If you work with the public sector, handle sensitive data, or have clients in regulated industries, you've probably been asked: "Do you have Cyber Essentials?" It's increasingly appearing in tender documents, supplier questionnaires, and procurement requirements — and for good reason.
But what exactly is Cyber Essentials, how much does it cost, and is it worth the effort for your business? This guide explains everything in plain English.
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed cyber security certification scheme, developed by the National Cyber Security Centre (NCSC) in collaboration with industry. Launched in 2014, it's designed to help organisations protect themselves against the most common cyber threats.
The scheme focuses on five key technical controls that, when properly implemented, can prevent around 80% of cyber attacks:
1. Firewalls
A firewall creates a barrier between your internal network and the internet. Cyber Essentials requires that all devices connecting to the internet are protected by a properly configured firewall. This includes not just dedicated hardware firewalls, but also software firewalls on individual devices — particularly relevant for laptops used outside the office.
2. Secure Configuration
Computers and network devices are often shipped with default settings that prioritise ease of use over security. Cyber Essentials requires that you change default passwords, remove unnecessary software and services, and disable features you don't use. The principle is simple: reduce the attack surface by removing things attackers could exploit.
3. User Access Control
Not everyone in your organisation needs admin-level access to every system. Cyber Essentials requires that user accounts are properly managed: unique accounts per person, strong passwords, admin privileges restricted to those who genuinely need them, and unused accounts removed promptly when people leave.
4. Malware Protection
You need active protection against malware — viruses, ransomware, spyware, and other malicious software. This can be traditional antivirus, next-generation endpoint protection, or application whitelisting. The key requirement is that it's active, up-to-date, and configured to scan for threats automatically.
5. Security Update Management (Patching)
Software vulnerabilities are discovered and patched constantly. Cyber Essentials requires that you apply security patches within 14 days of release for critical and high-severity vulnerabilities. This applies to operating systems, web browsers, email clients, and any other software in your environment.
Two Levels of Certification
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment method | Self-assessment questionnaire | Hands-on technical audit by assessor |
| Verified by | Certification body reviews answers | Assessor tests your actual systems |
| Tests include | Questionnaire only | Vulnerability scans, phishing simulation, configuration checks |
| Cost (typical) | £300–£500 + VAT | £1,500–£3,500 + VAT |
| Time to complete | 1–2 weeks | 2–4 weeks |
| Validity | 12 months | 12 months |
| Includes cyber insurance | Yes (up to £25,000) | Yes (up to £25,000) |
Cyber Essentials is a self-assessment: you answer an online questionnaire about your security controls, and a certification body reviews your answers. It's the entry-level certification and is sufficient for many purposes.
Cyber Essentials Plus includes everything in the basic certification, plus a hands-on technical assessment. An authorised assessor will visit (physically or remotely) and test your systems — running vulnerability scans, checking configurations, and attempting a simulated phishing attack. This provides much stronger assurance that your controls are actually working, not just documented.
Who Needs Cyber Essentials?
Mandatory for:
- Government contracts: Since 2014, Cyber Essentials has been mandatory for all central government contracts involving the handling of sensitive or personal data. Many local authorities and NHS trusts have followed suit.
- Ministry of Defence suppliers: The Defence Cyber Protection Partnership (DCPP) requires Cyber Essentials as a minimum for suppliers handling MOD information.
Increasingly Expected for:
- Supply chain requirements: Large enterprises — particularly in financial services, legal, and healthcare — are increasingly requiring their suppliers to hold Cyber Essentials. It's becoming a standard part of supplier due diligence.
- Insurance purposes: Some cyber insurance providers offer reduced premiums or require Cyber Essentials as a condition of coverage.
- Competitive tenders: Even in the private sector, Cyber Essentials is appearing in RFPs as either a requirement or a scored criterion.
Beneficial for Everyone:
Even if no one is asking you to get certified, the process of achieving Cyber Essentials forces you to review and improve your basic security posture. The five controls it covers are genuinely effective at preventing common attacks. Think of it as a structured health check for your IT security.
The Certification Process
Step 1: Prepare
Review the five control areas and identify any gaps in your current setup. Common issues include: staff using admin accounts for daily work, unpatched software, default passwords on network equipment, and missing firewalls on remote worker laptops.
Step 2: Remediate
Fix any gaps identified. This might involve updating your password policy, configuring Windows Update properly, restricting admin access, or deploying endpoint protection across all devices. For most SMEs, this takes 1–2 weeks.
Step 3: Choose a Certification Body
Cyber Essentials assessments must be conducted through an NCSC-approved certification body. The IASME Consortium is the primary accreditation body, and you can find approved assessors through its website or the NCSC's list. Reputable certification bodies include IASME, CREST, and QG Certifications.
Step 4: Complete the Assessment
For basic Cyber Essentials, you'll complete an online self-assessment questionnaire. Answer honestly — making false claims undermines the entire purpose and could have legal implications if you suffer a breach.
For Cyber Essentials Plus, schedule the technical assessment with your chosen certification body. They'll need remote access to sample devices and will run their testing tools.
Step 5: Receive Your Certificate
If you pass, you'll receive your certificate (valid for 12 months) and can display the Cyber Essentials badge on your website, marketing materials, and tender responses. You'll also be listed on the NCSC's public directory of certified organisations.
Tip: Start with Basic, Then Upgrade
If you're new to Cyber Essentials, start with the basic certification. It's affordable, achievable, and will immediately demonstrate your security commitment to clients and partners. Once you've been through the process and have your controls firmly in place, upgrade to Plus for the stronger assurance it provides.
Common Reasons Businesses Fail
Based on industry data from certification bodies, the most common failure points are:
- Unsupported software: Running Windows 10 after its end-of-support date, or using old versions of web browsers or plugins
- Missing patches: Security updates not applied within the 14-day window
- Admin accounts used daily: Staff — including directors — using admin-level accounts for everyday work like email and web browsing
- Weak password policies: Not enforcing minimum password length or complexity requirements
- BYOD devices: Personal devices accessing company data without proper security controls
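To make the Step 1 gap analysis and the failure points above concrete, here is an added example (not part of the original guide) that scores a device inventory against the five controls, including the 14-day patch window. The inventory fields and the unsupported-OS list are assumptions; the devices are constructed sample data, not real systems.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 14                        # scheme window for critical/high-severity fixes
UNSUPPORTED_OS = {"Windows 7", "Windows 10"}  # assumption: OS labels as the inventory records them

@dataclass
class Device:
    name: str
    os: str
    firewall_enabled: bool
    default_password_changed: bool
    daily_account_is_admin: bool               # does the account used for email/browsing hold admin rights?
    malware_protection_active: bool
    oldest_missing_high_patch: Optional[date]  # release date of the oldest unapplied critical/high patch
    company_owned: bool                        # False = BYOD, still in scope if it touches company data

def gap_check(device: Device, today: date) -> List[str]:
    """Return the Cyber Essentials control gaps found on one device (empty list = no gaps)."""
    gaps = []
    if not device.firewall_enabled:
        gaps.append("firewall: no active firewall")
    if not device.default_password_changed:
        gaps.append("secure configuration: default password still in use")
    if device.daily_account_is_admin:
        gaps.append("user access control: day-to-day account has admin rights")
    if not device.malware_protection_active:
        gaps.append("malware protection: no active, up-to-date protection")
    if device.os in UNSUPPORTED_OS:
        gaps.append(f"patching: unsupported operating system ({device.os})")
    if device.oldest_missing_high_patch is not None:
        overdue = (today - device.oldest_missing_high_patch).days - PATCH_WINDOW_DAYS
        if overdue > 0:
            gaps.append(f"patching: critical/high patch {overdue} day(s) past the {PATCH_WINDOW_DAYS}-day window")
    if gaps and not device.company_owned:
        gaps.append("scope: BYOD device accesses company data but fails the controls above")
    return gaps

def gap_report(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device name to its gaps; only devices with at least one gap are listed."""
    return {d.name: g for d in devices if (g := gap_check(d, today))}

# Constructed sample inventory (not real devices), assessed on a fixed date so results are repeatable.
ASSESSMENT_DATE = date(2026, 1, 15)
INVENTORY = [
    Device("LAPTOP-01", "Windows 11", True, True, True, True, date(2025, 12, 26), True),
    Device("LAPTOP-02", "Windows 10", True, True, False, True, None, True),
    Device("TABLET-04", "Android 14", False, True, False, False, None, False),
]
```

Running `gap_report(INVENTORY, ASSESSMENT_DATE)` lists LAPTOP-01 for admin use and a patch six days past the window, LAPTOP-02 for its unsupported OS, and TABLET-04 for missing firewall and malware protection on a BYOD device.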
Is It Worth It?
For the basic certification at £300–£500, absolutely. Even if you never need to show the certificate to a client, the process forces you to implement security controls that genuinely protect your business. It's one of the highest-value security investments an SME can make.
Cyber Essentials Plus at £1,500–£3,500 is worth it if you work in supply chains where it's expected, handle sensitive data, or want the confidence that comes from independent technical verification. The cost is a fraction of what even a minor security incident would cost in disruption, remediation, and reputational damage.
Need Help Getting Certified?
We guide UK businesses through the Cyber Essentials process — from gap analysis and remediation to certification. We'll make sure you pass first time.
Farsight