CYBER SECURITY

Cyber Essentials Certification: What UK Businesses Need to Know

9 May 2026 · 14 min read · By Softomate Solutions

What Is Cyber Essentials and Who Created It?

Cyber Essentials is a UK government-backed certification scheme developed by the National Cyber Security Centre (NCSC) in partnership with industry groups. It defines five fundamental technical controls that protect organisations against the most common cyber attacks. Any UK business, from a sole trader to a listed company, can apply for certification through an NCSC-accredited body. The scheme was launched in 2014 and has since certified tens of thousands of UK organisations, making it one of the most widely adopted cyber security standards in the country.

The scheme exists because research consistently shows that the vast majority of cyber breaches exploit well-known, preventable vulnerabilities. The NCSC estimates that implementing the five Cyber Essentials controls would prevent approximately 80% of common cyber attacks. Certification is therefore not just a badge for a website footer - it represents a genuine, measurable improvement in your security posture.

Softomate Solutions has guided businesses across London and the wider UK through Cyber Essentials certification, and we consistently find that the process surfaces security gaps that business owners were previously unaware of. The certification process is as valuable for what it teaches as for the credential it provides.

What Are the Five Cyber Essentials Controls?

The five controls address the attack vectors responsible for the overwhelming majority of cyber incidents affecting UK businesses. Each control is described in the Cyber Essentials Requirements document published by the NCSC, which is updated periodically to reflect the evolving threat landscape.

1. Boundary Firewalls and Internet Gateways

A firewall acts as a barrier between your internal network and the internet, controlling what traffic is allowed in and out. For most small businesses, this means ensuring your router or network firewall is properly configured - not left with factory default settings - and that it blocks unsolicited incoming connections. Cloud services increasingly come with their own network-level protections, which count towards this control when configured correctly. The key requirement is that your internet-facing systems are protected by a properly configured firewall that blocks access to services that are not deliberately intended to be public.

2. Secure Configuration

Every device and piece of software comes with default settings, and those defaults are often insecure. "Secure configuration" means reviewing and changing those defaults - removing unnecessary software, disabling services you do not use, changing default usernames and passwords, and restricting which applications can be installed. Many breaches exploit the simple fact that organisations use software with its factory settings intact. This control requires you to actively harden your systems rather than accepting whatever configuration comes out of the box.

3. Access Control

Access control means ensuring that the right people can access the right systems - and no one else. This involves creating individual user accounts for each person rather than sharing logins, ensuring administrative (admin) accounts are only used when genuinely needed and are not used for day-to-day tasks, removing access promptly when someone leaves the organisation, and requiring strong, unique passwords. Cyber Essentials also now requires multi-factor authentication (MFA) for all accounts that can access sensitive data from the internet, including email, cloud services, and remote access systems.

4. Malware Protection

Malware - malicious software including viruses, ransomware, spyware, and trojans - is one of the most common ways attackers compromise business systems. This control requires you to have active, updated malware protection across all devices. For most businesses, this means installing and maintaining reputable anti-malware software on every computer, laptop, and server. Modern endpoint detection and response (EDR) tools go further than traditional antivirus by monitoring for suspicious behaviour rather than relying solely on known malware signatures - important given that new malware variants are created daily.

5. Patch Management

Software vendors regularly release updates that fix security vulnerabilities. Attackers actively scan for systems running outdated software, because the vulnerabilities are publicly documented. Patch management means applying software updates promptly - ideally within 14 days of release for high-severity patches, as the NCSC recommends. This applies to operating systems, browsers, business applications, and the firmware on routers and other network devices. For software that is no longer receiving security updates (end-of-life software), the Cyber Essentials requirement is to remove or replace it.

What Is the Difference Between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials and Cyber Essentials Plus both assess the same five controls, but the verification process differs significantly. Cyber Essentials is a self-assessment: you answer a questionnaire about your controls, an NCSC-approved assessor reviews your answers, and if satisfied, you receive certification. The questionnaire is rigorous and requires honest answers about your actual configurations, but the verification is largely based on trust.

Cyber Essentials Plus involves an independent technical audit. An NCSC-accredited assessor performs hands-on testing of your systems to verify that the controls you have described are actually in place and working as claimed. This includes vulnerability scanning, testing that MFA is functioning, verifying patch levels on devices, and confirming malware protection is active and updated. Plus certification carries significantly more weight because it is independently verified rather than self-declared.

For businesses that supply services to central government, Cyber Essentials (at the self-assessment level) is mandatory. Many defence contractors, NHS suppliers, and regulated organisations require Cyber Essentials Plus from their supply chain. Even where not mandated, Plus certification is increasingly becoming a differentiator in competitive tendering situations.

How Much Does Cyber Essentials Certification Cost?

Certification fees depend on the tier and the certification body you choose. As of 2024, Cyber Essentials self-assessment typically costs between £300 and £500 including the assessment fee. Cyber Essentials Plus costs more due to the hands-on technical audit - typically £1,500 to £3,000 for a small business, rising for larger or more complex organisations. Some certification bodies charge separately for preparatory gap assessments, which are worth considering if you are uncertain whether your controls meet the standard.

The certification is valid for 12 months, after which you must recertify. This annual cycle is intentional - the threat landscape and the controls required evolve, and annual recertification ensures your security does not stagnate.

Beyond the direct certification cost, there may be remediation costs if the assessment surfaces gaps you need to fix. Common examples include the cost of purchasing endpoint protection software for devices that do not currently have it, or the time involved in applying outstanding patches. Our cyber security consultancy in London can conduct a pre-assessment gap review to identify what remediation is needed before you formally submit for certification - often saving time and avoiding the embarrassment of a failed first attempt.

Who Needs Cyber Essentials Certification?

Cyber Essentials certification is mandatory for all organisations bidding for UK central government contracts that involve handling sensitive or personal information, or providing certain technical products and services. The UK Ministry of Defence and NHS Digital both require it across their supply chains. Beyond these formal mandates, any UK business that wants to demonstrate credible cyber security practices to customers, partners, or insurers has a strong commercial reason to certify.

The scheme is deliberately designed to be accessible to small organisations. The questionnaire covers the five controls in plain language, and the NCSC publishes detailed guidance documents that walk through each requirement. A business with no dedicated IT staff can work through the process with appropriate external support.

Sectors where Cyber Essentials certification is becoming standard practice include: professional services (legal, accountancy, consultancy), healthcare (GP practices, dental surgeries, care homes), financial services, charities that hold donor data, and technology companies. If you operate in London's competitive professional services sector, not holding Cyber Essentials is increasingly a disadvantage when pitching for work.

What Happens If You Fail the Assessment?

Failing a Cyber Essentials assessment is not unusual for first-time applicants. The most common reasons for failure include: end-of-life software still in use, MFA not enabled on cloud services, devices without active endpoint protection, accounts with unnecessarily broad administrator privileges, and routers with default credentials still set. None of these failures reflects badly on the business - they reflect that many organisations have never had reason to audit these things systematically before.

After a failed assessment, the certification body provides feedback explaining which controls are not yet met. You have an opportunity to remediate and resubmit. Many organisations find that the remediation process is where the real security value is created - the certification itself is almost a by-product of doing the underlying work correctly.

Our testing services include a Cyber Essentials pre-assessment that mirrors the actual certification questionnaire, identifying gaps before you formally apply. This means you approach the certification with confidence rather than uncertainty.

Does Cyber Essentials Satisfy UK GDPR Requirements?

Cyber Essentials certification does not guarantee GDPR compliance - the two frameworks have different scopes. UK GDPR, enforced by the Information Commissioner's Office (ICO), requires "appropriate technical and organisational measures" to protect personal data. Cyber Essentials addresses the technical dimension, but UK GDPR also requires organisational measures such as data mapping, privacy notices, lawful basis documentation, subject access request procedures, and breach notification processes.

That said, Cyber Essentials significantly strengthens your technical security posture, which is a meaningful part of GDPR compliance. If your business suffers a breach and the ICO investigates, demonstrating that you hold Cyber Essentials certification - and therefore had implemented the five fundamental controls - is strong evidence of having taken appropriate technical measures. Several ICO enforcement decisions have noted the absence of basic technical controls as an aggravating factor in breach cases.

The DSIT (Department for Science, Innovation and Technology) position is that Cyber Essentials, combined with appropriate organisational measures and staff training, represents a credible baseline of compliance for most small and medium-sized businesses processing personal data.

How Long Does the Certification Process Take?

For an organisation that already has reasonable security practices in place, the Cyber Essentials self-assessment can be completed within one to two weeks. The questionnaire itself takes a few hours for someone with knowledge of your IT systems. Review and approval by the certification body typically takes 3 to 5 business days.

If your organisation needs remediation work before it can certify, timescales depend on the complexity of the gaps. Applying outstanding patches and enabling MFA can often be done within a few days. Replacing end-of-life operating systems or restructuring user access permissions takes longer. A realistic timeline for an organisation starting from scratch, with professional support, is four to eight weeks from initial assessment to certification.

How Does the Cyber Essentials Assessment Process Work Step by Step?

Understanding the full assessment journey helps you plan your time and resources effectively. Here is how the process works from start to finish for a UK business pursuing self-assessment certification.

Step 1 - Choose a certification body. The NCSC does not conduct assessments directly. Instead, it works with a network of NCSC-approved certification bodies, including CREST-member organisations and the IASME Consortium. Prices and service levels vary, so it is worth comparing a few options. IASME administers Cyber Essentials on behalf of the NCSC and provides an accessible, SME-friendly portal.

Step 2 - Complete the self-assessment questionnaire. The questionnaire (accessed through your chosen certification body's online portal) covers the five controls in detail. You will need to describe the boundaries of your assessment scope - which devices, software, and users are included - and answer questions about each control. Be honest: the self-assessment is a declaration, and providing inaccurate answers to obtain certification has legal consequences. Budget two to four hours to complete the questionnaire if you have a good understanding of your IT environment.

Step 3 - Assessor review. Your certification body's assessor reviews your submission. They may come back with clarifying questions. If your answers demonstrate the five controls are in place, they award certification and issue your certificate. If gaps are identified, you receive a failure notice detailing what needs to be addressed.

Step 4 - Remediation (if required). Address the identified gaps, update your questionnaire responses, and resubmit. Most certification bodies allow resubmission within the same assessment period without additional cost, though this varies by provider.

Step 5 - Certification issued. You receive your Cyber Essentials certificate, which is valid for 12 months. Your organisation is listed on the NCSC's public register of certified organisations, which customers and procurement teams can search. You can use the Cyber Essentials logo on your website, proposals, and marketing materials.

What Are the Most Common Reasons Businesses Fail Cyber Essentials?

Knowing the most common failure reasons helps you address them before submitting. The IASME Consortium, which administers the majority of UK Cyber Essentials assessments, reports that the following issues are responsible for most first-attempt failures.

End-of-life software. Any device running an operating system that is no longer receiving security updates (Windows 7, Windows 8.1, older versions of macOS) will fail the patch management control. You must either upgrade to a supported version or provide a documented compensating control - though in practice, the latter is difficult to satisfy under the standard.

MFA not enabled on cloud services. The 2022 update to Cyber Essentials (the "Evendine" refresh) made MFA mandatory for all internet-accessible accounts, not just administrative ones. Businesses that have email, cloud storage, or CRM systems without MFA enabled will fail this control. This is also one of the easiest gaps to close - most cloud services support MFA natively.

Default credentials not changed. Routers, network switches, printers, and other devices that are still using manufacturer default usernames and passwords fail the secure configuration control. Carry out an audit of every networked device and change any defaults you find.

Scope errors. Including devices or services that are not actually in scope, or excluding devices that should be, creates inconsistencies that assessors flag. Define your scope carefully at the outset - all devices that can access your organisation's data or services should be included unless there is a documented reason to exclude them.
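The five controls and the failure reasons above map directly onto checks you can run against your own asset inventory before you submit the questionnaire. The script below is an added example, not code from the original article or from Softomate Solutions: it takes a constructed device and account inventory and reports gaps grouped by control, applying the 14-day patch window the article cites, a small end-of-life OS list, and flags for endpoint protection, default credentials, inbound firewall behaviour, MFA on internet-facing accounts and day-to-day use of admin accounts. The inventory fields, the EOL list and the sample data are assumptions for illustration; the actual assessment is answered through your certification body's portal.

```python
from dataclasses import dataclass
from datetime import date

# Constructed values for the example: OS versions treated as end-of-life,
# and the 14-day window the article cites for high-severity patches.
EOL_OS = {"Windows 7", "Windows 8.1", "macOS 10.14"}
PATCH_WINDOW_DAYS = 14


@dataclass
class Device:
    name: str
    kind: str                                # "workstation", "server" or "network"
    os: str
    last_patched: date
    endpoint_protection: bool = False        # only expected on workstations/servers
    defaults_changed: bool = True            # manufacturer username/password replaced
    blocks_unsolicited_inbound: bool = True  # only meaningful for network devices
    in_scope: bool = True


@dataclass
class Account:
    user: str
    service: str
    internet_facing: bool
    mfa_enabled: bool
    is_admin: bool = False
    used_daily: bool = False


def check_devices(devices, today):
    """Return (asset, control, reason) tuples for device-level gaps."""
    findings = []
    for d in devices:
        if not d.in_scope:
            continue  # out-of-scope assets are skipped, but the exclusion must be documented
        if d.os in EOL_OS:
            findings.append((d.name, "patch_management", f"end-of-life OS: {d.os}"))
        else:
            age = (today - d.last_patched).days
            if age > PATCH_WINDOW_DAYS:
                findings.append((d.name, "patch_management", f"last patched {age} days ago"))
        if d.kind in ("workstation", "server") and not d.endpoint_protection:
            findings.append((d.name, "malware_protection", "no active endpoint protection"))
        if not d.defaults_changed:
            findings.append((d.name, "secure_configuration", "manufacturer default credentials still set"))
        if d.kind == "network" and not d.blocks_unsolicited_inbound:
            findings.append((d.name, "boundary_firewall", "unsolicited inbound connections allowed"))
    return findings


def check_accounts(accounts):
    """Return (asset, control, reason) tuples for account-level gaps."""
    findings = []
    for a in accounts:
        asset = f"{a.user}@{a.service}"
        if a.internet_facing and not a.mfa_enabled:
            findings.append((asset, "access_control", "MFA not enabled on internet-facing account"))
        if a.is_admin and a.used_daily:
            findings.append((asset, "access_control", "admin account used for day-to-day work"))
    return findings


def gap_report(devices, accounts, today):
    """Group findings by control so the output mirrors the questionnaire sections."""
    report = {}
    for asset, control, reason in check_devices(devices, today) + check_accounts(accounts):
        report.setdefault(control, []).append(f"{asset}: {reason}")
    return report


# Constructed sample inventory for a small office (not real assets).
TODAY = date(2026, 5, 9)
SAMPLE_DEVICES = [
    Device("reception-pc", "workstation", "Windows 7", date(2026, 1, 10), endpoint_protection=True),
    Device("finance-laptop", "workstation", "Windows 11", date(2026, 4, 1), endpoint_protection=False),
    Device("file-server", "server", "Windows Server 2022", date(2026, 5, 2), endpoint_protection=True),
    Device("office-router", "network", "RouterOS 7", date(2026, 5, 3),
           defaults_changed=False, blocks_unsolicited_inbound=False),
    Device("old-test-box", "workstation", "Windows 8.1", date(2025, 1, 1), in_scope=False),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "email", internet_facing=True, mfa_enabled=True),
    Account("bob", "crm", internet_facing=True, mfa_enabled=False),
    Account("admin", "file-server", internet_facing=False, mfa_enabled=False,
            is_admin=True, used_daily=True),
]

if __name__ == "__main__":
    for control, items in sorted(gap_report(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, TODAY).items()):
        print(control)
        for item in items:
            print("  -", item)
```

Run against the sample data, the report flags the Windows 7 machine and the 38-day-old patch level under patch management, the laptop without endpoint protection under malware protection, the router's default credentials and open inbound policy under secure configuration and boundary firewall, and the CRM account without MFA plus the daily-use admin account under access control; the out-of-scope test box is skipped, which is where a documented reason for exclusion needs to exist. Extending the inventory with the real scope you declare in the questionnaire turns this into a repeatable pre-assessment check.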

Frequently Asked Questions

Is Cyber Essentials worth it for a very small business?

Yes, unambiguously. Even a two-person business holds data that criminals value - customer contact details, payment information, business banking credentials. The five Cyber Essentials controls are the minimum sensible security baseline for any business that uses the internet, which is essentially all of them. The certification cost is modest, the process is educational, and the credential opens commercial doors that would otherwise be closed.

Can I complete Cyber Essentials without an IT team?

Yes. The questionnaire is designed to be completed by someone with general business knowledge rather than deep technical expertise. You need to know what devices your business uses, what software is installed, how user accounts are managed, and what security tools are in place. If you are uncertain about any of these, a brief consultation with a cyber security professional will help you gather the information needed without requiring ongoing IT support.

Does Cyber Essentials cover mobile phones and tablets?

Yes, mobile devices that access business email, cloud services, or internal systems are in scope for Cyber Essentials. The controls require that mobile devices have screen lock enabled, are kept up to date, and do not connect to unknown Wi-Fi networks without VPN protection. The updated Cyber Essentials requirements (Evendine, introduced in 2022) specifically addressed cloud services and mobile devices to reflect how most businesses actually work today.

How is Cyber Essentials different from ISO 27001?

ISO 27001 is a comprehensive international information security management standard that covers governance, risk management, policies, and procedures, in addition to technical controls. It requires a significant ongoing commitment of time and resource to achieve and maintain. Cyber Essentials is intentionally simpler and more focused, covering the five technical controls most likely to prevent common attacks. Most small businesses should start with Cyber Essentials and consider ISO 27001 only when their risk profile and customer requirements demand a more comprehensive standard.

What evidence do I need to gather for the assessment?

You will need to document: a list of all devices within scope, which software and operating system versions are installed, how user accounts are structured and which accounts have administrative privileges, what firewall and network boundary controls are in place, what endpoint protection software is deployed, and how software updates are managed. For Cyber Essentials Plus, an assessor will verify this evidence through technical testing rather than relying on your documentation alone.
