<< BACK TO BLOG

4 July 2026

What is Cyber Essentials? A Plain-English Guide for UK Businesses

Cyber Essentials is the UK government-backed scheme that helps businesses protect against the most common cyber threats. Here's what it covers, who needs it, and how to get certified.

Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against the most common cyber threats. It was developed by the NCSC (National Cyber Security Centre) and is managed by IASME on behalf of the UK government.

The scheme covers five technical control areas that, when implemented correctly, protect against the vast majority of commodity cyber attacks — the kind that target businesses opportunistically rather than specifically.

The 5 Cyber Essentials Control Areas

  • -Firewalls — protecting your network boundary and individual devices from unauthorised access.
  • -Secure Configuration — ensuring devices and software are configured securely, not left on default settings.
  • -User Access Control — managing who can access what, enforcing least privilege, and requiring MFA.
  • -Malware Protection — keeping anti-malware active and up to date on all in-scope devices.
  • -Patch Management — ensuring software and operating systems are updated within 14 days of a critical patch release.

Who Needs Cyber Essentials?

Cyber Essentials certification is mandatory for any UK business that wants to bid for UK central government contracts involving the handling of sensitive or personal information. Beyond government contracts, it is increasingly required by larger organisations in their supplier questionnaires — particularly in sectors like defence, finance, healthcare, and legal services.

Even if it is not required by a client, certification demonstrates to customers and partners that your business takes cyber security seriously. With cyber attacks on small businesses rising year on year, it also provides genuine protection — not just a certificate.

Cyber Essentials vs Cyber Essentials Plus

There are two levels of Cyber Essentials certification. Standard Cyber Essentials is a self-assessment — your business answers a questionnaire about your controls, and a Certification Body verifies your answers. Cyber Essentials Plus includes an independent technical verification, where an assessor remotely tests your systems to confirm the controls are genuinely in place.

Most small businesses start with standard Cyber Essentials. CE Plus is required for some government contracts and gives a higher level of assurance to clients.

How Much Does Cyber Essentials Cost?

The certification fee depends on your organisation's size and your chosen Certification Body. For small businesses (fewer than 50 employees), the assessment fee is typically £300–£500 for standard Cyber Essentials. CE Plus typically costs £1,500–£3,000+ depending on the scope and complexity of your IT estate.

Before paying for the formal assessment, it is worth completing a pre-check to understand where your gaps are. Many businesses fail their first assessment because they didn't know about specific requirements — such as MFA being mandatory on all cloud services — until the assessor flagged it.

Ready to Check Your Readiness?

Our free RADAR_CHECK questionnaire takes around 10 minutes and gives you an instant view of how your business measures up across all five control areas. Book a free 30-minute call with our team and we'll walk you through your results and tell you exactly what to fix before you apply.

// TAKE THE NEXT STEP

CHECK YOUR READINESS — FREE

Our RADAR_CHECK questionnaire takes 10 minutes. Book a free 30-minute call and we'll walk you through your results and tell you exactly what to fix.

START FREE CHECK >>