Preparing for Cyber Essentials Certification: How to get certified with an 8-step process guide
Key takeaways
- Understand the core concepts and terminology behind Cyber Essentials certification and the eight-step process for getting certified.
- Learn practical steps to apply the guidance and stay audit-ready.
- See where SecureSlate can help centralize evidence, ownership, and ongoing compliance workflows.
If you’re working toward a UK government contract, responding to a customer due diligence request, or simply want a proven baseline for your security controls, Cyber Essentials is one of the most practical places to start.
Cyber Essentials is a UK government-backed cybersecurity certification that covers devices, accounts, networks, and software configuration. This guide walks you through a practical eight-step process for getting certified efficiently—from scoping and gap analysis to SAQ submission and the optional Cyber Essentials Plus audit.
Related guides:
- Cyber Essentials vs Cyber Essentials Plus: key differences
- How much does Cyber Essentials certification cost?
- How long does Cyber Essentials certification last?
What is Cyber Essentials?
Cyber Essentials is a UK government-backed security certification designed to help organizations of all sizes implement fundamental cybersecurity measures to protect their networks and systems.
The scheme was launched by the National Cyber Security Centre (NCSC) in 2014 and is UK-focused. Organizations outside the UK can also pursue certification by working with an accredited certification body.
Benefits of Cyber Essentials accreditation
Obtaining a Cyber Essentials certificate can deliver strategic and long-term benefits, including:
- Eligibility for certain UK government contracts (for UK-based organizations)
- Better protection against common attacks through baseline, industry-aligned controls
- Greater stakeholder trust by demonstrating a recognized security standard
- Clear visibility into your tech stack and the controls protecting it
Cyber Essentials also supports a self-assessment path. You don’t need an external audit unless you’re pursuing Cyber Essentials Plus.
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials and Cyber Essentials Plus share the same core requirements, but they differ in how assurance is validated:
- Cyber Essentials: questionnaire-based self-assessment (with senior sign-off)
- Cyber Essentials Plus: includes the self-assessment, plus an independent technical audit (testing and vulnerability scanning) by an assessor
If you need a higher level of assurance for customers or procurement, Plus can carry more weight because it’s externally tested rather than solely self-attested.
8 steps to obtaining a Cyber Essentials certificate
Whether you’re pursuing Cyber Essentials or Cyber Essentials Plus, the workflow is similar:
- Download the Cyber Essentials self-assessment questionnaire (SAQ)
- Define your Cyber Essentials scope and requirements
- Conduct a gap analysis
- Implement the identified controls
- Set up monitoring of networks and devices
- Train relevant team members
- Complete the self-assessment and apply for certification
- Pursue Cyber Essentials Plus (optional)
Step 1: Download the Cyber Essentials SAQ
Start by downloading the self-assessment questionnaire (SAQ) from the IASME website. The SAQ helps your team understand the control expectations relative to your technology footprint.
Two additional resources worth reviewing alongside the SAQ are:
- NCSC Requirements for Infrastructure
- Cyber Essentials Plus Illustrative Test Specification
The SAQ is updated periodically, with each version effective from a specific date. Make sure you use the version that applies to your certification timeframe.
Once you’ve reviewed the SAQ, define a timeline with owners and milestones so implementation stays accountable.
Step 2: Define your Cyber Essentials scope and requirements
Define the scope for your Cyber Essentials certification. Ideally, scope includes your full technology landscape, because the goal is comprehensive protection across systems, networks, and devices.
In some cases, it may be reasonable to exclude truly isolated environments (for example, guest networks that do not connect to confidential systems or data). If you exclude anything, document it clearly and ensure the exclusion aligns to the scheme requirements.
Cyber Essentials controls are grouped into five core areas:
- Firewalls: use firewalls to buffer internal systems from untrusted networks
- Secure configuration: ensure devices and software are hardened and not easily exploitable
- User access control: prevent unauthorized access to data and services
- Malware protection: protect systems from malicious code and infection
- Security update management: keep devices and software patched with current security updates
Step 3: Conduct a gap analysis
Assess your current state against the in-scope Cyber Essentials requirements. This is often the most time-consuming step, but it drives everything that follows.
Example: Cyber Essentials requires MFA for authentication to cloud-based services. During your review, you might find a subset of user accounts authenticating without MFA. That becomes a clear remediation item: enforce MFA universally (or document exceptions only if permitted and justified by the scheme guidance).
Document each gap and its action item so you can track implementation, ownership, and completion.
Step 4: Implement the identified controls
Execute your remediation plan in priority order. If you prioritize secure configuration and access control, common implementation work includes:
- Disable or remove unnecessary accounts
- Change default or easy-to-guess passwords
- Harden remote access to reduce brute-force exposure
- Deploy anti-malware tooling where required
- Enforce MFA for user access to cloud services and admin interfaces
This step typically spans multiple teams (IT, engineering, operations). Assign owners per workstream and keep communication tight so readiness doesn’t stall.
Step 5: Monitor networks and devices
After implementing controls, verify they’re effective by monitoring your networks and devices. This reduces last-minute surprises before you submit your assessment.
Create a lightweight readiness report that captures:
- Control application and maintenance status
- Key configuration baselines for devices and network components
- Access control policy outcomes (e.g., MFA coverage, admin accounts, review cadence)
- Patch/update cadence and exceptions handling
- Malware protection coverage and alerting approach
Have a senior executive review the report so the organization is aligned on readiness before sign-off.
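The gap analysis described in Step 3 and the readiness report outlined in Step 5 can be automated once the inventory is in a structured form. The script below is an added example written for this guide; it is not SecureSlate's code or the scheme's own tooling. It runs the checks over a small constructed inventory of accounts and devices, groups every finding under one of the five Cyber Essentials control areas, and returns the MFA coverage, admin account count and open gaps that the readiness report asks for. The inventory, the field names and the 14-day update window are assumptions for illustration; check the window against the current NCSC Requirements for IT Infrastructure before relying on it.

```python
"""Gap analysis and readiness summary over a constructed asset inventory,
grouped by the five Cyber Essentials control areas (added example)."""
from dataclasses import dataclass, field
from datetime import date

# Assumption for this example: security updates must be applied within
# 14 days of release. Confirm against the current scheme requirements.
PATCH_WINDOW_DAYS = 14

CONTROL_AREAS = (
    "Firewalls",
    "Secure configuration",
    "User access control",
    "Malware protection",
    "Security update management",
)


@dataclass
class Account:
    username: str
    is_admin: bool
    mfa_enabled: bool      # MFA enforced for cloud service sign-in
    active: bool = True    # False = leaver/unused account still present


@dataclass
class Device:
    hostname: str
    firewall_enabled: bool
    anti_malware_installed: bool
    default_password_changed: bool
    # (update name, release date) for updates not yet applied
    pending_updates: list = field(default_factory=list)


def gap_analysis(accounts, devices, today):
    """Return {control area: [finding, ...]} for every unmet requirement."""
    gaps = {area: [] for area in CONTROL_AREAS}
    for a in accounts:
        if not a.active:
            gaps["User access control"].append(
                f"{a.username}: unused account still present, disable or remove")
            continue
        if not a.mfa_enabled:
            gaps["User access control"].append(
                f"{a.username}: cloud service access without MFA")
    for d in devices:
        if not d.firewall_enabled:
            gaps["Firewalls"].append(f"{d.hostname}: host firewall disabled")
        if not d.default_password_changed:
            gaps["Secure configuration"].append(
                f"{d.hostname}: default password still in use")
        if not d.anti_malware_installed:
            gaps["Malware protection"].append(
                f"{d.hostname}: no anti-malware protection installed")
        for name, released in d.pending_updates:
            age = (today - released).days
            if age > PATCH_WINDOW_DAYS:
                gaps["Security update management"].append(
                    f"{d.hostname}: '{name}' released {age} days ago, "
                    f"outside the {PATCH_WINDOW_DAYS}-day window")
    return gaps


def readiness_summary(accounts, devices, today):
    """Executive-level view: MFA coverage, admin count, open gaps, ready flag."""
    gaps = gap_analysis(accounts, devices, today)
    active = [a for a in accounts if a.active]
    mfa_coverage = (sum(a.mfa_enabled for a in active) / len(active)) if active else 1.0
    return {
        "mfa_coverage": round(mfa_coverage, 2),
        "admin_accounts": sum(1 for a in active if a.is_admin),
        "open_gaps": sum(len(v) for v in gaps.values()),
        "ready": not any(gaps.values()),
        "gaps": gaps,
    }


# Constructed sample inventory (not real systems or people).
SAMPLE_ACCOUNTS = [
    Account("alice", is_admin=True, mfa_enabled=True),
    Account("bob", is_admin=False, mfa_enabled=False),
    Account("contractor-old", is_admin=False, mfa_enabled=False, active=False),
]
SAMPLE_DEVICES = [
    Device("laptop-01", True, True, True,
           pending_updates=[("OS security update 2024-05", date(2024, 5, 2))]),
    Device("desktop-02", False, False, False),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    report = readiness_summary(SAMPLE_ACCOUNTS, SAMPLE_DEVICES, TODAY)
    for area, findings in report["gaps"].items():
        print(f"{area}: {len(findings)} open")
        for f in findings:
            print(f"  - {f}")
    print(f"MFA coverage {report['mfa_coverage']:.0%}, "
          f"{report['admin_accounts']} admin account(s), ready={report['ready']}")
```

Each finding carries an owner-friendly action, so the same structure feeds the Step 3 remediation tracker and the Step 5 executive review; exporting the inventory from your directory, MDM or patch tooling into the two dataclasses is the only integration work.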
Step 6: Train relevant team members
Cyber Essentials works best when it’s not just “a certification project,” but a baseline security culture.
Focus training on:
- Account and password management: approved devices, secure networks, strong passwords, and password manager use
- Social engineering awareness: spotting phishing, reporting procedures, and escalation paths
- Data sharing practices: secure sharing methods for sensitive information (especially for remote work)
Step 7: Complete the self-assessment and apply for certification
Complete the online self-assessment questionnaire and have it validated by a senior team member who can attest to its accuracy.
Then apply through your chosen certification body. You’ll typically submit the questionnaire, provide any supporting evidence as requested, and pay the certification fee.
If the certification body identifies gaps, address the remediation items and resubmit.
Step 8: Pursue Cyber Essentials Plus (optional)
After obtaining Cyber Essentials, you can pursue Cyber Essentials Plus (typically within three months) to add independent technical verification.
A key point: the Plus assessment scope must match the scope of your base Cyber Essentials certification. You’ll also need to maintain evidence and verification artifacts (as requested by your assessor), such as:
- IT inventories
- Access control logs
- Firewall configurations
- Patch management policies
Cyber Essentials certifications are valid for 12 months, after which you’ll need to renew.
Streamline Cyber Essentials certification with SecureSlate
Cyber Essentials certification can become a documentation and evidence chase—especially if you’re doing it manually across spreadsheets, screenshots, and ticket systems.
SecureSlate helps teams speed up readiness by centralizing the work:
- Evidence collection workflows for faster, audit-ready documentation
- Control tracking across devices, accounts, and systems
- Clear ownership and reminders so gaps don’t linger
- Executive-ready status views for sign-off and accountability
If you’re pursuing Cyber Essentials (or planning for Plus) and want a more repeatable process, SecureSlate can help you operationalize controls and keep readiness on track year-round.
FAQ
Do we need an external audit for Cyber Essentials?
Not for the base Cyber Essentials certification. You complete a self-assessment questionnaire with senior sign-off. Cyber Essentials Plus adds an independent technical audit.
Can organizations outside the UK get Cyber Essentials certified?
Yes. While Cyber Essentials is UK-focused, organizations outside the UK can work with an accredited certification body to pursue certification.
How long is Cyber Essentials certification valid?
Cyber Essentials certifications are valid for 12 months, and you’ll need to renew annually.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.