
Cyber Essentials and Cyber Essentials Plus: What They Are and How to Achieve Them

Most business owners have heard the term Cyber Essentials at some point. Fewer know what it actually means. And almost none realise they can probably achieve it for a few hundred pounds.

Here’s what it is, why it matters, and how to get there.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme, launched in 2014 and supported by the National Cyber Security Centre (NCSC). It’s now administered by IASME, which oversees the certification bodies that carry out assessments.

The idea is straightforward. Most cyber attacks on UK businesses are not sophisticated. They target basic, fixable weaknesses. Cyber Essentials focuses on five controls that, if properly implemented, would stop the vast majority of them. The NCSC puts that figure at around 80%.

The five controls are:

  1. Firewalls. Your internet-facing devices need properly configured firewalls. Only the services that genuinely need to be accessible from the internet should be.
  2. Secure configuration. Unnecessary software, default accounts, and unused features should be removed or disabled. Every extra component is a potential entry point.
  3. User access control. Staff should only have access to what they need to do their job. Admin privileges need to be tightly controlled and regularly reviewed.
  4. Malware protection. Anti-malware software, application allow-listing, sandboxing, or a combination of these. The method matters less than having something in place that actually works.
  5. Patch management. Software, applications, and firmware need to be kept up to date. Most ransomware attacks exploit vulnerabilities that already have a patch available. There’s no excuse for leaving them open.

Cyber Essentials is a self-assessment. You work through a questionnaire covering each of the five controls, and a certifying body verifies your answers. Pass, and you get certified. The certification lasts 12 months and then needs to be renewed.

What is Cyber Essentials Plus?

Cyber Essentials Plus covers the same five controls. The difference is how they’re verified.

With CE+, you don’t self-assess. An accredited external assessor tests your systems directly. They run vulnerability scans, check your configurations, and verify that your controls actually do what you’re claiming. It’s not about trust. It’s about proof.

CE+ is more expensive and takes longer. But if you’re in a sector that handles sensitive data, or your clients are asking for it as a condition of doing business, it’s the right choice.

What are they designed to protect against?

The five controls are specifically designed to address the most common types of cyber attack on UK businesses:

Cyber Essentials won’t protect you against a targeted, sophisticated attack. It was never meant to. It’s built for the reality most SMEs actually face: opportunistic attacks that rely on easy, preventable weaknesses.

Who needs to get certified?

Realistically, most businesses should have it. But for some, it’s not optional.

If you’re bidding for UK government contracts that involve handling personal data or providing technical services, Cyber Essentials is a requirement. You won’t win the work without it.

If you supply into larger private sector organisations in finance, legal, healthcare, or defence, there is a growing expectation that suppliers hold CE or CE+ as a baseline. Some are now writing it into contracts.

If your business handles any kind of personal or sensitive data, certification is a clear and recognised way to demonstrate that your security meets a national standard.

And if you’re thinking about cyber insurance: UK businesses with annual turnover under £20 million receive a free NCSC-backed cyber insurance policy as part of the certification. That alone is worth taking seriously.

CE vs CE+ at a glance

| | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Verification | Self-assessment | External technical audit |
| Assessed by | You (verified by certifier) | Accredited assessor |
| Certification fee* | ~£300–£500 | ~£1,500–£3,000+ |
| Time to achieve | Days to weeks | Weeks to months |
| NCSC cyber insurance | Included (UK orgs <£20m turnover) | Included (UK orgs <£20m turnover) |
| Best for | Most SMEs | Higher-risk sectors and supply chain requirements |

* The figures in the certification fee row cover the assessment and certificate charged by the certifying body. They do not include any IT consultancy or remediation work needed to bring your systems up to standard before you apply. That cost varies depending on your current setup and what needs fixing. Some businesses are close already. Others have more work to do.

How do you actually achieve it?

Step 1: Find out where you stand
Before you apply, you need to know what gaps exist. A good IT provider will go through the five controls with you, flag what’s missing, and work out what needs to change. This is where costs vary. Some businesses need very little. Others need a proper remediation project. There’s no way to know without looking.

Step 2: Choose a certifying body
You apply through an IASME-accredited certification body. There are several to choose from. For CE, the certification fee is typically in the £300 to £500 range for an SME. That’s the cost of the assessment and certificate. Nothing else.

Step 3: Complete the questionnaire
The self-assessment covers all five controls across every device and piece of software in scope, including cloud services. Your IT provider should be working through this alongside you. It keeps the answers accurate and makes the whole process faster.

Step 4: Get verified and certified
For CE, the certifying body reviews your answers and issues the certificate if everything checks out. For CE+, an assessor runs technical tests against your live systems before the certificate is issued.

Step 5: Renew every year
Certification lasts 12 months. Annual renewal keeps your status current and makes sure your controls are keeping up with changes to your environment.

How long does it take?

For Cyber Essentials, if you’re broadly in good shape already, you can be certified within days. If there are gaps to fix first, such as outdated software or missing MFA, it typically takes a few weeks once the work is done.

CE+ takes longer. Factor in six to twelve weeks for the full process, depending on the size of your environment and when your chosen certifying body can schedule the assessment.

Want to know where your business stands?

At Attenu8 we offer a free IT audit for SMEs across Hertfordshire. We’ll go through the five Cyber Essentials controls with you, tell you honestly where you are, and explain what it would take to get certified. No sales pitch. No obligation.

Get in touch to book your free IT audit.
