The UK Government-backed certification that demonstrates your business has the essential cyber security controls in place. Guided support throughout. Remote. Jargon-free.
All prices include the IASME certification fee — you certify directly with us, with no middlemen and no hidden costs.
5 Core Security Controls
1yr Certificate Validity
100% Remote Assessment
IASME Approved Body
Up to 80% of common cyber attacks are mitigated by the five CE controls (NCSC)
Mandatory for UK Government contracts involving personal data or sensitive technical services
Free cyber insurance up to £25,000 included for eligible UK organisations — automatically with certification
// What Is It
WHAT IS CYBER ESSENTIALS?
Cyber Essentials is a UK Government-backed cyber security certification scheme, developed by the NCSC, that helps organisations demonstrate they have essential protections in place against the most common cyber threats.
Certification is increasingly required for UK Government contracts — any contract involving the handling of personal data or certain technical products and services will require it. It also provides a strong signal of trust to clients, partners, and the supply chain.
As an IASME Approved Certification Body, Vincent Cyber Defence can assess and certify your organisation directly, with a focus on getting you through first time.
Who Needs It?
Businesses tendering for UK Government contracts
Organisations in regulated supply chains
SMEs wanting to demonstrate cyber maturity to clients
Any business handling personal or sensitive data
Some contracts — particularly in the MOD supply chain and enterprise sector — require Cyber Essentials Plus, which adds an independent technical audit on top of the self-assessment.
THE 5 CONTROLS
Cyber Essentials focuses on five technical controls that protect against the vast majority of common cyber attacks. Under the current v3.3 (Danzell) standard, all controls apply across every in-scope system — including cloud services. Platforms such as Microsoft 365 and Google Workspace cannot be excluded from scope if used for business purposes.
FIREWALLS
Boundary firewalls and internet gateways to control network traffic.
SECURE CONFIGURATION
Ensuring systems are configured securely and unnecessary features disabled.
ACCESS CONTROL
User accounts managed and limited to what's needed for the role.
MALWARE PROTECTION
Protecting against viruses and other malicious software.
SECURITY UPDATE MANAGEMENT
Keeping devices and software up to date with the latest security updates within 14 days of release.
// The Process
HOW WE CERTIFY YOU
Our streamlined process is designed to get you certified quickly, accurately, and first time.
1. SCOPE
We help you work out what's in scope for your assessment and explain requirements in plain English.
2. REVIEW
Guided support reviewing your current controls against the five Cyber Essentials requirements.
3. SUBMIT
We explain each requirement and review your draft responses. You complete and sign the declaration yourself — we advise, we do not answer for you.
4. CERTIFIED
Your IASME certificate is issued and listed on the NCSC public register.
// Next Level
Need independent verification? Cyber Essentials Plus adds a technical audit by our IASME-approved assessors — confirming your controls are working, not just documented.
Pricing is based on your organisation's size. All prices are fixed and exclude VAT:
Size | Employees | Price + VAT
Micro | 1–9 | £320
Small | 10–49 | £440
Medium | 50–249 | £500
Large | 250+ | £600
These fees are set by IASME and are consistent across all Approved Certification Bodies.
Your certification fee covers the IASME assessment fee, your verified certificate, and listing on the NCSC public register of certified organisations. Our service also includes a pre-assessment gap review and guided questionnaire support throughout — at no extra cost. We explain each requirement and review your draft responses; you complete and sign the self-assessment declaration yourself. There are no hidden charges.
Cyber Essentials is mandatory for all UK Government contracts that involve handling personal data or the supply of certain technical products and services. This includes contracts with central government departments, the NHS, and MOD-related supply chains in many cases. Even where it is not contractually required, certification is increasingly expected by commercial clients and insurance providers, and provides important protections against the most common cyber attacks.
We don't offer a monetary guarantee, but our process is specifically designed around first-time pass. Before you submit, we conduct a thorough pre-assessment review to identify and resolve any gaps. Our team supports you through every question in the questionnaire to ensure your answers are accurate and compliant. The majority of our clients achieve certification on their first attempt as a result.
// The Certification Process
The time from starting the process to receiving your certificate depends on your current readiness. If your controls are largely in place, certification can be completed within a few days. If there are gaps to address, it typically takes one to three weeks. We work to your timeline and can support urgent certification for tender deadlines.
Once your Cyber Essentials assessment application is opened, you have up to six months to complete and submit it. This window gives you time to implement any required controls before submission, rather than having to be fully ready on day one. However, your certificate validity date runs from the date of certification — so the sooner you submit, the longer your certificate is active. We recommend not delaying unnecessarily.
Note: If you are proceeding to Cyber Essentials Plus, a separate and shorter window applies — you have 90 days (3 months) from your CE basic certification date to complete and pass CE Plus. If CE Plus is not passed within 90 days, you will need to re-certify at CE basic level before restarting the Plus process, which incurs an additional cost.
If your submission does not meet the requirements, you will receive detailed feedback explaining exactly which controls were not satisfied and why. You then have the opportunity to address those issues and resubmit within your assessment window — there is no additional fee for resubmission. Our team will help you understand the feedback and make the necessary changes as quickly as possible.
Feedback is specific and actionable. You will be told which questions were answered incorrectly or incompletely, which controls were not met, and what the requirement is. This is not a vague pass or fail — it is a detailed report that tells you exactly what to fix. Our team will translate this into practical steps and help you remediate efficiently.
Cyber Essentials certificates are valid for 12 months from the date of certification. Annual renewal is required to maintain certified status, which is important for ongoing government contracts and supply chain requirements. We can help you manage your renewal cycle to avoid any gaps in certification.
// Requirements & Compliance
The official document is called the Cyber Essentials Requirements for IT Infrastructure and is published by IASME on their website (iasme.co.uk). The current version reflects the Danzell (v3.3) update introduced in April 2026, which includes new auto-fail rules for MFA on cloud services and updated patching requirements. We always assess against the current version and will make sure you understand what applies to your organisation.
Cyber Essentials (basic) is a self-assessed certification — you complete a questionnaire about your security controls, which is reviewed and verified by your Certification Body. Cyber Essentials Plus includes everything in the basic level, plus an independent technical audit where an assessor actively tests your systems to verify the controls are working as described. Plus provides a higher level of assurance and is required for some government and MOD contracts.
The CE Plus audit is a hands-on technical assessment conducted by our team. It includes: external vulnerability scanning of your internet-facing systems, internal vulnerability scanning of a sample of in-scope devices, checks on email and web browser configuration, and verification that security controls such as patching, malware protection, and access control are correctly implemented — not just documented. The audit is conducted remotely and typically takes a few hours depending on scope.
Yes — Cyber Essentials is recognised as a foundation for several other frameworks. It is a mandatory prerequisite for Defence Cyber Certification (DCC) Level 0, which is assessed against Def Stan 05-138 for MOD supply chain organisations. It also aligns with elements of ISO 27001, the DSPT (Data Security and Protection Toolkit), and various supply chain assurance programmes. Many organisations use CE as the first step in a broader cyber security improvement journey — often following it with Cyber Essentials Plus before progressing toward ISO 27001, where independently verified controls provide a strong starting point.
Certain issues automatically result in a failed assessment, regardless of other controls being in place. These include: use of unsupported or end-of-life software within scope, failure to apply high or critical security updates within 14 days of release, internet-facing services with known exploitable vulnerabilities, and — from the Danzell (v3.3) update — failure to enforce MFA on all cloud services accessible from the internet. A further key Danzell rule: broad cloud platforms such as Microsoft 365 or Google Workspace cannot be excluded to artificially narrow your assessment scope. If your organisation uses them for business purposes, they are in scope. Our pre-assessment review is specifically designed to identify these issues before you submit, so they can be resolved in advance.
// Procurement & Support
Cyber Essentials is mandatory for all UK central government contracts that involve handling personal data or the provision of certain ICT products and services. This requirement is set by the Cabinet Office and applies across government departments. Many NHS organisations, local authorities, and MOD supply chain contracts also mandate it, either directly or through contractual flow-down. If your contract tender mentions cyber security requirements, Cyber Essentials is almost always the minimum expected standard.
Our team is available throughout your assessment to answer any questions in plain English — no jargon. Whether you are unsure how a question applies to your environment, need help understanding a technical requirement, or want to check whether something falls within scope, just get in touch. We believe assessors should be helpful and approachable, not a barrier to certification.
Yes, in two important ways. First, all UK organisations that achieve Cyber Essentials certification through an IASME Approved Body are automatically eligible for free cyber insurance up to £25,000 — this is included as part of the IASME scheme at no additional cost. Second, many commercial cyber insurers offer reduced premiums or improved policy terms for CE-certified organisations, as certification demonstrates that baseline security controls are in place. It is worth informing your broker of your certification status.
READY TO GET CERTIFIED?
Talk to our UK-based team. Clear, jargon-free guidance with expert support at every step.