
Cyber Essentials is a UK government-backed certification scheme, run by the National Cyber Security Centre (NCSC) and delivered by IASME, that proves your business has the five basic technical controls needed to stop around 80% of common cyber attacks. Certification costs from £320 plus VAT for the self-assessed tier, rising to roughly £1,400 to £8,000 for the audited Cyber Essentials Plus version. It lasts 12 months. From 27 April 2026, under the IASME v3.3 update, multi-factor authentication becomes mandatory on every cloud service that offers it, passwords must be at least 12 characters, and critical security updates must be applied within 14 days. Certified UK organisations under £20m turnover qualify for free cyber liability insurance covering up to £25,000. Only about 3% of UK businesses are certified, yet many public sector and supply-chain contracts now require it, so the commercial case is increasingly hard to ignore.
Last updated: June 2026
Cyber Essentials is a UK government-backed certification scheme that verifies an organisation has implemented five fundamental technical security controls. It was launched in 2014 by the Department for Science, Innovation and Technology (DSIT), is governed by the National Cyber Security Centre (NCSC), and is delivered in practice by IASME, the scheme's sole accreditation body. When you hold a valid certificate, you are publicly stating that your firewalls, device configuration, user access, malware protection, and patching all meet a defined baseline.
The scheme exists because the overwhelming majority of cyber incidents are not sophisticated, targeted operations. They are opportunistic attacks that exploit unpatched software, default passwords, weak access controls, or an absent firewall. The NCSC's own position is that the five controls block roughly 80% of the most common internet-based threats. That figure is the entire point of the scheme: it is not designed to stop a state-sponsored adversary, it is designed to make your business a harder target than the unprotected firm next door.
Our honest view: Cyber Essentials is the single highest-leverage security investment a UK SME can make. It is cheap, structured, and externally validated, and it forces you to fix the boring fundamentals that almost every real-world breach exploits. We have seen businesses spend tens of thousands on advanced tooling while running unpatched servers and shared admin logins. Cyber Essentials makes you fix the basics first, in the right order.
Here is how the scheme's governance actually fits together:
| Body | Role in the scheme |
|---|---|
| DSIT (UK Government) | Owns the scheme and sets national cyber resilience policy |
| NCSC | Technical authority; defines the controls and the threat rationale |
| IASME Consortium | Sole delivery and accreditation partner; manages the question set and certification bodies |
| Certification Bodies | Accredited assessors who review your self-assessment and conduct Plus audits |
| Your organisation | Implements the controls, scopes the assessment, and applies for certification |
Crucially, Cyber Essentials is not a one-off badge. Threats evolve, the question set is updated annually, and your certificate is valid for exactly 12 months. Treating it as an annual cycle rather than a tick-box exercise is what separates genuinely secure businesses from those who merely passed once and quietly drifted out of compliance.
The core difference is verification: standard Cyber Essentials is a self-assessment that you complete and a certification body reviews, while Cyber Essentials Plus adds an independent, hands-on technical audit of your systems by a qualified assessor. Both tiers certify against the same five controls. The Plus version simply proves you actually do what you claimed.
With standard Cyber Essentials, you answer a structured questionnaire (the IASME question set) covering your scope, devices, cloud services, and configuration. A senior representative signs to confirm the answers are accurate, and a certification body marks it. There is no site visit and no scan. It is a verified attestation, and it is genuinely useful, but it relies on your honesty and on your technical understanding being correct.
Cyber Essentials Plus takes everything in the standard assessment and adds external and internal vulnerability scans, a test of a sample of your end-user devices, and verification that malware protection and patching actually work as described. An assessor effectively tries the front door. Because of this, Plus carries far more weight with procurement teams, insurers, and enterprise clients who want evidence rather than a declaration.
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment type | Self-assessment, reviewed by assessor | Independent hands-on technical audit |
| Vulnerability scanning | No | Yes, internal and external |
| Device testing | No | Yes, on a sample of devices |
| Typical cost | From £320 plus VAT | Roughly £1,400 to £8,000 plus VAT |
| Typical timeline | Days to a few weeks | Two to six weeks after CE is passed |
| Best for | SMEs, contract eligibility, baseline assurance | Supply-chain contracts, MoD, NHS, high-trust clients |
One rule worth stating plainly: you must hold a valid standard Cyber Essentials certificate before, or at the same time as, you pursue Plus. Plus is not a separate route; it is an upgrade with an audit on top. Most certification bodies expect the Plus audit to take place within three months of the standard certificate being issued.
Which should you choose? The honest rule we give clients is simple. If you are certifying to win a public sector contract that specifies Cyber Essentials, the standard tier is usually enough. If you are bidding for defence, NHS, or large-enterprise supply-chain work, or you want the strongest possible signal to insurers and customers, go straight for Plus. Be sceptical of any reseller who pushes Plus on a five-person business with no contractual requirement for it, because the audit cost rarely pays for itself without a commercial driver.
The five Cyber Essentials controls are firewalls, secure configuration, user access control, malware protection, and security update management. Together they form a defensive baseline that, according to the NCSC, prevents around 80% of common internet-based attacks. Each control targets a specific, well-documented weakness that attackers exploit at scale.
Think of these five as the locks, alarms, and gates of your digital premises. None of them is glamorous. All of them are the difference between a breach and a near miss. Here is what each control actually requires in practice.
The table below maps each control to the threat it neutralises, which is the framing that makes the scheme click for most business owners.
| Control | Attack it stops |
|---|---|
| Firewalls | Unauthorised inbound access and exposed services |
| Secure configuration | Exploitation of default settings and unused features |
| User access control | Account takeover, privilege escalation, ex-staff access |
| Malware protection | Ransomware, trojans, and malicious downloads |
| Security update management | Exploitation of known, unpatched vulnerabilities |
If you are building or running custom systems, these controls also shape how software should be delivered. Our software development service in London bakes secure configuration and patch discipline into the build itself, so the application you deploy is already aligned with the Cyber Essentials baseline rather than being retrofitted to pass an audit later.
The biggest 2026 change is that multi-factor authentication (MFA) becomes mandatory on every cloud service that offers it, and missing MFA is now an automatic fail. These updates land under the IASME v3.3 question set, which takes effect for assessments started on or after 27 April 2026. If you certify after that date, you are assessed against the new, stricter rules, so you must prepare for them now.
This is the single area where most competitor guides go quiet, and it is the area most likely to catch businesses out at renewal. The tightening is deliberate. The scheme is closing the gaps that attackers exploited even on certified organisations. Here is the practical before-and-after.
| Requirement | Previous standard | From 27 April 2026 (v3.3) |
|---|---|---|
| Multi-factor authentication | Required on cloud admin accounts | Mandatory on all cloud services that offer it; missing it is an automatic fail |
| Minimum password length | 8 characters with additional controls | Minimum 12 characters where MFA is not in use |
| Critical patching window | Patch within 14 days (guidance) | Critical and high-severity updates within 14 days, strictly enforced |
| Passwordless and biometrics | Lightly addressed | Clearer recognition of passwordless, passkeys, and biometric methods |
Our blunt assessment: the MFA change is the one to act on immediately. A surprising number of UK businesses still have at least one cloud service (an old marketing tool, a finance portal, a legacy file share) where MFA is available but switched off. Under v3.3, that one oversight fails the entire assessment. Audit every cloud service you touch, enable MFA everywhere it is offered, and document anything where MFA is genuinely unavailable.
The 12-character password minimum is the second priority. If your password policy still enforces eight characters, raise it now and communicate the change to staff before renewal, not during it. The cleanest long-term answer is to move toward MFA and passkeys so that password length stops being your primary line of defence at all. For businesses running automated workflows and integrations, this is also a prompt to review how machine accounts and API credentials are secured. Our business process automation team in London regularly tightens service-account access and secret management as part of automation projects, which directly supports a clean Cyber Essentials pass.
The 14-day critical patching rule is the third. It demands a real process, not good intentions. You need to know which systems you run, where critical updates come from, and who applies them within the window. If you cannot answer those three questions today, that is your first job before any assessment.
Standard Cyber Essentials costs from £320 plus VAT, tiered by organisation size, while Cyber Essentials Plus typically ranges from roughly £1,400 to £8,000 plus VAT depending on the complexity and size of your environment. A well-prepared micro business can complete standard certification in a matter of days; Plus usually takes a further two to six weeks because of the audit and scan scheduling.
The standard tier is priced on a banded model linked to headcount, so the certificate cost is predictable. Where budgets get unpredictable is the remediation work needed to actually meet the controls, plus the Plus audit if you pursue it. The table below sets out realistic 2026 pricing.
| Organisation size | Standard CE (ex VAT) | CE Plus indicative (ex VAT) |
|---|---|---|
| Micro (up to 9 staff) | From £320 | £1,400 to £2,500 |
| Small (10 to 49 staff) | Around £400 | £2,000 to £4,000 |
| Medium (50 to 249 staff) | Around £500 | £3,500 to £6,000 |
| Large (250+ staff) | £600+ | £6,000 to £8,000+ |
Those Plus figures vary widely because the audit cost is driven by the number of devices sampled, the number of distinct operating systems and cloud services, and how clean your environment already is. A tidy, single-platform business of forty people will sit near the bottom of its band; a sprawling estate with multiple legacy systems will sit near the top.
On timeline, here is a realistic sequence for a typical SME going for both tiers:
Now weigh that against the return. Certified organisations with under £20m turnover qualify for free Cyber Liability Insurance covering the whole organisation, with 24/7 incident response and cover up to £25,000. The wider data is even more persuasive: certified organisations are reported to be around 92% less likely to make a claim on their cyber insurance. Set against an average significant incident cost of about £195,000 for UK firms, a few hundred pounds for the certificate is one of the clearest risk-reduction trades a business can make.
For most private-sector businesses, Cyber Essentials is not a legal requirement, but it is increasingly a contractual one. Since 2014, central government has mandated Cyber Essentials for suppliers handling certain sensitive or personal information, and that expectation has cascaded through public sector procurement and into private supply chains. So while the law rarely compels it, your customers and prospects increasingly do.
The clearest mandates apply to organisations bidding for UK government contracts that involve handling personal data, providing certain ICT services, or processing sensitive information. Defence supply chains, NHS suppliers, and many local authority frameworks now specify Cyber Essentials or Cyber Essentials Plus as a baseline condition of doing business. If you are below that tier in the supply chain, the prime contractor will frequently pass the requirement down to you.
There is also a regulatory backdrop worth understanding even though it does not name the scheme directly. UK GDPR and the Data Protection Act 2018 require organisations to implement appropriate technical and organisational measures to protect personal data. Cyber Essentials does not discharge that duty on its own, but holding it is strong, documented evidence that you have taken the basics seriously, which is exactly what the Information Commissioner's Office expects to see when something goes wrong.
| Scenario | Is Cyber Essentials needed? |
|---|---|
| Bidding for central government contracts with sensitive data | Often mandatory (CE or CE Plus) |
| NHS or defence supply chain | Frequently mandatory, often CE Plus |
| Sub-contractor to a certified prime contractor | Commonly required by contract |
| B2B services handling client data | Increasingly requested in due diligence |
| Small business, no public sector exposure | Not required, strongly recommended |
Our honest stance: do not wait for a tender to force your hand. With only around 3% of UK businesses certified, holding the badge is still a genuine differentiator in proposals and due-diligence questionnaires. We have watched clients win work simply because they could attach a valid certificate while a competitor could only promise to "look into it." When you build digital products that store client data, certification also reassures the people you are selling to. Our web application development services in London are delivered with that assurance baked in, so the platforms we build help rather than hinder your certification.
Most Cyber Essentials failures come down to five recurring issues: missing MFA, unsupported software still in scope, an unclear or overly broad scope, weak patching processes, and incorrect self-assessment answers. The encouraging news is that every one of these is preventable with a proper readiness review before you submit.
Failures are rarely about exotic security gaps. They are about the boring fundamentals not being in order, or being misdescribed in the questionnaire. Here are the five culprits and how to fix each.
| Reason for failure | Quick fix before assessment |
|---|---|
| MFA not enabled everywhere | Audit all cloud services; enable MFA universally |
| Unsupported OS or software | Upgrade, replace, or remove from scope |
| Scope too broad or unclear | Define and segregate scope deliberately |
| Patching gaps | Assign ownership; enable auto-updates; keep evidence |
| Wrong questionnaire answers | Technical review of every answer before submitting |
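The three v3.3 rules described earlier (MFA wherever a cloud service offers it, a 12-character minimum where MFA is not used, and critical updates applied within 14 days) and the failure table above are mechanical enough to check against an asset inventory before you submit. The script below is an added example written for this article, not IASME's tooling or any code from the scheme, and it is a readiness aid rather than a substitute for the official question set. The inventory it evaluates, the hostnames, service names, update identifiers and the assessment date are all constructed for illustration.

```python
"""Hypothetical Cyber Essentials v3.3 readiness check (added example).

Evaluates a constructed inventory of cloud services and devices against
the three headline v3.3 rules the article describes, plus the
unsupported-software failure from the failure table. Severity "FAIL"
mirrors the article's automatic-fail conditions; "WARN" is a pending
update still inside the 14-day window; "NOTE" is something to document
for the assessor (for example a service that genuinely offers no MFA).
"""
from dataclasses import dataclass, field
from datetime import date

MIN_PASSWORD_LENGTH_WITHOUT_MFA = 12   # v3.3: 12 characters where MFA is not in use
CRITICAL_PATCH_WINDOW_DAYS = 14        # v3.3: critical/high updates within 14 days


@dataclass
class CloudService:
    name: str
    mfa_available: bool        # does the provider offer MFA at all?
    mfa_enabled: bool          # is it switched on for every user?
    min_password_length: int   # password policy enforced on this service


@dataclass
class Device:
    hostname: str
    os_supported: bool         # vendor still ships security updates
    # (update_id, release_date) pairs that are still outstanding
    pending_critical_updates: list = field(default_factory=list)


def check_cloud_service(svc: CloudService) -> list:
    findings = []
    if svc.mfa_available and not svc.mfa_enabled:
        findings.append(("FAIL", svc.name, "MFA is offered but not enabled"))
    if not svc.mfa_enabled and svc.min_password_length < MIN_PASSWORD_LENGTH_WITHOUT_MFA:
        findings.append(("FAIL", svc.name,
                         f"password minimum {svc.min_password_length} is below "
                         f"{MIN_PASSWORD_LENGTH_WITHOUT_MFA} and MFA is not in use"))
    if not svc.mfa_available:
        findings.append(("NOTE", svc.name, "MFA not offered; document this for the assessor"))
    return findings


def check_device(dev: Device, today: date) -> list:
    findings = []
    if not dev.os_supported:
        findings.append(("FAIL", dev.hostname, "unsupported operating system in scope"))
    for update_id, released in dev.pending_critical_updates:
        age = (today - released).days
        if age > CRITICAL_PATCH_WINDOW_DAYS:
            findings.append(("FAIL", dev.hostname,
                             f"{update_id} released {age} days ago, outside the "
                             f"{CRITICAL_PATCH_WINDOW_DAYS}-day window"))
        else:
            findings.append(("WARN", dev.hostname,
                             f"{update_id} has {CRITICAL_PATCH_WINDOW_DAYS - age} days left"))
    return findings


def assess(services: list, devices: list, today: date):
    """Return (ready, findings); ready is False if any finding is a FAIL."""
    findings = []
    for svc in services:
        findings.extend(check_cloud_service(svc))
    for dev in devices:
        findings.extend(check_device(dev, today))
    ready = not any(sev == "FAIL" for sev, _, _ in findings)
    return ready, findings


# Constructed sample inventory (not a real organisation).
ASSESSMENT_DATE = date(2026, 5, 15)
SAMPLE_SERVICES = [
    CloudService("Microsoft 365", mfa_available=True, mfa_enabled=True, min_password_length=14),
    CloudService("Legacy marketing tool", mfa_available=True, mfa_enabled=False, min_password_length=8),
    CloudService("Finance portal", mfa_available=False, mfa_enabled=False, min_password_length=12),
]
SAMPLE_DEVICES = [
    Device("LON-LAPTOP-01", os_supported=True,
           pending_critical_updates=[("UPDATE-PLACEHOLDER-001", date(2026, 5, 10))]),
    Device("LON-SERVER-02", os_supported=True,
           pending_critical_updates=[("UPDATE-PLACEHOLDER-002", date(2026, 4, 20))]),
    Device("LON-PC-03", os_supported=False),
]

if __name__ == "__main__":
    ready, findings = assess(SAMPLE_SERVICES, SAMPLE_DEVICES, ASSESSMENT_DATE)
    for severity, asset, detail in findings:
        print(f"{severity:5} {asset:24} {detail}")
    print("READY" if ready else "NOT READY: fix every FAIL before submitting")
```

Run as-is it reports the marketing tool twice (MFA off and an 8-character policy), the server as outside the patching window, the unsupported PC, and a NOTE for the portal with no MFA, so the sample estate is not ready. Replace the constructed lists with your own inventory; the point is that each FAIL maps directly to a row in the failure table, so remediation can be assigned an owner before the questionnaire is touched.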
Be sceptical of any provider who promises a guaranteed pass without first reviewing your environment. A trustworthy partner will run a readiness assessment, tell you exactly where you fall short, and fix those gaps before you ever submit. That is the difference between paying for a certificate and paying for genuine assurance. Where automation can help (such as standardising device configuration or enforcing access policy), our AI automation agency in London can make those controls consistent across every machine rather than reliant on manual diligence.
Softomate Solutions runs a structured five-stage readiness and remediation process that takes a UK business from uncertain to assessment-ready, typically within two to four weeks, with a fixed quote agreed before any work begins. We do not issue the certificate itself (that is the certification body's role), but we get your systems, policies, and self-assessment answers into a state where passing is straightforward rather than stressful.
Our approach is deliberately practical. We focus on closing the gaps that cause real-world failures, aligning your environment to the v3.3 rules, and giving you the evidence you need. Here is how the engagement runs.
| Stage | Typical duration | Outcome |
|---|---|---|
| Discovery and scoping | 2 to 3 days | Agreed scope and asset inventory |
| Gap analysis | 3 to 5 days | Prioritised remediation report |
| Remediation | 1 to 2 weeks | Controls aligned to v3.3 |
| Self-assessment support | 2 to 3 days | Accurate, evidenced questionnaire |
| Submission and Plus prep | 1 to 4 weeks | Certificate, and Plus-audit readiness |
Engagements start from £2,500 plus VAT for a micro-business readiness and remediation package, with the exact figure fixed in writing after the scoping call so there are no surprises. Larger or more complex estates are quoted individually, always as a fixed price rather than open-ended day rates. We would rather scope properly once than bill endlessly.
Many of our clients also ask us to harden the systems we build or automate for them as part of the same project. If your operations run on a custom database, CRM, or automated workflow, we can align those systems to the controls at the source. Our custom CRM development in London and automation work are delivered with secure configuration and access control built in, so certification becomes a natural by-product of good engineering rather than a separate scramble.
A Cyber Essentials certificate is valid for 12 months from the date of issue. To stay certified you must reassess and recertify each year against the current IASME question set, which is updated annually. Many businesses set a calendar reminder around 60 days before expiry so remediation and renewal happen without a gap in coverage.
Yes, in most cases. Microsoft Defender is a fully acceptable malware protection solution for Cyber Essentials, provided it is enabled, set to update automatically, and configured for real-time protection on every in-scope device. The control is about having effective, current anti-malware in place, not about using a specific paid product. Just confirm it is active everywhere.
For most private businesses there is no general legal requirement, but it is frequently mandatory by contract. Central government requires it from suppliers handling certain data, and that expectation flows through public sector and private supply chains. It also provides strong evidence of the appropriate security measures expected under UK GDPR and the Data Protection Act 2018.
Cyber Essentials is a focused, low-cost certification covering five technical controls and is achievable in weeks. ISO 27001 is a comprehensive information security management system standard that takes months and significant resource to implement. Cyber Essentials is the sensible starting point; ISO 27001 suits larger organisations needing a full, audited management framework. Many firms hold both.
Cyber Essentials Plus typically costs between roughly £1,400 and £8,000 plus VAT, depending on the number of devices, operating systems, and cloud services in scope. The price is driven by the audit and vulnerability scanning rather than the certificate itself. A tidy, single-platform SME will sit near the lower end of that range.
If your self-assessment does not pass, the certification body explains exactly where you fell short and gives you a window to fix the issues and resubmit, often without an additional certificate fee within a set period. The most common failures are missing MFA, unsupported software, and patching gaps, all of which are straightforward to remediate before trying again.
The IASME v3.3 updates apply to assessments started on or after 27 April 2026. The headline changes are mandatory MFA on all cloud services that offer it, a minimum 12-character password length where MFA is not used, and strict 14-day patching of critical and high-severity vulnerabilities. If your next renewal date falls after that cut-off, prepare for the new rules before it arrives.
Yes, for eligible organisations. UK-domiciled organisations with annual turnover under £20m that certify the whole organisation qualify for free Cyber Liability Insurance, including 24/7 incident response support and cover up to £25,000. It is included automatically at certification unless you opt out, making the scheme even more cost-effective for smaller firms.
You can self-certify the standard tier directly through a certification body, and a technically confident business with a clean environment often does. Most SMEs, however, benefit from a readiness review to avoid the common failures and to navigate the 2026 changes. The remediation, not the paperwork, is usually where outside help saves the most time.
In 2025, around 55,995 certificates were issued, roughly 42,288 standard Cyber Essentials and 13,707 Cyber Essentials Plus. Despite that growth, only about 3% of UK businesses hold the certification. With 43% of UK businesses reporting an attack each year, that low adoption rate is precisely why holding the badge remains a genuine commercial advantage.
Cyber Essentials remains the highest-return security decision most UK businesses can make: from £320 plus VAT for the standard tier, free cyber insurance up to £25,000 for firms under £20m turnover, and protection against roughly 80% of common attacks. The five controls (firewalls, secure configuration, user access control, malware protection, and security update management) are deliberately simple, but the 2026 v3.3 changes raise the bar. From 27 April 2026, MFA is mandatory on every cloud service that offers it, passwords must reach 12 characters, and critical patches must land within 14 days. Standard certification suits most SMEs; Cyber Essentials Plus, at roughly £1,400 to £8,000, suits supply-chain and high-trust contracts. With only 3% of UK businesses certified and most failures caused by preventable basics, the businesses that prepare properly now will pass cleanly and win the contracts that increasingly demand the badge.
If you want a clean, stress-free pass aligned to the 2026 rules, our team can run your readiness review, close the gaps, and prepare your self-assessment. Talk to us through our contact page or explore our business process automation services in London to see how we harden systems as we build them.
Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based software development and AI automation agency in Stanmore (HA7). With over 12 years building software and automation systems for UK businesses, he has guided dozens of SMEs through secure system design, supplier due diligence, and certification readiness. Softomate Solutions is registered at Companies House and works with clients across London and the UK to make security a built-in feature of good engineering rather than an afterthought. Learn more about our team and approach.