WHAT IS CYBER ESSENTIALS AND DO I REALLY NEED IT?

WHAT IS CYBER ESSENTIALS?

Cyber Essentials is a UK Government-backed certification scheme, managed by the NCSC and delivered through IASME Approved Certification Bodies. It defines five core technical controls that protect organisations against the most common cyber attacks — the kind that account for the vast majority of successful breaches targeting UK businesses every day.

Achieving Cyber Essentials certification demonstrates that your organisation has these controls in place, properly implemented. Your certificate is issued by an IASME-approved body and listed on the NCSC public register.

THE FIVE CORE CONTROLS

• Firewalls — boundary controls that manage what traffic can enter and leave your network
• Secure configuration — systems and devices configured securely, with unnecessary features and default accounts removed
• User access control — accounts managed carefully, with people only having access to what they need
• Malware protection — protection against viruses and malicious software
• Patch management — keeping devices and software up to date with the latest security fixes

DO YOU REALLY NEED IT?

For many UK businesses, the answer is yes — and the reasons go beyond compliance:

• It is mandatory for government contracts — any UK central government contract involving personal data or certain technical services requires Cyber Essentials
• It is increasingly expected in commercial supply chains — large enterprises now include it in supplier questionnaires and tender requirements
• It provides real protection — the five controls protect against the phishing, malware, and credential attacks that hit UK businesses every day
• It comes with free cyber insurance — eligible UK organisations (turnover under £20m) automatically receive up to £25,000 of free cyber insurance
• It builds client confidence — the Cyber Essentials badge signals to clients and partners that you take data security seriously

WHO MUST HAVE IT?

Cyber Essentials is mandatory if you bid for UK central government contracts that involve handling personal data or supplying certain technical products and services. It is also a mandatory prerequisite for DCC Level 0 — the entry-level MOD supply chain certification assessed against Def Stan 05-138 (DCC is expected to become mandatory across MOD procurement, though not yet enforced). Many NHS trusts, local councils, and large enterprise clients now require it from suppliers as a standard condition.

HOW MUCH DOES IT COST AND HOW LONG DOES IT TAKE?

Cyber Essentials starts from £320 + VAT for micro organisations (0–9 employees) through to £600 + VAT for large organisations (250+ employees). These are the IASME-set fees — see our pricing page for a full breakdown. For most well-prepared organisations, the self-assessment can be completed within a few days. Our guided submission support at the start helps identify anything that needs addressing in advance.

WHAT ABOUT CYBER ESSENTIALS PLUS?

Cyber Essentials Plus is the independently verified version — an IASME-approved assessor conducts a technical audit of your systems to confirm controls are correctly implemented. It is required for some higher-value government contracts and provides a higher level of assurance. If you are unsure which level you need, contact us and we will advise based on your contracts and clients.

Two time limits apply to the CE Plus process. Once you pass Cyber Essentials basic, you have 90 days (3 months) from that certification date to complete and pass CE Plus. If issues are found during the audit, you have 30 days from the date the assessment started to remediate and have checks revisited. Both windows apply simultaneously. If either expires before CE Plus is passed, you must re-certify at CE basic level before restarting — at additional cost. Preparation and prompt action once CE basic is certified are essential.