Cyber Essentials certification: what Somerset businesses need to know

Everything Somerset businesses need to know about Cyber Essentials certification, including what it covers, who needs it, and how to get certified.

Updated 10 February 2026

What Cyber Essentials actually is

Cyber Essentials is a UK government-backed certification scheme that helps businesses protect themselves against the most common cyber attacks. It was introduced in 2014 and is administered by the National Cyber Security Centre (NCSC). The idea is straightforward: if you get five basic technical controls right, you block the vast majority of commodity cyber attacks.

It is not about being unhackable. No certification can promise that. It is about proving that you have covered the basics properly, which is more than most small businesses can say.

Who actually needs it

Strictly speaking, nobody is legally required to have Cyber Essentials. But in practice, it is becoming essential for a growing number of Somerset businesses.

  • Any business bidding for UK government contracts that involve handling sensitive or personal information must hold Cyber Essentials certification. This has been mandatory since 2014.
  • Businesses working in large infrastructure and public sector supply chains frequently need it. Major contractors and project leads often require their subcontractors to hold Cyber Essentials as a minimum standard.
  • Somerset County Council and local authority suppliers are increasingly asking for it as part of procurement processes.
  • Insurance companies are starting to offer better cyber insurance rates to businesses that hold the certification.
  • Some larger private sector clients now ask for it as part of supplier due diligence.

Even if nobody is asking you for it right now, going through the process is a genuinely useful exercise. It forces you to look at your security setup properly, which most businesses never do until something goes wrong.

The five technical controls

Cyber Essentials focuses on five areas. None of them are exotic or complicated, which is sort of the point.

Firewalls. You need a properly configured firewall between your network and the internet. This includes software firewalls on individual devices if they connect to untrusted networks. Default passwords must be changed, and unnecessary services should be disabled.

Secure configuration. Computers and devices should be configured to reduce vulnerabilities. That means removing unnecessary software, changing default settings, and disabling features you do not use. Auto-run should be turned off, and guest accounts disabled.

User access control. Staff should only have access to what they need to do their job. Admin accounts should be separate from day-to-day accounts. Everyone should have their own login, and you need a process for removing access when someone leaves.

Malware protection. You need anti-malware software installed and kept up to date, or you need to use application whitelisting or sandboxing instead. For most small businesses, a decent endpoint protection product covers this.

Patch management. Software must be kept up to date. Security patches should be applied within 14 days of release. Unsupported software (anything that no longer gets security updates) must be removed.
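To show how the patch management control can be checked in practice rather than just described, here is an added example (not part of the original article and not a tool from NCSC or IASME) that walks a constructed software inventory and flags anything that breaks the two rules above: a security patch still missing more than 14 days after release, or software the vendor no longer supports. The host names, product names, versions and dates are all made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Cyber Essentials expects security patches to be applied within 14 days of release.
PATCH_WINDOW_DAYS = 14


@dataclass
class InstalledSoftware:
    host: str
    name: str
    installed_version: str
    latest_version: str
    latest_released: date   # release date of the newest security update
    supported: bool         # False once the vendor no longer issues security updates


def assess(item: InstalledSoftware, today: date) -> Optional[str]:
    """Return a finding for a non-compliant item, or None if it is fine."""
    if not item.supported:
        # Unsupported software fails the control regardless of version.
        return f"{item.host}: {item.name} {item.installed_version} is unsupported; remove or replace it"
    if item.installed_version == item.latest_version:
        return None
    days_overdue = (today - item.latest_released).days - PATCH_WINDOW_DAYS
    if days_overdue > 0:
        return (f"{item.host}: {item.name} missing patch {item.latest_version}, "
                f"{days_overdue} day(s) past the 14-day window")
    # Patch outstanding but still inside the 14-day window: not yet a failure.
    return None


def check_inventory(inventory: List[InstalledSoftware], today: date) -> List[str]:
    """Run assess() over the whole inventory and keep only the findings."""
    return [f for f in (assess(item, today) for item in inventory) if f]


# Constructed sample inventory (hypothetical hosts, products and versions).
TODAY = date(2026, 2, 10)
SAMPLE_INVENTORY = [
    # fully patched
    InstalledSoftware("laptop-01", "ExampleOffice", "5.2", "5.2", date(2026, 1, 20), True),
    # patch released 21 days ago, so 7 days past the window
    InstalledSoftware("laptop-02", "ExampleOffice", "5.1", "5.2", date(2026, 1, 20), True),
    # patch released 7 days ago, still inside the window
    InstalledSoftware("laptop-03", "ExampleBrowser", "118", "119", date(2026, 2, 3), True),
    # vendor no longer issues security updates
    InstalledSoftware("desk-04", "LegacyApp", "2.0", "2.0", date(2019, 5, 1), False),
]

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_INVENTORY, TODAY):
        print(finding)
```

Run against the constructed inventory, the script reports two findings (laptop-02 overdue, desk-04 unsupported) and stays quiet about laptop-03, whose patch is outstanding but still within the 14 days. Feeding it a real export from whatever your IT provider uses to track installed software gives you a simple list of what needs fixing before the self-assessment.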

Cyber Essentials vs Cyber Essentials Plus

There are two levels of certification, and the difference is important.

Cyber Essentials (basic) is a self-assessment. You fill in an online questionnaire about your security controls, and an assessor reviews your answers. If everything checks out, you get certified. It is relatively quick and affordable.

Cyber Essentials Plus includes everything from the basic level, but adds a hands-on technical audit. An assessor will actually test your systems, including vulnerability scans and phishing simulations, to verify that your controls work in practice, not just on paper. This is more involved and more expensive, but it carries more weight with clients and procurement teams.

For most Somerset businesses, starting with basic Cyber Essentials makes sense. If you are working in a major infrastructure supply chain or bidding for government contracts, you may need to step up to Plus.

How long it takes

If your IT is already in reasonable shape, you can get Cyber Essentials basic done in two to four weeks. That includes reviewing your current setup, making any changes needed, completing the self-assessment, and getting it reviewed by the certifying body.

If your IT is a mess (outdated systems, no patch management, everyone using the same admin account), it could take a couple of months to get things sorted before you can even apply.

Cyber Essentials Plus typically takes an additional two to three weeks on top of the basic certification, because the assessor needs to schedule the technical audit.

What it costs

The certification fee itself depends on your business size. For companies with fewer than 50 employees, the IASME assessment fee is currently around 300 to 400 pounds for basic Cyber Essentials. Larger organisations pay more.

Cyber Essentials Plus costs more because of the hands-on audit. Expect to pay between 1,500 and 3,000 pounds depending on the size and complexity of your setup.

On top of the assessment fees, you may need to budget for remediation work. If your IT provider needs to reconfigure your firewall, set up proper user access controls, or update a bunch of machines, that work is separate from the certification fee.

Getting started

The process is not complicated. Pick a certification body (there are several accredited by IASME), decide whether you are going for basic or Plus, and start reviewing your setup against the five controls. If you have an IT support provider, they should be able to guide you through the process and handle most of the technical requirements.

The certification is valid for 12 months, so you will need to renew annually. The renewal process is the same as the initial certification, which keeps you honest about maintaining your security standards rather than letting things slide after the first year.


Get in touch with our team to discuss how Cat Cybersecurity can help with your project.
