Cyber Essentials is a UK Government-backed certification scheme that helps organisations protect themselves against the most common cyber threats. It requires businesses to implement five basic technical security controls and verify them through an independent assessment. It is the minimum standard of cyber security that every UK business should meet.
The scheme was introduced by the National Cyber Security Centre (NCSC) and is administered through the IASME Consortium. Since 2014, it has been a mandatory requirement for any supplier bidding for UK Government contracts that involve handling sensitive or personal information.
But Cyber Essentials is not just about government contracts. It is increasingly expected by private-sector clients, insurance providers, and partners as evidence that your business takes security seriously.
The Two Levels of Cyber Essentials
Cyber Essentials (Basic)
The standard level involves a self-assessment questionnaire. You answer questions about your security practices and technical controls, and an independent assessor reviews your answers. There is no hands-on technical testing at this level.
What it proves: Your organisation understands the five controls and states that they are implemented.
Cost: Approximately £300–£500 for the assessment, depending on your certification body and organisation size.
Timeline: Most businesses can complete the questionnaire in a few days, though preparation may take weeks if controls are not yet in place.
Cyber Essentials Plus
This is the more rigorous level. In addition to the self-assessment, a qualified assessor performs hands-on technical testing of your systems. They verify that the controls you claim to have are actually working.
The assessor will test a sample of your devices and infrastructure, attempt to access systems without authorisation, verify patch levels, check configurations, and confirm that your defences work in practice — not just on paper.
What it proves: Your controls have been independently verified through technical testing.
Cost: Approximately £1,500–£5,000, depending on the size and complexity of your organisation.
Timeline: The technical assessment typically takes 1–3 days on-site or remotely, but preparation can take several weeks.
Who Needs Cyber Essentials?
Mandatory For
- UK Government suppliers handling sensitive or personal information
- MOD suppliers — Cyber Essentials is a minimum requirement for Ministry of Defence contracts
- NHS suppliers — increasingly required for health sector contracts
Strongly Recommended For
- Any business handling personal data — Cyber Essentials demonstrates a practical effort towards UK GDPR compliance
- Businesses in regulated industries — finance, legal, healthcare
- Companies seeking cyber insurance — many insurers offer reduced premiums for certified businesses
- Organisations in supply chains — large clients increasingly require certification from suppliers
- Any SME — the five controls represent the bare minimum of responsible cyber security
The Five Technical Controls
Cyber Essentials is built around five fundamental security controls. These are not complex or expensive to implement. They are basic measures that every business should have in place regardless of certification.
1. Firewalls
A firewall controls the traffic flowing in and out of your network. It acts as a boundary between your internal systems and the internet, blocking unauthorised access while allowing legitimate traffic.
What the assessment checks:
- All devices connecting to the internet are protected by a properly configured firewall
- Default firewall passwords have been changed
- Firewall rules only allow traffic that is necessary for business purposes
- Administrative access to the firewall is restricted
Common failures:
- Using default passwords on routers or firewalls
- Allowing unnecessary inbound connections
- Not having a firewall on individual devices (especially laptops used outside the office)
2. Secure Configuration
Devices and software should be configured to reduce vulnerabilities. This means changing default settings, removing unnecessary software, and disabling features you do not use.
What the assessment checks:
- Default passwords have been changed on all devices and software
- Unnecessary user accounts have been removed or disabled
- Auto-run features are disabled
- Only necessary software is installed
- Screen lock activates after a short period of inactivity
Common failures:
- Guest accounts still enabled on workstations
- Default admin credentials on printers, routers, or IoT devices
- Unused software still installed and potentially vulnerable
3. Security Update Management
Software vulnerabilities are discovered regularly. Vendors release patches to fix them. Your job is to apply those patches promptly before attackers exploit them.
What the assessment checks:
- All software is licensed and supported (no end-of-life software)
- High-risk or critical security patches are applied within 14 days of release
- Automatic updates are enabled where possible
- Unsupported software has been removed
Common failures:
- Running Windows versions that are no longer supported
- Ignoring firmware updates on routers and firewalls
- Using outdated versions of browsers, plugins, or office software
- Third-party applications not included in the patching process
4. User Access Control
People should only have access to the systems and data they need for their role. Administrative privileges — the ability to install software, change settings, or access everything — should be tightly restricted.
What the assessment checks:
- Each user has their own individual account (no shared accounts)
- Administrative accounts are only used for administrative tasks
- User accounts only have the access necessary for their role
- Strong passwords or multi-factor authentication are enforced
- Accounts are removed or disabled when staff leave
Common failures:
- Everyone in the company has admin rights on their computer
- Shared login accounts (“the office account”)
- No process for revoking access when employees leave
- Weak password policies
5. Malware Protection
Your systems need protection against malicious software — viruses, ransomware, spyware, and other threats.
What the assessment checks:
- Anti-malware software is installed and active on all devices
- Anti-malware is configured to update automatically
- Anti-malware scans files automatically when accessed
- Users are prevented from running unapproved applications (application whitelisting) or anti-malware is in place
Common failures:
- Anti-virus disabled or expired on some devices
- No malware protection on Macs (the myth that Macs do not get viruses persists)
- Mobile devices excluded from malware protection
Common Reasons Businesses Fail Cyber Essentials
Understanding common failures helps you avoid them.
- End-of-life software. Running Windows 10 after its support end date, using an old version of macOS, or running legacy applications that no longer receive security patches.
- Missing patches. Having devices where critical updates are weeks or months overdue. The 14-day window for critical patches is strictly assessed.
- Default credentials. Printers, routers, smart TVs, and other networked devices still using factory passwords.
- Excessive admin rights. Staff using admin accounts for daily work. If your marketing manager can install software and change system settings, that is a failure.
- Bring-your-own-device without controls. Personal devices accessing company data without meeting the same security standards as company-owned equipment.
- Cloud services not considered. Forgetting that your Microsoft 365, Google Workspace, or AWS accounts are in scope and need the same controls applied.
- Incomplete scope definition. Not including all devices and services that should be in scope. If it connects to your network or handles your data, it is in scope.
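The failure reasons above lend themselves to a pre-assessment gap check run over your own asset inventory. The script below is an added example, not part of the original article or of any certification body's tooling; the inventory fields and the sample estate are constructed for illustration, and it encodes the 14-day critical-patch window, end-of-life software, default credentials, daily admin use and scope exclusions described above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 14            # the scheme's window for critical/high-risk patches
SAMPLE_TODAY = date(2024, 4, 1)   # constructed assessment date for the sample estate
@dataclass
class Asset:
    """One inventory record; the field names are this example's own, not the questionnaire's."""
    name: str
    declared_in_scope: bool = True          # inside the certification boundary you declared?
    os_supported: bool = True               # vendor still issues security patches
    critical_patch_released: Optional[date] = None
    critical_patch_applied: Optional[date] = None   # None = not yet applied
    default_credentials_changed: bool = True
    admin_accounts_used_daily: List[str] = field(default_factory=list)

def assess(asset: Asset, today: date) -> List[str]:
    """Return the control failures for one asset; an empty list means it passes."""
    if not asset.declared_in_scope:
        return ["scope: on the network or handling data, but excluded from the boundary"]
    failures = []
    if not asset.os_supported:
        failures.append("updates: end-of-life software, no security patches")
    released = asset.critical_patch_released
    deadline = released + timedelta(days=PATCH_WINDOW_DAYS) if released else None
    # Late if applied after the deadline, or still unapplied once the deadline has passed.
    if deadline and (asset.critical_patch_applied or today) > deadline:
        failures.append(f"updates: critical patch not applied within {PATCH_WINDOW_DAYS} days")
    if not asset.default_credentials_changed:
        failures.append("secure config: factory/default credentials still in use")
    if asset.admin_accounts_used_daily:
        failures.append("access control: admin accounts used for daily work by "
                        + ", ".join(asset.admin_accounts_used_daily))
    return failures

def assess_estate(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map each failing asset's name to its failures; passing assets are omitted."""
    return {a.name: f for a in assets if (f := assess(a, today))}

def sample_estate() -> List[Asset]:
    """Constructed sample inventory (not a real customer's), one asset per failure type."""
    return [
        Asset("laptop-01", critical_patch_released=date(2024, 3, 1), critical_patch_applied=date(2024, 3, 9)),
        Asset("laptop-02", critical_patch_released=date(2024, 3, 1), admin_accounts_used_daily=["j.smith"]),
        Asset("desktop-legacy", os_supported=False),
        Asset("printer-01", default_credentials_changed=False),
        Asset("m365-tenant", declared_in_scope=False),
    ]
```

Running `assess_estate(sample_estate(), SAMPLE_TODAY)` lists every asset with at least one failure, which is the remediation list for Step 3 of the preparation below.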
How to Prepare for Cyber Essentials Certification
Step 1: Define Your Scope
List every device, network, cloud service, and user account that falls within your certification boundary. This includes laptops, desktops, phones, tablets, servers, routers, firewalls, and cloud services.
Step 2: Audit Against the Five Controls
Walk through each of the five controls and honestly assess where you stand. For each one, ask: “If an assessor checked this today, would we pass?”
Step 3: Fix the Gaps
This is where most of the work happens. Common tasks include:
- Updating or replacing end-of-life software
- Applying outstanding security patches
- Changing default passwords across all devices
- Removing unnecessary admin rights
- Implementing a password policy or multi-factor authentication
- Installing and configuring anti-malware on all devices
- Reviewing and tightening firewall rules
Step 4: Document Everything
The self-assessment questionnaire requires you to describe your practices. Having clear documentation of your security policies, patch management process, and access control procedures makes this straightforward.
Step 5: Complete the Assessment
Choose a certification body accredited by IASME. Complete the self-assessment questionnaire honestly and thoroughly. If you are going for Plus, schedule the technical assessment.
Step 6: Maintain Certification
Cyber Essentials certification is valid for 12 months. You must recertify annually. Use the intervening months to maintain your controls and address any new issues.
Cost Breakdown
| Item | Estimated Cost |
|---|---|
| Cyber Essentials (Basic) assessment fee | £300–£500 |
| Cyber Essentials Plus assessment fee | £1,500–£5,000 |
| Remediation work (if needed) | £0–£5,000+ |
| External consultancy support | £500–£3,000 |
| Total (Basic, already compliant) | £300–£500 |
| Total (Plus, with remediation needed) | £3,000–£10,000 |
If your security posture is already reasonable, the cost is modest. If significant remediation is needed, the work pays for itself many times over in reduced risk.
Cyber Essentials vs Other Certifications
| Certification | Scope | Cost | Complexity |
|---|---|---|---|
| Cyber Essentials | Five basic controls | £300–£500 | Low |
| Cyber Essentials Plus | Verified five controls | £1,500–£5,000 | Medium |
| ISO 27001 | Full information security management system | £10,000–£50,000+ | High |
| SOC 2 | Trust service criteria (US-focused) | £15,000–£50,000+ | High |
Cyber Essentials is the starting point. ISO 27001 is the comprehensive standard. Many businesses start with Cyber Essentials and progress to ISO 27001 as they mature.
Beyond Certification
Certification is a milestone, not a destination. The five controls are a baseline — they protect against the most common, unsophisticated attacks. They will not stop a determined, skilled attacker targeting your business specifically.
For deeper assurance, consider:
- Penetration testing — active testing of your defences by ethical hackers
- Security awareness training — reducing the human risk factor
- Incident response planning — knowing what to do when something goes wrong
- Ongoing security monitoring — detecting threats in real time
Get Certified With Confidence
Cyber Essentials certification does not need to be complicated. The controls are straightforward, the process is well-defined, and the benefits — to your security, your reputation, and your eligibility for contracts — are substantial.
At Beu IT, our security services help UK businesses prepare for and achieve Cyber Essentials and Cyber Essentials Plus certification. We audit your current posture, fix the gaps, and guide you through the assessment process.
Get in touch to discuss your Cyber Essentials certification.