Cyber threats aren’t limited to large enterprises. Small and medium-sized businesses across the UK are increasingly targeted by automated attacks such as phishing, credential stuffing, ransomware, and exploitation of unpatched systems. These attacks succeed because they exploit common, preventable weaknesses.
The Cyber Essentials(fereastră nouă) scheme was designed to help UK organizations of all sizes protect themselves against cyber security threats. Backed by the National Cyber Security Centre, Cyber Essentials is a UK government-supported certification scheme. It focuses on five high-impact controls that, when implemented properly, significantly reduce risk.
For many UK organizations, having a Cyber Essentials certification is increasingly necessary for procurement requirements, supply chain expectations, and customer trust. Whether you’re strengthening your internal security posture or positioning your business for growth, understanding how the scheme works is the first step to becoming compliant and gaining a crucial competitive advantage.
What is Cyber Essentials?
Cyber Essentials is a certification scheme designed to help organizations implement essential cybersecurity controls in a structured and measurable way. The scheme is designed to answer a simple question: have you taken the fundamental steps needed to protect your systems from common threats?
Rather than attempting to address every possible risk scenario, the scheme focuses on five technical controls that target the most common entry points for attacks. These include weak authentication, poor configuration, unpatched systems, and excessive access privileges, which are the five main areas consistently exploited in real-world breaches.
This focused approach is what makes Cyber Essentials effective. Instead of attempting to eliminate all risk, it ensures your organization isn’t vulnerable to the types of automated attacks that account for the majority of incidents across the UK.
For SMEs, this makes Cyber Essentials particularly valuable because it provides a practical, achievable framework for improving security without requiring enterprise-scale resources or complexity.
Cyber Essentials UK requirements: the 5 core controls explained
The Cyber Essentials UK requirements are built around five technical controls. These form the foundation of both Cyber Essentials and Cyber Essentials Plus.
1. Firewalls and internet gateways
Firewalls(fereastră nouă) act as the boundary between your internal systems and external networks. They determine what traffic is allowed and what is blocked.
In practice, this means:
- All internet-connected devices are protected by a configured firewall
- Unnecessary ports and services are blocked by default
- Internal systems are not directly exposed to the internet
- Remote access is routed through controlled solutions such as business VPNs
In real assessments, certification bodies look beyond whether a firewall exists. They assess whether rules are actively managed, whether unnecessary services are exposed, and whether remote access is properly controlled. Open ports such as RDP or SSH exposed to the internet are a common reason organizations fail.
2. Secure configuration
Default configurations are designed for usability, not security. Leaving them unchanged creates unnecessary exposure.
A secure configuration approach includes:
- Changing default passwords before deployment
- Removing or disabling unnecessary accounts and services
- Hardening systems before use
- Applying consistent configuration standards
In practice, auditors are looking for evidence of a repeatable process. It is not enough for one system to be configured correctly; organizations must demonstrate that all systems are consistently secured. Cloud misconfigurations, such as publicly accessible storage or open APIs, are frequently identified during certification.
3. User access control
Access control governs who can access systems and data, and at what level.
Key requirements include:
- Access based on least privilege
- Separate admin and standard user accounts
- Regular access reviews
- Immediate removal of access for leavers
- No shared credentials
Assessments often reveal issues with account lifecycle management. Dormant accounts, excessive permissions, and shared credentials are among the most common findings. Increasingly, two-factor authentication (2FA) is expected as a baseline control.
4. Malware protection
Malware protection ensures systems are actively defended against malicious software.
This includes:
- Up-to-date endpoint protection across all devices
- Real-time scanning enabled
- Automatic updates for threat definitions
- Controls to prevent execution of unknown software
Protection needs to be consistently active. Expired licenses, disabled scanning, or gaps in coverage, particularly on remote devices, are common reasons organizations fail this control.
5. Security update management
Unpatched systems are one of the most frequent entry points for attackers. That’s why Cyber Essentials requires:
- Critical updates applied within 14 days of release
- Automatic updates enabled where possible
- Unsupported software removed
- All systems kept up to date
This is a strict requirement for data breach protection. Organizations that rely on slower patching cycles or continue using end-of-life systems often encounter challenges here. Unsupported software can’t meet certification requirements.
Together, these five controls form the backbone of Cyber Essentials certification, ensuring organizations address the most common and exploitable vulnerabilities.
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials is available at two certification levels: Cyber Essentials (CE) and Cyber Essentials Plus (CE+).
| Feature | Cyber Essentials | Cyber Essentials Plus |
| Assessment method | Self-assessment questionnaire | Independent technical testing |
| Verification | Reviewed by certification body | Hands-on validation |
| Assurance level | Baseline | High |
| Testing scope | Documentation and declarations | Vulnerability scans and endpoint checks |
| Typical use case | Entry-level cybersecurity compliance | High-trust environments and contracts |
Cyber Essentials confirms that your business has implemented the required controls, while Cyber Essentials Plus goes further by independently verifying that those controls are working in practice.
For organizations operating in regulated environments, handling sensitive data, or competing for high-value contracts, Cyber Essentials Plus provides a stronger level of assurance that could give your business a competitive edge.
Which businesses need Cyber Essentials certification?
Cyber Essentials is not legally mandatory for all organizations, but it has become a baseline expectation in many sectors.
You should strongly consider a Cyber Essentials certification if your organization:
- Works with the public sector or bids for government contracts
- Handles sensitive customer, financial, or employee data
- Operates within supply chains where security standards are enforced
- Provides IT, consulting, or digital services
- Is scaling and needs structured security practices
In many procurement environments, Cyber Essentials is an unofficial requirement. Organizations without a certification are often excluded before capability or pricing is even considered.
Cyber Essentials certification process and timeline
The process for achieving Cyber Essentials certification is relatively structured, but the real work happens before you submit anything. Most delays and failures occur during preparation, not during the assessment itself.
At a practical level, organizations move through the process in five stages, but each stage involves more than it might initially appear.
1. Define your scope
The first step is to clearly define what is in scope for certification. This typically includes all devices, systems, and services that connect to the internet and handle organizational data.
In practice, this means identifying:
- End-user devices such as laptops, desktops, and mobile devices
- Cloud platforms and SaaS applications (e.g. Microsoft 365, Google Workspace)
- Internal networks and internet-facing systems
- Remote access points, including VPNs and home-working environments
Scope definition is critical. If it’s too narrow, the certification won’t reflect your actual risk. If it’s too broad, you introduce unnecessary complexity and slow down the process. One of the most common issues at this stage is overlooking remote devices or cloud services, which are fully in scope under Cyber Essentials.
2. Assess your environment against the requirements
Once the scope is defined, the next step is to assess your systems against the five Cyber Essentials requirements.
This is where most of the work happens. You’re effectively running an internal audit to identify gaps such as:
- Misconfigured firewalls or exposed services
- Default, reused or weak passwords
- Excessive user permissions
- Missing or delayed security updates
- Inconsistent malware protection across devices
In practice, this step often reveals inconsistencies rather than complete failures. Controls may exist, but they are not applied uniformly across all systems. The goal is to identify and document those gaps before moving to formal assessment.
3. Complete the assessment (CE or CE+)
For Cyber Essentials, you’ll need to complete a structured self-assessment questionnaire. The questions are specific and technical, and they require you to accurately describe how your controls are implemented across your environment.
Certification bodies review your responses and may request clarification if anything is unclear or inconsistent.
For Cyber Essentials Plus, the process goes further. An external auditor will validate your controls through hands-on testing, which typically includes:
- Vulnerability scanning of internet-facing systems
- Endpoint checks to verify configuration and patching
- Attempts to confirm that malware protection and access controls are working as expected
At this stage, accuracy matters. Overstating controls or misunderstanding requirements often leads to delays or failure during review.
4. Remediate gaps and refine controls
It’s common for organizations to identify issues during assessment, particularly on the first attempt. These are usually not complex technical failures, but operational gaps such as:
- Accounts with excessive permissions
- Devices missing recent updates
- Inconsistent enforcement of security policies
Remediation involves addressing these issues and ensuring controls are applied consistently across all in-scope systems.
This stage is also where organizations benefit from standardization. Rather than fixing issues individually, it is often more effective to implement repeatable processes; for example, standardizing device configuration or centralizing access control.
In many cases, this includes introducing structured credential management tools that allow teams to enforce password policies, manage permissions centrally, and quickly revoke access when roles change. These capabilities can be difficult to maintain through manual processes alone.
That’s why adopting a business password manager such as Proton Pass for Business helps standardize how credentials are created, stored, and shared across your organization, reducing reliance on informal processes that often lead to security gaps.
5. Achieve certification
Once your responses are validated, or in the case of Cyber Essentials Plus, your systems successfully pass independent testing, you’ll receive your certification.
It’s important to remember that a Cyber Essentials certification is valid for 12 months and must be renewed annually to maintain your certified status. Renewal involves completing a new assessment, which can be a fresh self-assessment for Cyber Essentials or another independent technical assessment for Cyber Essentials Plus. If your certification expires, your organization is no longer recognized as Cyber Essentials certified until it successfully completes the renewal process.
Becoming certified isn’t the end of the process. Throughout the year, you should continue applying security updates, reviewing user access, maintaining secure configurations, and onboarding new systems according to the same standards. In other words, organizations should view Cyber Essentials as an ongoing operational discipline rather than an annual exercise.
What the assessment involves
The Cyber Essentials questionnaire is structured around specific, technical yes/no questions. These require accurate interpretation of your environment. Many organizations struggle not because controls are absent, but because they’re inconsistently applied or poorly documented.
For Cyber Essentials Plus, independent assessors validate your controls through:
- Vulnerability scanning
- Endpoint configuration checks
- Verification of patching and malware protection
What timeline should you expect for Cyber Essentials certification?
There is no fixed timeline for Cyber Essentials certification, but most organizations can expect the following:
- Weeks 1–2: Scoping and initial assessment
- Weeks 2–4: Remediation and control alignment
- Weeks 4–6: Submission, review, and certification
Well-prepared organizations with structured environments may complete the process more quickly. Those with fragmented systems, unclear ownership, or inconsistent controls may require additional time to identify and resolve gaps.
Getting certified isn’t difficult in principle, but it requires clarity, consistency, and attention to detail. The more structured your environment is before you begin, the smoother the certification process will be.
How much does the Cyber Essentials certification cost?
The cost of the Cyber Essentials certification depends on your organization’s size and whether you’re pursuing Cyber Essentials or Cyber Essentials Plus.
For the standard Cyber Essentials certification, IASME uses a fixed pricing(fereastră nouă) model based on organization size. At the time of writing, official assessment fees range from £320 + VAT for micro businesses (1–9 employees) to £600 + VAT for large organizations (250+ employees). Most small and medium-sized businesses can expect to pay £440–£500 + VAT (approximately $580–$660 USD) for the assessment.
Cyber Essentials Plus is priced differently because it includes independent technical testing rather than a self-assessment. There is no fixed national fee, and costs are determined by the certification body and the complexity of your IT environment. For most SMEs, pricing typically starts around £1,500 (approximately $2,000 USD) and can exceed £3,000 (approximately $4,000 USD) for larger or more complex environments.
It’s also worth factoring in preparation costs. For many organizations, the largest investment isn’t the certification fee itself, but the time spent reviewing systems, remediating security gaps, and standardizing controls before the assessment. Those improvements strengthen your overall security posture regardless of the certification outcome.
Pre-certification checklist for Cyber Essentials
Before applying, it’s useful to run a structured internal check. This checklist will give your organization a comprehensive list to follow.
| Requirement | What to check | Status |
| Scope definition | All systems, devices, and services identified, including remote environments | ☐ |
| Secure configuration | Default settings changed, unnecessary services removed, systems hardened | ☐ |
| Access control | Permissions reviewed, least privilege enforced, no shared credentials | ☐ |
| Credential management | Strong, unique passwords in place, secure storage and sharing | ☐ |
| Malware protection | Active and up-to-date protection across all devices | ☐ |
| Patch management | All systems updated, no unsupported software in use | ☐ |
| Remote work security | Remote and BYOD devices secured and included in scope | ☐ |
| Cloud access | SaaS platforms reviewed, access controlled, unused accounts removed | ☐ |
| Evidence readiness | Documentation and system-level proof available | ☐ |
| Certification path | CE or CE+ clearly defined | ☐ |
What Cyber Essentials doesn’t cover
Cyber Essentials is intentionally focused, and that focus is part of its strength. However, it doesn’t address every aspect of cyber security within your organization.
It doesn’t cover:
- Formal risk management frameworks
- Comprehensive governance structures
- Advanced threat detection or monitoring
- Deep incident response maturity
- Organization-wide security culture
This is why Cyber Essentials is best understood as a baseline. It ensures fundamental controls are in place, but it doesn’t replace broader frameworks such as ISO 27001.
For many organizations, Cyber Essentials serves as the starting point for a more comprehensive security strategy.
Access control and password management in Cyber Essentials
Access control is one of the most critical areas within Cyber Essentials, and one of the hardest to enforce consistently.
In practice, most issues arise from everyday behavior:
- Password reuse across systems
- Informal credential sharing
- Excessive permissions
- Lack of visibility over access
- Lack of two-factor authentication (2FA)
- Weak password policies and poor organizational controls
Over time, these small compromises create significant risk.
Under Cyber Essentials, access control is not just about defining permissions but about demonstrating that those permissions are enforced consistently across all systems in scope.
A structured approach to credential management helps achieve this. This includes enforcing strong, unique passwords, maintaining visibility over access, and ensuring credentials are securely stored and shared across teams. Find out more in our guide to password management best practices for businesses.
In practice, many organizations move away from manual credential handling and adopt dedicated solutions that centralize access control and make enforcement consistent. For example, a password manager for IT teams, such as Proton Pass for Business, allows organizations to manage credentials at scale, assign access based on roles, and maintain clear visibility over who has access to what.






