Cyber Essentials certification guide for UK businesses
Practical perspective from an IT leader working across operations, security, automation, and change.
Cyber Essentials is not a complex framework. It is not a multi-year project. For most UK businesses, it should not require a consultant to interpret. But a surprisingly large number of organisations either avoid it, fail it on the first attempt, or implement it badly and get certified for things that do not actually protect them.
This guide covers what Cyber Essentials is, why it matters, how the two tiers differ, what the five technical controls actually require, and how to avoid the failure points that trip up most organisations. It is written for IT leads, operations managers, and business owners who want a straight account of what is involved, not a sales pitch.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme managed by the National Cyber Security Centre (NCSC). It was introduced in 2014 as a baseline standard to help businesses protect themselves against common cyber threats — specifically the kinds of opportunistic attacks that make up the vast majority of incidents: phishing, malware, unpatched vulnerabilities, and weak access controls.
The scheme is intentionally accessible. It is not aimed at defence contractors or financial institutions with dedicated security teams. It is designed for SMEs, charities, schools, GP surgeries, and any other organisation that handles data or relies on IT but has limited security resource. The controls are practical and the certification process is proportionate.
There are two certification levels:
- Cyber Essentials (CE) — a self-assessment questionnaire that is reviewed and verified by an accredited certifying body
- Cyber Essentials Plus (CE+) — builds on CE with an independent technical audit carried out by an assessor
Both levels cover the same five technical controls. The difference is how those controls are verified.
Why UK businesses need Cyber Essentials
The most direct reason is procurement. Since 2014, Cyber Essentials has been mandatory for suppliers bidding on UK central government contracts that involve handling personal data or providing certain technical services. That requirement has since expanded, with many public sector bodies, NHS organisations, and local authorities adding it to their supplier requirements.
Beyond procurement, Cyber Essentials creates three meaningful business benefits:
Cyber insurance. Many insurers now require Cyber Essentials as a minimum baseline before offering cyber cover. Some offer reduced premiums for certified organisations. For SMEs where a ransomware incident could be genuinely business-threatening, having that policy in place matters.
Customer and partner trust. Displaying the Cyber Essentials badge signals that your organisation meets a government-verified baseline. For B2B businesses, that increasingly shows up in due diligence questionnaires and procurement qualification criteria.
Internal improvement. Going through the process, particularly CE+, surfaces real gaps. Many organisations discover that their patch management is inconsistent, that legacy devices are out of support scope, or that access controls are looser than assumed. The certification is useful because the controls themselves are useful.
CE versus CE+: which level do you need?
Both tiers certify against the same five controls. The difference is verification.
Cyber Essentials (CE)
The organisation completes an online self-assessment questionnaire covering the five control areas. The answers are reviewed by a certifying body — one accredited by IASME, which manages the scheme on behalf of NCSC — and if they meet the standard, the certification is issued.
The questionnaire is not trivial. It asks specific questions about how each control is implemented. But it is self-reported, which means the certifying body is relying on your answers rather than independently testing your systems.
CE is appropriate for most SMEs seeking to meet a minimum procurement requirement or demonstrate baseline commitment to security. It is the starting point.
Cyber Essentials Plus (CE+)
CE+ involves everything in CE plus an independent technical assessment carried out by an assessor from the certifying body. Under the current test specification that assessment includes:
- An external vulnerability scan of your internet-facing IP addresses and services, run without credentials from the assessor's side of the firewall
- An authenticated vulnerability and patch scan of a representative sample of in-scope end-user devices and servers
- Malware protection tests: the assessor sends test files to an in-scope mailbox and downloads them through the browser on the sampled devices to confirm they are blocked or flagged
- Checks that MFA is enforced on in-scope cloud services and that administrative accounts are separated from standard user accounts
- Review of the patch status and configuration of the sampled devices
The assessor is testing whether your controls actually work, not whether you have described them correctly. This is why organisations that have a CE certificate but sloppy implementations sometimes fail CE+ on the first attempt.
CE+ is required for some government contracts and is worth pursuing if your organisation wants stronger assurance, processes genuinely sensitive data, or wants to demonstrate security capability to large enterprise clients.
The two certifications are separate. You need a valid CE before you can achieve CE+. CE is renewed annually; CE+ is also renewed annually and requires a fresh technical assessment each time.
The five technical controls
The core of Cyber Essentials is five control areas. These have not changed significantly since the scheme launched, though the technical requirements within each have been updated — most recently in 2022 and 2023 to account for cloud services and home working.
1. Firewalls
Every internet-connected device must be protected by a firewall. For most organisations, this means a boundary firewall for the network perimeter, plus host-based firewalls on individual devices.
The requirements are:
- The firewall must block unapproved inbound connections by default
- Only services that the business needs to be publicly accessible should be reachable from the internet, and each should have a documented business case
- The firewall's own administrative interface must not be reachable from the internet unless there is a documented business need and it is protected by MFA or an IP allow list
- Default passwords on network devices must be changed
- Wireless access points and any other device that sits on the network boundary must be treated as boundary devices
The key failure point here is exposing administrative ports (RDP, SSH, management panels) to the internet without restriction. This is one of the most common reasons for CE+ failures.
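The exposed-admin-port check is the one most worth automating before an assessor does it for you. The script below is an added example, not part of the original guide and not from any firewall vendor: it audits a constructed inbound rule set, flags allow rules that reach an administrative port from internet sources, distinguishes a fully open rule from one restricted to a named public range (which the standard tolerates only with a documented business need and MFA or a VPN in front of it), and confirms the set ends in an explicit default deny. The Rule record, the ADMIN_PORTS table and the sample rules are assumptions made for illustration.

```python
"""Audit a boundary firewall's inbound rule set against the Cyber Essentials
firewall control: flag any rule that admits internet traffic to an
administrative service, and confirm the rule set ends in a default deny.

Added illustrative example. The Rule format and the sample rules below are
constructed for this walkthrough; they are not an export from any real
firewall product.
"""
import ipaddress
from dataclasses import dataclass

# Administrative services that should never be reachable from arbitrary
# internet sources. Ports are the IANA defaults; extend for your estate.
ADMIN_PORTS = {
    22: "SSH", 23: "Telnet", 161: "SNMP", 445: "SMB", 3389: "RDP",
    5900: "VNC", 5985: "WinRM", 5986: "WinRM over TLS", 8443: "management HTTPS",
}

# Source ranges treated as "inside": RFC 1918, loopback, IPv6 ULA and loopback.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # "any" or a CIDR such as "203.0.113.0/24"
    dst_port: str    # "any" or a port number as a string
    proto: str = "tcp"


def source_is_internet(src: str) -> bool:
    """True when any part of the source range lies outside the trusted ranges."""
    if src.lower() == "any":
        return True
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(t) for t in TRUSTED_RANGES if t.version == net.version)


def audit_inbound_rules(rules):
    """Return (rule name, severity, reason) tuples, in rule order.

    FAIL   - would fail the control as described in the text
    REVIEW - permitted only with a documented business need and MFA or a VPN
    """
    findings = []
    for r in rules:
        if r.action != "allow" or not source_is_internet(r.src):
            continue
        if r.dst_port == "any":
            findings.append((r.name, "FAIL", "allows all inbound traffic from the internet"))
            continue
        service = ADMIN_PORTS.get(int(r.dst_port))
        if service is None:
            continue  # a public service (e.g. 443 to a web server) is fine if the business needs it
        if r.src.lower() == "any" or ipaddress.ip_network(r.src, strict=False).prefixlen == 0:
            findings.append((r.name, "FAIL", f"{service} exposed to the whole internet"))
        else:
            findings.append((r.name, "REVIEW",
                             f"{service} reachable from public range {r.src}: needs a documented "
                             "business need and MFA or a VPN in front of it"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src.lower() == "any" and last.dst_port == "any"):
        findings.append(("<rule set>", "FAIL", "no explicit default deny at the end of the inbound rule set"))
    return findings


# Constructed sample rule set for a small office with one public web server.
SAMPLE_RULES = [
    Rule("web-https", "allow", "any", "443"),
    Rule("rdp-for-remote-staff", "allow", "any", "3389"),
    Rule("ssh-from-msp", "allow", "203.0.113.0/24", "22"),
    Rule("ssh-internal", "allow", "10.0.0.0/8", "22"),
    Rule("nas-admin", "allow", "0.0.0.0/0", "8443"),
    Rule("default-deny", "deny", "any", "any"),
]

if __name__ == "__main__":
    for name, severity, reason in audit_inbound_rules(SAMPLE_RULES):
        print(f"{severity:6} {name}: {reason}")
```

On the sample set the script reports the open RDP rule and the NAS management port as failures and the MSP's SSH range as a review item; the internal SSH rule and the public web server produce nothing. Feed it your real export and the list of REVIEW items is exactly what the assessor will ask you to justify.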
2. Secure configuration
Devices and software should be configured to reduce attack surface. Default settings are designed for ease of setup, not security, and attackers know them.
The requirements include:
- Remove or disable software, user accounts, and services that are not needed
- Change default passwords before any device is connected to the internet or to the organisation's network
- Disable auto-run and auto-play features wherever possible
- Require users to authenticate before they can use a device: a PIN of at least six characters, a password, or biometrics, with the device throttling or locking out after repeated failed unlock attempts (for example, no more than 10 guesses in 5 minutes, or lockout after 10 failures)
For cloud environments, secure configuration extends to cloud services and SaaS platforms — specifically, that administrative features and unused services are not left on by default.
3. User access control
Access to systems and data should be restricted to those who need it. Privileged accounts should be limited and protected.
The requirements:
- User accounts should only be created for individuals who genuinely need access
- Administrative accounts should be separate from standard user accounts and used only for administrative tasks
- Multi-factor authentication (MFA) must be enforced for every user account on cloud services, wherever the service supports it, and on any internet-facing administrative or remote-access interface
- Password-based authentication must be protected against brute force (throttling or lockout) and must enforce a minimum length with no maximum: at least 8 characters where MFA is in place or a deny list of common passwords is enforced, otherwise at least 12 characters. The scheme does not require complexity rules; passwords should not be reused across services
The MFA requirement was strengthened in recent years and applies to all accounts with access to cloud services, web-based admin interfaces, and remote access. This is a requirement that catches many organisations out — particularly where staff have been using shared credentials or where personal email accounts are used to access corporate systems.
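The access control findings that trip organisations up are all visible in a plain user export from the identity provider, so they can be checked before the questionnaire is filled in. The script below is an added example, not part of the original guide and not a Microsoft 365 or Google Workspace API: it audits a constructed list of accounts for missing MFA, admin accounts that double as day-to-day accounts, shared accounts with sign-in enabled and service accounts with no named owner, and it encodes the three password policy options the v3 requirements permit. The Account record, its fields and the sample accounts are assumptions; a real run would populate them from your tenant's user list.

```python
"""Audit a cloud-identity export against the Cyber Essentials user access
control: MFA on every enabled account, admin accounts kept separate from
day-to-day accounts, no shared or ownerless accounts, and a password policy
that matches one of the options the scheme permits.

Added illustrative example. The Account record and the sample accounts are
constructed; a real run would build them from your identity provider's user
export (for example a Microsoft 365 or Google Workspace user list).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    upn: str
    kind: str            # "user", "admin", "shared" or "service"
    enabled: bool        # sign-in allowed
    mfa_enforced: bool   # MFA required on this account by policy
    licensed: bool       # has a mailbox/productivity licence, i.e. used for daily work
    owner: str = ""      # named individual responsible (shared/service accounts)


def audit_accounts(accounts):
    """Return (upn, severity, reason) tuples for enabled accounts only."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled leavers do not count, but should still be removed
        if not a.mfa_enforced:
            findings.append((a.upn, "FAIL", "cloud account without MFA"))
        if a.kind == "admin" and a.licensed:
            findings.append((a.upn, "FAIL",
                             "administrative account also used for day-to-day work (has a mailbox/licence)"))
        if a.kind == "shared":
            findings.append((a.upn, "FAIL", "shared account with interactive sign-in enabled"))
        if a.kind == "service" and not a.owner:
            findings.append((a.upn, "REVIEW", "service account with no named owner"))
    return findings


def password_policy_compliant(min_length: int, mfa_on_all_accounts: bool,
                              deny_list: bool, brute_force_protection: bool) -> bool:
    """The v3 requirements accept any ONE of these, provided the service also
    throttles or locks out repeated failed attempts and imposes no maximum
    length; complexity rules are not required:
      - MFA plus a minimum length of 8 characters
      - a minimum length of 12 characters
      - a minimum length of 8 characters plus a deny list of common passwords
    """
    if not brute_force_protection:
        return False
    return ((mfa_on_all_accounts and min_length >= 8)
            or min_length >= 12
            or (deny_list and min_length >= 8))


# Constructed sample export (example.com is a reserved documentation domain).
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", "user", True, True, True),
    Account("bob@example.com", "user", True, False, True),
    Account("adm-alice@example.com", "admin", True, True, False),
    Account("itadmin@example.com", "admin", True, True, True),
    Account("reception@example.com", "shared", True, False, True),
    Account("svc-backup@example.com", "service", True, True, False),
    Account("leaver@example.com", "user", False, False, True),
]

if __name__ == "__main__":
    for upn, severity, reason in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{severity:6} {upn}: {reason}")
    print("password policy ok:", password_policy_compliant(8, True, False, True))
```

The reception mailbox illustrates why shared accounts fail twice over: it cannot sensibly have MFA enrolled for one person, and it is not a named individual. The itadmin account shows the separation rule; "adm-alice" with no licence is the pattern the assessor wants to see instead.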
4. Malware protection
Devices must be protected against malware. Since the April 2023 update to the requirements there are two accepted approaches (sandboxing was dropped as an option at the same time):
- Anti-malware software from a reputable vendor, kept up to date, with real-time scanning of files and web content; it no longer has to be signature-based, so a modern EDR agent qualifies
- Application allowlisting, where only approved applications can execute and unknown executables are blocked entirely
For most SMEs, the practical answer is a reputable EDR or antivirus solution with real-time scanning and automatic updates enabled. The key requirements are that it is active, current, and covers all in-scope devices.
Smartphones and tablets in scope must be protected too; in practice that usually means restricting installation to the vendor's app store (an allowlisting approach) and enforcing it through a device management policy rather than installing a traditional AV agent.
5. Security update management (patching)
Software vulnerabilities are the entry point for a significant proportion of successful attacks. The patch management control requires that:
- Operating systems and all other software on in-scope devices, including firmware on network devices, must be licensed and supported by the vendor (no end-of-life software)
- Security updates rated critical or high by the vendor, or fixing vulnerabilities with a CVSS v3 base score of 7.0 or above, must be applied within 14 days of release
- Automatic updates should be enabled wherever the software supports them
- Software that is no longer supported and cannot be patched must be removed, or the device isolated from the network and taken out of scope
The 14-day window is the specific requirement that surprises many organisations. It does not mean 14 days from when you notice it: it means 14 days from the vendor release date. For teams without automated patch management or a regular patching cadence, this creates real operational pressure, and a CE+ assessor looks at patch history, not just the state of the device on the day.
End-of-life operating systems are an automatic failure. Windows 10 reaches end of support on 14 October 2025. Any in-scope device still running it after that date will not pass unless it is covered by a paid extended security updates arrangement that continues to deliver security updates (confirm with your certifying body before relying on this).
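Whether you are inside the 14-day window is a calculation from the vendor release date, and it is the kind of thing that should be checked across the whole inventory rather than device by device. The script below is an added example, not part of the original guide and not from any patch management product: it takes a constructed device list, a constructed support-end table and a constructed list of applicable updates, and reports unsupported operating systems, high/critical updates that are past their deadline, updates that were installed late (the historical evidence an assessor reviews) and updates still inside their window. The record formats, the lifecycle dates other than Windows 10, and the sample data are assumptions; real dates come from vendor lifecycle pages and your patching tool.

```python
"""Check an asset inventory against the Cyber Essentials patching control:
every in-scope OS must still be vendor-supported, and every high/critical
security update (CVSS v3 base score 7.0 or above, or vendor-rated
critical/high) must be installed within 14 days of the VENDOR release date,
not the date you noticed it.

Added illustrative example. Devices, updates and the support-end table are
constructed; real support-end dates come from vendor lifecycle pages and
real update data from your patch management tool.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)
HIGH_CVSS = 7.0

# Constructed lifecycle table (the Windows 10 date matches the vendor's
# published 14 October 2025 end of support; treat the rest as illustrative).
SUPPORT_ENDS = {
    "Windows 10 22H2": date(2025, 10, 14),
    "Windows 11 24H2": date(2026, 10, 13),
    "Ubuntu 22.04 LTS": date(2027, 4, 30),
}


@dataclass(frozen=True)
class Device:
    hostname: str
    os: str


@dataclass(frozen=True)
class Update:
    hostname: str
    update_id: str
    cvss: float                 # CVSS v3 base score of the worst CVE it fixes
    released: date              # vendor release date
    installed: Optional[date]   # None if not yet installed


def audit_patching(devices, updates, today: date):
    """Return (hostname, severity, reason) tuples.

    FAIL - unsupported OS, an overdue high/critical update, or one that was
           installed late (assessors look at history, not just today)
    DUE  - high/critical update still inside its 14-day window
    """
    findings = []
    for d in devices:
        end = SUPPORT_ENDS.get(d.os)
        if end is None or end < today:
            findings.append((d.hostname, "FAIL", f"{d.os} is out of vendor support"))
    for u in updates:
        if u.cvss < HIGH_CVSS:
            continue  # lower-rated updates should still be applied, but the 14-day rule does not bite
        deadline = u.released + PATCH_WINDOW
        if u.installed is None:
            if today > deadline:
                findings.append((u.hostname, "FAIL",
                                 f"{u.update_id} not installed, {(today - deadline).days} days past the 14-day deadline"))
            else:
                findings.append((u.hostname, "DUE",
                                 f"{u.update_id} must be installed by {deadline.isoformat()}"))
        elif u.installed > deadline:
            findings.append((u.hostname, "FAIL",
                             f"{u.update_id} installed {(u.installed - u.released).days} days after release"))
    return findings


# Constructed sample inventory, audited as of 3 November 2025.
AUDIT_DATE = date(2025, 11, 3)
SAMPLE_DEVICES = [
    Device("LT-001", "Windows 11 24H2"),
    Device("LT-002", "Windows 10 22H2"),
    Device("SRV-01", "Ubuntu 22.04 LTS"),
]
SAMPLE_UPDATES = [
    Update("LT-001", "2025-10-cu", 8.1, date(2025, 10, 14), date(2025, 10, 20)),   # on time
    Update("LT-002", "2025-10-cu", 8.1, date(2025, 10, 14), None),                 # overdue
    Update("SRV-01", "openssl-fix", 7.5, date(2025, 10, 1), date(2025, 10, 25)),   # installed late
    Update("SRV-01", "curl-fix", 5.3, date(2025, 9, 1), None),                     # below the threshold
    Update("LT-001", "2025-10-oob", 9.8, date(2025, 10, 30), None),                # still inside the window
]

if __name__ == "__main__":
    for host, severity, reason in audit_patching(SAMPLE_DEVICES, SAMPLE_UPDATES, AUDIT_DATE):
        print(f"{severity:5} {host}: {reason}")
```

Run against the sample data on 3 November 2025 it reports the Windows 10 laptop as unsupported, its October update as six days overdue, the server's OpenSSL fix as applied 24 days after release (a historical failure even though it is installed now) and the out-of-band update on LT-001 as due but not yet late. Passing `today` in as a parameter keeps the check reproducible against the 90-day history the checklist below asks for.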
The assessment process
CE: self-assessment pathway
- Choose an IASME-accredited certifying body (a list is available on the IASME website)
- Purchase the assessment — pricing varies by certifying body and organisation size
- Complete the online self-assessment questionnaire. This covers all five control areas and asks about the specific configuration and implementation of each
- Submit the questionnaire for review
- The certifying body reviews your answers and issues a pass or fail. If they have questions, they may follow up before issuing a decision
Turnaround time from submission to certification is typically one to five working days for a straightforward submission.
CE+: technical assessment pathway
CE+ starts with a valid CE certificate (within the last three months for most certifying bodies). The technical assessment then involves:
- Agreeing an assessment scope with your certifying body: all internet-facing IP addresses, a representative sample of in-scope end-user devices and servers, and the cloud services in use
- External vulnerability scan of the internet-facing addresses, conducted remotely by the assessor
- On-site or remote internal assessment: an authenticated patch and vulnerability scan of the sampled devices, plus configuration checks
- Malware protection tests: test files sent to an in-scope mailbox and downloaded through the browser on the sampled devices, to confirm they are blocked or flagged
- Checks that MFA is enforced on the in-scope cloud services and that administrative accounts are separate from standard accounts
- Assessor review and findings report
- Certification issued if the controls are confirmed, or a short remediation period and retest offered for minor gaps (the whole CE+ assessment still has to complete within three months of the CE certificate)
CE+ typically takes one to three days of assessor time. Organisations with simple infrastructure complete it faster; those with complex environments, lots of device types, or legacy systems take longer.
Costs and timeframes
CE pricing is set centrally by IASME and tiered by organisation size, so it is the same whichever certifying body you use. CE+ is priced by the certifying body. Current figures, excluding VAT:
Cyber Essentials (CE):
- Micro organisations (0-9 employees): £320
- Small organisations (10-49 employees): £440
- Medium organisations (50-249 employees): £500
- Large organisations (250+ employees): £600
Cyber Essentials Plus (CE+):
- Assessor time on top of the CE fee. Expect roughly £1,500-£4,000 for SMEs, depending on infrastructure complexity, the size of the device sample, and assessor day rates
Many IASME-accredited certifying bodies bundle CE and CE+ together if pursued in the same cycle. If you are planning to achieve CE+, it is worth asking certifying bodies for a combined quote.
Internal preparation time is where the real cost lies. Organisations that have not addressed patching, MFA, or device controls before starting often spend two to six weeks on remediation before they are ready to certify. The certification fee is the easy part.
Common failure points
Based on what assessors consistently report, these are the areas that cause first-attempt failures:
MFA not enabled on cloud services. The requirement is clear — MFA must be enabled on all accounts that access cloud services. Organisations often have MFA on some accounts or some services and assume that is sufficient. It is not. Every account, every cloud service in scope.
End-of-life devices in scope. A single laptop running an unsupported OS — even one rarely used — will fail the certification if it is in scope. The answer is to remove it from the network or document that it is isolated and out of scope, but assessors will ask.
Administrative interfaces exposed to the internet. RDP open to the world, NAS devices with remote management enabled, router admin panels accessible externally. Firewalls must block this.
Patch lag beyond 14 days. Organisations without automated patch management or a clear patching schedule frequently discover they are weeks or months behind on updates. The 14-day requirement is enforced.
Shared accounts. User accounts must be individual. Shared administrative credentials are not acceptable under the standard.
Inconsistent MFA configuration. MFA enabled for some users but not administrators, or enabled on Microsoft 365 but not on other cloud services used by the business.
Pre-assessment checklist
Before engaging a certifying body, work through these checks:
- All operating systems on in-scope devices are on supported versions (no end-of-life OSes)
- High and critical patches applied within 14 days — verify against the last 90 days of patch history
- MFA enabled on all cloud services for all user accounts, including administrators
- Separate admin accounts used only for administrative tasks
- All default passwords changed on network devices and routers
- Firewall configured to block inbound connections by default — verify no admin ports exposed
- Anti-malware active and current on all in-scope devices
- Unnecessary services and software removed from devices
- All user accounts belong to named individuals — no shared accounts
Running through this list honestly before the formal assessment saves time and money. Most organisations find at least one issue they had not expected.
Getting started
Cyber Essentials is achievable for virtually any UK business with a reasonable IT setup. The barrier is not technical complexity — it is doing the basic things consistently across all in-scope systems.
If your organisation handles personal data, works with public sector clients, or wants to demonstrate security baseline to enterprise customers, it is worth prioritising. The controls are good practice regardless of certification, and the annual renewal creates a useful forcing function for maintaining standards.
If you need help preparing for Cyber Essentials, identifying gaps in your current controls, or supporting a CE+ assessment, my IT compliance services are designed for exactly this kind of practical readiness work. Get in touch to discuss where your organisation currently stands.
About the author
Daniel J Glover
IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.