Christian M. 10 min read

What is Cyber Essentials certification?

Cyber Essentials is a UK Government-backed scheme that helps businesses protect themselves against common cybersecurity threats. It sets out a clear framework of basic security measures that all organisations should have in place, no matter their size or sector.

This guide explains how to get certified and how achieving Cyber Essentials can support your organisation’s cybersecurity compliance.


What is Cyber Essentials?

Cyber Essentials is a recognised UK cybersecurity certification designed to help organisations build strong defences against everyday online threats.

Created by the National Cyber Security Centre (NCSC) and administered by the IASME Consortium, it sets out five key technical controls that stop the majority of common cyber attacks.

Achieving Cyber Essentials certification shows that your business has the essential security measures in place to defend its data, devices and systems. It is not a legal requirement, but it is widely recognised as a baseline for cybersecurity compliance and is often required for public sector contracts and private sector tenders.

By following Cyber Essentials, businesses can block around 80% of routine cyber threats, giving them a strong foundation for long-term resilience against cyber attacks.


What does Cyber Essentials cover?

Cyber Essentials focuses on five technical controls designed to prevent the most common forms of cyber attack. These are:

Firewalls and routers

Protecting your broadband connection with properly configured business broadband routers and firewalls to block unauthorised access to your network.

Secure configuration

Ensuring all company devices and software are set up securely, with unnecessary services or accounts removed or disabled.

Access control

Limiting user accounts and permissions to only those who require them, and utilising strong authentication methods to minimise the risk of compromise.

Malware protection

Installing and maintaining anti-malware software, and implementing measures such as application allow-listing to prevent malicious code from running.

Security update management

Keeping all cybersecurity software, operating systems and devices up to date with the latest security patches to close known vulnerabilities.


The difference between Cyber Essentials and Cyber Essentials Plus

Cyber Essentials is available at two levels. The core controls are the same, but the level of verification is different. The table below shows how they compare:

Category | Cyber Essentials | Cyber Essentials Plus
Assessment method | Online self-assessment questionnaire | Independent technical audit by a certification body
Verification level | Internal confirmation of controls | External testing to prove controls are working
Typical users | Small and medium-sized businesses | Larger or regulated organisations
Time and complexity | Quick to complete, minimal disruption | More in-depth, requires planning and preparation
Certification validity | 12 months | 12 months

Why should your business get Cyber Essentials certification?

Cyber Essentials is more than just a security badge; it’s a practical way to reduce risk and build confidence with customers, suppliers and insurers. Here are the key benefits of obtaining Cyber Essentials certification.

  • Protects your business from common threats: Blocks around 80% of basic cyber attacks such as phishing, malware and hacking attempts.
  • Shows you meet recognised security standards: Demonstrates alignment with UK Government-backed guidance from the NCSC and IASME.
  • Builds trust with customers and partners: Reassures clients that you take data protection seriously and handle their information securely.
  • Opens the door to new contracts: Many public sector contracts and large private tenders now require Cyber Essentials as a minimum.
  • Reduces operational risk and disruption: Fewer incidents mean less downtime, lost data and costly recovery work.

Cyber Essentials for small businesses

Cyber Essentials was created to provide small and medium-sized enterprises (SMEs) with a clear and affordable way to protect themselves against common cyber threats. It’s designed to be achievable without specialist IT teams, making it ideal for organisations that want to build strong defences as they grow.

Although larger companies also use the scheme, Cyber Essentials for small businesses is especially valuable because it helps prove to customers, suppliers and insurers that even a small organisation takes security seriously. It also supports broader cybersecurity compliance by establishing clear policies and protections from the outset.

The table below shows how Cyber Essentials applies to different sizes of SME and the main benefits it delivers:

Business size | Typical challenges | How Cyber Essentials helps
Micro (1–9 staff) | Limited IT expertise or budget | Provides a ready-made framework of security basics to follow with minimal cost or complexity
Small (10–49 staff) | Growing customer base and handling more data | Demonstrates data protection practices, reduces cyber risk, and builds client trust
Medium (50–249 staff) | Expanding operations and seeking larger contracts | Formalises security processes, supports tender bids, and reassures supply chain partners

Cyber Essentials password requirements and policies

Passwords are a crucial component of any effective cybersecurity strategy. Under Cyber Essentials, having strong password policies is not just best practice; it’s a requirement for cybersecurity compliance.

Below are the key rules, best practices, and rationale businesses need to follow to meet standards and reduce risk.

Multi-factor authentication (MFA)

MFA must be enabled wherever possible, especially for administrator accounts and any accounts that can be accessed from the internet. Adding a second verification factor makes it far harder for attackers to break in, even if a password is stolen.

Minimum password length

Passwords must be at least 8 characters long if MFA is in place, but 12 characters or more are required where MFA cannot be used. Longer passphrases are strongly recommended, as they are easier to remember and harder to crack.

Preventing weak or reused passwords

Businesses must block obvious and commonly used passwords through a deny list and ensure users cannot reuse the same password across multiple services. This helps prevent credential stuffing attacks, where stolen passwords are tested across different systems.

Password changes

Regular password resets are not required unless there is evidence of compromise. Forcing users to change passwords on a set schedule often leads to weaker choices, so resets are only necessary if there is a suspected breach.

Default passwords

Any default-supplied passwords must be changed before deploying devices or software on your network. Default credentials are widely known and one of the easiest entry points for cyber criminals.

Protection against brute-force attacks

Cyber Essentials requires businesses to implement measures that prevent attackers from repeatedly guessing passwords. This includes account lockouts or throttling after multiple failed login attempts.

Supporting strong password practices

The scheme encourages businesses to use password managers, educate staff on creating strong passphrases, and ensure passwords are stored and handled securely. These measures help staff follow policy without creating usability issues.
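As an added illustration (not code from this page, IASME or the NCSC), the following Python models the password rules and brute-force protection described above: the MFA-dependent minimum length, a deny list of common passwords, a reuse check against previous password hashes, and lockout after repeated failures. The deny list entries and the lockout thresholds are constructed sample values, not figures the scheme mandates.

```python
import hashlib
from collections import defaultdict, deque

# Constructed sample deny list; a real deployment would load a much larger
# published list of breached or common passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LEN_WITH_MFA = 8      # minimum length where MFA is in place
MIN_LEN_WITHOUT_MFA = 12  # minimum length where MFA cannot be used


def password_hash(password: str) -> str:
    """Hash used only to compare against previously used passwords (assumption: SHA-256 hex)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, mfa_enabled: bool, previous_hashes=None) -> list:
    """Return a list of policy failures; an empty list means the password is acceptable."""
    failures = []
    required = MIN_LEN_WITH_MFA if mfa_enabled else MIN_LEN_WITHOUT_MFA
    if len(password) < required:
        failures.append(f"too short: {len(password)} < {required} (mfa {'on' if mfa_enabled else 'off'})")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("on deny list of common passwords")
    if previous_hashes and password_hash(password) in previous_hashes:
        failures.append("reused from a previous or other-service password")
    return failures


class LoginThrottle:
    """Lock an account after max_failures failed logins within window seconds (sample thresholds)."""

    def __init__(self, max_failures=5, window=900, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lockout ends

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Record one failed attempt; returns True if the account is now locked."""
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
        return self.is_locked(account, now)

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
```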


How much does Cyber Essentials cost?

The cost of Cyber Essentials depends on the level you choose and the size of your organisation.

The basic Cyber Essentials certification usually costs between £300 and £500 (excluding VAT). This covers the self-assessment questionnaire, which is reviewed by an IASME-accredited certification body.

Cyber Essentials Plus is more expensive, starting from around £1,000 and rising for larger or more complex organisations. This includes the same self-assessment questionnaire and an independent technical audit to verify that the controls are working in practice.

Smaller businesses often start with Cyber Essentials as an affordable way to prove good security practices. Larger or more regulated organisations usually choose Cyber Essentials Plus to provide stronger external assurance.


How to get certified with Cyber Essentials

Getting Cyber Essentials is straightforward if you follow a clear step-by-step process. Here’s how to move from planning to certification:

1. Set your scope

Decide which parts of your business will be included in the certification, such as offices, home workers, laptops, mobiles, cloud services (like business VoIP phone systems), internet-facing systems, and any third-party managed devices. Create a short written scope and a basic asset list.

2. Check your readiness

Use IASME’s free Cyber Essentials Readiness tool to see how close you are to meeting the requirements.

3. Review the question set

Familiarise yourself with the questions you’ll be asked during the real assessment; the Cyber Essentials self-assessment questions are available as a free download.

4. Fix the basics

Close any obvious gaps in the five controls. Change default passwords, turn on multi-factor authentication (MFA), remove unused accounts, enable malware protection everywhere, apply current security updates, and restrict firewall rules to only what is needed.

5. Choose a certification body

Pick an IASME-accredited certification body to assess your application.

When choosing, ask about pricing, turnaround times, and whether they can deliver the optional Plus audit if you need it.

6. Complete the self-assessment

Your chosen certification body will provide you with access to the IASME portal, where you can complete the official questionnaire. Answer the questions based on your defined scope and have a senior responsible person in your organisation approve and submit the assessment.

7. Respond to feedback

Your assessor may ask for clarifications or supporting evidence before issuing the certificate, so keep simple records and screenshots of your settings and policies.

8. Receive your certificate

Once approved, you’ll get your certificate, compliance report and logo pack. Cyber Essentials certification lasts for 12 months, so plan ahead for renewal.


Cyber Essentials renewal process

Cyber Essentials certification is valid for 12 months, and you must renew annually to remain certified. Renewal is usually quicker than your first assessment, but you still need to prove your controls are in place and up to date.

How the renewal process works

Renewing Cyber Essentials is straightforward, but there are a few key steps to follow each year to make sure your certification remains valid:

  • Start early: Begin planning your renewal about a month before your certificate expires. This avoids any gap in certification, which could affect tenders or contracts.
  • Review your scope: Confirm which parts of your organisation are still in scope. Update your asset list to reflect any new sites, devices, or cloud services.
  • Reassess your controls: Make sure all five Cyber Essentials controls are still active and working. Apply the latest security updates, confirm malware protection is enabled, review access permissions, and check firewall rules.
  • Complete the self-assessment again: Your chosen certification body will invite you to resubmit the self-assessment questionnaire through the IASME portal. A senior responsible person must approve it just as before.
  • Respond to any assessor feedback: If anything has changed or is unclear, your assessor may ask for further information or evidence before renewing the certificate.
  • Receive your renewed certificate: Once approved, you’ll receive a new certificate and report confirming your continued compliance.

Renewal for Cyber Essentials Plus

If you have Cyber Essentials Plus, you must first renew the basic Cyber Essentials certificate. Then you can book a new Plus audit within three months. The assessor will carry out fresh technical testing to confirm your security controls are still effective.
