Cyber threats affect every business today, no matter the size or sector. A single attack can disrupt operations, damage customer trust and lead to financial loss. To help protect against these risks, the UK government introduced the Cyber Essentials scheme. Managed by the National Cyber Security Centre (NCSC), it sets out simple but effective security controls that stop the most common online attacks. This guide explains what Cyber Essentials is, how the certification process works, and the benefits it can bring.
Cyber Essentials is a government-backed certification scheme that helps organisations protect themselves from basic cyber threats. It sets out a clear framework of technical controls that reduce the risk of attack. The scheme is suitable for organisations of all sizes, from small and medium businesses to large enterprises.
There are two levels of certification:
- Cyber Essentials: a verified self-assessment. Organisations answer questions about their systems and security practices. Certification bodies review the answers and decide if the requirements are met.
- Cyber Essentials Plus: includes the same questions but adds an independent audit. Assessors test real systems and run a vulnerability scan to check that controls are working properly.
Both levels are valid for one year and need to be renewed annually.
At the heart of the Cyber Essentials scheme are five technical controls. These are the areas where organisations are most often exposed to attack.
Firewalls and Internet Gateways
Firewalls and internet gateways act as barriers between your network and the outside world. They must be set up so only safe and necessary traffic is allowed.
Secure Configuration
Devices and software often come with default settings that are unsafe. Secure configuration means changing these settings, removing unused accounts and disabling unnecessary features.
User Access Control
Staff should only have the access they need to do their jobs. Role-based access, prompt removal of old accounts and strong control of administrator rights are all required.
Malware Protection
Up-to-date anti-malware tools must be in place to block harmful software. Organisations also need to limit the use of macros to prevent attackers from using them to install malware.
Patch Management
Systems must be kept up to date. Security patches should be applied within 14 days of release, especially when they fix high-risk vulnerabilities.
Together, these five controls prevent a large proportion of common cyber threats.
The difference between the two levels is the degree of assurance each provides.
Cyber Essentials relies on an online questionnaire signed off by a senior manager. It demonstrates that the organisation has taken steps to meet the security controls.
Cyber Essentials Plus adds independent testing. An assessor checks systems directly, running vulnerability scans and testing a sample of devices. They also examine internet gateways and attempt to download harmless test files that imitate malware, to confirm that protections are in place.
Cyber Essentials Plus gives stronger evidence to customers and partners, and it is often required in supply chains or contracts.
Certification is valuable for several reasons:
- Contract eligibility: Some UK government contracts require Cyber Essentials, especially when handling personal or financial data.
- Trust and reputation: A certificate shows that you take cybersecurity seriously. This can reassure customers and partners.
- Insurance benefits: Organisations with certification are less likely to make insurance claims. Some insurers even offer reduced premiums. Smaller organisations certified through IASME may also qualify for automatic cyber liability insurance.
- Stronger resilience: Following the framework helps protect against around 80% of the most common cyber attacks.
For small and medium businesses in particular, the scheme offers a cost-effective way to improve defences without needing complex standards.
The certification process is straightforward if you prepare in advance.
Step 1 - Define the scope: Decide whether certification will cover your whole organisation or just part of it.
Step 2 - Prepare: Use readiness guides and checklists from the National Cyber Security Centre (NCSC) or certification bodies. Fix obvious issues such as unsupported software or default passwords.
Step 3 - Self-assessment: Complete the questionnaire and have it signed by a senior manager.
Step 4 - Review: An assessor checks the answers. If changes are needed, you normally have two working days to respond.
Step 5 - Certification: If successful, you receive a certificate valid for twelve months.
Step 6 - Cyber Essentials Plus: If you want the higher level, an assessor carries out audits and vulnerability scans. This must be done within three months of achieving Cyber Essentials.
With the right preparation, organisations can achieve certification quickly.
Cyber Essentials is designed to be cost-effective. Prices start from a few hundred pounds and vary depending on the size of the organisation. Cyber Essentials Plus usually costs more, with fees depending on the number of systems and the complexity of the network. Both are subject to VAT.
Timelines also vary. The basic level can often be achieved within days if systems are ready. Cyber Essentials Plus takes longer due to the need for on-site or remote testing, but most certification bodies can complete the process within a few weeks.
Some organisations, particularly small and medium businesses, may not have in-house expertise. The Cyber Advisor scheme provides trusted experts who can guide organisations through the requirements. A Cyber Advisor can explain technical controls in plain language, help prepare for the assessment, and ensure that the certification process runs smoothly. They are separate from assessors, whose role is to review answers and carry out the audits.
Organisations often fail certification because of simple issues that can be avoided with preparation:
- Using unsupported software or operating systems.
- Delaying important security updates.
- Leaving default passwords unchanged.
- Allowing macros to run without control.
- Not removing old user accounts promptly.
Checking these areas before submitting your assessment makes passing much more likely.
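As an added illustration (not part of the scheme's own tooling or of this article), the check below evaluates a constructed patch and software inventory against the 14-day patch window and the unsupported-software point from the list above; host names, patch ids and end-of-support dates are made up.

```python
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14  # deadline for applying security patches, as stated by the scheme

# Constructed sample inventory: host names, patch ids and dates are made up.
PATCHES = [
    # (host, patch id, severity, release date, install date or None if still missing)
    ("ws-01", "PATCH-A", "high", date(2024, 3, 1), date(2024, 3, 10)),
    ("ws-02", "PATCH-A", "high", date(2024, 3, 1), None),
    ("srv-01", "PATCH-B", "high", date(2024, 3, 1), date(2024, 3, 20)),
    ("srv-01", "PATCH-C", "low", date(2024, 2, 1), date(2024, 2, 25)),
]
SOFTWARE = [
    # (host, product, vendor end-of-support date); assumed values
    ("ws-01", "ExampleOS 10", date(2025, 10, 14)),
    ("ws-02", "ExampleOS 7", date(2020, 1, 14)),
]


def overdue_patches(patches, today):
    """Return patches installed after, or still missing beyond, the 14-day window.

    Each finding is (host, patch id, severity, "missing" | "late", days past deadline).
    """
    findings = []
    for host, pid, severity, released, installed in patches:
        deadline = released + timedelta(days=PATCH_WINDOW_DAYS)
        if installed is None and today > deadline:
            findings.append((host, pid, severity, "missing", (today - deadline).days))
        elif installed is not None and installed > deadline:
            findings.append((host, pid, severity, "late", (installed - deadline).days))
    return findings


def unsupported_software(software, today):
    """Return (host, product) pairs whose vendor support has already ended."""
    return [(host, product) for host, product, eos in software if today > eos]


def readiness_report(today):
    """Combine the two checks into one pre-assessment summary."""
    return {
        "overdue_patches": overdue_patches(PATCHES, today),
        "unsupported_software": unsupported_software(SOFTWARE, today),
    }


if __name__ == "__main__":
    for control, findings in readiness_report(date(2024, 4, 1)).items():
        print(control, "->", findings or "no findings")
```

Severity is carried through so that high-risk patches can be prioritised first, as the scheme's wording suggests.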
Cyber Essentials certification is more than a compliance exercise. It creates a strong baseline for building wider security programmes. Many organisations use it as a first step before moving on to more advanced standards or controls. On a larger scale, the scheme helps improve resilience across the UK economy by raising the minimum level of protection against cyber threats.
Is Cyber Essentials mandatory?
It is not mandatory for all organisations, but it is required for some UK government contracts and is increasingly expected in supply chains.
How long does it take?
If systems are already compliant, the basic level can be completed quickly. Cyber Essentials Plus takes longer due to testing and the vulnerability scan.
Do I need Cyber Essentials before Plus?
Yes. You must complete the basic level before starting the Plus audit.
Does certification include insurance?
Some smaller organisations receive automatic cyber liability insurance when they certify through IASME. Others may find insurance premiums reduced.
What has changed recently?
The scheme is updated regularly to reflect new threats. Recent changes included bringing cloud services into scope and requiring multi-factor authentication for admin accounts.
The Cyber Essentials scheme provides organisations with a clear, practical framework for defending against the most common cyber threats. By following the certification process and implementing the five technical controls, businesses can protect themselves, reassure customers, and open up new opportunities. For small and medium organisations in particular, it is a cost-effective way to show commitment to cyber security and build stronger resilience for the future.