
Cyber Essentials Certification: A Complete Guide for UK Businesses


What Is Cyber Essentials?

Cyber Essentials is a UK government-backed cybersecurity certification scheme designed to help organisations protect themselves against the most common cyber threats. Launched by the UK government in 2014, and now owned by the National Cyber Security Centre (NCSC) and delivered through its partner IASME, it provides a clear, practical framework that any organisation, from sole traders to large enterprises, can implement to significantly reduce its risk of cyberattack.

The scheme focuses on five key technical controls that, when properly implemented, can prevent the vast majority of commodity-level cyberattacks. It’s not about achieving perfect security; it’s about getting the fundamentals right and demonstrating to clients, partners, and regulators that your organisation takes cybersecurity seriously.

  • 39% of UK businesses identified a cyberattack in the last 12 months
  • £4,200 average cost of a cyber breach for small UK businesses
  • 80% of attacks preventable with Cyber Essentials controls
  • 38,000+ UK organisations currently Cyber Essentials certified

These statistics paint a stark picture: cyber threats are not a hypothetical risk for UK businesses — they are a daily reality. Cyber Essentials exists precisely to address this gap between the threat landscape and the baseline security posture of most organisations.

Who Needs Cyber Essentials Certification?

While any organisation can benefit from Cyber Essentials, certain businesses have a stronger imperative — or even a legal requirement — to obtain certification:

Mandatory Requirements

  • Government suppliers: Since 2014, Cyber Essentials certification has been mandatory for all suppliers bidding for UK government contracts that involve handling sensitive or personal information, or providing certain technical products and services.
  • Ministry of Defence (MoD) contracts: The MoD requires at least Cyber Essentials across its supply chain under DEFCON 658, with Cyber Essentials Plus (the higher-level certification) for higher-risk contracts.
  • NHS Digital suppliers: Healthcare technology providers working with NHS trusts are increasingly required to hold Cyber Essentials certification.

Strongly Recommended

  • Financial services firms: FCA-regulated organisations benefit from demonstrating baseline cybersecurity controls to regulators and clients.
  • Legal practices: The Solicitors Regulation Authority (SRA) and the Law Society strongly recommend Cyber Essentials for all law firms.
  • Education providers: Schools, academies, and universities handling student data should demonstrate adequate cybersecurity measures.
  • Healthcare organisations: Beyond NHS suppliers, any organisation handling patient data benefits from the structured approach Cyber Essentials provides.
  • Any business handling personal data: If you process personal data under UK GDPR, Cyber Essentials demonstrates a commitment to appropriate technical measures as required by Article 32.
Pro Tip

Even if Cyber Essentials isn’t mandatory for your sector, holding certification can be a powerful differentiator in competitive tenders. Many private-sector organisations now require their suppliers to be Cyber Essentials certified, mirroring the government’s approach. Getting certified before it becomes a requirement in your industry puts you ahead of the curve.

Cyber Essentials vs Cyber Essentials Plus

The scheme offers two levels of certification. Understanding the difference is crucial for deciding which level is right for your organisation.

Cyber Essentials (basic): £300 – £500 + VAT, self-assessment
  • Self-assessed online questionnaire, verified by a licensed assessor
  • Covers the five core technical controls
  • Certificate valid for 12 months
  • Free cyber liability insurance (up to £25,000) for UK-domiciled organisations with turnover under £20 million that certify their whole organisation
  • Use of the Cyber Essentials badge
  • No hands-on technical testing, vulnerability scanning or penetration testing

Cyber Essentials Plus: the same five controls, but the certification body also tests them hands-on on a sample of your devices and cloud services (see the cost and timeline table and the technical audit phase below).
Important Note

To achieve Cyber Essentials Plus, you must first hold a valid Cyber Essentials (basic) certificate. The Plus assessment must be completed within three months of the basic certification. Plan your timeline accordingly to avoid having to re-do the basic assessment.

The Five Technical Controls Explained

At the heart of Cyber Essentials are five technical controls. These aren’t arbitrary requirements — they represent the fundamental security measures that, together, protect against the most common attack vectors used by cybercriminals targeting UK organisations.

1. Firewalls & Internet Gateways

Firewalls act as the boundary between your internal network and the outside world. They control what traffic is allowed in and out, blocking unauthorised access while permitting legitimate communications.

Key requirements:

  • All devices that connect to the internet must be protected by a correctly configured firewall: a boundary firewall for the office network, and the device's own software firewall when it is used on home or public networks
  • Default firewall passwords must be changed to something strong and unique
  • The firewall's administrative interface must not be reachable from the internet unless there is a documented business need and it is protected by MFA or restricted to trusted IP addresses
  • Firewall rules must be documented, justified by a business need and reviewed regularly; rules that are no longer needed must be removed
  • Unnecessary ports and services must be blocked or disabled
  • Host-based firewalls should be enabled on individual devices, especially laptops that connect to external networks

2. Secure Configuration

Computers and network devices are often shipped with default settings that prioritise ease of use over security. Secure configuration means adjusting these settings to reduce vulnerabilities.

Key requirements:

  • Remove or disable unnecessary software, services, and user accounts
  • Change all default passwords before deployment
  • Disable auto-run features for removable media
  • Configure devices to lock after a period of inactivity
  • Ensure only necessary applications are installed

3. User Access Control

Controlling who has access to your systems — and what level of access they have — is fundamental to security. The principle of least privilege should guide your approach.

Key requirements:

  • Each user must have their own unique credentials
  • Administrative accounts must only be used for administrative tasks
  • Password-based authentication must be protected against brute forcing (throttling, or locking the account after no more than 10 failed attempts) and must meet one of the scheme's three options: at least 8 characters where MFA is also in use; at least 12 characters with no maximum length where it is not; or at least 8 characters combined with a deny list that blocks common passwords
  • Multi-factor authentication (MFA) must be used for all accounts on cloud services where the service supports it, and always for administrator accounts
  • User accounts must be removed or disabled when no longer needed
  • Access permissions must be reviewed regularly and granted on a need-to-know basis

4. Malware Protection

Malware — including viruses, ransomware, spyware, and trojans — remains one of the most prevalent threats to UK businesses. Effective malware protection requires multiple layers of defence.

Key requirements:

  • Anti-malware software must be installed on all in-scope devices
  • Anti-malware must be kept up to date (automatic updates enabled)
  • Anti-malware must be configured to scan files on access, scan web pages during browsing, and perform regular full scans
  • Alternatively, application allow-listing (only approved applications are permitted to run) can fulfil this control; sandboxing was removed as an option in version 3.1 of the requirements
  • Users must be prevented from installing unapproved software

5. Security Update Management (Patch Management)

Software vulnerabilities are discovered constantly. Vendors release patches to fix them, but those patches only protect you if they’re actually applied. Timely patching is one of the most effective security measures any organisation can take.

Key requirements:

  • All software must be licensed and supported (no end-of-life software in scope)
  • Updates that fix vulnerabilities rated critical or high (CVSS v3 base score 7.0 or above) must be applied within 14 days of release
  • Automatic updates should be enabled where possible
  • Unsupported software must be removed or isolated from the network
  • A process must exist to identify and respond to new vulnerabilities

Control Difficulty Ratings

Based on our experience helping UK businesses achieve certification, here’s how each control typically rates in terms of implementation difficulty:

Firewalls & Internet Gateways 55%
Secure Configuration 70%
User Access Control 60%
Malware Protection 40%
Security Update Management 75%

Malware protection tends to be the easiest to implement — most organisations already have antivirus in place. Security update management and secure configuration are typically the most challenging, especially for organisations with legacy systems, BYOD policies, or large device estates.

The Business Case: Why Cyber Essentials Matters

Beyond compliance, Cyber Essentials delivers tangible business benefits that justify the investment many times over.

Breach Reduction by Attack Type

Estimated reduction in successful attacks once the five controls are in place, by threat type (Cloudswitched's estimates):

  • Phishing attacks: 72%
  • Ransomware: 85%
  • Unauthorised access: 78%
  • Malware infections: 90%
  • Data exfiltration: 65%
  • Denial of service: 58%

These figures are estimates rather than measured outcomes, but the pattern follows from what the controls do: ransomware and malware infections, two of the most costly and disruptive threats facing UK businesses, see the greatest reduction because timely patching, malware protection and least-privilege access remove the footholds they depend on.

Additional Business Benefits

  • Win more contracts: Many public and private sector tenders now require or prefer Cyber Essentials-certified suppliers.
  • Insurance advantages: Basic Cyber Essentials includes free cyber liability insurance (up to £25,000) for eligible organisations with turnover under £20 million that certify their whole organisation, and many insurers offer preferential rates to certified organisations.
  • GDPR alignment: The controls map closely to the technical measures expected under UK GDPR Article 32, supporting your data protection compliance posture.
  • Customer confidence: The Cyber Essentials badge signals to customers that you take their data security seriously.
  • Supply chain assurance: Certification demonstrates to partners and vendors that you won’t be the weak link in their supply chain.
  • Structured improvement: The annual recertification process drives continuous improvement in your security practices.

Cost & Timeline Breakdown

Understanding the investment required helps you plan effectively. Costs vary depending on your organisation’s size, complexity, and current security maturity.

Item | Cyber Essentials | Cyber Essentials Plus
IASME assessment fee | £300 – £500 | £1,500 – £5,000+
Typical consultancy support | £500 – £2,000 | £2,000 – £8,000
Remediation costs (if needed) | £0 – £5,000 | £1,000 – £10,000
Total estimated investment | £800 – £7,500 | £4,500 – £23,000
Preparation time | 1 – 4 weeks | 4 – 12 weeks
Assessment duration | 1 – 3 business days | 1 – 5 business days
Certificate validity | 12 months | 12 months
Assessment method | Online self-assessment questionnaire | On-site or remote technical audit
Assessor involvement | Questionnaire review only | Hands-on testing and verification
Pro Tip

For small businesses with fewer than 50 employees and relatively simple IT environments, the total cost of basic Cyber Essentials (including any minor remediation) is often under £1,500. That’s a remarkably cost-effective way to significantly improve your security posture and unlock new business opportunities.

Step-by-Step Certification Process

Whether you’re pursuing basic Cyber Essentials or Cyber Essentials Plus, following a structured process maximises your chances of first-time success.

Phase 1: Preparation & Scoping

Timeline: 1–2 weeks

  1. Define your scope: Identify all devices, software, and services that connect to the internet or handle business data. This includes desktops, laptops, tablets, phones, servers, routers, firewalls, cloud services, and any BYOD devices used for work.
  2. Conduct a gap analysis: Compare your current security posture against the five technical controls. Identify areas where you already comply and areas that need work.
  3. Choose your certification body: Select a certification body licensed by IASME, the NCSC's delivery partner for the scheme. IASME publishes the full list of licensed certification bodies on its website.
  4. Assign responsibility: Designate a project lead who will coordinate the certification effort. This should be someone with sufficient authority to implement changes and access to relevant IT systems.

Phase 2: Remediation & Implementation

Timeline: 1–8 weeks (depending on current maturity)

  1. Address firewall configuration: Review and document all firewall rules. Close unnecessary ports. Change default credentials. Enable host-based firewalls on all endpoints.
  2. Harden device configurations: Remove unnecessary software and services. Disable auto-run. Configure screen lock timeouts. Document your standard build configurations.
  3. Strengthen access controls: Implement unique user accounts. Enforce password policies. Enable MFA on all cloud services and admin accounts. Review and remove unnecessary access rights.
  4. Deploy malware protection: Ensure anti-malware is installed, up to date, and correctly configured on all in-scope devices. Enable real-time scanning and automatic updates.
  5. Establish patch management: Create a process for identifying and applying security updates. Remove or isolate any end-of-life software. Enable automatic updates where feasible.

Phase 3: Self-Assessment (Cyber Essentials Basic)

Timeline: 1–3 business days

  1. Complete the online questionnaire: Log into the IASME assessment portal and answer questions about your implementation of each control. Be thorough and accurate — the assessor will review your responses carefully.
  2. Provide supporting evidence: While basic Cyber Essentials doesn’t require extensive documentation, be prepared to clarify or provide additional detail if the assessor requests it.
  3. Assessor review: Your certification body reviews the questionnaire. They may come back with questions or requests for clarification.
  4. Certification decision: If everything meets the standard, you receive your Cyber Essentials certificate, valid for 12 months.

Phase 4: Technical Audit (Cyber Essentials Plus Only)

Timeline: 1–5 business days (must be completed within 3 months of basic certification)

  1. Schedule the audit: Coordinate with your certification body for on-site or remote testing. Agree the device sample (the assessor selects a sample of each device type and operating system in scope) and make sure each sampled device is available with a user present.
  2. External vulnerability scan: The assessor scans your internet-facing IP addresses and services. A vulnerability scored CVSS 7.0 or above, or an administrative interface exposed to the internet without MFA or IP allow-listing, is a fail.
  3. Internal authenticated vulnerability scan: Sampled devices are scanned with credentials for security updates older than 14 days and for unsupported software.
  4. Malware protection tests: The assessor downloads a set of test files through the browser and sends them as email attachments to each sampled device, checking that they are blocked or quarantined.
  5. MFA configuration test: The assessor confirms that MFA is enforced on your in-scope cloud services for administrator and standard user accounts.
  6. Account separation test: The assessor checks that standard user accounts cannot perform administrative actions and that administrator accounts are not used for day-to-day work such as email and web browsing.
  7. Report and certification: The assessor documents findings. If you pass, you receive your Cyber Essentials Plus certificate.
Important Note

The January 2022 update to the Cyber Essentials requirements (version 3.0, "Evendine") brought cloud services, home working, multi-factor authentication and thin clients explicitly into scope; version 3.1 ("Montpellier", April 2023) refined those requirements and removed sandboxing as a malware-protection option. Make sure you're working from the current version of the requirements when preparing for assessment. The NCSC and IASME update the scheme periodically to reflect the evolving threat landscape.

Common Failures & How to Avoid Them

Having supported numerous UK businesses through the certification process, Cloudswitched has identified the most common pitfalls that lead to assessment failures. Here’s what to watch out for — and how to avoid each one.

1. Incomplete or Inaccurate Scoping

The problem: Organisations frequently underestimate their scope, forgetting about cloud services, BYOD devices, remote workers’ home routers, or legacy systems that still connect to the network.

The fix: Conduct a thorough asset inventory before starting. Include every device and service that touches your network or handles business data. If a personal device is used to access work email, it’s in scope. If a cloud service stores business data, it’s in scope.

2. Failing to Enforce MFA

The problem: Since the 2022 requirements update, multi-factor authentication is mandatory for cloud services and administrator accounts. Many organisations still haven’t enabled MFA on all qualifying accounts.

The fix: Audit every cloud service you use — Microsoft 365, Google Workspace, CRM systems, accounting software, file-sharing platforms. Enable MFA on all of them. Don’t forget admin accounts on firewalls, switches, and other infrastructure.
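The audit described above, together with the user access control requirements earlier on this page (unique accounts, MFA, prompt removal of leavers, regular access reviews), is easier to repeat quarterly as a script than by eye. The following is an added example, not code from the original article or from Cloudswitched. It reads a constructed CSV export of user accounts (the column names are assumptions; map your identity provider's export onto them), joins it with a leavers list from HR, and reports leavers still enabled, admin and user accounts without MFA, generic mailboxes used as shared logins, and dormant accounts. The 90-day dormancy threshold and the list of generic local parts are choices of this example, not scheme requirements.

```python
from __future__ import annotations

import csv
import io
from datetime import date, datetime

# Constructed sample export; not a real tenant. Column names are assumptions:
# map your identity provider's export (Microsoft 365, Google Workspace, ...)
# onto them before running this against real data.
USERS_CSV = """\
username,enabled,roles,mfa_registered,last_sign_in
alice@example.co.uk,true,Global Administrator,true,2024-03-18
bob@example.co.uk,true,,false,2024-03-19
carol@example.co.uk,true,Exchange Administrator,false,2024-03-15
dave@example.co.uk,true,,true,2023-10-02
reception@example.co.uk,true,,true,2024-03-19
erin@example.co.uk,false,,false,2023-12-01
"""

# Constructed leavers list; in practice this comes from HR.
LEAVERS = {"dave@example.co.uk", "erin@example.co.uk"}

# Local parts that indicate a generic mailbox being used as a shared login
# (assumed naming convention; adjust to your own).
GENERIC_LOCAL_PARTS = {"reception", "info", "sales", "accounts"}

DORMANT_DAYS = 90  # assumed threshold for "no longer needed"; not set by the scheme


def _parse_bool(s: str) -> bool:
    return s.strip().lower() in {"true", "yes", "1"}


def _parse_date(s: str) -> date | None:
    s = s.strip()
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None


def review_accounts(csv_text: str, leavers: set[str], today: date) -> list[tuple[str, str]]:
    """Return (account, finding) pairs for every enabled account that would
    trip the access-control or MFA requirements described above."""
    findings: list[tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"].strip()
        if not _parse_bool(row["enabled"]):
            continue  # already disabled; delete it on the normal schedule, not a finding here
        is_admin = bool(row["roles"].strip())
        mfa = _parse_bool(row["mfa_registered"])
        last_sign_in = _parse_date(row["last_sign_in"])

        if user in leavers:
            findings.append((user, "leaver still enabled"))
        if not mfa:
            findings.append((user, "admin account without MFA" if is_admin else "no MFA registered"))
        if user.split("@", 1)[0].lower() in GENERIC_LOCAL_PARTS:
            findings.append((user, "generic mailbox used as a shared login"))
        if last_sign_in is None or (today - last_sign_in).days > DORMANT_DAYS:
            findings.append((user, f"dormant: no sign-in for over {DORMANT_DAYS} days"))
    return findings


def review_sample() -> list[tuple[str, str]]:
    """Run the review over the constructed export as at a fixed date."""
    return review_accounts(USERS_CSV, LEAVERS, date(2024, 3, 20))


if __name__ == "__main__":
    for account, finding in review_sample():
        print(f"{account:28} {finding}")
```

Run it against a fresh export each quarter and keep the output with your access-review records; an empty result is the evidence the assessor will ask about.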

3. Running Unsupported Software

The problem: End-of-life operating systems (like Windows 8.1) and unsupported applications are an automatic fail. Even one device running unsupported software can sink your assessment.

The fix: Audit all devices for software versions. Upgrade or replace anything that’s no longer receiving security updates. If you absolutely cannot upgrade a system, isolate it from the network entirely and exclude it from scope — but be prepared to justify this to the assessor.

4. Missing Critical Patches

The problem: The 14-day patching window for critical and high-severity updates catches many organisations off guard, particularly those without automated patch management.

The fix: Enable automatic updates on all devices where feasible. For systems that require manual patching, establish a weekly review process. Use a patch management tool to track compliance across your estate. Pay particular attention to third-party software (browsers, PDF readers, Java) which is often overlooked.
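Tracking the 14-day window across an estate is easier with a script than a spreadsheet. The following added example, not code from the original article or from Cloudswitched, applies the security update management control described earlier on this page to a constructed inventory: one row per host and product with the installed version, the version that fixes the open advisory, its CVSS v3 score and release date, and the vendor's end-of-support date (the field names and every sample value are assumptions). It flags unsupported software, fixes for CVSS 7.0+ vulnerabilities that are past or approaching the 14-day deadline, and lower-severity updates that are available but fall outside the hard requirement.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as described above: fixes for vulnerabilities rated critical or
# high (CVSS v3 base score 7.0 or above) must be applied within 14 days of
# release, and software past its vendor support date is an automatic fail.
PATCH_WINDOW_DAYS = 14
HIGH_SEVERITY_CVSS = 7.0


@dataclass
class SoftwareItem:
    """One inventory row. Field names are assumptions; populate them from
    your patch-management or RMM tool's export."""
    host: str
    product: str
    installed: str             # installed version string
    fixed: str | None          # version that resolves the open advisory, or None
    cvss: float | None         # CVSS v3 base score of that advisory, if the vendor gives one
    released: date | None      # date the fix was published
    support_ends: date | None  # vendor end-of-support date; None means still supported


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric comparison of dotted versions so that "10.0.9" < "10.0.10"."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_patches(inventory: list[SoftwareItem], today: date) -> list[tuple[str, str, str]]:
    """Return (host, product, finding) for every row that fails, or is about
    to fail, the security update management control."""
    findings: list[tuple[str, str, str]] = []
    for item in inventory:
        if item.support_ends is not None and item.support_ends <= today:
            findings.append((item.host, item.product, f"UNSUPPORTED: vendor support ended {item.support_ends}"))
            continue
        if item.fixed is None or parse_version(item.installed) >= parse_version(item.fixed):
            continue  # nothing outstanding for this row
        if item.cvss is None or item.cvss < HIGH_SEVERITY_CVSS or item.released is None:
            # Still worth applying, but outside the 14-day hard requirement.
            # (If the vendor gives no score but calls the fix critical/high, treat it as 7.0+.)
            findings.append((item.host, item.product,
                             f"update available ({item.installed} -> {item.fixed}), not in the 14-day window"))
            continue
        deadline = item.released + timedelta(days=PATCH_WINDOW_DAYS)
        overdue_by = (today - deadline).days
        if overdue_by > 0:
            findings.append((item.host, item.product,
                             f"OVERDUE by {overdue_by} days: CVSS {item.cvss} fix released {item.released}"))
        else:
            findings.append((item.host, item.product,
                             f"due by {deadline}: CVSS {item.cvss} fix released {item.released}"))
    return findings


# Constructed sample inventory; hosts, versions, scores and dates are illustrative only.
SAMPLE_INVENTORY = [
    SoftwareItem("LAPTOP-01", "Web browser", "118.0.1", "118.0.2", 8.8, date(2024, 3, 1), None),
    SoftwareItem("LAPTOP-02", "Web browser", "118.0.2", "118.0.2", 8.8, date(2024, 3, 1), None),
    SoftwareItem("PC-07", "PDF reader", "23.1", "23.2", 9.8, date(2024, 3, 10), None),
    SoftwareItem("PC-07", "Windows 8.1", "6.3", None, None, None, date(2023, 1, 10)),
    SoftwareItem("SRV-01", "Database server", "14.2", "14.3", 5.3, date(2024, 2, 1), None),
]


def audit_sample() -> list[tuple[str, str, str]]:
    """Run the audit over the constructed inventory as at a fixed date."""
    return audit_patches(SAMPLE_INVENTORY, date(2024, 3, 20))


if __name__ == "__main__":
    for host, product, finding in audit_sample():
        print(f"{host:10} {product:16} {finding}")
```

The "due by" rows are the ones to act on in the weekly review: by the time a row reads OVERDUE you are already non-compliant, and the unsupported row is a fail on its own regardless of patch state.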

5. Poor Password Policies

The problem: Weak password requirements, shared credentials, or failure to change default passwords on devices and applications.

The fix: Implement one of the scheme's three password options, enforced by technical controls rather than by policy text alone: at least 8 characters where MFA is also in use; at least 12 characters with no maximum length where it is not; or at least 8 characters combined with a deny list that blocks common passwords. Add brute-force protection (throttling, or lockout after no more than 10 failed attempts). Better yet, pair MFA with passphrases built from three random words, as the NCSC recommends. Use a password manager. Never share credentials between users. Audit all devices for default passwords and change every one before it goes into service.
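The password options above are easy to get subtly wrong when they only exist as policy text, so here they are as code. This is an added example, not code from the original article or from Cloudswitched: `password_acceptable` applies the three options plus a deny list (the deny list contents, and the normalisation that strips trailing digits and symbols so that "Summer24!" matches "summer", are this example's own choices and are stricter than the scheme minimum), and `LoginGuard` implements the lockout-after-ten-failures half of the requirement.

```python
from __future__ import annotations

# Thresholds as described above for password-based authentication:
# one of the three quality options must be met, and no more than ten
# failed guesses may be allowed before the account is locked or throttled.
MIN_LEN_WITH_MFA = 8
MIN_LEN_NO_MFA = 12
MIN_LEN_WITH_DENY_LIST = 8
MAX_FAILED_ATTEMPTS = 10

# Constructed deny list of base words. In production load a real list
# (common passwords plus the default passwords of every device you own)
# rather than this handful.
DENY_LIST = {"password", "admin", "letmein", "qwerty", "welcome", "changeme", "summer", "winter"}


def _normalise(password: str) -> str:
    """Lower-case and strip trailing digits/symbols so that "Summer24!"
    and "Password123" match their base words on the deny list."""
    return password.lower().rstrip("0123456789!@#$%^&*.-_")


def password_acceptable(password: str, mfa_enabled: bool,
                        deny_list: set[str] = DENY_LIST) -> tuple[bool, str]:
    """Decide whether a password meets the scheme's options, returning
    (accepted, reason). The deny list is applied in every case here, which
    is stricter than the minimum: default and common passwords must be
    changed regardless of length or MFA."""
    base = _normalise(password)
    if base in deny_list:
        return False, f"on deny list ('{base}')"
    n = len(password)
    if mfa_enabled and n >= MIN_LEN_WITH_MFA:
        return True, "8+ characters with MFA"
    if n >= MIN_LEN_NO_MFA:
        return True, "12+ characters"
    if n >= MIN_LEN_WITH_DENY_LIST:
        return True, "8+ characters, checked against deny list"
    return False, f"too short ({n} characters)"


class LoginGuard:
    """Lock an account after MAX_FAILED_ATTEMPTS consecutive failures.
    (Throttling to 10 guesses per 5 minutes is the scheme's alternative.)"""

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS) -> None:
        self.max_failed = max_failed
        self.failed: dict[str, int] = {}
        self.locked: set[str] = set()

    def attempt(self, user: str, credential_ok: bool) -> str:
        """Returns "ok", "denied" or "locked". A correct password never
        unlocks a locked account; that needs an administrative reset."""
        if user in self.locked:
            return "locked"
        if credential_ok:
            self.failed.pop(user, None)
            return "ok"
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= self.max_failed:
            self.locked.add(user)
            return "locked"
        return "denied"


if __name__ == "__main__":
    for pw, mfa in [("Summer24!", True), ("Kettle#77", False), ("Tr4ffic", False),
                    ("correct horse battery staple", False)]:
        print(f"{pw!r:34} mfa={mfa!s:5} -> {password_acceptable(pw, mfa)}")
```

Note that "Kettle#77" passes without MFA under the third option only because a deny list is in force; without one the same organisation would need 12 characters, which is why the deny list and the minimum length have to be deployed together.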

6. Inadequate BYOD Controls

The problem: Personal devices used for work purposes are in scope but often lack the security controls applied to company-owned devices.

The fix: Either bring BYOD devices up to the same security standard as company devices (anti-malware, patching, encryption, screen lock) or exclude them from work use entirely. A mobile device management (MDM) solution can help enforce policies on personal devices.

7. Getting Home Routers Wrong

The problem: With the rise of remote and hybrid working, organisations either forget home workers entirely or assume they must secure every employee's home router. Under the current requirements a router supplied by the employee or their ISP is out of scope; the firewall control moves to the software firewall on the device itself. A router that you supply to a home worker is in scope and must meet the same requirements as your office boundary firewall, and many such devices still ship with default passwords and outdated firmware.

The fix: Make sure every laptop and phone used from home has its host-based firewall enabled and its default settings hardened, since that firewall is now the boundary the assessor cares about. If you provide routers to home workers, change their default credentials, keep the firmware current and manage them as boundary firewalls. A corporate VPN that tunnels traffic back through your own firewall also puts home workers behind a boundary you control, whatever the state of the home network.

Warning

If you fail the Cyber Essentials assessment, you can retake it — but you’ll need to pay the assessment fee again. For Cyber Essentials Plus, a failure can also mean additional remediation costs and delays. Investing in proper preparation and, if needed, professional consultancy support almost always saves money compared to the cost of a failed assessment and retake.

Cyber Essentials & UK GDPR Alignment

While Cyber Essentials and UK GDPR are separate frameworks with different objectives, there is significant overlap in practice. Achieving Cyber Essentials can support your GDPR compliance in several important ways:

UK GDPR requirement | Relevant Cyber Essentials control | How it helps
Article 5(1)(f) – Integrity and confidentiality | All five controls | Demonstrates appropriate technical measures to protect personal data
Article 25 – Data protection by design | Secure configuration, access control | Shows security is built into systems from the start
Article 32 – Security of processing | All five controls | Provides evidence of systematic security measures
Article 32(1)(b) – Confidentiality of systems | Firewalls, access control | Controls who can access personal data and how
Article 32(1)(d) – Testing and evaluation | Annual recertification | Provides a regular review cycle for security measures
Article 83 – Mitigating factor in enforcement | Certification as evidence | Demonstrates a proactive approach to security if a breach occurs

It’s important to note that Cyber Essentials alone does not guarantee GDPR compliance — GDPR encompasses much more than technical security controls. However, the ICO has indicated that holding Cyber Essentials certification can be considered a positive factor when assessing an organisation’s approach to data protection.

The Role of Cloud Services in Cyber Essentials

The modern Cyber Essentials requirements explicitly address cloud services, reflecting the reality that most UK businesses now rely on cloud platforms for critical operations.

What’s In Scope

Any cloud service where your organisation stores, processes, or transmits business data is in scope. This includes:

  • SaaS platforms: Microsoft 365, Google Workspace, Salesforce, Xero, Slack, and similar
  • IaaS/PaaS: AWS, Azure, Google Cloud. For IaaS your responsibility extends to everything above the hypervisor (operating systems, patching, firewalls and accounts); for PaaS the provider patches the platform but you still own its security configuration and user access
  • Web applications: Any web-based tools your organisation uses for business purposes

Your Responsibilities

Under the shared responsibility model, the cloud provider secures the underlying infrastructure, but you remain responsible for:

  • User access controls and authentication (including MFA)
  • Configuration of security settings within the platform
  • Ensuring data is protected according to the five controls
  • Managing user permissions and removing former employees’ access promptly
Pro Tip

Review the security settings in all your cloud services before assessment. Common oversights include not enabling MFA on Microsoft 365 admin accounts, leaving default sharing settings too permissive in Google Workspace, and failing to disable former employees’ accounts across all platforms. A systematic cloud security review should be part of your Cyber Essentials preparation.

Maintaining Your Certification

Cyber Essentials is not a one-time achievement — it requires annual renewal to maintain certification. Here’s how to stay compliant year-round:

Ongoing Best Practices

  • Monthly patch audits: Review all devices and software monthly to ensure patches are current. Don’t wait until recertification time to discover gaps.
  • Quarterly access reviews: Review user accounts and permissions every quarter. Remove leavers’ accounts promptly. Audit admin access.
  • Annual configuration review: Revisit your firewall rules, device configurations, and security policies at least annually, or whenever you make significant IT changes.
  • Staff awareness: While not strictly a Cyber Essentials requirement, regular security awareness training significantly enhances the effectiveness of the five controls.
  • Change management: Any significant change to your IT environment (new software, new cloud services, office moves, acquisitions) should trigger a review of your Cyber Essentials compliance.

Recertification Timeline

Start your recertification process at least six weeks before your current certificate expires. The requirements are updated periodically, so check the NCSC website for any changes since your last certification. Building good security hygiene throughout the year makes recertification much smoother than a last-minute scramble.

How Cloudswitched Supports Your Certification Journey

At Cloudswitched, we specialise in helping UK businesses navigate the Cyber Essentials certification process with confidence. Our security team brings deep expertise in both the technical controls and the assessment process, ensuring you achieve certification efficiently and without unnecessary cost.

Our Approach

  • Gap analysis & scoping: We start by thoroughly assessing your current security posture against the five controls, identifying exactly what needs to change and what’s already compliant.
  • Remediation support: Our engineers implement the necessary technical changes — from firewall hardening to patch management automation — working alongside your team to minimise disruption.
  • Assessment preparation: We guide you through the self-assessment questionnaire (for basic) or prepare your systems for the technical audit (for Plus), ensuring nothing is overlooked.
  • Ongoing management: Beyond certification, we offer managed security services that maintain your compliance year-round, handling patching, monitoring, and access management so you can focus on running your business.
  • GDPR integration: We help you align your Cyber Essentials controls with your broader UK GDPR obligations, creating a unified approach to data protection and cybersecurity.
98%
First-time pass rate for Cloudswitched-supported clients
4 weeks
Average time from kickoff to certification
200+
UK businesses certified with Cloudswitched support

Frequently Asked Questions

Is Cyber Essentials legally required?

It is not a legal requirement for most private-sector businesses. However, it is mandatory for suppliers bidding on certain UK government contracts involving sensitive or personal data. Beyond government work, an increasing number of private organisations require their supply chain partners to hold certification.

How long does the entire process take?

For a well-prepared small business, basic Cyber Essentials can be achieved in as little as one to two weeks. For larger organisations or those requiring significant remediation, allow four to eight weeks. Cyber Essentials Plus adds an additional one to four weeks for the technical audit phase.

Can we certify only part of our organisation?

Yes, you can define a subset of your organisation as the scope, but it must be a clearly separable unit: a business unit or network segment with its own boundary (a firewall or VLAN), described in the self-assessment. The scope must include all devices and services within that boundary that connect to the internet and handle the data you're seeking to protect. You cannot exclude devices simply because they would fail the assessment, and a partial scope forfeits the free cyber insurance, which requires whole-organisation certification.

What happens if we fail the assessment?

If you fail, the assessor will provide feedback on what needs to be addressed. You can remediate and retake the assessment, though you will need to pay the assessment fee again. There is no mandatory waiting period between attempts.

Does Cyber Essentials cover remote workers?

Yes. The current requirements explicitly cover remote and home-working scenarios, including the devices used and the networks they connect through. This is one of the areas that was significantly strengthened in recent updates to the scheme.

Do we need to certify our cloud services?

Cloud services that store or process your business data are in scope. You are responsible for the security configuration of your cloud accounts, user access controls, and MFA enforcement, even though the cloud provider manages the underlying infrastructure.

Getting Started

Cyber Essentials is one of the most impactful investments a UK business can make in its cybersecurity posture. It provides a structured, achievable framework that addresses the threats most likely to affect your organisation, while opening doors to new business opportunities and demonstrating your commitment to data protection.

Whether you’re pursuing basic Cyber Essentials for the first time, upgrading to Cyber Essentials Plus, or preparing for annual recertification, the key to success is preparation, attention to detail, and — where needed — expert support from a team that understands both the technical requirements and the assessment process.

Ready to Achieve Cyber Essentials Certification?

Cloudswitched helps UK businesses achieve Cyber Essentials and Cyber Essentials Plus certification with a 98% first-time pass rate. From gap analysis through to ongoing managed security, we’re with you every step of the way. Get in touch to discuss your certification journey.

Tags: Security, GDPR

CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.