In an era where cyber threats targeting UK businesses have reached unprecedented levels, achieving cyber essentials certification has become far more than a regulatory checkbox. It represents a fundamental commitment to protecting your organisation, your clients, and your reputation. Whether you are a sole trader handling customer data or a large enterprise bidding for government contracts, understanding the cyber essentials framework is now essential to operating safely and competitively in the United Kingdom.
This comprehensive guide covers everything you need to know about cyber essentials UK certification — from the five technical controls mandated by the National Cyber Security Centre to the differences between Cyber Essentials and Cyber Essentials Plus, the certification process, costs, common pitfalls, and how this scheme fits into a broader cybersecurity strategy. By the end, you will have a clear, actionable roadmap for achieving and maintaining your cyber essentials certification UK status.
What Is Cyber Essentials? Understanding the UK's Foundational Cybersecurity Scheme
Cyber essentials is a UK government-backed cybersecurity certification scheme designed to help organisations of all sizes protect themselves against the most common cyber threats. Developed and overseen by the NCSC cyber essentials programme — a division of the National Cyber Security Centre, itself part of GCHQ — the scheme provides a clear, practical framework of baseline security controls that every organisation should implement.
The scheme was launched in 2014 by the UK government in response to growing concerns about the volume of cyber attacks targeting British businesses. Rather than creating an overly complex standard that only large enterprises could afford to implement, the government designed cyber essentials as an accessible, proportionate framework that addresses the most prevalent attack vectors. The NCSC estimates that implementing these controls can prevent around 80% of the most common cyber attacks.
At its core, cyber essentials certification verifies that an organisation has implemented five fundamental technical controls across its IT infrastructure. These controls are deliberately focused on the areas where the vast majority of attacks originate: internet-facing systems, user access, software vulnerabilities, and malware. The scheme does not attempt to cover every possible cybersecurity scenario — instead, it focuses on getting the basics right, which is where most organisations fail.
Cyber Essentials is not just about technology. It requires a holistic understanding of your IT estate, including cloud services, mobile devices, and remote working configurations. Before starting the certification process, conduct a thorough audit of every device, service, and user account in your organisation.
The NCSC cyber essentials framework is deliberately technology-agnostic. It does not prescribe specific products or vendors. Instead, it defines outcomes that your security controls must achieve. This means that whether you use Windows, macOS, Linux, or a combination, whether your infrastructure is on-premises, cloud-hosted, or hybrid, you can achieve certification by demonstrating that your systems meet the required security standards.
There are two levels of certification within the scheme:
- Cyber Essentials — A self-assessment questionnaire verified by an external certification body. This provides a baseline level of assurance.
- Cyber Essentials Plus — Includes everything in the basic certification plus an independent, hands-on technical verification by a qualified assessor who tests your systems directly.
Both levels of cyber essentials certification UK are valid for 12 months from the date of issue, after which organisations must recertify to maintain their status. This annual renewal ensures that security controls keep pace with evolving threats and changes in the organisation's IT environment.
Why Cyber Essentials Matters: The Business Case for Certification
Understanding the strategic value of cyber essentials requires looking beyond simple compliance. While the scheme was originally introduced to establish a minimum security baseline, the benefits of achieving cyber essentials certification extend far beyond ticking a box.
Government Contract Requirements
Since October 2014, the UK government has required all suppliers bidding for contracts that involve handling sensitive or personal information to hold cyber essentials certification at a minimum. This requirement extends across central government, the Ministry of Defence, the NHS, local authorities, and many public sector bodies. Without certification, your organisation is effectively locked out of a significant portion of the public sector market.
The requirement is increasingly flowing down supply chains as well. Prime contractors working with government are now routinely requiring their subcontractors and partners to hold cyber essentials UK certification, creating a cascading demand throughout the economy.
Insurance and Risk Reduction
Many cyber insurance providers in the UK now offer preferential terms to organisations that hold cyber essentials certification. Some insurers have made it a prerequisite for coverage. The IASME Consortium, which manages the scheme on behalf of the NCSC, includes free cyber liability insurance for qualifying organisations with a turnover under £20 million that achieve certification.
Customer and Partner Confidence
In an era where data breaches regularly make headlines, demonstrating that your organisation takes cybersecurity seriously is a competitive differentiator. The cyber essentials badge — which certified organisations can display on their website, marketing materials, and proposals — provides an immediately recognisable signal of security competence to customers, partners, and stakeholders.
GDPR Alignment
While cyber essentials certification UK does not guarantee GDPR compliance, the technical controls required by the scheme directly support many of the security obligations under the UK GDPR and the Data Protection Act 2018. Article 32 of the UK GDPR requires organisations to implement "appropriate technical and organisational measures" to protect personal data. Achieving cyber essentials demonstrates a tangible, auditable commitment to this requirement — something that the Information Commissioner's Office (ICO) may consider favourably in the event of a data breach investigation.
Organisational Awareness
The process of preparing for cyber essentials certification forces organisations to take stock of their IT estate, review their security practices, and identify gaps that might otherwise go unnoticed. Many organisations discover shadow IT, outdated software, misconfigured firewalls, or excessive user privileges during the preparation process. This exercise alone delivers significant security value, regardless of the certification outcome.
The Five Technical Controls: The Foundation of Cyber Essentials
The NCSC cyber essentials scheme is built around five technical controls. These controls are the heart of the certification — every question in the self-assessment questionnaire and every test in the Plus assessment relates to one of these five areas. Understanding them in depth is essential to achieving cyber essentials certification and, more importantly, to actually securing your organisation.
1. Firewalls (Boundary Firewalls and Internet Gateways)
The first technical control in the cyber essentials framework addresses the boundary between your organisation's internal network and the internet. Every device that connects to the internet must be protected by a correctly configured firewall — whether that is a hardware firewall at the network perimeter, a software firewall on an individual device, or a cloud-based firewall service.
The requirements for this control include:
- Changing default administrator passwords on all firewalls and routers to strong, unique passwords
- Blocking all inbound connections by default, only allowing those that are explicitly required and documented
- Ensuring that firewall rules are reviewed regularly and unnecessary rules are removed
- Configuring host-based firewalls on all devices, particularly those used outside the office network
- Disabling administrative interfaces accessible from the internet unless absolutely necessary, and protecting them with additional controls if they must remain accessible
For organisations with remote workers — now the majority of UK businesses — this control is particularly important. Every laptop, tablet, and mobile device that connects to the internet from home networks, coffee shops, or co-working spaces must have its own firewall configured and active. Relying solely on the office network firewall is no longer sufficient.
Document every inbound firewall rule with a business justification, the date it was created, and a review date. During the Cyber Essentials assessment, you will need to explain why each rule exists. Rules without clear justification should be removed.
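As an added example (not part of the original article), the following Python script checks a rule register of the kind described above: every rule must carry a business justification, a creation date and a review date that has not lapsed, and allow rules that open a common administrative port to the whole internet are flagged. The CSV layout, rule IDs, addresses and the ADMIN_PORTS list are constructed assumptions, not any real organisation's firewall export.

```python
import csv
import io
import ipaddress
from datetime import date, datetime

# Constructed sample register; the columns, rule IDs and addresses are
# an assumption for illustration, not a real firewall export.
SAMPLE_REGISTER = """\
rule_id,action,source,dest_port,justification,created,review_by
FW-001,allow,0.0.0.0/0,443,Public web server (change ticket CHG-0117),2024-03-01,2025-03-01
FW-002,allow,0.0.0.0/0,3389,,2023-06-15,2024-06-15
FW-003,allow,203.0.113.0/24,22,MSP bastion host (contract MSP-22),2024-09-10,2026-09-10
FW-004,allow,0.0.0.0/0,25,Inbound SMTP to mail gateway,2024-01-20,2024-12-31
FW-005,deny,0.0.0.0/0,any,Default deny for all other inbound traffic,2019-01-01,2030-01-01
"""

# Ports that usually carry an administrative interface (illustrative, not exhaustive).
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC", 5985: "WinRM", 5986: "WinRM"}


def parse_date(text):
    """Return a date for 'YYYY-MM-DD', or None when the field is empty or malformed."""
    try:
        return datetime.strptime((text or "").strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def is_internet_source(source):
    """True when the source matches the whole internet ('any' or a /0 prefix)."""
    if source.strip().lower() == "any":
        return True
    try:
        return ipaddress.ip_network(source.strip(), strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_rules(register_text, as_of):
    """Return {rule_id: [finding, ...]} for rules that need attention before the
    assessment. Rules with no findings are omitted, so {} means a clean register.
    as_of may be a date or a 'YYYY-MM-DD' string."""
    if isinstance(as_of, str):
        as_of = parse_date(as_of)
    findings = {}
    for row in csv.DictReader(io.StringIO(register_text)):
        issues = []
        # Every rule needs a documented business justification and creation date.
        if not row["justification"].strip():
            issues.append("no business justification recorded")
        if parse_date(row["created"]) is None:
            issues.append("creation date missing or malformed")
        # Rules must be reviewed regularly; a lapsed review date is a finding.
        review_by = parse_date(row["review_by"])
        if review_by is None:
            issues.append("review date missing or malformed")
        elif review_by < as_of:
            issues.append(f"review overdue since {review_by.isoformat()}")
        # Administrative interfaces should not be reachable from the whole internet.
        port = row["dest_port"].strip()
        if (row["action"].strip().lower() == "allow" and port.isdigit()
                and int(port) in ADMIN_PORTS and is_internet_source(row["source"])):
            issues.append(f"{ADMIN_PORTS[int(port)]} ({port}/tcp) reachable from the whole internet")
        if issues:
            findings[row["rule_id"]] = issues
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit_rules(SAMPLE_REGISTER, date.today()).items():
        print(rule_id)
        for issue in issues:
            print("  -", issue)
```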
2. Secure Configuration
The second control requires that all computers, network devices, and software are configured to reduce unnecessary functionality and known vulnerabilities. Out-of-the-box configurations are designed for ease of use, not security — default settings often include guest accounts, sample applications, unnecessary services, and weak passwords that create easy entry points for attackers.
Key requirements under this control include:
- Removing or disabling unnecessary software, services, and user accounts from all devices
- Changing all default passwords to strong, unique alternatives
- Disabling auto-run and auto-play features
- Configuring devices to lock after a period of inactivity (typically 15 minutes maximum)
- Implementing a password policy that requires passwords of at least 8 characters (the NCSC recommends using three random words combined into a passphrase)
- Configuring account lockout or throttling after a defined number of failed login attempts
This control also covers cloud services. If your organisation uses Microsoft 365, Google Workspace, AWS, Azure, or any other cloud platform, the configuration of those services falls within scope. Default settings in cloud environments are frequently insecure — multi-factor authentication may be disabled, sharing settings may be overly permissive, and administrative access may be too broadly distributed.
3. User Access Control
The third control addresses how user accounts are managed and how access to systems, data, and services is controlled. The principle of least privilege is central to this control: users should only have access to the systems and data they need to perform their specific role, and no more.
Requirements include:
- Using individual user accounts — never shared accounts — so that actions can be attributed to specific individuals
- Granting administrative (admin) privileges only to those who genuinely need them for their role
- Ensuring that admin accounts are not used for day-to-day activities such as email and web browsing
- Implementing a process for promptly removing or disabling access when staff leave the organisation or change roles
- Using multi-factor authentication (MFA) wherever it is available, particularly for cloud services, remote access, and administrative accounts
- Controlling access to administrative accounts with strong, unique passwords
The 2025 update to the cyber essentials requirements placed increased emphasis on multi-factor authentication. MFA is now required for all cloud services and administrator accounts where it is available. This reflects the growing recognition that passwords alone — no matter how strong — are insufficient to protect against modern phishing and credential-stuffing attacks.
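As an added example (not part of the original article), this Python script runs the user access control checks listed above over a directory export: shared accounts, leavers still active after their leaving date, admin accounts that hold a mailbox (a sign of day-to-day use), and interactive accounts without MFA. The CSV columns, usernames and the rule that service accounts are exempt from the MFA check are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed directory export; columns, usernames and values are assumptions
# chosen to exercise each check, not a real tenant.
SAMPLE_EXPORT = """\
username,account_type,owner,status,mfa_enabled,has_mailbox,leaving_date
j.smith,standard,Jane Smith,active,yes,yes,
j.smith-adm,admin,Jane Smith,active,yes,no,
reception,shared,Front desk,active,no,yes,
t.brown,standard,Tom Brown,active,yes,yes,2025-04-30
it-admin,admin,IT team,active,no,yes,
svc-backup,service,Backup job,active,no,no,
p.jones,standard,Priya Jones,disabled,no,yes,2025-02-28
"""


def parse_date(text):
    """Return a date for 'YYYY-MM-DD', or None when the field is empty or malformed."""
    try:
        return datetime.strptime((text or "").strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_accounts(export_text, as_of):
    """Return {username: [finding, ...]} for active accounts that breach the
    user access control expectations. Disabled accounts are skipped.
    as_of may be a date or a 'YYYY-MM-DD' string."""
    if isinstance(as_of, str):
        as_of = parse_date(as_of)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].strip().lower() != "active":
            continue
        kind = row["account_type"].strip().lower()
        issues = []
        # Shared accounts cannot attribute actions to an individual.
        if kind == "shared":
            issues.append("shared account: actions cannot be attributed to an individual")
        # Leavers must be disabled promptly; an active account past its leaving date is late.
        left = parse_date(row["leaving_date"])
        if left is not None and left < as_of:
            issues.append(f"leaver still active {(as_of - left).days} days after leaving date")
        # An admin account with a mailbox is a strong sign it is used for day-to-day work.
        if kind == "admin" and yes(row["has_mailbox"]):
            issues.append("admin account has a mailbox: use a separate standard account for email and browsing")
        # MFA is expected on every interactive account. Service accounts are exempt here
        # (assumption: the export cannot tell whether MFA is available for them).
        if kind != "service" and not yes(row["mfa_enabled"]):
            issues.append("multi-factor authentication not enabled")
        if issues:
            findings[row["username"]] = issues
    return findings


def admin_accounts(export_text):
    """Usernames of active admin accounts, as input to the 'who really needs admin' review."""
    return sorted(
        r["username"] for r in csv.DictReader(io.StringIO(export_text))
        if r["account_type"].strip().lower() == "admin" and r["status"].strip().lower() == "active"
    )


if __name__ == "__main__":
    print("admin accounts:", ", ".join(admin_accounts(SAMPLE_EXPORT)))
    for user, issues in audit_accounts(SAMPLE_EXPORT, "2025-06-01").items():
        print(user)
        for issue in issues:
            print("  -", issue)
```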
4. Malware Protection
The fourth control requires organisations to implement measures to prevent malware from infecting their systems and to detect and remove malware if it does get through. This control recognises that while preventive measures are essential, no defence is perfect, and organisations must also be prepared to respond to infections.
Organisations must implement at least one of the following approaches:
- Anti-malware software — installed on all devices, configured to update automatically, and set to scan files on access and web pages during browsing
- Application whitelisting — configuring devices to only allow approved applications to run, preventing unauthorised software (including malware) from executing
- Sandboxing — running applications in an isolated environment where malware cannot affect the wider system
For most organisations, anti-malware software is the primary defence. Windows Defender, which is built into Windows 10 and 11, meets the requirements for cyber essentials certification provided it is enabled, kept up to date, and configured to perform real-time scanning. Organisations do not need to purchase expensive third-party antivirus solutions unless they choose to for additional features.
5. Patch Management (Security Update Management)
The fifth and final control requires that all software and firmware is kept up to date with the latest security patches. Unpatched vulnerabilities are one of the most common entry points for cyber attacks — when a software vendor releases a patch, it effectively announces the existence of a vulnerability, and attackers move quickly to exploit organisations that have not yet applied the update.
The cyber essentials UK requirements state that:
- All security patches must be applied within 14 days of release
- Software that is no longer supported by its vendor (end-of-life software) must be removed or isolated from the network
- Automatic updates should be enabled wherever possible
- All software within scope — including operating systems, browsers, plugins, firmware, and applications — must be licensed and supported
The 14-day patching window is one of the most frequently failed requirements in cyber essentials certification assessments. Many organisations struggle with legacy applications that are incompatible with recent updates, or they lack the processes and tools to track and deploy patches across their entire IT estate efficiently.
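As an added example (not part of the original article), this Python script applies the 14-day rule and the end-of-life rule above to a software inventory, classifying each row as compliant, pending (still inside the window), overdue, late (patched, but outside the window) or eol, and listing the devices that would fail outright. The inventory columns, device names, products and dates are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

PATCH_WINDOW = timedelta(days=14)   # security patches applied within 14 days of release

# Constructed inventory: one row per piece of software per device, with the
# release date of its latest security patch and when (if) it was applied.
# Device names, products and dates are assumptions for illustration.
SAMPLE_INVENTORY = """\
device,software,version,support_status,patch_released,patch_applied
LAPTOP-07,Windows 11,23H2,supported,2025-05-13,2025-05-15
LAPTOP-07,Adobe Reader,24.002,supported,2025-05-13,
LAPTOP-12,Windows 7,SP1,end-of-life,,
LAPTOP-03,Google Chrome,125,supported,2025-04-10,2025-05-05
FW-EDGE,Router firmware,1.4.2,supported,2025-04-01,
SRV-01,Ubuntu 22.04,,supported,2025-05-27,2025-05-28
SRV-02,PostgreSQL,16.3,supported,2025-05-25,
"""


def parse_date(text):
    """Return a date for 'YYYY-MM-DD', or None when the field is empty."""
    text = (text or "").strip()
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def assess(inventory_text, as_of):
    """Classify every inventory row as compliant, pending, overdue, late, eol or unknown.
    as_of may be a date or a 'YYYY-MM-DD' string."""
    if isinstance(as_of, str):
        as_of = parse_date(as_of)
    results = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        item = {"device": row["device"], "software": row["software"]}
        if row["support_status"].strip().lower() != "supported":
            # Unsupported software receives no security updates at all.
            item.update(status="eol", detail="no vendor security updates: remove or isolate from the network")
            results.append(item)
            continue
        released = parse_date(row["patch_released"])
        applied = parse_date(row["patch_applied"])
        if released is None:
            item.update(status="unknown", detail="no release date recorded for the latest security patch")
        else:
            deadline = released + PATCH_WINDOW
            if applied is not None and applied <= deadline:
                item.update(status="compliant", detail=f"applied {(applied - released).days} days after release")
            elif applied is not None:
                item.update(status="late", detail=f"applied {(applied - deadline).days} days after the deadline")
            elif as_of > deadline:
                item.update(status="overdue", detail=f"outstanding for {(as_of - released).days} days, "
                                                      f"{(as_of - deadline).days} past the deadline")
            else:
                item.update(status="pending", detail=f"{(deadline - as_of).days} days left in the window")
        results.append(item)
    return results


def failing_devices(results):
    """Devices that would fail outright: an unpatched item past the deadline, or
    end-of-life software. 'late' rows are patched now but show the process missed the window."""
    return {r["device"] for r in results if r["status"] in ("overdue", "eol")}


def summary(results):
    """Count of rows per status."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


if __name__ == "__main__":
    res = assess(SAMPLE_INVENTORY, "2025-06-01")
    for r in res:
        print(f"{r['device']:<10} {r['software']:<16} {r['status']:<9} {r['detail']}")
    print("summary:", summary(res))
    print("failing devices:", sorted(failing_devices(res)))
```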
Cyber Essentials vs Cyber Essentials Plus: Which Level Do You Need?
One of the most common questions organisations have about cyber essentials certification UK is which level to pursue. Both levels assess the same five technical controls, but they differ significantly in how the assessment is conducted, the level of assurance they provide, and their cost.
Cyber Essentials (Basic)
The basic cyber essentials certification involves completing a self-assessment questionnaire (SAQ) through the IASME online portal. The questionnaire asks detailed questions about how your organisation implements each of the five technical controls. Your answers are reviewed by a qualified assessor at a licensed certification body, who evaluates whether your stated practices meet the required standards.
It is important to understand that the basic certification relies on the accuracy and honesty of your self-assessment. The assessor does not log into your systems or test your configuration directly. They may ask follow-up questions or request additional evidence, but the assessment is fundamentally based on what you declare.
Basic cyber essentials is appropriate for organisations that need to demonstrate a baseline commitment to cybersecurity — for example, to meet a supply chain requirement or to display the certification badge. It is also a sensible starting point for organisations that are new to formal cybersecurity frameworks and want to establish good practices before progressing to Plus.
Cyber Essentials Plus
Cyber Essentials Plus builds on the basic certification by adding an independent technical assessment. A qualified assessor visits your organisation (or conducts a remote assessment) and performs a series of hands-on tests to verify that the controls you described in your self-assessment are actually implemented and working correctly.
The Plus assessment typically includes:
- External vulnerability scanning — The assessor scans your internet-facing IP addresses and services to identify vulnerabilities, missing patches, and misconfigurations
- Internal device configuration review — A representative sample of your devices (workstations, laptops, servers, mobile devices) is checked for correct configuration, up-to-date patches, active malware protection, and appropriate user access settings
- Malware protection testing — The assessor may attempt to download test malware files (EICAR test files) or send simulated phishing emails to verify that your malware protection is functioning correctly
- User account and access review — The assessor checks that administrative privileges are appropriately restricted and that MFA is configured where required
Cyber Essentials Plus provides significantly higher assurance than the basic certification because it independently verifies your security posture rather than relying on self-declaration. Many organisations that pass the basic assessment discover issues during the Plus assessment that they were unaware of — a finding that underscores the value of the independent verification.
You must hold a valid Cyber Essentials (basic) certificate before you can undergo the Plus assessment. The Plus assessment must be completed within three months of the basic certificate being issued. Plan both assessments as a single project to avoid delays and duplicated effort.
Which Level Should You Choose?
The right level depends on your specific circumstances. Consider pursuing Cyber Essentials Plus if:
- You handle particularly sensitive data (financial, health, classified information)
- Your clients or partners require or prefer Plus certification
- You want independent assurance that your controls are working, not just documented
- You are bidding for government contracts where Plus is specified
- You want to demonstrate a strong security posture to differentiate yourself in competitive markets
For many organisations, starting with basic cyber essentials certification and progressing to Plus within 12 months is a practical approach. This allows time to identify and address any gaps revealed during the basic assessment process before undergoing the more rigorous Plus evaluation.
Who Needs Cyber Essentials? Scope and Applicability
A common misconception about cyber essentials UK is that it is only relevant to technology companies or large enterprises. In reality, the scheme is designed for organisations of every size and sector. Any organisation that uses computers, email, or the internet in its operations can benefit from — and in many cases, is expected to hold — cyber essentials certification.
Organisations Required to Certify
| Sector | Requirement | Level Required |
|---|---|---|
| Central government suppliers | Mandatory for contracts involving sensitive/personal data | CE minimum, CE Plus often preferred |
| MOD supply chain | Mandatory for most contracts | CE Plus typically required |
| NHS suppliers | Required under NHS Digital DSPT alignment | CE minimum |
| Local authority suppliers | Increasingly required in tenders | CE minimum |
| Legal sector | Recommended by SRA and Law Society | CE minimum, CE Plus recommended |
| Financial services | Expected by FCA-regulated firms | CE Plus recommended |
| Education | Required for DfE-funded programmes | CE minimum |
| Charities | Required for many government grants | CE minimum |
Defining Your Scope
When preparing for cyber essentials certification, one of the first and most important decisions is defining the scope of your assessment. The scope determines which systems, devices, users, and networks are included in the certification.
The current NCSC cyber essentials requirements state that the scope should include:
- All devices that access organisational data or services (including BYOD devices)
- All user accounts (including administrators, standard users, and service accounts)
- All internet-facing services and servers
- All cloud services used by the organisation
- All network equipment (routers, switches, access points, firewalls)
While it is possible to scope a subset of your organisation — for example, certifying only a particular office or business unit — the NCSC has been progressively tightening the scoping rules. The scope must now include all devices and services used to access organisational data, which makes it difficult to exclude significant parts of the business. Attempting to artificially narrow the scope can result in a failed assessment if the assessor determines that relevant systems have been excluded.
The Certification Process: Step by Step
Achieving cyber essentials certification UK follows a structured process. While the exact timeline varies depending on your organisation's size, complexity, and current security posture, the following steps apply to every certification.
Step 1: Define Your Scope
Identify all devices, users, networks, cloud services, and internet-facing systems that will be included in the assessment. Create a comprehensive asset inventory. This step typically takes 1-2 weeks for small businesses and 2-4 weeks for larger organisations.
Step 2: Choose a Certification Body
Select a licensed certification body (also called an assessor or certification partner) from the IASME directory. Your certification body will guide you through the process, provide the self-assessment questionnaire, and evaluate your submission. Consider factors such as sector experience, support levels, and pricing.
Step 3: Conduct a Gap Analysis
Before attempting the assessment, review your current security controls against the five technical requirements. Identify gaps and remediate them before submitting your questionnaire. This is where working with an experienced IT partner like Cloudswitched can save significant time and prevent costly failures.
Step 4: Implement Remediation
Address any gaps identified in the analysis. This may involve updating firewall rules, deploying patches, configuring MFA, removing unnecessary software, tightening user access permissions, or replacing end-of-life systems. Allow 2-6 weeks depending on the number and complexity of issues.
Step 5: Complete the Self-Assessment Questionnaire
Log into the IASME portal and complete the SAQ. Answer every question accurately and comprehensively. Provide supporting evidence where requested. The questionnaire covers all five technical controls and requires detailed knowledge of your IT infrastructure.
Step 6: Assessor Review
Your certification body reviews your submission. They may ask follow-up questions or request additional evidence. If your answers demonstrate compliance, you receive your Cyber Essentials certificate. If issues are identified, you will have the opportunity to remediate and resubmit.
Step 7 (Plus Only): Technical Assessment
For Cyber Essentials Plus, a qualified assessor conducts hands-on testing of your systems. This includes external vulnerability scanning, internal device audits, malware protection testing, and access control verification. Any issues must be remediated before the certificate is issued.
Step 8: Certification Awarded
Upon successful completion, you receive your certificate, your organisation is listed on the NCSC certified organisations directory, and you can use the Cyber Essentials badge. Your certificate is valid for 12 months.
Common Failure Points: Why Organisations Fail Cyber Essentials
Despite the scheme being designed as a baseline standard, a significant number of organisations fail their cyber essentials certification assessment on the first attempt. Understanding the most common failure points can help you avoid them.
1. Unpatched Software
The 14-day patching requirement catches many organisations off guard. It is not enough to have a patching policy — you must demonstrate that all critical and high-severity patches have been applied within 14 days of release across every device in scope. A single unpatched laptop can cause a failure. Common culprits include:
- Third-party applications (Adobe Reader, Java, browser plugins) that are not covered by automatic OS updates
- Firmware on routers, firewalls, and network devices that is rarely updated
- Devices belonging to remote workers that are not regularly connected to patch management systems
- Legacy applications that cannot be updated without breaking compatibility
2. Inadequate User Access Controls
Many organisations struggle with the principle of least privilege. Common failures include:
- Staff using administrator accounts for daily work (email, web browsing, document editing)
- Shared accounts that prevent attribution of actions to individuals
- Former employees' accounts still active weeks or months after departure
- MFA not enabled on cloud services or remote access tools
- Excessive administrator privileges granted "for convenience"
3. Misconfigured Firewalls
Firewall misconfigurations frequently cause failures, particularly:
- Default passwords still in use on firewall appliances
- Inbound rules that are no longer needed but have not been removed
- Host-based firewalls disabled on individual devices
- Remote desktop (RDP) exposed directly to the internet without VPN or additional protection
4. Incomplete Scope Definition
Some organisations fail because they exclude systems that the assessor considers in scope. Cloud services, personal devices used for work (BYOD), and home network equipment used for remote working are all common areas where scope disputes arise.
5. End-of-Life Software
Running software that no longer receives security updates from its vendor is an automatic failure. This includes older versions of Windows (Windows 7, Windows 8.1), outdated versions of macOS, unsupported versions of server operating systems, and legacy applications that have been discontinued by their developers.
Before your assessment, run a vulnerability scan against your own systems. Tools such as Nessus, Qualys, or even the free Microsoft Baseline Security Analyzer can identify unpatched software, misconfigurations, and other issues that would cause a failure. Address these before the assessor finds them.
Preparing for Cyber Essentials: A Practical Checklist
Thorough preparation is the single most important factor in achieving cyber essentials certification efficiently and without costly re-assessments. The following checklist covers the key activities you should complete before submitting your self-assessment questionnaire.
Asset Inventory
Create a comprehensive inventory of every device, user account, software application, and cloud service within your scope. This inventory forms the foundation of your assessment — you cannot secure what you do not know you have. Your inventory should include:
- All desktops, laptops, tablets, and smartphones (including personal devices used for work)
- All servers (physical and virtual, on-premises and cloud-hosted)
- All network equipment (routers, switches, wireless access points, firewalls)
- All cloud services (Microsoft 365, Google Workspace, AWS, Azure, Salesforce, Slack, etc.)
- All software installed on each device, with version numbers
- All user accounts, including admin accounts, service accounts, and shared accounts
Technical Preparation by Control Area
| Control | Preparation Actions | Common Tools |
|---|---|---|
| Firewalls | Audit all firewall rules, remove unnecessary inbound rules, change default passwords, enable host-based firewalls on all devices | pfSense, Windows Firewall, Fortinet, Sophos |
| Secure Configuration | Review and harden OS settings, disable unnecessary services, implement password policies, configure screen lock timeouts | Group Policy, Intune, Jamf, CIS Benchmarks |
| User Access Control | Audit all user accounts, remove leavers, restrict admin privileges, enable MFA on all cloud services | Azure AD, Google Admin, Active Directory |
| Malware Protection | Verify anti-malware is installed and active on all devices, enable real-time scanning, ensure signature updates are automatic | Windows Defender, Sophos, CrowdStrike, Bitdefender |
| Patch Management | Deploy all outstanding patches, remove end-of-life software, enable automatic updates, implement patch monitoring | WSUS, Intune, SCCM, Automox, Patch My PC |
Documentation
While cyber essentials does not require extensive policy documentation in the same way as ISO 27001, you should have clear records of:
- Your asset inventory (as described above)
- Your firewall configuration and rule justifications
- Your user access management processes (joiners, movers, leavers)
- Your patch management schedule and records
- Your BYOD policy (if applicable)
- Your password policy
These records serve two purposes: they ensure you can answer the self-assessment questionnaire accurately, and they provide evidence if the assessor requests additional information.
Choosing a Certification Body
Your choice of certification body can significantly impact your cyber essentials certification UK experience. All certification bodies are licensed by the IASME Consortium to deliver the scheme, but they differ in their sector expertise, support levels, pricing, and approach.
What to Look For
- IASME licence — Verify that the certification body is currently listed on the IASME directory of licensed assessors. Only licensed bodies can issue valid cyber essentials certificates.
- Sector experience — Some certification bodies specialise in particular sectors (healthcare, legal, financial services, defence). Choosing an assessor with experience in your sector means they will understand your specific challenges and regulatory context.
- Support level — Some certification bodies offer a "bare-bones" assessment-only service, while others provide pre-assessment guidance, readiness reviews, and remediation support. If this is your first certification, a more supportive approach may be worthwhile.
- Pricing transparency — Ensure you understand exactly what is included in the quoted price. Some bodies charge separately for follow-up questions, resubmissions, or additional evidence reviews.
- Turnaround time — Ask about expected turnaround times for questionnaire review and certificate issuance. If you have a deadline — for example, a contract tender closing date — factor this into your planning.
Your IT managed service provider (MSP) and your certification body should ideally be separate organisations. While some MSPs are also licensed certification bodies, using the same company for both creates a potential conflict of interest. Having independent certification provides stronger assurance and credibility.
Costs and Timeline: What to Budget
Understanding the full cost of achieving and maintaining cyber essentials certification requires looking beyond the certification fee itself. The total investment includes the assessment fee, any remediation costs, internal staff time, and potentially external consultancy support.
Direct Certification Costs
| Cost Element | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment fee (typical range) | £300 – £500 | £1,500 – £5,000+ |
| IASME fee (included in assessment) | Included | Included |
| Reassessment fee (if initially failed) | £100 – £300 | £500 – £2,000 |
| Annual renewal | £300 – £500 | £1,500 – £5,000+ |
Indirect and Preparation Costs
The preparation costs vary enormously depending on your starting point. An organisation that already has well-managed IT may need only a few hours of review and minor adjustments. An organisation with significant gaps may need to invest in new hardware, software, or professional services.
| Preparation Activity | Estimated Cost Range |
|---|---|
| Gap analysis (internal) | £0 – £500 (staff time) |
| Gap analysis (external consultancy) | £500 – £2,000 |
| Remediation (software patches, configuration changes) | £0 – £5,000 |
| Hardware replacement (end-of-life equipment) | £0 – £10,000+ |
| MFA deployment | £0 – £500 |
| Staff training and awareness | £0 – £1,000 |
| External IT support for preparation | £500 – £5,000 |
Timeline Expectations
Maintaining Your Cyber Essentials Certification
Achieving cyber essentials certification UK is not a one-time event. The certificate is valid for 12 months, after which you must recertify. More importantly, the security controls underpinning the certification must be maintained continuously — not just at renewal time.
Ongoing Maintenance Activities
To maintain compliance with the NCSC cyber essentials requirements throughout the year, your organisation should establish the following ongoing practices:
- Continuous patch management — Monitor for new security updates daily and deploy them within the 14-day window. Automate patching wherever possible.
- Regular access reviews — Conduct quarterly reviews of user accounts and access privileges. Remove or disable accounts for departed staff immediately. Review admin privileges monthly.
- Firewall rule audits — Review firewall configurations quarterly to ensure rules remain necessary and correctly configured. Remove rules that are no longer needed.
- Asset inventory updates — Update your asset inventory whenever devices are added, removed, or replaced. Include new cloud services in scope.
- Malware protection monitoring — Verify that anti-malware is active and up to date on all devices. Check that no devices have had their protection disabled.
- Security awareness training — While not a formal cyber essentials requirement, regular security awareness training for staff supports all five controls by reducing human error.
Preparing for Annual Renewal
Start preparing for your annual renewal at least 8 weeks before your certificate expires. The cyber essentials requirements are updated periodically — the NCSC typically announces changes in January for implementation from April — so you may need to adjust your controls to meet new or modified requirements.
Key steps for renewal preparation:
- Review the latest NCSC cyber essentials requirements document for any changes since your last certification
- Conduct an internal audit against the five controls
- Update your asset inventory and network diagrams
- Verify that all patches are current across all devices
- Confirm that MFA is enabled on all services where it is available
- Review and update your firewall rules
- Ensure all software is within its supported lifecycle
Cyber Essentials and the Broader Cybersecurity Landscape
While cyber essentials certification provides a strong foundation, it is designed as a baseline — not a comprehensive cybersecurity programme. Understanding how it fits into the broader landscape of cybersecurity standards and frameworks will help you build a mature, resilient security posture.
How Cyber Essentials Relates to Other Standards
| Standard/Framework | Scope | Relationship to Cyber Essentials |
|---|---|---|
| ISO 27001 | Comprehensive information security management system | CE provides a subset of ISO 27001 technical controls. Many organisations use CE as a stepping stone to ISO 27001. |
| NIST Cybersecurity Framework | Risk-based framework covering identify, protect, detect, respond, recover | CE covers aspects of the "Protect" function. NIST is broader but not UK-specific. |
| SOC 2 | Trust service criteria for service organisations | CE addresses some security criteria. SOC 2 is broader and includes availability, processing integrity, and privacy. |
| PCI DSS | Payment card data security | CE overlaps with several PCI DSS requirements (firewalls, patching, access control). PCI DSS is sector-specific and more prescriptive. |
| UK GDPR / DPA 2018 | Personal data protection | CE supports Article 32 "appropriate technical measures" requirement. Does not cover organisational measures, DPIAs, or data subject rights. |
| IASME Governance | SME-focused information security standard | Includes Cyber Essentials plus risk management, incident management, and data protection. A natural next step after CE. |
Building Beyond Cyber Essentials
Once you have achieved cyber essentials certification UK, consider these additional steps to strengthen your security posture:
- Incident response planning — Cyber essentials focuses on prevention. You also need a plan for when (not if) an incident occurs. Develop and test an incident response plan that covers detection, containment, eradication, recovery, and lessons learned.
- Backup and recovery — Ensure you have a robust backup strategy with regular testing of restore procedures. The 3-2-1 rule (three copies, two different media, one offsite) remains a solid baseline.
- Security awareness training — Human error remains the single largest factor in successful cyber attacks. Regular, engaging security awareness training — covering phishing, social engineering, password hygiene, and safe browsing — significantly reduces risk.
- Vulnerability management — Move beyond the 14-day patching cycle to continuous vulnerability scanning and prioritised remediation based on risk.
- Network monitoring and detection — Implement monitoring tools that can detect suspicious activity on your network, such as unusual login patterns, data exfiltration attempts, or lateral movement.
- Supply chain security — Assess the cybersecurity posture of your suppliers and partners. Require key suppliers to hold cyber essentials certification as a minimum.
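The "unusual login patterns" mentioned under network monitoring above are easier to reason about with a concrete rule, so here is an added example that is not part of the original page: a small Python detector run over constructed authentication log lines. The log format, field names, IP addresses and thresholds are assumptions chosen for the example. Two rules are implemented: a burst of failures from one source followed by a success for the same user (password guessing that eventually landed), and one user succeeding from more distinct source addresses than expected within an hour.

```python
"""Two login-pattern detections over constructed auth log lines.

Added example for this guide, not the page's own tooling. The log format
"<ISO timestamp> user=<name> src=<ip> result=<success|failure>" and every
value below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse(lines):
    """Return (timestamp, user, src, result) tuples sorted by time; lines that
    do not match the assumed format are skipped rather than crashing the run."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """(user, src, failure_count) where at least `threshold` failures from the
    same source precede a success for that user inside `window`."""
    alerts = []
    recent = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ts, user, src, result in events:
        key = (user, src)
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if result == "failure":
            recent[key].append(ts)
        elif len(recent[key]) >= threshold:
            alerts.append((user, src, len(recent[key])))
            recent[key] = []
    return alerts


def many_sources(events, max_sources=2, window=timedelta(hours=1)):
    """(user, sorted sources) when a user logs in successfully from more than
    `max_sources` distinct addresses within `window`; one alert per user."""
    alerts, alerted = [], set()
    successes = defaultdict(list)  # user -> [(ts, src)] inside the window
    for ts, user, src, result in events:
        if result != "success":
            continue
        successes[user] = [(t, s) for t, s in successes[user] if ts - t <= window]
        successes[user].append((ts, src))
        sources = {s for _, s in successes[user]}
        if len(sources) > max_sources and user not in alerted:
            alerted.add(user)
            alerts.append((user, sorted(sources)))
    return alerts


def detect(lines):
    events = parse(lines)
    return {
        "failures_then_success": failures_then_success(events),
        "many_sources": many_sources(events),
    }


# Constructed sample log: bob is guessed 5 times then succeeds; alice logs in
# from three different addresses in 30 minutes; carol's single typo is benign.
SAMPLE_LOG = [
    "2025-03-10T08:00:01Z user=alice src=203.0.113.5 result=success",
    "2025-03-10T08:05:10Z user=bob src=198.51.100.7 result=failure",
    "2025-03-10T08:05:20Z user=bob src=198.51.100.7 result=failure",
    "2025-03-10T08:05:30Z user=bob src=198.51.100.7 result=failure",
    "2025-03-10T08:05:40Z user=bob src=198.51.100.7 result=failure",
    "2025-03-10T08:05:50Z user=bob src=198.51.100.7 result=failure",
    "2025-03-10T08:06:00Z user=bob src=198.51.100.7 result=success",
    "2025-03-10T08:10:00Z user=alice src=198.51.100.23 result=success",
    "2025-03-10T08:30:00Z user=alice src=192.0.2.44 result=success",
    "2025-03-10T09:00:00Z user=carol src=203.0.113.9 result=failure",
    "2025-03-10T09:00:05Z user=carol src=203.0.113.9 result=success",
    "this line is deliberately malformed and is skipped",
]

if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_LOG).items():
        print(f"{rule}: {hits if hits else 'none'}")
```

Thresholds like five failures or two sources are starting points to tune against your own baseline; the value of writing the rule down is that an alert has a stated reason an incident responder can act on, which is what the "detect" stage of an incident response plan needs.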
The Role of Managed Service Providers in Cyber Essentials
Many UK businesses, particularly small and medium-sized enterprises, rely on managed service providers (MSPs) to manage their IT infrastructure. Understanding the role of your MSP in the cyber essentials certification process is crucial to achieving and maintaining certification.
What Your MSP Should Handle
If you work with an MSP like Cloudswitched, your provider should be actively supporting the technical controls required for cyber essentials:
- Patch management — Your MSP should be deploying security updates across your managed devices within the 14-day requirement. They should have automated tools and processes to track patch compliance across your entire estate.
- Firewall configuration — Your MSP should manage and maintain your firewall rules, ensuring that default passwords are changed, unnecessary rules are removed, and configurations are documented.
- User access management — Your MSP should support your joiner/mover/leaver processes, ensuring that accounts are created, modified, and disabled promptly. They should help enforce MFA and manage admin privileges.
- Malware protection — Your MSP should deploy, monitor, and maintain anti-malware software across all managed devices.
- Secure configuration — Your MSP should implement and maintain hardened device configurations aligned with the NCSC cyber essentials requirements.
Shared Responsibility
Even with an MSP managing your IT, the certification is ultimately your responsibility as the applicant organisation. You remain accountable for:
- Accurately defining the scope of your assessment
- Ensuring that your MSP's services meet the cyber essentials requirements
- Managing aspects of user access that are within your control (such as reporting leavers promptly)
- Completing the self-assessment questionnaire (your MSP can help, but you sign it)
- Maintaining the controls between certifications
Ask your MSP whether they hold Cyber Essentials certification themselves. An MSP that has gone through the certification process understands the requirements first-hand and is better positioned to support your own certification journey. At Cloudswitched, we maintain our own Cyber Essentials Plus certification and use this experience to guide our clients.
Recent and Upcoming Changes to Cyber Essentials
The NCSC cyber essentials scheme is regularly updated to reflect the evolving threat landscape and changes in technology. Staying aware of these updates is essential for both new applicants and organisations preparing for renewal.
Key Recent Updates
- Enhanced MFA requirements — Multi-factor authentication is now required for all cloud services and administrative accounts where available. The acceptable MFA methods have been specified, with SMS-based OTP being discouraged in favour of app-based authenticators or hardware security keys.
- Cloud services in scope — The requirements now explicitly include cloud services (IaaS, PaaS, SaaS) within the scope of certification. Organisations must demonstrate that their cloud configurations meet the five controls, including secure configuration, access management, and patch management for cloud-hosted resources.
- Home working — The scheme now explicitly addresses home and remote working scenarios. Devices used for work outside the office must meet all the same requirements as office-based devices, including firewall protection and patch management.
- BYOD clarification — Bring Your Own Device arrangements are now clearly within scope if the devices access organisational data or services. Organisations using BYOD must demonstrate appropriate controls over these devices.
- Thin clients and virtual desktops — Guidance has been updated to clarify how thin clients, virtual desktop infrastructure (VDI), and similar technologies are assessed under the scheme.
- Password requirements — The minimum password length remains 8 characters, but the NCSC now explicitly recommends three-random-word passphrases and discourages complexity requirements (uppercase, numbers, special characters) that lead to predictable patterns.
What to Expect Going Forward
Based on the trajectory of the scheme and the NCSC's published guidance, organisations should anticipate further strengthening of requirements in areas including:
- Stronger MFA requirements, potentially mandating phishing-resistant methods for high-risk accounts
- More granular cloud security requirements as cloud adoption continues to grow
- Greater emphasis on supply chain security
- Potential integration with the NCSC's broader Cyber Assessment Framework (CAF) for certain sectors
Cyber Essentials for Specific Sectors
While the cyber essentials requirements are universal, their practical application varies by sector. Here is sector-specific guidance for some of the most common industries pursuing cyber essentials certification UK.
Legal Sector
Law firms handle extremely sensitive client data, and the Solicitors Regulation Authority (SRA) strongly recommends cyber essentials certification. The Law Society has also endorsed the scheme. Key considerations for legal firms include securing case management systems, client portals, document management systems, and email communications. Many law firms find that the user access control requirements are particularly challenging due to the common practice of sharing administrative access across partners.
Healthcare
NHS trusts and healthcare providers are increasingly required to demonstrate compliance with the Data Security and Protection Toolkit (DSPT), which aligns closely with cyber essentials. Medical devices connected to the network, patient record systems, and remote consultation platforms all fall within scope. The challenge in healthcare is often the presence of legacy medical devices running outdated operating systems that cannot be patched.
Financial Services
FCA-regulated firms are expected to implement robust cybersecurity measures, and cyber essentials certification is widely regarded as a minimum baseline. Financial services firms should pay particular attention to access controls around trading systems, client account management, and payment processing. Many firms pursue Cyber Essentials Plus to provide the higher level of assurance expected by regulators and clients.
Construction and Engineering
Construction firms bidding for public sector infrastructure projects increasingly need cyber essentials UK certification. The challenge in this sector is often the highly distributed workforce, extensive use of personal devices on job sites, and the need to share project information with multiple subcontractors and partners.
Education
Schools, colleges, and universities are frequent targets for cyber attacks. The Department for Education requires cyber essentials certification for certain funded programmes. Educational institutions face unique challenges including large numbers of users with varying technical abilities, BYOD policies for students, and the need to balance openness with security.
Frequently Asked Questions About Cyber Essentials
Based on our experience supporting hundreds of UK businesses through the cyber essentials certification process, here are the questions we are asked most frequently.
How long does the certification process take?
For a well-prepared small business, the entire process from start to certificate can take as little as 2-3 weeks. For larger organisations or those with significant gaps to address, allow 6-12 weeks for basic certification and 8-16 weeks for Plus. The key variable is the time needed for preparation and remediation — the assessment itself is relatively quick.
Can I certify only part of my organisation?
The current NCSC cyber essentials scoping rules require that you include all devices, users, and services that access organisational data. While you can define a sub-scope for a particular business unit or location, you cannot exclude devices or services that are used to access the same data as those in scope. The assessor will challenge overly narrow scoping.
What happens if I fail the assessment?
If your self-assessment or Plus assessment reveals non-compliance, you will receive feedback identifying the specific areas that need attention. You can then remediate the issues and resubmit. Most certification bodies offer one or more resubmission opportunities within the original fee, but this varies — check with your chosen body before starting.
Do I need Cyber Essentials if I already have ISO 27001?
ISO 27001 is a more comprehensive standard that covers many of the same areas as cyber essentials and more. However, they are separate certifications with different governance. Some government contracts specifically require cyber essentials certification — ISO 27001 alone may not satisfy this requirement. The good news is that if you already hold ISO 27001, achieving cyber essentials should be straightforward.
Is Cyber Essentials relevant if I only use cloud services?
Yes. Cloud services are explicitly within scope for cyber essentials UK certification. If your organisation uses cloud-based email, file storage, applications, or infrastructure, these services must be configured securely, access must be appropriately controlled, and you must ensure they are kept up to date. The devices used to access cloud services (laptops, tablets, phones) are also in scope.
What is the difference between IASME Governance and Cyber Essentials?
IASME Governance is a broader information security standard that includes cyber essentials as a component. It adds risk management, incident management, data protection, and other management controls. It is designed for SMEs that want to go beyond the technical baseline of cyber essentials without the full complexity and cost of ISO 27001.
Can my MSP complete the assessment on my behalf?
Your MSP can help you prepare for the assessment and can provide technical information needed to complete the questionnaire. However, the self-assessment must be completed and signed by an authorised representative of your organisation — not your MSP. For the Plus assessment, the assessor will need access to your actual systems and devices, which your MSP can facilitate.
How Cloudswitched Supports Your Cyber Essentials Journey
As a London-based UK IT managed service provider with deep expertise in cybersecurity, Cloudswitched has guided organisations of all sizes through the cyber essentials certification process. Our approach combines technical expertise with practical business understanding to make the certification journey as smooth and efficient as possible.
Our Cyber Essentials Support Services
- Readiness assessment — We conduct a thorough review of your current IT environment against the five NCSC cyber essentials technical controls, identifying gaps and providing a clear remediation roadmap with priorities and timelines.
- Technical remediation — Our engineers implement the required changes to bring your systems into compliance, including firewall configuration, patch deployment, MFA setup, user access restructuring, and secure configuration hardening.
- Assessment support — We help you navigate the self-assessment questionnaire, ensuring that your answers accurately reflect your environment and meet the assessor's expectations. For Plus assessments, we prepare your systems for the technical evaluation.
- Ongoing management — Through our managed IT services, we maintain continuous compliance with the cyber essentials requirements, including automated patch management, access reviews, firewall monitoring, and malware protection.
- Annual renewal preparation — We proactively prepare for your annual recertification, ensuring that any changes to the requirements or your IT environment are addressed well before your certificate expiry date.
Why Organisations Choose Cloudswitched
Our clients choose us for cyber essentials certification UK support because we combine:
- Deep understanding of the NCSC cyber essentials scheme from years of supporting certifications across multiple sectors
- London-based team with UK-wide remote support capability
- Experience across regulated sectors including legal, financial services, healthcare, and government supply chains
- A managed service approach that maintains certification year-round, not just at renewal time
- Clear, fixed pricing with no hidden costs
- Proven track record of first-time pass rates significantly above the industry average
Taking the Next Step Towards Certification
Achieving cyber essentials certification is one of the most impactful steps any UK organisation can take to protect itself against cyber threats, comply with government requirements, and demonstrate security competence to customers and partners. The five technical controls — firewalls, secure configuration, user access control, malware protection, and patch management — provide a solid foundation that prevents the vast majority of common attacks.
Whether you are pursuing certification for the first time, preparing for your annual renewal, or considering the step up from basic to Plus, the key to success is preparation, expertise, and ongoing commitment to maintaining your security posture.
The threat landscape continues to evolve, and the NCSC cyber essentials scheme evolves with it. What remains constant is the fundamental principle: getting the basics right protects you against the vast majority of attacks. With the right support and a structured approach, any UK organisation can achieve and maintain cyber essentials certification UK — and build from that foundation towards a comprehensive, resilient cybersecurity strategy.
Do not wait until a breach occurs or a contract opportunity is missed. Start your cyber essentials journey today and take control of your organisation's cybersecurity posture.
Ready to Achieve Cyber Essentials Certification?
Cloudswitched provides end-to-end support for Cyber Essentials and Cyber Essentials Plus certification. From readiness assessments to technical remediation and ongoing managed compliance, our London-based cybersecurity team ensures you achieve certification efficiently and maintain it year-round. Book a free consultation to discuss your requirements.
