What is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme launched in June 2014. It is now operated by the National Cyber Security Centre (NCSC), which was itself formed in 2016, with the IASME Consortium as the scheme's delivery partner. It was developed in partnership with industry to define a small set of basic technical controls that organisations should have in place to protect themselves against the most common internet-based, commodity threats.
The scheme operates at two levels. Cyber Essentials is a self-assessment certification: the organisation completes a questionnaire about its security controls, signs a declaration that the answers are true, and a licensed certification body reviews the submission. Cyber Essentials Plus adds a hands-on technical verification stage in which an assessor tests your systems to confirm the controls work as described. Plus builds on a current Cyber Essentials certificate and must be completed within three months of it.
Since October 2014 (Cabinet Office Procurement Policy Note 09/14), Cyber Essentials has been a mandatory requirement for certain central government contracts that involve handling personal information or providing particular ICT products and services. Increasingly, private-sector organisations also require it from their supply chains as a minimum standard of cyber security assurance.
The 5 Technical Controls
At the heart of Cyber Essentials are five technical controls that address the most common attack vectors. These controls are deliberately straightforward and achievable for organisations of all sizes, yet they form a robust baseline defence against the majority of commodity cyber attacks.
Cyber Essentials Technical Controls
| Control | Requirements | Practical Steps |
|---|---|---|
| Firewalls | Boundary firewalls or internet gateways must control traffic flowing in and out of the network, blocking unauthenticated inbound connections by default; devices used on untrusted networks (home, public Wi-Fi) need a host-based software firewall | Block inbound connections by default and document and approve any inbound rule you do open; remove rules for services that no longer exist; change default administrator passwords; do not expose the firewall's admin interface to the internet unless it is protected by MFA or an IP allow list |
| Secure Configuration | Computers and network devices must be configured to reduce their attack surface: remove or disable unnecessary accounts, software and functionality, change default passwords, and disable auto-run | Remove or disable default and guest accounts; disable auto-run and auto-play; uninstall software not required for business purposes; lock devices after inactivity and protect them with a PIN, password or biometric |
| User Access Control | Each user must have a unique account; accounts must operate on the principle of least privilege; administrative accounts must be separate from day-to-day accounts; multi-factor authentication must be used on all cloud services that support it and on all administrator accounts | Grant only the access each role needs; approve and record account creation; enforce MFA on cloud services and admin accounts; remove or disable accounts promptly when staff leave or change role |
| Malware Protection | All in-scope devices must run anti-malware software that is kept up to date, scans files on access and blocks known-malicious websites, or must restrict execution to an approved list of applications (application allow listing) | Deploy anti-malware on every endpoint, including laptops and mobiles; keep signature databases current; enable real-time scanning and web protection; where allow listing is used, maintain the approved list and block everything else |
| Security Update Management (patch management) | Software and firmware must be licensed, supported and kept up to date; updates that fix vulnerabilities rated critical or high risk by the vendor, or with a CVSS v3 base score of 7.0 or above, must be applied within 14 days of release; unsupported software must be removed | Enable automatic updates wherever possible; maintain a software and firmware inventory; remove end-of-life software from in-scope devices; monitor vendor advisories and track the 14-day deadline for each qualifying update |
Source: NCSC Cyber Essentials Requirements for IT Infrastructure (v3.1)
The 14-Day Patching Deadline
One of the most critical requirements is the 14-day update window. When a vendor releases an update that fixes a vulnerability it rates as critical or high risk, that carries a CVSS v3 base score of 7.0 or above, or for which the vendor gives no severity at all, your organisation must install it within 14 calendar days of release. Software that is no longer supported by its vendor, and therefore no longer receives security updates, must be removed from in-scope devices (or those devices must be taken out of scope by segregating them). Most commodity attacks exploit vulnerabilities for which a fix already exists, so this single control removes a large share of the exploitable surface.
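The rule above is easy to state and easy to lose track of across an estate, so here is a small checker that applies it to an inventory. This is an added example, not code from the page or from NCSC; it implements the selection criteria as the requirements document states them (vendor critical/high, CVSS v3 base 7.0 or above, or no severity information), adds the end-of-life check, and runs over constructed sample records with a fixed "today". The product names, versions and dates are all invented.

```python
"""Added example: check a software inventory against the Cyber Essentials
14-day security update rule and the 'no unsupported software' rule.
Sample records and the TODAY date are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DEADLINE_DAYS = 14      # updates must be installed within 14 days of release
CVSS_THRESHOLD = 7.0    # CVSS v3 base score at or above this is in scope


@dataclass
class Update:
    product: str
    version: str
    released: date
    cvss_v3: Optional[float] = None        # None when the vendor publishes no score
    vendor_severity: Optional[str] = None  # e.g. "critical", "high", "medium"; None if unstated
    installed: Optional[date] = None       # None if not yet applied


@dataclass
class Product:
    name: str
    supported: bool   # False once the vendor has ended security support


def requires_14_day_install(u: Update) -> bool:
    """True if the update is in scope of the 14-day rule: vendor critical/high,
    CVSS v3 >= 7.0, or no severity information of any kind (treated as in scope)."""
    if u.vendor_severity and u.vendor_severity.lower() in ("critical", "high"):
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True
    return u.cvss_v3 is None and u.vendor_severity is None


def deadline(u: Update) -> date:
    return u.released + timedelta(days=DEADLINE_DAYS)


def assess_update(u: Update, today: date) -> str:
    """'not_in_scope', 'ok' (installed in time), 'late' (installed after the
    deadline), 'pending' (not yet due) or 'overdue' (not installed, deadline passed)."""
    if not requires_14_day_install(u):
        return "not_in_scope"
    due = deadline(u)
    if u.installed is not None:
        return "ok" if u.installed <= due else "late"
    return "pending" if today <= due else "overdue"


def audit(products: List[Product], updates: List[Update],
          today: date) -> List[Tuple[str, str, str]]:
    """Return (item, finding, detail) for every unsupported product and every
    in-scope update that is overdue or was installed late."""
    findings: List[Tuple[str, str, str]] = []
    for p in products:
        if not p.supported:
            findings.append((p.name, "unsupported", "remove from in-scope devices"))
    for u in updates:
        status = assess_update(u, today)
        if status in ("overdue", "late"):
            findings.append((f"{u.product} {u.version}", status,
                             f"deadline was {deadline(u).isoformat()}"))
    return findings


# Constructed sample inventory (hypothetical products and dates).
TODAY = date(2024, 6, 1)


def sample_inventory() -> Tuple[List[Product], List[Update]]:
    products = [Product("ExampleBrowser", True), Product("LegacyOS 2009", False)]
    updates = [
        # critical, installed within 14 days -> ok
        Update("ExampleBrowser", "120.1", date(2024, 5, 10), cvss_v3=9.8,
               vendor_severity="critical", installed=date(2024, 5, 15)),
        # vendor-rated high, never installed, deadline 2024-05-24 -> overdue
        Update("ExampleVPN", "4.2", date(2024, 5, 10), vendor_severity="high"),
        # medium / CVSS 5.3 -> not in scope of the 14-day rule
        Update("ExampleOffice", "2.7", date(2024, 5, 25), cvss_v3=5.3,
               vendor_severity="medium"),
        # no severity published at all -> in scope, deadline 2024-06-11 -> pending
        Update("ExampleRouterFW", "1.9", date(2024, 5, 28)),
        # CVSS 7.5, installed after the deadline -> late
        Update("ExampleDB", "11.4", date(2024, 4, 1), cvss_v3=7.5,
               installed=date(2024, 4, 30)),
    ]
    return products, updates


if __name__ == "__main__":
    for item, finding, detail in audit(*sample_inventory(), TODAY):
        print(f"{finding:12} {item:22} {detail}")
```

Run it as-is and it prints three findings: the unsupported operating system, the overdue VPN update and the late database update. For real use, replace `sample_inventory()` with whatever feeds your asset register (an RMM export, a package manager listing, a vulnerability scanner report) and keep the vendor severity and CVSS fields populated, because an update with neither is treated as in scope, which is the conservative reading of the requirement.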
Cyber Essentials vs Cyber Essentials Plus
Choosing between the two levels depends on your risk appetite, budget, and the requirements of your clients or contracts. Both certifications cover the same five technical controls, but they differ significantly in how compliance is verified.
Comparison: Cyber Essentials and Cyber Essentials Plus
| Aspect | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment Method | Self-assessment questionnaire, signed off by a board member or equivalent and reviewed by a certification body | External technical audit with hands-on testing by a qualified assessor, on top of a current Cyber Essentials certificate |
| Cost | Set by the scheme according to organisation size, from roughly £300 to £500 plus VAT | Quoted by the certification body, typically £1,500 to £5,000+ plus VAT depending on scope and complexity |
| Duration | Filling in the questionnaire takes as long as your preparation needs; once submitted, review by the certification body typically takes a few working days | Testing usually takes one to a few days on site or remotely, and the Plus assessment must be completed within three months of the Cyber Essentials certificate |
| Validity | 12 months from date of certification | 12 months from date of certification |
| Scope | Same 5 technical controls | Same 5 technical controls |
| Testing | Questionnaire only, no technical verification of answers | External vulnerability scan of internet-facing services, authenticated vulnerability and patch scans of a sample of devices, malware-protection tests using test email attachments and browser downloads, and checks that MFA and account separation are actually in place |
Source: IASME Consortium — Cyber Essentials Scheme Documentation
When Should You Go for Plus?
If your organisation handles sensitive customer data, operates in a regulated sector, or works with clients who require independent verification of your security posture, Cyber Essentials Plus provides a stronger level of assurance. Many larger enterprises and public-sector bodies now specify Plus as a minimum requirement in their procurement processes. For smaller organisations or those starting their cybersecurity journey, standard Cyber Essentials is an excellent first step.
The Certification Process
The certification process is designed to be accessible for organisations of all sizes. The steps differ slightly depending on whether you are pursuing Cyber Essentials or Cyber Essentials Plus, but the fundamental process follows the same structure.
Steps to Cyber Essentials Certification
| Step | Action | Details |
|---|---|---|
| 1 | Choose your scope | Decide which systems, networks, and devices will be included in the assessment; you can scope to specific parts of your infrastructure |
| 2 | Choose a certification body | Select a certification body licensed by IASME, the NCSC's delivery partner for the scheme; all certification bodies work to the same requirements, so choose on price, turnaround and support offered |
| 3 | Complete the self-assessment questionnaire | Answer questions about your implementation of the 5 technical controls; provide evidence of your security configurations |
| 4 | Submit and await review | The certification body reviews your answers; they may ask for clarification or additional evidence on specific controls |
| 5 | Receive your certificate | Once approved, you receive a certificate valid for 12 months and your organisation appears in the NCSC's searchable register of certified organisations |
| 6 | Display your badge | Use the Cyber Essentials badge on your website, marketing materials, and tender documents to demonstrate your certification status |
Source: NCSC Cyber Essentials Scheme Overview
For Cyber Essentials Plus, the process continues after the standard certification with technical testing that must be completed within three months of the Cyber Essentials certificate date. An assessor scans your internet-facing systems for vulnerabilities and open services, then carries out an on-site or remote audit of a representative sample of your devices: authenticated vulnerability and patch scans, tests that the anti-malware or allow-listing control actually blocks test files delivered by email and by browser download, and checks that MFA and separate administrator accounts are in use. The aim is to verify that your self-assessment answers reflect your actual security posture.
Scoping Your Certification
The default scope is the whole organisation, and that is the simplest position to defend. The scheme does allow a sub-set, for example a particular office, division or business unit, but the sub-set must be a clearly defined and separately managed part of the organisation with a network boundary you can describe, and all cloud services used by that sub-set are in scope with it. This is useful for large organisations or those with complex legacy estates. Be aware that you must state the scope boundary clearly on the certificate, that any systems handling data for a government contract must be inside it, and that a partial scope may not satisfy customers who expect the whole organisation to be certified.
Preparing Your Organisation
Preparation is key to a smooth certification process. Most organisations that fail their assessment do so because of overlooked defaults, unpatched software, or poorly documented access controls. Starting your preparation 4 to 6 weeks before the assessment gives you adequate time to identify and remediate issues.
Preparation Activities
| Activity | What to Do | Common Issues Found |
|---|---|---|
| Asset Inventory | Document all hardware, software, and cloud services in scope for certification | Unknown devices on the network; shadow IT services not tracked by the IT team |
| Password Policy Review | Ensure every account has a unique owner and meets the scheme's password rules: throttle or lock out after at most 10 failed attempts, and require either MFA with at least 8 characters, a minimum of 12 characters, or a minimum of 8 characters with an automatic deny list of common passwords; eliminate shared accounts | Shared admin credentials; no MFA on cloud services; default passwords on network devices; no protection against brute-force guessing |
| Patch Audit | Verify all software is currently supported and patched within the 14-day window for critical updates | End-of-life operating systems; unpatched third-party applications; firmware out of date on routers |
| Firewall Rule Review | Audit all firewall rules to ensure only necessary ports and services are open; remove legacy rules | Overly permissive rules; ports open for decommissioned services; default firewall configurations |
| Admin Account Audit | Review all administrator and privileged accounts; remove unnecessary admin rights; enforce separate admin accounts | Day-to-day users with admin privileges; dormant admin accounts; no separation of duties |
| BYOD Policy Review | Personal devices that access organisational data or services are in scope, so they must meet the same controls as corporate devices; set a clear policy and a way to verify it | Personal devices without anti-malware or screen lock; no mobile device management; unsupported operating system versions; corporate email accessed from unmanaged devices |
| Software Inventory | List all installed software and verify it is licensed, supported, and necessary for business operations | Unlicensed software; applications no longer receiving security updates; unnecessary browser plugins |
| Backup Verification | Not one of the five assessed controls, but recommended by NCSC and worth doing alongside the certification work: confirm that backups run, are stored separately from the live network, and can be restored within an acceptable time | Untested restore procedures; backups stored on the same network as the systems they protect; no offline or immutable copy |
Source: NCSC Cyber Essentials Readiness Toolkit
Start Preparation 4 to 6 Weeks Early
Give yourself adequate lead time before your assessment date. Remediation work — particularly patching legacy systems, reconfiguring firewalls, and rolling out MFA — can take longer than expected. A 4 to 6 week preparation window allows you to identify gaps, implement fixes, and verify everything is working before the assessor reviews your submission.
Benefits Beyond Compliance
While many organisations pursue Cyber Essentials to meet contractual or regulatory requirements, the benefits extend well beyond compliance. The certification process drives genuine improvements in your security posture and delivers tangible business advantages.
Business Benefits of Cyber Essentials
| Benefit | Description |
|---|---|
| Government Contract Eligibility | Cyber Essentials is mandatory for certain central government contracts involving personal information or ICT services, and certification opens the door to those public-sector procurement opportunities |
| Cyber Insurance | UK-domiciled organisations that certify their whole organisation and have a turnover under £20 million receive cyber liability insurance included with the certification; holding the certificate can also help when negotiating terms with commercial insurers |
| Customer Confidence | Displaying the Cyber Essentials badge on your website and proposals demonstrates to customers and partners that you take cybersecurity seriously |
| Supply Chain Assurance | Increasingly, large enterprises require their suppliers to hold Cyber Essentials as a minimum standard — certification protects your position in supply chains |
| Reduced Breach Risk | The UK government's long-standing estimate is that the five controls protect against around 80% of the most common, commodity cyber attacks, which significantly reduces the likelihood of a costly breach |
| Staff Awareness Improvement | The certification process raises security awareness across the organisation, encouraging better cyber hygiene practices among all employees |
| Framework for Continuous Improvement | Annual recertification creates a structured cycle of review and improvement, ensuring your security controls remain current and effective year on year |
Source: NCSC and IASME published case studies and scheme documentation
Cyber Essentials Is the Minimum Baseline
It is important to understand that Cyber Essentials represents a minimum baseline of cyber hygiene, not a comprehensive security programme. Organisations handling highly sensitive data or operating in high-risk sectors should treat Cyber Essentials as the foundation and build additional controls on top — such as ISO 27001 certification, penetration testing, and security operations centre (SOC) monitoring.
Build Your Cybersecurity Skills
Understanding Cyber Essentials is just the beginning. Our accredited Cybersecurity course covers the full spectrum of defensive security — from network protection and threat analysis to incident response and compliance frameworks — giving you the skills to protect your organisation and advance your career.
Explore Our Cybersecurity Course