What Cyber Essentials is

Cyber Essentials is a UK government-backed certification scheme, developed by the National Cyber Security Centre (NCSC) and delivered through IASME as the NCSC's partner. It sets out five technical controls that, properly implemented, stop the bulk of commodity, untargeted attacks: the kind that rely on unpatched software, default passwords, unrestricted admin rights and exposed services rather than on a determined, well-resourced adversary.

The scheme isn't a complex audit. At its core it's a self-assessment questionnaire: you answer questions about your IT environment, an assessor at a certification body reviews your answers and, if everything checks out, you receive a certificate. The questionnaire has to be signed off by a board member or equivalent, so someone senior is putting their name to the answers. It's designed to be accessible to businesses without large in-house security teams, which is precisely the point.

There are two levels. Cyber Essentials is the self-assessment route: you complete the questionnaire, pay the assessment fee and receive certification if you pass. Cyber Essentials Plus goes further – an independent assessor carries out a technical audit of your systems, including vulnerability scanning and hands-on testing, to verify that the controls you've described are actually in place and working correctly.

Both certificates expire after 12 months. Annual renewal isn't optional if you want to maintain certification – which matters if you're using it to meet contractual or regulatory requirements.

The five controls, briefly

The first control is firewalls. A firewall sits between your network and the internet and controls what traffic is allowed in and out. The requirement is to have one at the boundary of every network you use, and a host-based firewall on devices that leave it, such as laptops used on home or public Wi-Fi. It has to be configured deliberately rather than left on defaults that were never designed to be secure: the administrative password changed from the one it shipped with, remote administration from the internet disabled or protected, unauthenticated inbound connections blocked by default, and every open port tied to a documented business need and closed again when that need ends.

Secure configuration is about making sure devices and software are set up properly before they're connected to your network. Default usernames and passwords, unnecessary features left switched on, software installed that nobody uses, auto-run enabled for removable media: all of these expand the attack surface without adding any value. The principle is straightforward: only enable what you need, change anything that comes pre-configured with obvious credentials, and make sure every device requires a PIN, password or biometric before it can be used.

User access control means giving people only the access they actually need to do their jobs. Shared admin accounts, where several people log in as "admin" with one password, fail this immediately: there is no way to tell who did what, and the password is only as well protected as the least careful person who knows it. Every user should have their own account, admin rights should be restricted to those who genuinely need them, and those who have them should do everyday work such as browsing the web and reading email from a separate standard account, not the privileged one. Accounts should be created, reviewed and removed through a defined process, so that a leaver's access is actually revoked, and where a cloud service supports multi-factor authentication it has to be switched on for all users, not just administrators.

Malware protection covers every device in scope. The usual way to meet it is anti-malware software that is kept up to date, set to scan files automatically on access and to block connections to known malicious websites; on mobiles and similar devices, restricting installation to an approved app store or an application allow-list is an acceptable alternative. It sounds obvious, but we regularly see businesses with devices that haven't been brought into a managed endpoint protection solution: laptops used by remote workers, older machines running legacy software, personal devices connected to the corporate network. If a device can access your systems, it needs protection, and you need to be able to show that it is active and updating, not just that it was installed once.

Patch management (the requirements call it security update management) means keeping your operating systems, firmware and applications up to date. Attackers routinely exploit known vulnerabilities in unpatched software, vulnerabilities for which a fix already exists and has been sitting in your update queue. Cyber Essentials requires updates that fix vulnerabilities rated critical or high (a CVSS v3 base score of 7.0 or above, or described that way by the vendor) to be applied within 14 days of release, and all software in scope to be licensed and still supported by its vendor; anything out of support has to be removed or taken out of scope. Enabling automatic updates wherever the software offers them is the simplest way to meet the deadline. That's the standard. If your update process can't reliably meet it, that's a gap worth closing regardless of whether you're pursuing certification.

Who needs it

Cyber Essentials has been mandatory since 2014 for suppliers bidding for UK central government contracts that involve handling personal information or providing certain ICT products and services. If you work in, or want to work in, the public sector supply chain, you'll likely need it. Many government departments now expect it as a baseline from all suppliers, not just those handling personal data.

Beyond the public sector, the certification is increasingly expected by private sector clients. Defence, finance and healthcare supply chains have been moving in this direction for several years. If a potential client asks whether you're Cyber Essentials certified and you aren't, you're at a disadvantage that has nothing to do with the quality of your work.

Some cyber insurance policies now require Cyber Essentials as a condition of cover, or use its absence as a factor in setting premiums. As the insurance market has hardened following a significant increase in ransomware claims, underwriters have become more specific about the baseline controls they expect to see. Certification doesn't guarantee a better premium, but the absence of it is increasingly a red flag.

For businesses handling personal data – which is most businesses – Cyber Essentials aligns well with the expectation under UK GDPR to implement appropriate technical and organisational security measures. It doesn't substitute for a full GDPR compliance programme, but it demonstrates that you've addressed the most important technical controls.

And for businesses without any specific regulatory pressure? We'd still recommend it. The five controls are things a well-run IT environment should have in place anyway. Certification formalises that and gives you something concrete to show clients, partners and insurers.

Cyber Essentials vs Cyber Essentials Plus

The choice between the two levels comes down to how much independent assurance you need and what you're using the certificate for.

Cyber Essentials – the self-assessment route – is faster and cheaper to obtain. A certifying body reviews your questionnaire responses, but they don't independently verify that your systems reflect what you've described. For most smaller businesses and most supply chain requirements, this is sufficient. The certificate carries weight and the process of completing it is genuinely useful.

Cyber Essentials Plus involves an independent technical audit on top of the self-assessment, and it has to be completed within three months of passing the self-assessment stage. The assessor scans your internet-facing systems for vulnerabilities and exposed services, runs authenticated scans on a sample of your devices to check that patches are actually applied, tests whether malware-like files are blocked when delivered by email and through the web browser, and confirms that the configuration and access controls you've described (including MFA on cloud services) are actually in place. It takes longer and costs more, but the assurance it provides is meaningfully higher.

We'd recommend Plus if you handle particularly sensitive data, if a client has specifically requested it or if you want a higher level of confidence that your controls are working as intended rather than just described correctly. For most SMEs working through supply chain requirements, standard Cyber Essentials gets the job done.

What preparation actually involves

Most businesses are closer to certification than they think. The five controls aren't exotic – they're the things a reasonably well-managed IT environment should already have. That said, the gaps that do exist tend to be consistent across organisations of a similar size and type.

Legacy software that can't be patched is one of the most common. If you're running an application that hasn't received a security update in two years because the vendor no longer supports it, that's a problem the certification process will surface: unsupported software is a fail in its own right, not just an unpatched vulnerability. The honest answer is to replace it, or to move it into a segregated network segment that is declared out of scope and cannot reach the rest of your systems, neither of which is a quick fix.

Personal devices connected to corporate networks, BYOD arrangements, create complexity. Cyber Essentials requires that all devices in scope meet the controls, and a personally owned phone or laptop that accesses organisational data or services (email, file shares, cloud apps) is in scope whether or not you own it; the only personal devices that stay out are those used solely for calls, texts and approving MFA prompts. So either those devices need to be managed to the same standard as corporate ones, typically through mobile device management, or you need to stop them accessing organisational data so that they genuinely fall outside the scope you declare.

Shared admin accounts and default router credentials that have never been changed are two others we encounter regularly. Both are easy to fix once they're identified.

A pre-assessment review before you submit the questionnaire is worth the investment. It identifies the gaps while you still have time to address them, which is considerably cheaper than submitting, failing and having to go through the process again. In our experience, the time from starting preparation to receiving a certificate is typically two to six weeks, depending on how much remediation is needed.
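As an added illustration of what a pre-assessment gap check looks like in practice (this is example code written for this page, not part of the original article and not NCSC or IASME material), the Python script below runs a constructed device inventory against the five controls described earlier: default-deny firewalls, default credentials, shared admin accounts, endpoint protection, unsupported operating systems and the 14-day window for high-severity updates. The inventory, advisories and dates are made up; the 14-day window and the CVSS v3 7.0 threshold are taken from the NCSC requirements; treating a generically named admin account as a likely shared account is a heuristic of this script, not a scheme rule.

```python
"""Gap check of a constructed device inventory against the five Cyber Essentials
controls. The inventory, advisories and dates are made up for illustration; the
only figures taken from the NCSC requirements are the 14-day update window and
the CVSS v3 7.0 threshold for 'high'. Treating generic account names as a sign
of a shared admin account is a heuristic of this script, not a scheme rule."""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14   # NCSC: high/critical fixes applied within 14 days of release
CVSS_THRESHOLD = 7.0     # NCSC: 'high' means a CVSS v3 base score of 7.0 or above
GENERIC_ADMIN_NAMES = {"admin", "administrator"}  # assumed heuristic, not a scheme rule


@dataclass
class Advisory:
    software: str
    fixed_version: str
    released: date
    cvss: float


@dataclass
class Device:
    name: str
    kind: str                   # "endpoint" (laptop/server/phone) or "network" (router/firewall)
    in_scope: bool
    os_supported: bool          # vendor still publishes security updates for the OS
    inbound_default_deny: bool  # unauthenticated inbound connections blocked by default
    default_creds_changed: bool
    endpoint_protection: bool   # managed anti-malware present and active
    installed: dict             # software name -> installed version string
    admins: list                # account names that hold administrative rights


@dataclass
class Finding:
    device: str
    control: str
    detail: str


def version_tuple(v: str) -> tuple:
    """'125.0.2' -> (125, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def assess_device(dev: Device, advisories: list, today: date) -> list:
    """Return one Finding per control the device fails; out-of-scope devices are skipped."""
    findings = []
    if not dev.in_scope:
        return findings  # exclusion must be justified in the scope statement, not assumed
    if not dev.inbound_default_deny:
        findings.append(Finding(dev.name, "firewalls",
                                "unauthenticated inbound connections are not blocked by default"))
    if not dev.default_creds_changed:
        findings.append(Finding(dev.name, "secure configuration",
                                "vendor default credentials still in use"))
    for acct in dev.admins:
        if acct.lower() in GENERIC_ADMIN_NAMES:
            findings.append(Finding(dev.name, "user access control",
                                    f"generic admin account '{acct}' is not tied to a named person"))
    if dev.kind == "endpoint" and not dev.endpoint_protection:
        findings.append(Finding(dev.name, "malware protection",
                                "no managed endpoint protection present"))
    if not dev.os_supported:
        findings.append(Finding(dev.name, "patch management",
                                "operating system no longer receives security updates"))
    for adv in advisories:
        inst = dev.installed.get(adv.software)
        if inst is None or version_tuple(inst) >= version_tuple(adv.fixed_version):
            continue  # not installed, or already at/after the fixed version
        if adv.cvss < CVSS_THRESHOLD:
            continue  # should still be patched, but the 14-day rule does not apply
        overdue = (today - adv.released).days - PATCH_WINDOW_DAYS
        if overdue > 0:
            findings.append(Finding(dev.name, "patch management",
                                    f"{adv.software} {inst} < {adv.fixed_version} (CVSS {adv.cvss}), "
                                    f"{overdue} days past the 14-day window"))
    return findings


# Constructed sample data: three in-scope devices and one BYOD phone kept out of scope.
ADVISORIES = [
    Advisory("browser", "125.0.2", date(2025, 5, 1), 8.8),   # high: 14-day rule applies
    Advisory("browser", "125.0.3", date(2025, 5, 25), 5.3),  # medium: outside the rule
    Advisory("pdfreader", "11.1.5", date(2025, 5, 20), 9.0),
]
INVENTORY = [
    Device("laptop-01", "endpoint", True, True, True, True, True,
           {"browser": "125.0.1", "pdfreader": "11.2.0"}, ["alice-admin"]),
    Device("router-edge", "network", True, True, True, False, False, {}, ["netops"]),
    Device("srv-files", "endpoint", True, False, True, True, True, {}, ["admin", "bob-admin"]),
    Device("byod-phone-carol", "endpoint", False, True, False, True, False, {}, []),
]


def run_assessment(today: date = date(2025, 6, 1)) -> list:
    """Run the check over the whole inventory as of a fixed (constructed) date."""
    return [f for dev in INVENTORY for f in assess_device(dev, ADVISORIES, today)]


if __name__ == "__main__":
    for f in run_assessment():
        print(f"{f.device:18} {f.control:22} {f.detail}")
```

Run as-is it reports four findings: the laptop's browser is 17 days past the window for a high-severity fix (the medium-severity one is deliberately ignored by the 14-day rule), the router still has vendor default credentials, and the file server both runs an unsupported OS and has a generic "admin" account. The BYOD phone produces nothing only because it is marked out of scope; in a real review that exclusion needs a reason you can write down, which is the point of doing the check before the questionnaire rather than after.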

What it doesn't cover

Cyber Essentials is a baseline. It's honest about that, and we think you should be too when talking to clients about what your certification means.

The five controls don't cover physical security – someone walking out with a laptop is outside their scope. They don't address social engineering or phishing at a process level, though some of the technical controls (malware protection, secure configuration) provide partial mitigation. Incident response planning, business continuity, insider threats and the specific security requirements of cloud environments aren't covered in depth.

For businesses operating in higher-risk environments – those handling particularly sensitive data, operating critical infrastructure or subject to sector-specific regulation – Cyber Essentials is the starting point, not the destination. ISO 27001 provides a much more comprehensive framework. Cyber Essentials Plus, combined with additional controls, represents a meaningful step up from basic certification.

Being clear about what your certification covers, and what it doesn't, is the right approach. Clients and partners who understand security will recognise that honesty. Those who expect a single certificate to represent a comprehensive security posture probably need educating rather than reassuring.

Thinking about Cyber Essentials certification? We can help you prepare and identify any gaps before you go through the assessment. Get in touch.
