
What is Cyber Essentials and Does My Business Need It?

14 May 2026

Cyber Essentials is the UK government's baseline cyber security certification scheme, designed to help organisations protect themselves against the most common cyber threats. It's backed by the National Cyber Security Centre (NCSC) and has become increasingly expected — and in some sectors, required — as a condition of doing business.

Here's what you need to know.

What Does Cyber Essentials Actually Cover?

The scheme focuses on five technical controls that address the most common attack vectors. Together they protect against the vast majority of commodity cyber attacks — the kind that opportunistically scan the internet looking for easy targets.

1. Firewalls: Boundary firewalls and internet gateways should be configured to restrict inbound and outbound traffic to only what is necessary. Routers and firewalls must be secured and not left on default credentials.

2. Secure Configuration: Devices and software should be configured securely from the outset — unnecessary features disabled, default passwords changed, and unnecessary accounts removed.

3. User Access Control: User accounts should only have the access they need to do their job. Administrative privileges should be restricted and reviewed regularly.

4. Malware Protection: Devices must be protected against malware through anti-malware software, application allowlisting, or sandboxing.

5. Patch Management: Software and operating systems must be kept up to date. High and critical patches should be applied within 14 days of release.
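The 14-day rule for high and critical patches is the one control above that reduces to a concrete, checkable number. The following script is an added example, not code from the original post or from the certification scheme: it takes a constructed inventory of pending patches (hostnames, package names, CVSS scores and release dates are all made up) and reports which high/critical fixes have been available for more than 14 days without being installed, which is the kind of self-check worth running before a gap analysis.

```python
"""Cyber Essentials patch-window check over a constructed patch inventory.

Added example (not from the original post). It assumes a simple list of
pending patches with a CVSS score and a vendor release date, and flags any
high/critical fix (CVSS >= 7.0) that has been available for more than 14 days
without being installed. All records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

HIGH_SEVERITY_CVSS = 7.0            # "high" and "critical" in CVSS v3 terms
PATCH_WINDOW = timedelta(days=14)   # the Cyber Essentials deadline for such fixes
AS_OF = date(2026, 5, 14)           # the day the report is run (constructed)


@dataclass(frozen=True)
class PendingPatch:
    host: str
    package: str
    cvss: float
    released: date
    installed: bool


def overdue_patches(patches, today):
    """Return the patches that breach the 14-day rule as of the given day.

    A patch released exactly 14 days ago is still within the window; it
    becomes overdue on day 15.
    """
    deadline = today - PATCH_WINDOW
    return [
        p for p in patches
        if not p.installed and p.cvss >= HIGH_SEVERITY_CVSS and p.released < deadline
    ]


def days_overdue(patch, today):
    """Whole days by which an overdue patch has exceeded the 14-day window."""
    return (today - patch.released - PATCH_WINDOW).days


# Constructed sample inventory: hostnames, packages and scores are made up.
SAMPLE = [
    PendingPatch("laptop-01", "browser", 9.8, date(2026, 4, 20), installed=False),      # overdue
    PendingPatch("laptop-01", "office-suite", 5.4, date(2026, 4, 1), installed=False),  # medium: outside the rule
    PendingPatch("srv-file", "os-kernel", 7.8, date(2026, 5, 5), installed=False),      # still inside 14 days
    PendingPatch("srv-file", "vpn-client", 8.1, date(2026, 4, 10), installed=True),     # already fixed
]

if __name__ == "__main__":
    for p in overdue_patches(SAMPLE, AS_OF):
        print(f"{p.host}: {p.package} (CVSS {p.cvss}) is {days_overdue(p, AS_OF)} day(s) past the 14-day window")
```

Only the browser fix is reported: the medium-severity item falls outside the rule, the kernel patch is still within its window, and the VPN client is already installed.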

Cyber Essentials vs. Cyber Essentials Plus

There are two levels of certification:

Cyber Essentials is a self-assessed questionnaire verified independently by a certification body. You answer questions about your technical controls, a qualified assessor reviews your responses, and if your responses pass, you receive certification. This is the faster and lower-cost route.

Cyber Essentials Plus includes everything from the standard certification, plus a hands-on technical assessment carried out by the certifying body. Your systems are tested to verify the controls are actually in place and working as described. It's more rigorous, more credible, and understandably takes longer and costs more.

Which level is right for you depends on your sector, your customers' requirements, and your risk appetite. Many businesses start with Cyber Essentials and progress to Plus.

Who Needs It?

Government and public sector contracts. Since 2014, Cyber Essentials has been mandatory for all UK government contracts involving the handling of sensitive information or the provision of certain technical products and services. If you supply to the public sector, check your contract requirements.

Supply chain requirements. Large enterprise customers increasingly require their suppliers to hold Cyber Essentials. If you're providing IT services, professional services, or anything involving access to their systems or data, expect to be asked.

Regulated industries. Some sectors — defence, legal, financial services, healthcare — either mandate or strongly encourage it.

Insurance. A number of cyber liability insurers now ask about Cyber Essentials at renewal, and holding certification can affect your premium.

Even if none of the above apply to you, certification remains a credible way to demonstrate to customers and prospects that you take security seriously.

What Does the Process Involve?

The Cyber Essentials assessment covers devices and software in scope — typically all devices that handle business data, from servers and desktops through to laptops, tablets, and smartphones.

The process broadly involves:

  1. Scoping — defining which systems and locations are in scope for the assessment
  2. Gap analysis — reviewing your current controls against the five requirements and identifying what needs to change
  3. Remediation — addressing any gaps before the assessment
  4. Assessment — completing the self-assessment questionnaire (for CE) or undergoing technical testing (for CE+)
  5. Certification — if you pass, you receive a certificate valid for 12 months

The timeline varies. Businesses with well-maintained infrastructure and good security hygiene can move through the process in a few weeks. Those with more work to do will need longer.

What Cyber Essentials Doesn't Cover

It's important to be clear about what the scheme isn't. Cyber Essentials is a baseline. It protects against common, opportunistic attacks — but it doesn't address more sophisticated or targeted threats, insider risk, physical security, or business continuity.

Think of it as a solid foundation, not a complete security programme.

Cyber Essentials certification is one of the more practical and cost-effective steps a business can take to improve its security posture and demonstrate credibility. If you're considering it — or have been asked for it by a customer — we can help you understand what's involved and prepare your systems for assessment.

Get in touch to discuss Cyber Essentials for your business.
