What is Cyber Essentials?
Cyber Essentials is the UK government-backed cyber security certification that shows your business has the five basic technical controls in place to defend against the most common internet-based attacks. This guide explains what it covers, who needs it, and how to get certified.
A short definition
Cyber Essentials is a certification scheme run by IASME on behalf of the National Cyber Security Centre (NCSC), part of GCHQ. Certification confirms that a business has implemented five specific technical controls across its devices, networks and cloud services. There are two levels: Cyber Essentials (self-assessment verified by a certifying body) and Cyber Essentials Plus (the same controls verified by an independent technical audit).
The five controls
Firewalls
Boundary firewalls and software firewalls configured to block unwanted inbound traffic on every device, including the devices of remote and home workers.
Secure configuration
Devices and software set up so that only what is needed is enabled — default passwords removed, unnecessary accounts and services disabled.
User access control
Staff have only the access they need, admin rights are limited and protected, and multi-factor authentication is in place on cloud services.
Malware protection
Approved anti-malware or application allow-listing in place on all devices, kept up to date and actively monitored.
Security update management
Operating systems, browsers and applications patched promptly — critical updates within 14 days of release.
Why it matters
Cyber Essentials is now a contractual requirement for many UK government contracts and a growing number of private-sector frameworks. Larger clients increasingly request it before signing supplier agreements, and many cyber insurance policies either require it or reduce premiums for certified businesses. Beyond the badge, the five controls genuinely block the bulk of opportunistic attacks aimed at SMEs.
Who it is for
Any UK organisation — from a five-person consultancy to a 200-person manufacturer — that wants to demonstrate baseline cyber hygiene. It is particularly relevant for businesses bidding on public-sector work, handling client or personal data, or looking to formalise their cyber security posture.
How long it takes
For a well-prepared SME, certification typically takes between two and eight weeks. Most of the timeline is preparation — closing gaps in patching, MFA coverage, admin accounts and device configuration before the assessment is submitted. The assessment itself is a structured questionnaire reviewed by an accredited certifying body.
How we help
Our Cyber Essentials certification support service handles the whole process: gap analysis, remediation, evidence gathering, the assessment submission, and (where required) the independent Cyber Essentials Plus audit. Most clients reach certification within a few weeks of starting.
Cyber Essentials is the foundation, not the finish line. Once certified, most SMEs layer on managed EDR and MDR services, Cyber Shield awareness training, and phishing simulation to cover the threats that the five technical controls do not address on their own.
Not sure if you are ready? Book a no-obligation free cyber security review and we will tell you exactly what stands between you and certification.
Frequently asked questions
What are the five Cyber Essentials controls?
Firewalls, secure configuration, user access control, malware protection, and security update management (patching).
Who needs Cyber Essentials?
Any UK business that wants to demonstrate basic cyber hygiene. It is mandatory for many UK government contracts, increasingly requested by larger private-sector clients, and often required to qualify for cyber insurance.
How long does Cyber Essentials take?
For a well-prepared SME, certification typically takes 2 to 8 weeks. Most of the time is spent fixing gaps before assessment.
Cyber Essentials vs Cyber Essentials Plus?
Cyber Essentials is a self-assessment verified by a certifying body. Cyber Essentials Plus adds an independent technical audit including vulnerability scans on a sample of devices.
How long is the certification valid?
Certification is valid for 12 months. Businesses recertify annually to keep the badge and maintain compliance with insurance and contract requirements.