multiple sites will be at the higher end.
These are the assessment costs. If your systems are not currently meeting the requirements, you will also need to factor in the cost of bringing things up to standard. That might mean updating software, reconfiguring devices, implementing MFA or replacing unsupported equipment. For most well-run businesses, the remediation work is not extensive, but if you have been neglecting updates and security for years, it could take more time and money.
How Long It Takes
If your setup is already in reasonable shape, the basic Cyber Essentials certification can be done in a few weeks. Most of that time is spent filling in the self-assessment questionnaire and gathering the information you need. The assessor typically turns it around within a few working days.
CE Plus takes longer because the technical audit needs to be scheduled and carried out. Allow four to six weeks from starting the process to receiving your certificate. Again, this assumes your systems are already meeting the requirements.
If you need to do remediation work first, add that time on top. Replacing an unsupported operating system across your business or implementing a new patch management process does not happen overnight. Be realistic about timelines and start the process well before any contract deadlines.
Is It Actually Worth It
Yes. Cyber Essentials is not perfect and it will not make you invulnerable, but it covers the basics that every business should have in place regardless of certification. The five controls are sensible, practical measures that protect against the most common attack methods.
There are also practical benefits beyond security. Many cyber insurance providers now ask whether you hold Cyber Essentials certification, and some offer reduced premiums for certified organisations; UK organisations with a turnover under £20 million also get a basic cyber liability insurance policy included with certification at no extra cost. It demonstrates to clients and partners that you take security seriously. And it gives you a structured annual review of your security posture, since the certificate is valid for 12 months and needs to be renewed each year.
The cost is modest compared to the potential impact of a cyber incident. The average cost of a data breach for a small business in the UK runs into thousands of pounds, not counting the reputational damage and lost business. Spending a few hundred pounds a year on certification that forces you to maintain good security hygiene is a sensible investment.
If you are not sure where you stand, get an IT provider to do a gap analysis against the Cyber Essentials requirements. That will tell you exactly what needs fixing and how much work is involved. From there, you can make an informed decision about when and how to pursue certification.