
Cyber Essentials Certification: What It Is, How It Works and Why It Matters

By the Assured Cyber Protection team · Updated 2026 · Reviewed

Cyber Essentials certification is a UK Government-backed scheme that proves your organisation has the five basic technical controls needed to stop the most common cyber-attacks. It was created by the National Cyber Security Centre (NCSC) and is run by the IASME Consortium through a network of certification bodies across the UK. For most small businesses it is the cheapest, fastest and most recognised way to show customers, insurers and public-sector buyers that your security meets a sensible minimum. This guide explains what the certificate covers, how the assessment actually works, what it costs, and the changes landing in April 2026 that you need to plan for.

What Cyber Essentials actually checks

The whole scheme is built around five technical controls. Get these right and you have closed off most of the routes attackers use.

  1. Firewalls. Every device that connects to the internet sits behind a properly configured firewall.
  2. Secure configuration. Devices and software are set up to reduce vulnerabilities: no default passwords, no unnecessary accounts or services switched on.
  3. Security update management. Operating systems and applications are kept patched, with high-risk and critical updates applied quickly.
  4. User access control. People only have the access they need, accounts are managed properly, and administrator rights are restricted.
  5. Malware protection. Anti-malware is in place on devices, whether through built-in tools, third-party software or application allow-listing.

The NCSC’s case for the scheme is blunt: most cyber-attacks are basic in nature, and these five controls protect against roughly 80% of them. There is supporting real-world evidence too. Insurer claims data cited around the scheme suggests certified organisations are significantly less likely to make a cyber-insurance claim, with a reduction of around 80% reported (and more recent estimates higher still). That is claims data, not a guarantee, but it is a strong signal that the basics work.

The two levels: Cyber Essentials and Cyber Essentials Plus

There are two certificates, and the difference matters when you plan.

Cyber Essentials is a verified self-assessment. You answer a structured questionnaire about how you meet the five controls, and a certification body reviews your answers. It is not a technical test of your network, so a clean self-assessment is mostly about being honest and organised.

Cyber Essentials Plus covers the exact same five controls, but a qualified assessor independently tests them: they carry out a hands-on technical audit, including vulnerability scans and checks on a sample of your devices. You must hold the basic certificate first, and you have to complete Plus within three months of achieving it. Miss that window and you start the self-assessment again.

A useful way to think about it: the standard certificate says “we have told an assessor we do these things.” Plus says “an assessor checked, and we do.” If you are bidding for contracts that demand it, or you simply want the stronger assurance, go for Plus.

How the process works, step by step

The mechanics are straightforward, and it helps to walk through them before you start.

  • Read the controls and self-assess. Work through the five controls and find the gaps. The most common fixes are enabling multi-factor authentication, removing unsupported software, and tightening administrator accounts.
  • Choose a certification body and create a portal account. Once your account is created you have up to six months to complete and submit the questionnaire, so there is no rush to finish in one sitting.
  • Complete and submit the questionnaire. Answer every question for your whole scope. Vague or contradictory answers are what slow people down.
  • Get the result. Once a clean self-assessment is submitted, a pass can come back the same day. For most SMEs the full journey from starting to certified runs two to four weeks, faster if you were already close.
  • Renew annually. The certificate is valid for twelve months from the date on it. There is no grace period, so diary the renewal.

If you fail, you usually get feedback on what to fix and a chance to resubmit. It is not a one-shot exam.

What it costs

IASME sets flat assessment fees by organisation size, and they are published, so be wary of anyone quoting fuzzy numbers. The self-assessment starts from around £300 to £330 plus VAT for the smallest businesses, then rises by headcount band: micro (up to 9 staff), small (10 to 49), medium (50 to 249) and large (250 and over) each pay a higher fixed fee. You can see the current tiers on the IASME Cyber Essentials page.

Cyber Essentials Plus is priced separately by each certification body because it depends on the size and complexity of your network, and there may be travel costs for on-site testing. Expect it to cost several times the self-assessment fee, more for large or complex estates. We break the numbers down further in our guide to Cyber Essentials cost in the UK and the April 2026 MFA rule.

The free cyber insurance most businesses miss

Here is the benefit buyers routinely overlook. If your organisation is based in the UK with annual turnover under £20 million, achieving Cyber Essentials lets you opt in to £25,000 of cyber liability insurance at no extra cost, including access to a 24/7 incident-response helpline for technical, legal and crisis support. The cover runs for twelve months from certification.

There is one catch worth stating plainly: the whole organisation must be certified, not just one department or site, and the turnover limit applies. For a genuinely small business that already needs the certificate, this is close to free baseline cover. We explain exactly how it works in our guide to free cyber insurance with Cyber Essentials, and if you are weighing whether you need more than the basic policy, start with do I need cyber insurance.

The April 2026 changes you need to plan for

The questions change over time, and a common accuracy gap on other pages is that they describe old question sets. The live question set is Willow (requirements v3.2), in force since 28 April 2025. Willow already brought cloud-based AI and large-language-model tools, such as Microsoft Copilot and ChatGPT Enterprise, into scope as cloud services, and tightened update timeframes.

The new Danzell question set (requirements v3.3) applies to assessment accounts created on or after 28 April 2026. Accounts created before that date are assessed under the current Willow question set, even if you finish later. The headline changes:

  • Multi-factor authentication becomes mandatory for all cloud services where it is available. No MFA where it could be enabled is now an automatic fail.
  • Tighter patching rules mean high-risk and critical updates to operating systems, firmware and applications must be applied within 14 days, or you fail.
  • Updated scoping and definitions, including clearer guidance on cloud services, application development and backups.

If your renewal falls after April 2026, sort out MFA everywhere and a reliable patching routine now. IASME has published the full April 2026 changes if you want the detail.

Cyber Essentials vs ISO 27001: which do you need?

These two get confused constantly, so the short version: Cyber Essentials is narrow, fast and UK-focused; ISO/IEC 27001 is broad, slower and recognised internationally.

Cyber Essentials checks five technical controls, and you can be certified in weeks. ISO 27001 certifies an entire information security management system (the policies, processes and risk management around your data); it typically takes the better part of a year and stays valid for three years, with annual surveillance audits.

For most UK small businesses, Cyber Essentials is the right starting point, and it is a recognised stepping-stone towards ISO 27001 later. IASME also offers Cyber Assurance, its own next-step standard that sits above Cyber Essentials if you want more than the basics without the full ISO commitment. Choose based on who is asking: UK public-sector and SME customers usually want Cyber Essentials; large enterprise and overseas clients often ask for ISO 27001.

Do you legally need it?

There is no general law requiring every business to hold Cyber Essentials. But it is mandatory in practice for many UK central government and public-sector contracts that involve handling personal data or certain technical services, and some Ministry of Defence contracts specifically require Cyber Essentials Plus. If you bid for, or want to bid for, government work, treat it as a requirement rather than a nice-to-have. Even where it is not demanded, more private buyers now ask for it during procurement, and it pairs naturally with a sensible cyber insurance approach for UK small businesses.

Frequently asked questions

How much does Cyber Essentials certification cost? The self-assessment starts from around £300 to £330 plus VAT for the smallest businesses and rises by headcount band, with fixed fees for micro, small, medium and large organisations. Cyber Essentials Plus is quoted separately by your certification body based on network size and complexity, and costs several times the self-assessment fee.

How long does certification take, and how long is it valid? Most SMEs certify within two to four weeks, and a pass can come back the same day once a clean self-assessment is submitted. The certificate is valid for twelve months, so you renew annually. You have up to six months to complete the questionnaire after creating your portal account.

What is the difference between Cyber Essentials and Cyber Essentials Plus? Both cover the same five controls. Cyber Essentials is a verified self-assessment reviewed by a certification body. Cyber Essentials Plus adds an independent hands-on technical audit, including device checks and scans, and must be completed within three months of the basic certificate.

Do I really get free cyber insurance with it? Yes, if your organisation is UK-based with annual turnover under £20 million and the whole organisation is certified. You can opt in to £25,000 of cyber liability cover at no extra cost, with a 24/7 incident-response helpline, running for twelve months from certification.

Can I do the self-assessment myself, or do I need an IT provider? You can complete it yourself, especially if your setup is simple. If your devices, cloud services or remote-working setup are more complex, an IT provider can help you close gaps before you submit and avoid a fail.

Is Cyber Essentials mandatory? Not by general law, but it is required for many UK government and public-sector contracts, and some MoD contracts require Cyber Essentials Plus. For private work it is increasingly expected during procurement.
