How to Get Cyber Essentials Certification in the UK

If you run a business in the United Kingdom, how to get Cyber Essentials certification is a question you cannot afford to ignore. With cyber attacks targeting organisations of every size — from one-person consultancies to FTSE 100 companies — the UK Government-backed Cyber Essentials scheme provides a clear, achievable baseline of cyber security that protects against the most common internet-based threats. Whether you need it to bid on government contracts, satisfy supply-chain requirements, or simply demonstrate to customers that you take security seriously, this guide walks you through every stage of the cyber essentials certification process from start to certificate — and beyond.

Below, you will find a detailed, step-by-step breakdown of the entire journey: choosing the right level, selecting a cyber essentials certification body, scoping your assessment, preparing your systems, completing the self-assessment questionnaire, understanding what happens during a Cyber Essentials Plus audit, avoiding common pitfalls, and maintaining your certification year after year. We have helped hundreds of UK organisations through this process at Cloudswitched, and every lesson learned is distilled into the pages that follow.

Key figures cited on this page:

  • 80% of common cyber attacks are blocked by the Cyber Essentials controls
  • £25K+ is the average cost of a cyber breach for UK SMEs
  • 39% of UK businesses identified a cyber attack in 2025
  • 60,000+ Cyber Essentials certificates have been issued since the scheme launched

What Is Cyber Essentials and Why Does It Matter?

Cyber Essentials is a UK Government-backed scheme, overseen by the National Cyber Security Centre (NCSC), designed to help organisations protect themselves against the most common cyber threats. The scheme focuses on five technical controls that, when properly implemented, can prevent approximately 80 per cent of cyber attacks. These controls are straightforward, practical, and relevant to every organisation regardless of sector or size.

The scheme exists at two levels: Cyber Essentials (the basic certification, sometimes called CE) and Cyber Essentials Plus (CE Plus), which adds independent technical verification. Both certifications are valid for twelve months, after which you must renew. Understanding how to get Cyber Essentials starts with understanding why the scheme was created and what it protects against.

Since October 2014, any supplier bidding on UK Government contracts that involve handling sensitive or personal information must hold a valid Cyber Essentials certificate. But the requirement has expanded far beyond government work. Insurance providers, enterprise clients, and regulatory bodies increasingly expect Cyber Essentials as a minimum standard. For many organisations, completing a cyber essentials application is no longer optional — it is a commercial necessity.

Pro Tip

Even if you do not bid on government contracts, holding Cyber Essentials certification can reduce your cyber insurance premiums and give you a competitive edge when tendering for private-sector work. Many large enterprises now include Cyber Essentials as a prerequisite in their supply-chain security requirements.

The Five Technical Controls Explained

Before diving into the cyber essentials certification process, you need to understand what the scheme actually assesses. Cyber Essentials is built around five fundamental technical controls. Every question in the self-assessment questionnaire, and every test in a CE Plus audit, relates back to these five areas:

Firewalls
  What it covers: Boundary firewalls and internet gateways, plus the host-based firewall on each device
  Key requirements: Default admin credentials changed; unnecessary ports and services blocked; firewall rules documented and reviewed

Secure Configuration
  What it covers: Removing unnecessary software and changing default settings
  Key requirements: Default passwords changed on all devices; unnecessary accounts removed; auto-run disabled; only required software installed

User Access Control
  What it covers: Managing user accounts and access privileges
  Key requirements: Unique user accounts; admin privileges limited to those who need them; MFA where available; strong password policies

Malware Protection
  What it covers: Protecting against viruses and other malware
  Key requirements: Anti-malware software installed and updated; application allow-listing or sandboxing as alternatives

Security Update Management
  What it covers: Keeping software and devices up to date
  Key requirements: Critical and high-risk patches applied within 14 days; unsupported software removed or isolated; automatic updates enabled where possible

These controls are deliberately practical. They do not require expensive enterprise security tools or dedicated security teams. They represent the absolute minimum that every organisation should have in place. The cyber essentials certification process verifies that you have implemented these controls correctly across your entire in-scope IT estate.

Cyber Essentials vs Cyber Essentials Plus: Choosing the Right Level

One of the first decisions in your journey is choosing between the two certification levels. Both cover the same five technical controls, but they differ significantly in how your compliance is verified. Understanding this distinction is critical before you begin your cyber essentials application.

Cyber Essentials (CE): self-assessment

  • Self-assessment questionnaire: yes
  • Independent technical audit: no
  • Verified by a certification body: yes, an assessor reviews your answers
  • Hands-on vulnerability scanning: no
  • Suitable for government contracts: yes, where the basic level is accepted
  • Includes cyber liability insurance: yes, subject to IASME's eligibility conditions
  • Typical cost: £300–£500 + VAT
  • Timeline: 1–4 weeks

Cyber Essentials Plus (CE+): recommended for higher assurance

  • Self-assessment questionnaire: yes, a current CE certificate is the prerequisite
  • Independent technical audit: yes
  • Verified by a certification body: yes
  • Hands-on vulnerability scanning: yes
  • Suitable for government contracts: yes, all levels
  • Includes cyber liability insurance: yes, subject to IASME's eligibility conditions
  • Typical cost: £1,500–£3,500 + VAT
  • Timeline: 2–8 weeks

Cyber Essentials (basic) involves completing a self-assessment questionnaire through an online portal. Your answers are reviewed by an assessor at your chosen cyber essentials certification body, and if everything meets the requirements, you receive your certificate. There is no hands-on technical testing of your systems.

Cyber Essentials Plus starts with a valid Cyber Essentials certificate (you must hold current CE before applying for CE Plus). An independent assessor then performs hands-on technical verification of your systems: external and authenticated internal vulnerability scans, malware-protection tests in which harmless test files are delivered by email attachment and browser download to see whether they are blocked, an MFA check on your cloud services, and checks of your device configurations. This provides a higher level of assurance and is required for some government contracts and supply-chain arrangements.

Pro Tip

If you are unsure which level you need, start with basic Cyber Essentials. You can always upgrade to CE Plus afterwards. However, if your clients or contracts specifically require CE Plus, plan for both from the outset to avoid duplicating effort. At Cloudswitched, we recommend most organisations aim for CE Plus within their first year if budget allows.

Selecting a Cyber Essentials Certification Body

You cannot self-certify against Cyber Essentials. You must use an accredited cyber essentials certification body to assess your application and, for CE Plus, conduct the technical audit. The choice of certification body matters — it affects your experience, the support you receive, and sometimes the cost.

Understanding the IASME Consortium

IASME certification is at the heart of the Cyber Essentials scheme. The IASME Consortium (Information Assurance for Small and Medium Enterprises) is the sole Cyber Essentials Partner, appointed by the NCSC to manage the scheme's delivery. IASME licenses and oversees the network of Certification Bodies that carry out most assessments; it also sells assessments directly through its own website, so buying from IASME itself is one of your options.

When you search for a certification body, you are looking for an organisation that is licensed by IASME to deliver Cyber Essentials assessments. The IASME website maintains an up-to-date directory of all licensed Certification Bodies. Every legitimate cyber essentials application goes through one of these IASME-licensed bodies.

Choosing the Right Certification Body for You

IASME licensing
  What to look for: Listed on the official IASME directory
  Why it matters: Unlicensed bodies cannot issue valid certificates

CE Plus capability
  What to look for: Licensed for both CE and CE Plus assessments
  Why it matters: Not all bodies offer CE Plus; check if you plan to upgrade

Sector experience
  What to look for: Experience with your industry (healthcare, finance, etc.)
  Why it matters: Sector-specific guidance can speed up your preparation

Support level
  What to look for: Pre-assessment guidance, readiness checks, remediation help
  Why it matters: Better support reduces the risk of failing your assessment

Turnaround time
  What to look for: Average time from submission to certificate
  Why it matters: Important if you have a contract deadline to meet

Pricing transparency
  What to look for: Clear, upfront pricing with no hidden extras
  Why it matters: Some bodies charge extra for re-assessments or support calls

Location
  What to look for: UK-based with good communication
  Why it matters: For CE Plus, the assessor may need remote or on-site access

Some well-known Certification Bodies include IASME itself (which does offer direct certification in some cases), Blockmark IT, IT Governance, CyberSmart, and many IT managed service providers like Cloudswitched that are licensed to deliver assessments. When evaluating options, do not choose solely on price — the quality of pre-assessment support can make or break your first attempt.

Pro Tip

Ask your chosen certification body whether they offer a "readiness review" before you submit your formal application. This informal check can identify gaps early and dramatically improve your chances of passing first time. Cloudswitched provides a comprehensive pre-assessment review as part of our Cyber Essentials support packages.

Step-by-Step: The Cyber Essentials Certification Process

Now that you understand the scheme, the controls, and how to choose a certification body, let us walk through the cyber essentials certification process from beginning to end. Whether you are pursuing basic Cyber Essentials or CE Plus, the journey follows a structured path.

Step 1: Define Your Scope

Identify which systems, devices, and networks fall within the scope of your assessment. This is the foundation of your entire certification effort and determines what you must secure.

Step 2: Perform a Gap Analysis

Compare your current security posture against the five technical controls. Identify where you meet requirements and where remediation is needed before submitting your application.

Step 3: Remediate and Prepare

Address all identified gaps — patch systems, update configurations, implement access controls, deploy malware protection, and configure firewalls correctly.

Step 4: Choose a Certification Body and Purchase

Select an IASME-licensed certification body and purchase your Cyber Essentials assessment. You will receive access to the online self-assessment questionnaire.

Step 5: Complete the Self-Assessment Questionnaire

Answer all questions honestly and thoroughly. The questionnaire covers each of the five technical controls in detail and asks about your specific systems and configurations.

Step 6: Submit and Await Assessment

Submit your completed questionnaire. An assessor at your certification body reviews your answers and may come back with clarification questions or requests for evidence.

Step 7: Receive Your Certificate (CE)

If your answers demonstrate compliance, you receive your Cyber Essentials certificate, valid for 12 months. You can display the Cyber Essentials badge on your website and marketing materials.

Step 8: CE Plus Technical Audit (Optional)

For CE Plus, an independent assessor conducts hands-on testing of your systems: vulnerability scans, configuration checks, an MFA check on cloud services, and email and browser malware-protection tests. The CE Plus assessment must be completed within 3 months of the date of your CE certificate.

Step 9: Maintain and Renew Annually

Cyber Essentials certificates are valid for 12 months. You must renew annually, which means going through the assessment process again each year.

Step 1: Scoping Your Assessment Correctly

Scoping is arguably the most critical — and most commonly misunderstood — part of the cyber essentials certification process. Getting your scope wrong can lead to either a failed assessment (if you exclude systems that should be in scope) or unnecessary complexity (if you include systems that could legitimately be excluded).

What Must Be in Scope

The NCSC requires that your scope includes all devices and software that are capable of accessing the internet — including email and web browsing. This means:

  • All desktop computers, laptops, and workstations
  • All servers (including virtual servers and cloud instances)
  • All mobile phones and tablets used for business purposes
  • All networking equipment (routers, switches, firewalls, access points)
  • All cloud services you use (IaaS, PaaS and SaaS): the controls you can configure, such as user accounts, admin roles and MFA, are assessed even where the provider runs the underlying platform
  • All software installed on in-scope devices
  • BYOD devices that access organisational data or services

What Can Be Excluded

Some systems can be legitimately excluded from scope, but only under specific conditions:

  • Segregated networks: Systems on a network that is separated from the rest of your estate by a firewall or VLAN, and that cannot access the internet, may be excluded. The boundary of the excluded network must be described in your scope.
  • Cloud services: Since the 2022 update to the requirements, cloud services (IaaS, PaaS and SaaS) cannot be excluded. What changes is the split of responsibility: for pure SaaS the provider secures the application and infrastructure, while you remain responsible for the controls you can configure (user accounts, admin roles, MFA) and for the devices used to access the service.
  • IoT devices: Devices that cannot be patched or configured to the required standard may be excluded only if they sit on a segregated network as above; otherwise they are in scope, and this area of the requirements continues to evolve.

Pro Tip

Create a comprehensive asset register before you begin. List every device, every piece of software, every cloud service. You will need this for the questionnaire, and gaps in your asset register are one of the most common reasons organisations fail their first assessment. A simple spreadsheet with columns for device type, operating system, location, and owner is sufficient.

Common Scoping Mistakes

Excluding BYOD devices
  Consequence: Failed assessment, because personal devices accessing work email or data are in scope
  How to avoid it: Implement MDM or a BYOD policy; include them in your scope

Forgetting cloud infrastructure
  Consequence: Incomplete scope, because cloud services where you manage any configuration are in scope
  How to avoid it: List all cloud services and determine your configuration responsibility for each

Ignoring home workers' devices
  Consequence: Failed assessment, because remote devices accessing company resources are in scope
  How to avoid it: Include all remote and home-working devices in your asset register

Over-scoping
  Consequence: Unnecessary complexity and cost; more systems to patch and manage
  How to avoid it: Legitimately segregate systems that do not need internet access

Vague scope descriptions
  Consequence: Assessor queries and delays
  How to avoid it: Be specific: name device types, OS versions, and network boundaries

Step 2: The Gap Analysis — Where Do You Stand Today?

Before you begin your formal cyber essentials application, you need an honest assessment of where your current security posture sits relative to the five technical controls. A gap analysis saves time, money, and frustration by identifying remediation work before you enter the formal assessment process.

Typical SME readiness by control, as we see it at Cloudswitched when organisations first approach us:

  • Firewalls and internet gateways: 70%
  • Secure configuration: 55%
  • User access control: 60%
  • Malware protection: 75%
  • Security update management: 50%

The progress bars above represent what we typically see when UK SMEs first approach us for Cyber Essentials support. Malware protection tends to be the strongest area (most businesses already have antivirus software), while security update management is consistently the weakest (many organisations struggle with consistent patching).

How to Conduct Your Gap Analysis

A practical gap analysis involves walking through each of the five controls and documenting your current state:

  1. Firewalls: Check your boundary firewall configuration. Are default credentials changed? Are unnecessary ports closed? Is there a documented firewall policy? Do you have a software firewall enabled on all devices?
  2. Secure Configuration: Review every in-scope device. Are default accounts disabled or passwords changed? Is unnecessary software removed? Is auto-run disabled on all devices?
  3. User Access Control: Audit your user accounts. Does everyone have a unique account? Are admin privileges limited to those who need them? Is MFA enabled on cloud services? What is your password policy?
  4. Malware Protection: Verify that anti-malware software is installed on all in-scope devices, that it is configured to update automatically, and that it performs regular scans. Consider whether application allow-listing is appropriate for your environment.
  5. Security Update Management: Check when each device and application was last updated. Identify any software that is out of support. Verify that critical patches are being applied within 14 days of release.

Document everything you find. For each gap, note what needs to change, who is responsible, and a target completion date. This gap analysis document becomes your remediation roadmap.

Step 3: Remediation — Preparing Your Systems

With your gap analysis complete, it is time to address every shortfall before you submit your cyber essentials application. Remediation is where the real work happens, and it is where many organisations benefit most from expert guidance.

Firewalls and Boundary Devices

Start with your network perimeter. Ensure your firewall is configured to block all inbound traffic by default, with only explicitly authorised ports and services open. Change all default administrator credentials, including on your router, firewall appliance, and any managed switches. Home workers' own routers are not in scope unless your organisation supplies them, so for remote staff it is the host-based firewall on the device, together with any VPN you provide, that is assessed. Enable the host-based firewall on every device (Windows Firewall, the macOS firewall, or equivalent).

Secure Configuration

Go through every in-scope device and remove software that is not needed for business purposes. Disable or delete default user accounts. Change all default passwords. Disable auto-run and auto-play. Ensure that only necessary services are running. For servers, remove or disable any services you do not actively use. Document your standard build configuration so that new devices are set up correctly from the start.

User Access Control

Implement a clear access control policy. Every user should have a unique account, with no shared logins. Admin accounts should be separate from standard user accounts, and staff should use admin privileges only when they specifically need them. Implement multi-factor authentication (MFA) on all cloud services and remote access points. For password-based authentication the scheme accepts one of three approaches: passwords of at least 8 characters combined with MFA; passwords of at least 12 characters with no maximum length; or passwords of at least 8 characters combined with automatic blocking of common passwords (a deny list). Remove or disable accounts for anyone who has left the organisation.

Malware Protection

Ensure anti-malware software is installed on every in-scope device that supports it. Configure it to update its signatures automatically (at least daily) and to perform scheduled scans. Ensure real-time scanning is enabled. Consider whether application allow-listing or sandboxing is appropriate for high-risk devices. For mobile devices, ensure that apps are only installed from official stores (Google Play, Apple App Store).

Security Update Management

This is the control that trips up the most organisations. You must be able to demonstrate that all software on in-scope devices is within its supported lifecycle (receiving security updates from the vendor) and that critical and high-risk security patches are applied within 14 days of release. Enable automatic updates wherever possible. For software that cannot auto-update, establish a documented patch management process. Remove or replace any end-of-life software — Windows 7, Office 2013, or any application that no longer receives security updates must go.

Patching figures presented on this page:

  • Required window for critical and high-risk patches: 14 days
  • Average UK SME patching time: 34 days
  • Organisations with no patch process: 28%
  • Organisations using auto-update: 62%
  • Organisations running end-of-life software: 21%

Pro Tip

The 14-day patching window is one of the strictest requirements in the scheme. If you have devices or applications that are consistently behind on patches, address this first. Consider using a centralised patch management tool like Microsoft Intune, WSUS, or a third-party RMM solution. At Cloudswitched, we deploy automated patching across all managed devices to ensure this requirement is continuously met.
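The 14-day rule and the end-of-life check are easy to state and hard to keep on top of across a whole estate. As an added example (not Cloudswitched tooling and not part of the scheme's own materials), the Python script below runs those checks over an asset register kept in the style of the spreadsheet suggested earlier: each device carries its operating system, owner, installed software, the security updates that apply to it, the date its anti-malware signatures were last refreshed, and whether its host firewall is on. It applies the scheme's rules as described above: high and critical fixes (CVSS v3 7.0 and above) must be installed within 14 days of release, updates with no vendor severity are treated the same way, unsupported software is a fail, and anti-malware signatures should refresh at least daily. The three devices, the update names and the end-of-support dates are constructed for illustration; in practice the records would come from an Intune, WSUS or RMM export, and end-of-support dates must be checked against the vendors' lifecycle pages.

```python
"""Cyber Essentials readiness check over an asset register.

Added example, not Cloudswitched's tooling. The estate, update names and
end-of-support dates below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)      # CE: high/critical security fixes within 14 days
HIGH_RISK_CVSS = 7.0                   # CE treats CVSS v3 >= 7.0 as high or critical
SIGNATURE_MAX_AGE = timedelta(days=1)  # anti-malware signatures refreshed at least daily

# Assumed end-of-support dates; verify against the vendor's lifecycle pages.
EOL_DATES = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Office 2013": date(2023, 4, 11),
}


@dataclass
class Update:
    name: str
    released: date
    cvss: float | None          # None: the vendor published no severity
    installed: date | None = None


@dataclass
class Device:
    name: str
    os: str
    owner: str
    software: list[str] = field(default_factory=list)
    updates: list[Update] = field(default_factory=list)
    antimalware_signatures: date | None = None   # None: no anti-malware installed
    host_firewall: bool = False


def needs_14_day_window(update: Update) -> bool:
    """The 14-day rule covers high/critical fixes and, because CE requires all
    updates when the vendor gives no severity, unrated updates too."""
    return update.cvss is None or update.cvss >= HIGH_RISK_CVSS


def check_device(dev: Device, today: date) -> list[str]:
    """Return findings for one device. FAIL lines would fail an assessment;
    WARN lines point at a process gap an assessor will probe."""
    findings: list[str] = []
    for product in [dev.os, *dev.software]:
        eol = EOL_DATES.get(product)
        if eol is not None and today >= eol:
            findings.append(f"FAIL unsupported software: {product} (end of support {eol})")
    for u in dev.updates:
        if not needs_14_day_window(u):
            continue
        deadline = u.released + PATCH_WINDOW
        if u.installed is None and today > deadline:
            findings.append(f"FAIL {u.name} missing, was due {deadline}")
        elif u.installed is not None and u.installed > deadline:
            findings.append(f"WARN {u.name} installed late on {u.installed}, was due {deadline}")
    if dev.antimalware_signatures is None:
        findings.append("FAIL no anti-malware installed")
    elif today - dev.antimalware_signatures > SIGNATURE_MAX_AGE:
        findings.append(f"FAIL anti-malware signatures stale (last {dev.antimalware_signatures})")
    if not dev.host_firewall:
        findings.append("FAIL host firewall disabled")
    return findings


def check_estate(devices: list[Device], today: date) -> dict[str, list[str]]:
    return {d.name: check_device(d, today) for d in devices}


def has_hard_failures(report: dict[str, list[str]]) -> bool:
    return any(f.startswith("FAIL") for fs in report.values() for f in fs)


# Constructed sample estate: three devices, each with a different kind of gap.
TODAY = date(2025, 6, 2)
SAMPLE_ESTATE = [
    Device("LAPTOP-01", "Windows 11", "alice", updates=[
        Update("KB-A (browser RCE)", date(2025, 5, 10), 8.8, installed=date(2025, 5, 12)),
        Update("KB-B (kernel EoP)", date(2025, 5, 1), 7.8),       # never installed, now overdue
    ], antimalware_signatures=date(2025, 6, 2), host_firewall=True),
    Device("SRV-FILES", "Windows Server 2012 R2", "it",           # end-of-life OS, stale signatures
           antimalware_signatures=date(2025, 5, 20), host_firewall=True),
    Device("MAC-07", "macOS 15", "bob", updates=[
        Update("Safari update", date(2025, 5, 25), None),         # unrated, still inside the window
        Update("Low-severity tool fix", date(2025, 4, 1), 3.1),   # not subject to the 14-day rule
    ], antimalware_signatures=date(2025, 6, 1), host_firewall=False),
]

if __name__ == "__main__":
    for name, findings in check_estate(SAMPLE_ESTATE, TODAY).items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("   ", line)
```

Run as written it reports the overdue kernel fix on LAPTOP-01, the unsupported server OS and its 13-day-old signatures, and the disabled host firewall on MAC-07, while leaving the in-window unrated Safari update and the low-severity fix alone. The point of keeping the severity threshold and the unrated-update rule in one function is that both are where estates most often drift from what the questionnaire claims.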

Step 4: Completing the Self-Assessment Questionnaire

The self-assessment questionnaire is the core of your cyber essentials application. It is completed through an online portal provided by your chosen cyber essentials certification body (typically the IASME assessment platform). The questionnaire has evolved significantly over the years and, as of the current version (Willow, effective from April 2025), covers a comprehensive range of questions across the five technical controls.

What the Questionnaire Covers

The questionnaire is divided into sections that mirror the five technical controls. For each section, you will be asked detailed questions about your specific systems, configurations, and policies. Questions are a mix of multiple-choice, yes/no, and free-text fields where you must describe your approach in detail.

Key areas include:

  • Scope definition: A description of your organisation, the number and types of devices, your network topology, and which systems are in scope
  • Firewall configuration: How your boundary firewalls are configured, what ports and services are open, how you manage firewall rules
  • Secure configuration: How you configure new devices, what default settings you change, how you manage software installation
  • Access control: Your authentication policies, how you manage admin accounts, MFA deployment, password requirements
  • Malware protection: What anti-malware solutions you use, how they are configured and updated, your approach to application control
  • Patch management: How you track and apply security updates, how quickly patches are deployed, how you handle end-of-life software
  • Cloud services: Which cloud services you use and your configuration responsibilities for each
  • Home and mobile working: How you secure remote access and devices used outside the office

Tips for Completing the Questionnaire Successfully

  1. Be honest: The assessor will spot inconsistencies. If something is not in place, fix it before submitting rather than fudging your answer.
  2. Be specific: "We have a firewall" is not enough. Name the product, describe the configuration, explain who manages it.
  3. Cover all devices: If you state you have 50 laptops, the assessor will expect all 50 to meet the requirements. Do not undercount your devices.
  4. Describe your processes: For free-text questions, explain not just what you do but how you do it. "Patches are applied automatically via Microsoft Intune within 7 days of release" is much stronger than "We keep things updated."
  5. Address cloud services properly: For each cloud service, be clear about your shared responsibility. You are responsible for your configuration of services like Microsoft 365, Google Workspace, and AWS — even if the provider manages the underlying infrastructure.
  6. Include BYOD: If staff use personal devices to access work email or data, these devices are in scope. Describe how you manage them.

First-time pass rate for well-prepared organisations: approximately 75% (Cloudswitched figure).

In our experience, organisations that conduct a thorough gap analysis and remediation before submitting their questionnaire pass at a rate of approximately 75 per cent on their first attempt. Those who rush to submit without preparation see pass rates closer to 40 per cent. Preparation is the single biggest determinant of success in the cyber essentials certification process.

Step 5: What Happens During a Cyber Essentials Plus Audit

If you are pursuing Cyber Essentials Plus, the process does not end with the questionnaire. After receiving your basic Cyber Essentials certificate, you have a three-month window to complete the Plus assessment. This involves an independent technical audit conducted by a qualified assessor from your cyber essentials certification body.

The CE Plus Assessment Process

The CE Plus audit typically involves the following activities, which can be conducted remotely or on-site depending on your certification body and your preference:

External vulnerability scan
  What the assessor does: Scans your internet-facing IP addresses for known vulnerabilities
  What they are looking for: No high or critical vulnerabilities; exposed services patched and correctly configured

Internal (authenticated) vulnerability scan
  What the assessor does: Scans a representative sample of in-scope devices, with credentials, for missing updates and weak configuration
  What they are looking for: No high or critical security update older than 14 days still missing; no end-of-life software; secure configurations

Device configuration checks
  What the assessor does: Examines a sample of devices (laptops, desktops, servers, mobiles) against the five controls
  What they are looking for: Host firewall enabled, anti-malware running and updated, no unnecessary software, password rules enforced

Multi-factor authentication check
  What the assessor does: Verifies MFA is configured on cloud services, for every user, and on admin accounts
  What they are looking for: MFA active on all applicable accounts, not just some

Malware protection tests (email and browser)
  What the assessor does: Sends harmless test files to a sample of users as email attachments and as browser downloads, then tries to open them on their devices
  What they are looking for: The email filter, browser or endpoint protection blocks or quarantines the files, or the user is clearly warned before anything can run

User account and admin separation review
  What the assessor does: Reviews user account configurations, admin accounts, and privilege levels
  What they are looking for: Unique accounts, admin accounts not used for everyday work, minimal admin privileges, leavers removed, password policy enforced

Preparing for the CE Plus Audit

The key to passing CE Plus is that your systems must actually be configured as you described in the self-assessment questionnaire. There should be no gap between what you said and what the assessor finds. Specific preparation steps include:

  • Run your own vulnerability scans beforehand (using tools like Nessus, Qualys, or OpenVAS), authenticated where possible so they see what the assessor's scan will see, and remediate any findings
  • Confirm that no high or critical security update released more than 14 days ago is still missing from any in-scope device
  • Verify MFA is enabled for every user on every cloud service and cannot be bypassed
  • Check that anti-malware software is running and updated on every in-scope device
  • Remove any end-of-life software that may have slipped through
  • Brief your staff: they do not need to know the exact date, but they should know that test files may arrive by email or download and that they should not be disabled or excused from the check

Pro Tip

The CE Plus assessor will typically test a sample of your devices, not every single one. However, the sample is selected to be representative — it will include different operating systems, different roles (desktop, laptop, server, mobile), and different locations (office, remote). Ensure consistency across your entire estate, not just a subset. One non-compliant device in the sample can fail your entire assessment.

Common Mistakes and How to Avoid Them

Having guided hundreds of organisations through the cyber essentials certification process, we at Cloudswitched have seen the same mistakes repeated time and again. Here are the most common pitfalls and how to avoid them:

1. Underestimating the Scope

Many organisations submit their cyber essentials application with an incomplete asset register. They forget cloud infrastructure, mobile devices, home workers' laptops, or network equipment. The assessor will question any gaps, and an incomplete scope is grounds for failure. Solution: start with a comprehensive asset audit and be thorough.

2. Leaving Patches Too Late

The 14-day patching window is not a suggestion — it is a hard requirement. If your assessor finds a critical patch that was released more than 14 days ago and has not been applied, you will fail. Solution: enable automatic updates everywhere possible and check manually for anything that cannot auto-update.

3. Ignoring Personal Devices (BYOD)

If staff access work email or data from personal phones, tablets, or home computers, those devices are in scope. Many organisations try to exclude BYOD and are caught out. Solution: either implement mobile device management (MDM) on BYOD devices or prohibit personal devices from accessing work systems entirely.

4. Not Implementing MFA

Multi-factor authentication is a core requirement: it must be enabled for every user on every cloud service that supports it, not only for administrators, and it should protect any internet-accessible admin interface. Simply having MFA available is not enough; it must be enforced. Solution: enable and enforce MFA on Microsoft 365, Google Workspace, VPN access, remote desktop, and any other cloud or admin service.

5. Using End-of-Life Software

Windows 7, Windows Server 2012, Office 2013, macOS versions no longer receiving security updates — any software past its end-of-support date is an automatic fail. Solution: audit all software versions and upgrade or replace anything that is no longer supported.

6. Vague Questionnaire Answers

The assessor needs specific, verifiable information. Answers like "we use a firewall" or "staff are trained in security" are insufficient. Solution: name products, describe configurations, specify processes, and provide evidence where possible.

7. Rushing the Process

Organisations that skip the gap analysis and rush to submit their questionnaire have a significantly lower pass rate. Solution: invest time in preparation. A few weeks of remediation work can save months of rework after a failed assessment.

30% of First-Time Applicants Fail Due to Preventable Mistakes

Timeline: How Long Does the Cyber Essentials Certification Process Take?

One of the most common questions we hear is: "How long will this take?" The honest answer is that it depends on your starting point. An organisation with good IT practices and a managed service provider may breeze through in two weeks. An organisation with legacy systems, ad-hoc IT management, and no patch process may need two to three months of preparation.

Scoping and gap analysis
  Typical duration: 1–2 weeks
  Key activities: Asset register, control review, gap identification

Remediation
  Typical duration: 1–6 weeks
  Key activities: Patching, configuration changes, policy updates, MFA deployment

Questionnaire completion
  Typical duration: 3–5 days
  Key activities: Answering all questions accurately and thoroughly

Assessment and feedback
  Typical duration: 3–10 business days
  Key activities: Assessor reviews answers, may request clarification

Certificate issued (CE)
  Typical duration: 1–2 business days after passing
  Key activities: Certificate and badge issued, listing on the certified organisations directory

CE Plus audit (if applicable)
  Typical duration: 1–3 weeks to schedule, plus 1–2 days for the audit
  Key activities: Vulnerability scans, device checks, MFA check, malware-protection tests

CE Plus certificate
  Typical duration: 1–5 business days after passing the audit
  Key activities: CE Plus certificate and badge issued

Total timeline for Cyber Essentials (basic): 2–8 weeks from start to certificate, depending on your readiness. Total timeline for Cyber Essentials Plus: 4–12 weeks, as the CE Plus audit can only begin after you hold a valid CE certificate.

Pro Tip

If you have a contract deadline, work backwards from it. Add at least a two-week buffer for unexpected remediation work. Certification bodies often have waiting lists, especially at financial year-end when many organisations rush to renew. Book your assessment early. Cloudswitched clients with managed IT services typically complete the entire process within 2–3 weeks because their systems are already maintained to the required standard.

What Happens If You Fail Your Assessment?

Failing your cyber essentials application is not the end of the world, but it does cost time and potentially money. Understanding what happens if you fail — and how to recover — is an important part of the cyber essentials certification process.

For Cyber Essentials (Basic)

If your self-assessment questionnaire does not meet the requirements, your assessor will provide feedback on what needs to change. Under IASME's standard policy you then have two working days to correct your answers and resubmit at no extra cost; if you still do not pass, you must purchase a new assessment after remediating. Certification bodies apply this policy within their own processes, so confirm the details before you begin.

For Cyber Essentials Plus

If you fail the CE Plus technical audit, the assessor will document the specific failures and explain what needs to be fixed. You will typically need to remediate the issues and schedule a re-test. Re-test costs vary — some certification bodies include one re-test in their fee, while others charge separately. Importantly, your CE Plus assessment must be completed within three months of your CE certificate date. If you run out of time, you may need to renew your CE certificate before attempting CE Plus again.

Recovery Strategy

  1. Review the feedback carefully: The assessor's feedback is your roadmap. Address every point specifically.
  2. Fix the root cause, not just the symptom: If a device failed because of a missing patch, implement a proper patch management process rather than just patching that one device.
  3. Get expert help if needed: If you are struggling with remediation, an experienced IT partner like Cloudswitched can identify and fix issues quickly.
  4. Resubmit with confidence: Only resubmit once you are certain all issues have been addressed. Rushing a resubmission wastes time and money.

Costs of Cyber Essentials Certification

Understanding the costs involved helps you budget appropriately and avoid surprises. The costs of the cyber essentials certification process vary depending on your organisation's size, complexity, and choice of certification body.

CE Self-Assessment Fee (micro business): £300 + VAT
CE Self-Assessment Fee (large organisation): £500 + VAT
CE Plus Audit (typical SME): £1,500–£3,500 + VAT
Remediation Support (if needed): £500–£5,000+ (variable)
Ongoing Compliance (annual renewal): same as the initial fee, paid annually

The IASME-set fees for the self-assessment are tiered based on organisation size. For micro businesses (0–9 employees), the fee starts at approximately £300 + VAT. Larger organisations pay more, with fees scaling up to around £500 + VAT for the largest organisations. CE Plus fees are set by individual certification bodies and vary significantly based on the size and complexity of your IT estate.

Beyond the assessment fees, you should budget for any remediation costs — new software licences, hardware upgrades, consultant time if you need expert help. However, for many organisations, the remediation work is a good investment in its own right, improving your security posture beyond just passing the assessment.

Maintaining and Renewing Your Certification

Cyber Essentials certification is not a one-and-done exercise. Your certificate is valid for exactly 12 months, after which you must renew by going through the assessment process again. Treating certification as an annual event rather than an ongoing practice is a recipe for last-minute panic and potential failure.

Best Practices for Ongoing Compliance

  • Maintain your asset register: Update it whenever devices are added, removed, or replaced
  • Patch continuously: Do not let patches accumulate. Apply critical patches within 14 days year-round, not just at certification time
  • Review user accounts quarterly: Remove leavers, review admin privileges, check MFA is still enforced
  • Monitor your firewall rules: Review and clean up firewall rules at least quarterly
  • Track software lifecycles: Know when your software reaches end-of-life and plan replacements in advance
  • Document changes: Keep a log of significant IT changes so that questionnaire completion at renewal time is straightforward
  • Start renewal early: Begin your renewal process at least six weeks before your certificate expires

90%: renewal pass rate for organisations with continuous compliance

Organisations that maintain their security controls continuously throughout the year see renewal pass rates of approximately 90 per cent, compared to around 60 per cent for those who only address security at renewal time. The difference is significant and directly impacts your business continuity and contractual obligations.
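
As an added example (not code from the original article or from Cloudswitched), the Python script below runs the ongoing-compliance checks listed above over a constructed asset register and user list: critical patches outstanding beyond 14 days, operating systems at or near end-of-life, disabled host firewalls, missing malware protection, leavers whose accounts are still enabled, and accounts without MFA. The 90-day end-of-life warning threshold is an assumption chosen for planning, not a scheme requirement.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# 14 days is the critical-patch window from the list above; the 90-day
# end-of-life warning is an assumed planning threshold, not a CE rule.
PATCH_WINDOW = timedelta(days=14)
EOL_WARNING = timedelta(days=90)

@dataclass
class Device:
    name: str
    os_end_of_life: Optional[date]  # None = no announced end-of-life date
    patch_released: date            # release date of the latest critical patch
    patch_applied: Optional[date]   # None = that patch is not applied yet
    firewall_on: bool
    malware_protection: bool

@dataclass
class Account:
    username: str
    is_admin: bool
    mfa_enforced: bool
    has_left: bool                  # person has left; account still enabled

def audit_devices(devices, today):
    """(device, issue) pairs for patching, lifecycle, firewall and malware checks."""
    findings = []
    for d in devices:
        if d.os_end_of_life is not None:
            if d.os_end_of_life <= today:
                findings.append((d.name, "operating system is end-of-life"))
            elif d.os_end_of_life - today <= EOL_WARNING:
                findings.append((d.name, "operating system reaches end-of-life soon"))
        if d.patch_applied is None or d.patch_applied < d.patch_released:
            age = today - d.patch_released
            if age > PATCH_WINDOW:  # inside the window it is not yet a failure
                findings.append((d.name, f"critical patch outstanding {age.days} days"))
        if not d.firewall_on:
            findings.append((d.name, "host firewall disabled"))
        if not d.malware_protection:
            findings.append((d.name, "no malware protection"))
    return findings

def audit_accounts(accounts):
    """(username, issue) pairs for the quarterly account review."""
    findings = []
    for a in accounts:
        if a.has_left:
            findings.append((a.username, "leaver account still enabled"))
        if not a.mfa_enforced:
            role = "admin" if a.is_admin else "user"
            findings.append((a.username, f"MFA not enforced on {role} account"))
    return findings

# Constructed sample asset register and user list (not real data).
TODAY = date(2025, 6, 1)
DEVICES = [
    Device("LAPTOP-01", None, date(2025, 5, 10), date(2025, 5, 12), True, True),
    Device("LAPTOP-02", None, date(2025, 5, 10), None, True, True),
    Device("SERVER-01", date(2025, 7, 15), date(2025, 5, 28), None, False, True),
]
ACCOUNTS = [
    Account("alice", True, True, False),
    Account("bob", True, False, False),
    Account("carol", False, True, True),
]
if __name__ == "__main__":
    for name, issue in audit_devices(DEVICES, TODAY) + audit_accounts(ACCOUNTS):
        print(f"{name}: {issue}")
```

On the sample data this flags the laptop whose patch is 22 days overdue, the server's approaching end-of-life and disabled firewall, the admin account without MFA and the leaver's still-enabled account; the laptop patched two days after release passes.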

What Changes at Renewal?

The Cyber Essentials scheme is updated periodically. The NCSC and IASME may introduce new requirements, tighten existing ones, or change the questionnaire format. At renewal, you are assessed against the current version of the scheme, not the version you originally certified against. Stay informed about upcoming changes by following the NCSC and IASME announcements.

Recent changes have included stricter MFA requirements, updated guidance on cloud services, new questions about thin clients and zero clients, and expanded coverage of home-working environments. Each renewal is an opportunity to raise your security bar, not just maintain it.

The Business Benefits Beyond Compliance

While many organisations pursue Cyber Essentials for contractual or regulatory reasons, the benefits extend far beyond a certificate on the wall. Understanding these broader benefits can help justify the investment to stakeholders and build support for the ongoing effort.

  • 92% of certified organisations report improved security awareness
  • £25K cyber liability insurance included with the CE certificate
  • 47% of certified organisations won new business as a direct result
  • Certified organisations are 3x less likely to suffer a breach

Competitive Advantage

In competitive tenders, Cyber Essentials certification can be the differentiator. When two suppliers offer similar services at similar prices, the one with certified security credentials wins. Increasingly, procurement teams include Cyber Essentials as a scored criterion, not just a pass/fail requirement.

Reduced Insurance Costs

Many cyber insurance providers offer reduced premiums to Cyber Essentials certified organisations. The basic Cyber Essentials certificate also comes with automatic cyber liability insurance cover (currently £25,000 for micro enterprises), provided through the IASME scheme.

Improved Security Culture

The process of achieving Cyber Essentials forces organisations to think systematically about their security. This drives improvements in security awareness, policy documentation, and IT governance that persist long after the certificate is issued.

Supply Chain Confidence

Your certification gives your customers and partners confidence that you meet a recognised baseline of security. In an era of supply-chain attacks, this assurance is increasingly valuable.

IASME Certification: Beyond Cyber Essentials

For organisations looking to go beyond the basics, IASME certification offers additional pathways. The IASME Consortium manages not only Cyber Essentials but also the IASME Cyber Assurance standard, which provides a more comprehensive governance-focused certification that covers areas like risk management, incident response, data protection, and business continuity.

IASME certification through the Cyber Assurance standard is sometimes described as an affordable alternative to ISO 27001 for smaller organisations. It includes all Cyber Essentials requirements plus additional governance, risk management, and operational controls. If your organisation needs to demonstrate a more mature security posture — perhaps for financial services clients or healthcare contracts — the IASME Cyber Assurance standard may be the logical next step after Cyber Essentials.

The progression typically looks like this:

  1. Cyber Essentials — baseline technical controls (self-assessed)
  2. Cyber Essentials Plus — baseline technical controls (independently verified)
  3. IASME Cyber Assurance — governance + technical controls (comprehensive)
  4. ISO 27001 — full information security management system (for larger organisations)

Each level builds on the previous one, and your Cyber Essentials work directly feeds into higher-level certifications. The controls you implement for CE form the technical foundation for everything that follows.

Cloud Services and Cyber Essentials: What You Need to Know

Cloud adoption has fundamentally changed how organisations approach the cyber essentials certification process. If your organisation uses Microsoft 365, Google Workspace, AWS, Azure, or any other cloud service, you need to understand the shared responsibility model and how it applies to your assessment.

The Shared Responsibility Model

For cloud services, security responsibility is shared between you and the cloud provider. The split depends on the service model:

Service Model | Provider Responsibility | Your Responsibility | In Scope for CE?
SaaS (e.g., Salesforce, Slack) | Infrastructure, platform, application | User configuration, access control, data | Your configuration is in scope
PaaS (e.g., Heroku, Azure App Service) | Infrastructure, platform | Application, configuration, access control | Yes — your configuration and applications
IaaS (e.g., AWS EC2, Azure VMs) | Physical infrastructure | Everything else: OS, patching, firewall, applications | Yes — fully in scope, treated like on-premises

The critical point is that using cloud services does not remove your responsibilities. If you run virtual machines in AWS, you are responsible for patching the operating system, configuring the firewall (security groups), managing user access, and installing malware protection — exactly as you would for a physical server in your office.

For SaaS services like Microsoft 365, you are responsible for your tenant configuration: MFA enforcement, conditional access policies, user account management, sharing settings, and data loss prevention configurations. The assessor will expect you to demonstrate control over these settings.

Remote and Hybrid Working: Implications for Certification

The shift to remote and hybrid working has significant implications for how to get Cyber Essentials. If your staff work from home — even occasionally — their home-working setup is within scope. This includes:

  • The device they use (whether company-provided or personal)
  • The VPN or remote access solution they use to connect
  • Their home router (as the boundary firewall for their connection)
  • Any software installed on their device

For home routers, the requirement is that the router's firmware is still supported and receiving updates, and that the default admin password has been changed. You do not need to manage every home router, but you do need to provide guidance to staff and ideally verify compliance.

Many organisations address home-working challenges by:

  • Providing company-managed devices to all remote workers
  • Using a VPN with MFA for all remote access
  • Deploying mobile device management (MDM) to ensure compliance
  • Providing written guidance on home router security
  • Using cloud-based security tools that protect devices regardless of location

Pro Tip

If managing home workers' devices feels overwhelming, consider a zero-trust approach where devices connect through a cloud-based security gateway regardless of location. This simplifies your scope and provides consistent protection. Cloudswitched deploys cloud-managed security solutions that protect devices whether they are in the office, at home, or on the move — making Cyber Essentials compliance straightforward for hybrid workforces.

Industry-Specific Considerations

While the cyber essentials certification process is the same regardless of your industry, certain sectors face unique challenges that require additional attention:

Healthcare

NHS organisations and healthcare providers often deal with legacy medical devices that cannot be patched or updated. These devices must be segregated from the main network and documented as out-of-scope. The Data Security and Protection Toolkit (DSPT) aligns with Cyber Essentials, and many healthcare organisations pursue both simultaneously.

Financial Services

FCA-regulated firms face additional scrutiny around access controls and data protection. Cyber Essentials is often the starting point, with clients expecting CE Plus or IASME Cyber Assurance as a minimum. The overlap with operational resilience requirements means that Cyber Essentials work directly supports regulatory compliance.

Legal Sector

Law firms handle highly sensitive client data and are frequent targets for cyber attacks. The Solicitors Regulation Authority (SRA) expects firms to demonstrate adequate cyber security, and Cyber Essentials provides a recognised framework. Many insurers now require Cyber Essentials for professional indemnity renewal.

Education

Schools, colleges, and universities face unique challenges with large numbers of devices, BYOD, and guest networks. The Department for Education recommends Cyber Essentials as a minimum standard, and many academy trusts now require it across their schools.

Construction and Engineering

Supply-chain requirements in construction increasingly include Cyber Essentials. Large contractors and government-funded projects often mandate certification, making it essential for subcontractors and consultants who want to win work.

Tools and Resources for Your Cyber Essentials Journey

A number of tools and resources can support your cyber essentials application and ongoing compliance:

Free Resources from the NCSC

  • NCSC Cyber Essentials guidance: Detailed technical guidance on implementing each of the five controls
  • NCSC Small Business Guide: Practical security advice tailored to small businesses
  • NCSC Exercise in a Box: Free cyber security exercises to test your incident response
  • NCSC Cyber Action Plan: A personalised action plan based on your organisation type

Technical Tools

  • Vulnerability scanners: Nessus, Qualys, OpenVAS (for pre-assessment vulnerability checks)
  • Patch management: Microsoft Intune, WSUS, ManageEngine, NinjaRMM
  • MDM solutions: Microsoft Intune, Jamf, Kandji (for managing mobile devices)
  • Password managers: Bitwarden, 1Password, Keeper (to support strong password policies)
  • MFA solutions: Microsoft Authenticator, Google Authenticator, Duo Security

Professional Support

If you lack in-house IT expertise, working with a managed service provider (MSP) that has Cyber Essentials experience can dramatically simplify the process. An experienced MSP like Cloudswitched can handle scoping, gap analysis, remediation, and ongoing compliance management — letting you focus on running your business while we handle the technical requirements.

Frequently Asked Questions About Cyber Essentials

How much does Cyber Essentials cost?

The self-assessment fee for Cyber Essentials starts at approximately £300 + VAT for micro businesses and scales up based on organisation size. CE Plus typically costs between £1,500 and £3,500 + VAT. Additional costs may include remediation work if your systems need changes to meet the requirements.

How long is a Cyber Essentials certificate valid?

Both Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months from the date of issue. You must renew annually.

Can I do Cyber Essentials myself or do I need a consultant?

The self-assessment questionnaire can be completed by anyone with sufficient knowledge of your IT systems. However, if you do not have in-house IT expertise, a consultant or MSP can significantly improve your chances of passing first time and reduce the time required. The technical remediation work often requires specialist skills.

Do I need Cyber Essentials before applying for Cyber Essentials Plus?

Yes. You must hold a valid Cyber Essentials certificate before you can be assessed for CE Plus. The CE Plus assessment must be completed within three months of your CE certificate date.

What happens to my data during the assessment?

For basic Cyber Essentials, no data is accessed — it is a questionnaire-based assessment. For CE Plus, the assessor will scan your systems for vulnerabilities and check configurations, but they do not access or extract your data. All assessment activities are governed by the certification body's data protection policies.

Is Cyber Essentials recognised internationally?

Cyber Essentials is a UK scheme and is primarily recognised within the UK. However, it is increasingly accepted by international organisations operating in the UK. For international recognition, ISO 27001 may be more appropriate, though Cyber Essentials is an excellent stepping stone.

Can I include only part of my organisation in scope?

The current NCSC guidance requires that the entire organisation be in scope, unless specific systems can be legitimately excluded because they are on a segregated network with no internet access. You cannot simply exclude a department or office to avoid addressing its non-compliance.

What if we use Macs instead of Windows?

Cyber Essentials applies equally to macOS, Windows, Linux, iOS, Android, and ChromeOS devices. The same five controls apply regardless of operating system. macOS devices must have their firewall enabled, anti-malware protection (macOS has built-in XProtect, but additional protection is recommended), current patches, and strong access controls.

Next Steps After Getting Certified

Congratulations — you have your Cyber Essentials certificate. Now what? Certification is a milestone, not a destination. Here is what to do after you receive your certificate:

  1. Display your badge: Add the Cyber Essentials badge to your website, email signatures, and marketing materials. The badge is a recognisable trust signal.
  2. Update your tender responses: Include your certification in all procurement and tender documents. Proactively mention it to existing clients.
  3. List on the NCSC directory: Your certification is automatically listed on the NCSC directory of certified organisations, which is publicly searchable.
  4. Maintain compliance: Do not let your security posture slip after certification. Continue patching, reviewing access, and monitoring your firewall.
  5. Plan your next level: If you achieved basic CE, plan for CE Plus. If you have CE Plus, consider IASME Cyber Assurance or ISO 27001.
  6. Review your insurance: Notify your insurer of your certification and ask about premium reductions or enhanced coverage.
  7. Train your staff: Cyber Essentials covers technical controls, but human awareness is equally important. Invest in security awareness training.
  8. Set a renewal reminder: Your certificate expires in 12 months. Set a reminder for 8–10 weeks before expiry to begin the renewal process.

Why Choose Cloudswitched for Your Cyber Essentials Journey

At Cloudswitched, we are a London-based UK IT managed service provider with deep expertise in cyber security and the Cyber Essentials scheme. We have guided organisations of every size — from two-person consultancies to 500-employee enterprises — through the cyber essentials certification process, and our approach is built on practical, no-nonsense support that gets you certified efficiently.

Our Cyber Essentials support includes:

  • Comprehensive scoping and gap analysis: We audit your entire IT estate and identify exactly what needs to change
  • Hands-on remediation: We do not just tell you what to fix — we fix it. Patching, configuration, MFA deployment, firewall hardening
  • Questionnaire support: We help you complete the self-assessment accurately, with specific, verifiable answers
  • CE Plus preparation: Pre-audit vulnerability scanning and configuration review to ensure you pass the technical assessment
  • Ongoing compliance management: Year-round monitoring, patching, and access management so renewal is straightforward
  • Flexible engagement: Whether you need full managed IT services or project-based Cyber Essentials support, we tailor our approach to your needs

We understand that for most organisations, Cyber Essentials is a means to an end — whether that end is winning a government contract, satisfying a client requirement, or simply sleeping better at night knowing your business is protected. Our job is to make the process as smooth and painless as possible so you can focus on what you do best.

Ready to Get Cyber Essentials Certified?

Whether you are starting from scratch or preparing for renewal, Cloudswitched provides expert, end-to-end support for the entire Cyber Essentials certification process. Our London-based team has helped hundreds of UK organisations achieve certification — let us help you next.

Tags: Cyber Essentials

CloudSwitched: London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.
