Cyber Essentials gets mentioned frequently in conversations about business security but rarely explained clearly. Many business owners have a vague sense it’s “something to do with government contracts” without understanding whether it applies to them, what it actually involves, or whether the certification is genuinely worth pursuing beyond compliance box-ticking.
This article answers those questions plainly. Whether you’re being asked for Cyber Essentials by a client, considering a government tender, or simply want to understand whether your current security posture holds up — what follows is a straight account of what Cyber Essentials is, what it requires and how to decide if it’s the right next step for your business.
What Cyber Essentials actually is
Cyber Essentials is a UK government-backed certification scheme, developed by the National Cyber Security Centre (NCSC) and managed through accredited certification bodies. It was introduced in 2014 and has been progressively updated since, with significant revisions to the technical requirements in recent years to reflect how modern businesses actually operate — particularly around cloud services and home working.
The scheme is built around five technical controls that the NCSC considers essential for defending against the majority of commodity cyber attacks — the opportunistic, automated threats that affect businesses of all sizes. The certification is not designed to protect against highly targeted or sophisticated attacks. It is designed to ensure that a business is not left vulnerable to the kind of automated scanning and exploitation that accounts for the vast majority of real-world incidents.
The five control areas
Who needs Cyber Essentials
Cyber Essentials is mandatory for businesses bidding for UK central government contracts that involve handling personal data or sensitive information. If your business does any government work or is considering it, this is non-negotiable — you need to hold a current certification before tender submission.
Beyond government contracts, Cyber Essentials is increasingly appearing in the supply chain requirements of larger private-sector organisations. Legal firms, financial institutions and healthcare providers in particular have started requiring suppliers to hold the certification as part of their own risk management processes. If you work with clients in regulated sectors, it is worth checking whether they currently require or are moving towards requiring it.
For businesses outside these categories, the honest answer is that Cyber Essentials is not compulsory — but the five controls it requires are sound practice regardless of certification. A business that genuinely meets all five criteria has substantially reduced its exposure to the most common attack types. The certification provides evidence of that, which has value in client conversations, insurance discussions and in the event of an incident.
“Cyber Essentials won’t protect you against a nation-state attack. It will protect you against the automated scanning and opportunistic exploitation that most actual breaches come from.”
The two certification levels
Cyber Essentials (self-assessment) involves completing a detailed questionnaire about your IT environment and how it meets each of the five control areas. The questionnaire is submitted to an accredited certification body, which reviews it and issues the certificate if it is satisfied. You are attesting to your own compliance — the certification body is not independently verifying your technical controls, though they will ask follow-up questions if answers appear inconsistent.
Cyber Essentials Plus includes everything in the standard certification plus an independent technical assessment carried out by a qualified assessor. The assessor will attempt to verify that your controls work in practice — testing firewall configuration, checking patch levels on devices, verifying MFA is properly implemented. It costs more and takes longer but provides a meaningfully higher level of assurance. Government contracts above a certain value require Plus specifically.
Preparing for Cyber Essentials certification?
Techfident supports businesses through the gap analysis, remediation and certification process. We don’t sell the assessment itself — we make sure you pass it first time. Cyber Essentials support is part of our cyber security service for UK businesses.
What it costs and how long it takes
The Cyber Essentials self-assessment certification costs £300 plus VAT for organisations with up to 99 staff (as of 2026). This is the IASME fee, payable to the certification body when you submit your questionnaire.
Cyber Essentials Plus is priced by the certifying organisation based on the size and complexity of your environment. For a small business with a straightforward IT setup, expect £1,500–£2,500. For more complex environments with multiple sites or a large number of devices, costs rise accordingly.
Neither figure includes the cost of any remediation work required to meet the standard before certification. For a business that already has the basics in place — updated software, managed anti-virus, MFA on cloud accounts — remediation may be minimal. For a business with legacy systems, unsupported software or no patch management process, the remediation cost can exceed the certification cost significantly.
Timeline: most businesses achieve standard Cyber Essentials in two to four weeks. Plus typically adds another two to four weeks for the technical assessment phase. The limiting factor is usually the remediation work, not the assessment itself.
Should your business get certified?
Apply this straightforward test:
- You bid for government work — you need it. No choice.
- A client or prospect has asked for it — you almost certainly need it to retain or win that relationship.
- You work in legal, financial or healthcare supply chains — get it now before it becomes a requirement mid-tender.
- None of the above apply — consider whether your business genuinely meets all five controls. If yes, certification is a low-cost way to validate that. If no, the remediation work to meet the standard is worth doing regardless of the certificate.
Cyber Essentials is not a silver bullet and it is not the ceiling of what good security looks like — it is the floor. The value of the certification is that it forces an honest assessment of whether you have the basics in place. For most UK SMEs, the answer to “do you need Cyber Essentials?” is either “yes, mandatorily” or “probably yes, and here’s why.”
Common questions about Cyber Essentials
Is Cyber Essentials a legal requirement?
Cyber Essentials is not a legal requirement for most UK businesses. However, it is mandatory for businesses bidding for UK government contracts that involve handling sensitive information or personal data. It is also increasingly required by larger organisations in their supplier due diligence. Some cyber insurance policies offer better terms for certified businesses.
How long does Cyber Essentials take?
For most small businesses with a straightforward IT environment, Cyber Essentials can be achieved in 2–4 weeks. Most of the time is spent on any remediation work required before assessment. The assessment itself — submitting the questionnaire and receiving a decision — typically takes a few days once you are ready.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is self-assessed — you complete a questionnaire confirming your controls are in place. Cyber Essentials Plus includes an independent technical audit where an assessor tests your systems directly. Plus costs more and takes longer but provides a higher level of assurance. Some government contracts specifically require Plus.
How much does Cyber Essentials cost?
The self-assessment certification costs £300 plus VAT for organisations with up to 99 staff. Cyber Essentials Plus costs £1,500–£3,000 depending on your environment size. These are certification costs only — any remediation work required to meet the standard carries its own cost.