Cyber Essentials is a UK government-backed certification scheme that shows your organisation has put the five fundamental cyber security controls in place to defend against the most common online threats. It is overseen by the National Cyber Security Centre (NCSC) and delivered by IASME, and it comes in two levels: Cyber Essentials (a verified self-assessment) and Cyber Essentials Plus (the same controls confirmed by a hands-on technical audit). For most UK businesses it is the quickest, most recognised way to prove a baseline of security to customers, insurers and public-sector buyers.
If you have been asked for Cyber Essentials by a client, an insurer or a tender, or you simply want to reduce your risk of a breach, this guide explains exactly what the certification covers, how to get it, what it costs and how long it lasts.
What is Cyber Essentials?
Cyber Essentials is a scheme launched by the UK government in 2014 to help organisations protect themselves against the most common cyber attacks, such as phishing, malware and unauthorised access. According to the NCSC, the controls it mandates guard against the large majority of internet-based attacks, which typically rely on well-known weaknesses rather than sophisticated techniques.
There are two certification levels:
- Cyber Essentials: a self-assessment questionnaire covering the five controls, independently reviewed and verified by a certification body.
- Cyber Essentials Plus: includes everything in Cyber Essentials, plus a hands-on technical audit where an assessor tests your systems to confirm the controls are genuinely working.
Both levels assess the same five technical controls. The difference is the level of assurance: Cyber Essentials is verified from your answers and supporting evidence, while Cyber Essentials Plus is confirmed by an assessor through vulnerability scans and testing of a sample of your devices.
The five Cyber Essentials controls explained
Cyber Essentials is built around five technical controls. Getting certified means demonstrating that each one is in place across the devices, software and cloud services in scope.
1. Firewalls
Every in-scope device must be protected by a correctly configured firewall: a boundary firewall or router at the network edge, plus the host-based firewall built into laptops and other devices that are used on untrusted networks such as home or public Wi-Fi. Default administrative passwords on firewalls and routers must be changed, remote administration from the internet must be disabled or locked down, unauthenticated inbound connections must be blocked by default, and any inbound rule you do open needs a documented business need and should be removed once it is no longer required.
2. Secure configuration
Systems and devices should be set up to reduce their attack surface: remove or disable software, accounts and services you do not use, change default passwords, and turn off auto-run features that open files without asking. Devices must lock when idle and unlock only with biometrics or a PIN or password of at least six characters, backed by brute-force protection such as locking the device after no more than ten failed attempts. Strong authentication, including multi-factor authentication where it is available, is expected on the accounts that matter.
3. Security update management
Software and operating systems must be licensed, vendor-supported and kept up to date, with automatic updates enabled wherever possible. Updates that fix vulnerabilities rated critical or high (CVSS v3 base score 7.0 or above, or with no score assigned) must be applied within 14 days of release. Software that the vendor no longer supports must be removed from the devices in scope, or the affected devices moved into a segregated sub-set that sits outside the scope. Reliable patch management is one of the areas businesses most often fall down on, and it is the control Cyber Essentials Plus assessors test most directly.
4. User access control
Accounts should only have the access each person actually needs to do their job. Administrator accounts must be separate from everyday user accounts and used only for administrative tasks, never for email or web browsing. Access must be granted through a documented approval process and removed promptly when people leave or change roles. Multi-factor authentication must be enabled on every cloud service that offers it, and passwords must be at least 8 characters where MFA is in place, or at least 12 characters where it is not (8 is acceptable without MFA only if common passwords are blocked by a technical deny list), with each account using unique credentials.
5. Malware protection
Devices must be protected against malware, either with anti-malware software (kept updated in line with the vendor's recommendations and configured to block known malware and connections to malicious websites) or with application allow-listing that only permits approved software to run. Sandboxing, which older versions of the scheme accepted, is no longer a stand-alone option. This control works alongside good cyber security practices and user awareness to reduce the chance of a malicious file or link causing damage.
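The five controls above translate into a small number of concrete, checkable rules, so a useful first step before paying for an assessment is to run your own gap check over your asset and account inventory. The script below is an added worked example written for this article; it is not IASME or NCSC tooling, and the inventory format and the hostnames and users in it are invented for illustration. It encodes the thresholds described above (14-day window for CVSS 7.0+ or unscored updates, no unsupported software in scope, MFA on cloud services, separate admin accounts, 8/12-character password floors, firewall and anti-malware or allow-listing on every device) and lists each gap against the control it belongs to.

```python
"""Pre-assessment gap check against the five Cyber Essentials controls.

Worked example added to this article; it is not IASME or NCSC tooling, and the
inventory format below is invented for illustration. It runs the checks the
assessor's questions imply over a constructed asset inventory and lists each
gap with the control it falls under.
"""
from __future__ import annotations

from datetime import date

PATCH_SLA_DAYS = 14       # critical/high updates must be applied within 14 days
HIGH_RISK_CVSS = 7.0      # CVSS v3 base score at or above this is "high risk"
MIN_PW_WITH_MFA = 8       # password-length floors from the requirements
MIN_PW_WITHOUT_MFA = 12
REPORT_DATE = date(2026, 1, 20)   # "today" for the sample run below


def check_device(dev: dict, today: date) -> list[str]:
    """Controls 1 (firewall), 2 (configuration), 3 (updates), 5 (malware)."""
    name, findings = dev["name"], []
    if not dev.get("firewall_enabled", False):
        findings.append(f"{name}: firewall not enabled (control 1)")
    if dev.get("default_password_in_use", False):
        findings.append(f"{name}: default password still in use (controls 1/2)")
    for sw in dev.get("software", []):
        if not sw.get("vendor_supported", True):
            findings.append(f"{name}: {sw['name']} is out of vendor support (control 3)")
    for upd in dev.get("pending_updates", []):
        age_days = (today - upd["released"]).days
        # Unscored updates are treated as high risk, as the scheme requires.
        high_risk = upd.get("cvss") is None or upd["cvss"] >= HIGH_RISK_CVSS
        if high_risk and age_days > PATCH_SLA_DAYS:
            findings.append(
                f"{name}: {upd['id']} released {age_days} days ago, "
                f"past the {PATCH_SLA_DAYS}-day window (control 3)")
    if not (dev.get("anti_malware") or dev.get("allow_listing")):
        findings.append(f"{name}: no anti-malware or application allow-listing (control 5)")
    return findings


def check_account(acct: dict) -> list[str]:
    """Control 4 (user access control) for one account."""
    user, findings = acct["user"], []
    if acct.get("cloud_service") and not acct.get("mfa", False):
        findings.append(f"{user}: {acct['cloud_service']} account without MFA (control 4)")
    if acct.get("admin", False) and acct.get("used_for_daily_work", False):
        findings.append(f"{user}: admin account used for everyday work (control 4)")
    floor = MIN_PW_WITH_MFA if acct.get("mfa", False) else MIN_PW_WITHOUT_MFA
    if acct.get("password_min_length", 0) < floor:
        findings.append(f"{user}: password policy allows fewer than {floor} characters (control 4)")
    if acct.get("left_organisation", False) and acct.get("enabled", True):
        findings.append(f"{user}: leaver's account still enabled (control 4)")
    return findings


def gap_report(inventory: dict, today: date) -> dict:
    """Run every check and say whether the estate looks ready to apply."""
    findings: list[str] = []
    for dev in inventory.get("devices", []):
        findings.extend(check_device(dev, today))
    for acct in inventory.get("accounts", []):
        findings.extend(check_account(acct))
    return {"ready": not findings, "findings": findings}


# Constructed sample inventory (made-up hostnames and users, not real systems).
SAMPLE_INVENTORY = {
    "devices": [
        {"name": "LAPTOP-01", "firewall_enabled": True, "anti_malware": True,
         "software": [{"name": "Current desktop OS", "vendor_supported": True}],
         "pending_updates": [{"id": "update-A", "cvss": 8.8, "released": date(2026, 1, 2)}]},
        {"name": "FILESRV-01", "firewall_enabled": False, "default_password_in_use": True,
         "software": [{"name": "End-of-life server OS", "vendor_supported": False}],
         "pending_updates": [{"id": "update-B", "cvss": 5.3, "released": date(2025, 12, 1)}],
         "anti_malware": False, "allow_listing": False},
    ],
    "accounts": [
        {"user": "alice", "cloud_service": "Microsoft 365", "mfa": True,
         "admin": False, "password_min_length": 12},
        {"user": "bob-admin", "cloud_service": "Microsoft 365", "mfa": False,
         "admin": True, "used_for_daily_work": True, "password_min_length": 8},
        {"user": "carol", "cloud_service": None, "mfa": False, "admin": False,
         "password_min_length": 12, "left_organisation": True, "enabled": True},
    ],
}

if __name__ == "__main__":
    report = gap_report(SAMPLE_INVENTORY, today=REPORT_DATE)
    print("Ready to apply:", report["ready"])
    for line in report["findings"]:
        print(" -", line)
```

On the sample data the laptop fails only on the 18-day-old high-risk update, while the file server fails four ways at once (no firewall, default password, unsupported OS, no malware protection); its medium-severity update is not a breach because the 14-day rule applies to critical and high ratings only. Feed the same structure from your RMM or MDM export and the findings list is effectively your remediation plan.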
How do you get Cyber Essentials certified?
Certification is straightforward, especially with support from an IT partner who manages your systems day to day. The process looks like this:
- Define your scope. Decide what is included: ideally your whole organisation, although a clearly defined sub-set is allowed. The scope must cover every device and cloud service that accesses organisational data or services, including staff-owned devices used for work and the equipment of home and remote workers.
- Assess yourself against the five controls. Review your firewalls, configuration, updates, access control and malware protection, and fix any gaps before you apply.
- Complete the self-assessment questionnaire through a certification body on the IASME platform.
- Submit for verification. Your answers are reviewed by the certification body. For Cyber Essentials Plus an assessor then carries out the technical audit and scans, which must be completed within three months of your basic Cyber Essentials certificate being issued.
- Receive your certificate once you pass, and display it to customers and in tenders.
For most small and medium businesses the hardest part is closing the gaps the assessment exposes, not the paperwork. This is where working with a managed IT support provider makes the difference: patching, access control and secure configuration are exactly the things a good provider already handles for you. If you would prefer end-to-end help, our IT security and compliance team guides organisations through both Cyber Essentials and Cyber Essentials Plus.
How much does Cyber Essentials cost?
Cyber Essentials self-assessment pricing is set by IASME and tiered by organisation size. As a guide for 2026, the basic Cyber Essentials certification ranges from around £320 +VAT for a micro organisation up to roughly £600 +VAT for a large one. Cyber Essentials Plus costs more because of the technical audit involved, and is usually priced by the assessor based on the size and complexity of your environment, often running to several thousand pounds.
Because pricing and tiers are reviewed periodically, always confirm the current figures with your certification body before you budget. The bigger cost for most businesses is the remediation work needed to meet the controls, which is far cheaper than the cost of a breach.
How long does Cyber Essentials last?
A Cyber Essentials or Cyber Essentials Plus certificate is valid for 12 months. After that you need to recertify to keep your certification current and to remain eligible for contracts or insurance terms that require it. Treating it as an annual checkpoint, rather than a one-off, is the healthiest approach, because your systems, staff and threats all change over the year.
Is Cyber Essentials worth it for your business?
For most UK organisations, yes. The certification delivers several tangible benefits:
- Win more work. Cyber Essentials is mandatory for UK central government contracts that involve handling personal information or providing certain ICT products and services (Procurement Policy Note 09/14), and it is increasingly required in private-sector tenders and supply chains.
- Reduce your risk. The five controls block the overwhelming majority of common attacks, which is why the scheme exists.
- Strengthen cyber insurance. Many insurers expect, or reward, a recognised baseline like Cyber Essentials, and UK organisations with an annual turnover under £20 million that certify their whole organisation receive cyber liability insurance included with the basic certification.
- Build customer trust. Displaying certification reassures clients that you take protecting their data seriously.
- Create a foundation. It is a sensible stepping stone towards more advanced standards such as ISO 27001.
Cyber Essentials is a baseline, not a complete security strategy. It works best as part of a broader, proactive approach that also covers monitoring, backups and user training. To understand how the pieces fit together, see our guides on cyber security essentials for SMEs and managed cyber security versus traditional antivirus.
Frequently asked questions
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Both cover the same five technical controls. Cyber Essentials is a self-assessment that is independently verified, while Cyber Essentials Plus adds a hands-on technical audit, including vulnerability scanning and testing of a sample of your devices, to confirm the controls are genuinely working. Cyber Essentials Plus provides a higher level of assurance.
How much does Cyber Essentials cost?
Basic Cyber Essentials is tiered by organisation size, ranging from around £320 +VAT for a micro business to roughly £600 +VAT for a large one in 2026. Cyber Essentials Plus costs more due to the technical audit and is priced by the assessor. Always confirm current pricing with your certification body.
How long does Cyber Essentials certification last?
Certification is valid for 12 months. You need to recertify each year to keep it current and to stay eligible for any contracts, insurance or supply-chain requirements that depend on it.
Is Cyber Essentials mandatory?
It is mandatory for certain UK central government contracts that involve handling specific types of information, and many private-sector buyers and insurers now require it too. Even where it is not strictly required, it is strongly recommended as a security baseline.
How long does it take to get Cyber Essentials certified?
If your controls are already in good shape, the self-assessment can often be completed and verified within a few days. Where gaps exist, the timeline depends on how long the remediation work takes, which is where a managed IT provider can speed things up considerably.
Do I need Cyber Essentials for my small business?
If you bid for public-sector work, handle client data, or want stronger cyber insurance, Cyber Essentials is well worth pursuing. Even without those drivers, the five controls represent good practice that protects any small business from the most common attacks.
Getting certified with the right partner
Cyber Essentials is achievable for any organisation, but the speed and ease of getting there depends on how well your IT is already managed. Firewalls, patching, access control, secure configuration and malware protection are the day-to-day fundamentals a good IT partner keeps on top of for you.
At Synergi Tech, we help UK businesses prepare for and achieve both Cyber Essentials and Cyber Essentials Plus, close the gaps the assessment exposes, and maintain certification year after year as part of proactive managed IT support. To learn more about the scheme and our certification support, visit our Cyber Essentials page or get in touch for a free, no-obligation appraisal.