
Cyber Essentials (UK)

UK government-backed, NCSC-endorsed cyber security certification that protects organisations from the most common attacks.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed cyber security certification scheme, overseen by the National Cyber Security Centre (NCSC) and delivered by IASME-approved Certification Bodies. It defines a core set of technical controls that, when implemented correctly, protect against the most common internet-borne attacks.
The scheme has two certification levels: Cyber Essentials (independently verified self-assessment) and Cyber Essentials Plus (includes a hands-on technical audit). Both levels are built on the same underlying technical requirements and five control areas.
For many organisations, Cyber Essentials is the minimum baseline expected by customers, insurers and regulators, and it is mandatory for certain UK government contracts that handle specific types of sensitive information or require remote administration of government systems.
Who Needs Cyber Essentials Certification?

Typical Organisations

  • UK SMEs, IT service providers and SaaS vendors handling client data.
  • Managed service providers (MSPs) and consultancies supporting multiple clients.
  • Charities and non-profits that process personal or sensitive data.
  • Public sector suppliers, including local authorities, NHS suppliers and education institutions.

Government & Supply Chain Requirements

  • Becomes a requirement for bidding on or executing select defence contracts.
  • Provides a clear, structured roadmap for improving cyber security maturity.
  • Reduces confusion by using a single framework recognised by government and prime contractors.
  • Positions suppliers for cross-border opportunities where similar certification is needed.
Even when not explicitly mandated, Cyber Essentials is widely adopted as a “table stakes” security baseline for UK organisations of all sizes.
The Five Cyber Essentials Technical Control Areas


Perimeter & Endpoint

1. Firewalls & Internet Gateways

Protect devices and services that connect to the internet by ensuring that firewalls (network or host-based) are correctly configured and maintained.

Hardening

2. Secure Configuration

Systems and devices must be built and maintained in a secure state, reducing unnecessary attack surface.

Identity & Access

3. User Access Control

Limit user access to systems and data to the minimum required for their role and manage privileged accounts carefully.

Endpoint Protection

4. Malware Protection

Protect against malware and ransomware using appropriately configured anti-malware, EDR or application control tools.

Vulnerability Management

5. Security Update (Patch) Management

Keep software and devices up to date by applying security updates within a reasonable timeframe and removing unsupported products.

Two Levels of Cyber Essentials Certification

Level One

Cyber Essentials (Self-Assessment)

Cyber Essentials is an independently verified self-assessment. Your organisation completes an online questionnaire covering your scope, devices, users, work locations and the five control areas.
  • Questionnaire completed via an IASME-approved Certification Body portal.
  • Signed off by a board member or equivalent senior responsible officer.
  • Reviewed and marked by an independent assessor; clarifications may be requested.
  • On success, you receive a certificate, branding/marks usage, and are listed as certified.
  • Certification is valid for 12 months and must be renewed annually.

Level Two

Cyber Essentials Plus (Technical Audit)

Cyber Essentials Plus uses the same technical controls but adds a hands-on technical audit to verify that your environment is actually configured as claimed in your self-assessment.
  • Cyber Essentials (self-assessment) is a mandatory prerequisite for Plus.
  • Includes internal and external vulnerability scans on in-scope systems.
  • Sample device build reviews (laptops, desktops, servers, mobile devices).
  • Verification of patching, malware protection, user access and secure configuration.
  • Additional assurance for customers, regulators and insurers that controls are effectively implemented.
Official Cyber Essentials Certification Pricing (Self-Assessment)
The base Cyber Essentials self-assessment fee is set centrally and depends on organisation size (assessment only, excluding any consultancy/managed support). Prices are typically:
  • Micro (0–9) : ~£320 + VAT. Entry-level price for very small organisations.
  • Small (10–49) : ~£440 + VAT. Reflects increased complexity and infrastructure size.
  • Medium (50–249) : ~£500 + VAT. More users, devices and potential scope.
  • Large (250+) : ~£600 + VAT. Highest standard band; very large enterprises may pay more via support packages.
Cyber Essentials Plus pricing is not fixed and depends on the size and complexity of your network, number of locations and devices sampled. Most Certification Bodies will provide a tailored quote.
Cyber Liability Insurance Included with Cyber Essentials
When you achieve Cyber Essentials (self-assessed) through IASME or one of its licensed Certification Bodies, you may be eligible for built-in cyber liability insurance.
  • Eligibility : UK-domiciled organisation (or Crown Dependencies) with annual turnover under £20m.
  • Scope : Certification must cover the entire organisation (not just a subset of systems).
  • Opt-in : You must opt-in to the insurance during the certification process.
The included policy typically provides:
  • Up to £25,000 total limit of indemnity for covered incidents.
  • 24/7 incident response helpline for technical, legal and crisis management support.
  • Cover for certain event management costs, data recovery, regulatory investigations and business interruption (within policy limits).
The included insurance is intended as an entry-level safety net. Many organisations choose to upgrade to higher cover limits separately, especially if handling large volumes of sensitive data or facing higher business impact.
Cyber Essentials Certification Process — Step by Step
1. Define scope
Identify what will be included in your certification: office locations, cloud services (e.g. Microsoft 365, Google Workspace), servers, endpoints, and remote-working devices. For the built-in insurance and strongest assurance, scope your entire organisation.
2. Gather asset and configuration information
Compile inventories of devices, operating systems, applications, accounts, firewall/router details and security tools. This information directly feeds into the questionnaire and helps avoid last-minute surprises.
3. Perform an internal gap analysis
Review your current position against the five control areas: firewalls, secure configuration, access control, malware protection, and patch management. Identify non-compliant areas such as unsupported OS versions, missing MFA, weak passwords or unpatched systems.
4. Remediate key issues
Fix high-priority gaps:
  • Enforce strong passwords and (where applicable) multi-factor authentication.
  • Remove or isolate unsupported devices and software.
  • Enable and harden firewalls on all relevant devices.
  • Deploy or update anti-malware/EDR.
  • Implement a formal patching process and clear timelines.
5. Complete the online self-assessment
Purchase Cyber Essentials via your chosen Certification Body, log into the IASME assessment portal, and complete the structured question set. Provide clear, factual answers supported by evidence where requested.
6. Board-level sign-off
A board member or senior executive must review the responses and formally confirm that the assessment accurately reflects the organisation’s environment and practices.
7. Assessor review & clarification
The Certification Body’s assessor checks your responses. They may:
  • Accept and pass the assessment.
  • Ask for additional information or clarification.
  • Highlight issues that must be remediated before passing.
8. Certification issued
On passing, you receive:
  • Your Cyber Essentials certificate (valid for 12 months).
  • Use of the Cyber Essentials logo/mark for marketing and tender responses.
  • Inclusion in the public directory of certified organisations.
  • Cyber liability insurance (if eligible and opted in).
9. Optional: Progress to Cyber Essentials Plus

Within a defined timeframe (often three months), you can schedule a Cyber Essentials Plus audit, during which the assessor will perform technical testing and validation activities to confirm your controls are working as described.

10. Annual renewal
Cyber Essentials is not a one-off exercise. You must renew annually to maintain certification, keep insurance in force and stay on the list of certified organisations.
Common Reasons Organisations Fail Cyber Essentials the First Time

Technical & Configuration Issues

  • Unsupported or out-of-date operating systems still in active use.
  • Unpatched devices with critical/high vulnerabilities older than the allowed patch window.
  • Firewalls/router devices left with default passwords or open inbound ports that aren’t justified.
  • Endpoint malware protection not installed or not centrally monitored.

Process & Governance Gaps

  • No formal process for granting and reviewing admin privileges.
  • Inadequate joiner/mover/leaver procedures; ex-employee accounts still active.
  • Weak or inconsistent password policies without MFA on critical services.
  • Scope confusion — key systems, remote workers or cloud services omitted from the assessment unintentionally.
Conducting a pre-assessment review and fixing these issues before starting the formal questionnaire dramatically increases the likelihood of passing first time.
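The internal gap analysis (step 3) and the common first-time failure reasons above can be scripted as a pre-assessment check. The following is an added example, not ComplySec360, IASME or NCSC code: it runs a constructed device and account inventory against the five control areas and groups findings by area. The supported-OS list, default-password list and 14-day patch window are assumptions made for the example; confirm the current window against the official requirements document.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14                                   # assumed window for critical/high fixes
SUPPORTED_OS = {"Windows 11", "Ubuntu 22.04", "macOS 14", "FW-OS 3"}  # constructed list
DEFAULT_PASSWORDS = {"admin", "password", "changeme"}    # constructed examples

# Constructed inventory: every host, user, date and value below is made up.
DEVICES = [
    {"host": "fw-edge", "os": "FW-OS 3", "admin_password": "admin",
     "inbound_rules": [{"port": 3389, "justification": ""},
                       {"port": 443, "justification": "public web"}]},
    {"host": "lt-001", "os": "Windows 7", "anti_malware": True,
     "oldest_high_fix_available": date(2024, 4, 1)},
    {"host": "lt-002", "os": "Windows 11", "anti_malware": False,
     "oldest_high_fix_available": date(2024, 5, 20)},
]
ACCOUNTS = [
    {"user": "j.smith", "admin": True, "mfa": False, "employed": True},
    {"user": "a.jones", "admin": False, "mfa": True, "employed": False},
]

def check_devices(devices, today):
    """Return (host, control_area, finding) for each device-level gap."""
    findings = []
    for d in devices:
        h = d["host"]
        if d["os"] not in SUPPORTED_OS:                  # unsupported product in use
            findings.append((h, "Patch Management", f"unsupported OS: {d['os']}"))
        since = d.get("oldest_high_fix_available")
        if since and (today - since).days > PATCH_WINDOW_DAYS:
            findings.append((h, "Patch Management",
                             f"high/critical fix outstanding {(today - since).days} days"))
        if d.get("admin_password") in DEFAULT_PASSWORDS:
            findings.append((h, "Secure Configuration", "default administrative password"))
        for r in d.get("inbound_rules", []):             # open inbound ports need a reason
            if not r["justification"]:
                findings.append((h, "Firewalls", f"inbound port {r['port']} open without documented justification"))
        if d.get("anti_malware") is False:               # None means not applicable (e.g. firewall)
            findings.append((h, "Malware Protection", "no anti-malware/EDR installed"))
    return findings

def check_accounts(accounts):
    """Return (user, control_area, finding) for leaver and privileged-account gaps."""
    findings = []
    for a in accounts:
        if not a["employed"]:
            findings.append((a["user"], "User Access Control", "leaver account still active"))
        if a["admin"] and not a["mfa"]:
            findings.append((a["user"], "User Access Control", "privileged account without MFA"))
    return findings

def gap_report(today=date(2024, 6, 1)):
    """Group findings by control area so remediation (step 4) can be prioritised."""
    by_area = {}
    for subject, area, text in check_devices(DEVICES, today) + check_accounts(ACCOUNTS):
        by_area.setdefault(area, []).append(f"{subject}: {text}")
    return by_area

if __name__ == "__main__":
    for area, items in gap_report().items():
        print(area, *items, sep="\n  - ")
```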
Cyber Essentials vs Cyber Essentials Plus
  • Assessment Type : Cyber Essentials: independently verified self-assessment questionnaire. Cyber Essentials Plus: self-assessment plus hands-on technical audit and testing.
  • Evidence Collection : Cyber Essentials: questionnaire responses, configuration descriptions, limited screenshots or artefacts. Cyber Essentials Plus: direct inspection of systems, vulnerability scans, device sampling and technical validation.
  • Assurance Level : Cyber Essentials: demonstrates baseline controls are designed and claimed to be in place. Cyber Essentials Plus: provides higher confidence that controls are implemented and operating effectively.
  • Cost : Cyber Essentials: fixed fee based on organisation size. Cyber Essentials Plus: variable; depends on size, complexity and number of locations/devices tested.
  • Typical Use Cases : Cyber Essentials: small organisations, early-stage security programmes, basic supply chain requirements. Cyber Essentials Plus: higher-risk environments, MSPs, SaaS vendors, regulated sectors, and clients demanding stronger assurance.
How ComplySec360 Helps You Achieve & Maintain Cyber Essentials
ComplySec360 can streamline Cyber Essentials and Cyber Essentials Plus readiness by automating evidence collection, mapping controls and orchestrating remediation across your environment.
  • Automatic discovery : Identify users, devices, apps and cloud services in scope.
  • Control mapping : Map your existing controls to the five Cyber Essentials areas and highlight gaps.
  • AI-assisted policies : Generate access control, patch management, backup and secure configuration policies that align to Cyber Essentials expectations.
  • Evidence automation : Pull configuration data, patch status, AV/EDR deployment and firewall information from integrated tools.
  • Readiness dashboards : Track progress towards Cyber Essentials and Plus across sites, teams and technologies.
  • Multi-framework view : Reuse evidence and controls across Cyber Essentials, IASME Cyber Assurance, ISO 27001, NIST CSF, CPCSC, CMMC and more.
Cyber Essentials Resources & Downloadable Guides
Provide your customers and internal teams with clear, practical resources that explain Cyber Essentials and how to prepare for assessment.
  • Cyber Essentials Readiness Checklist
  • Five Controls Explainer for Non-Technical Teams
  • Cyber Essentials vs Plus Buyer’s Guide