What is Cyber Essentials? All you need to know about the UK baseline scheme
What is Cyber Essentials? It is a UK government-backed cybersecurity assurance scheme that helps organizations implement a practical baseline of controls to reduce common internet-based threats. Launched in 2014, it has become one of the most widely recognized entry-level certifications for UK businesses—and a common requirement when bidding on government and supply-chain contracts.
This guide explains what Cyber Essentials covers, how certification works, who typically needs it, and how it compares to broader security programs.
This guide covers: what Cyber Essentials is; the five control areas; Cyber Essentials vs Plus; who needs it; the certification process; scope and cloud; comparison to other frameworks; and practical next steps.
Related guides:
- 7 key benefits of Cyber Essentials for your organization
- How Cyber Essentials controls stop 80% of cyber attacks
- Preparing for Cyber Essentials certification: process guide
- Cyber Essentials collection
Key takeaways
- Cyber Essentials is a prescriptive baseline, not a broad security program—it focuses on five control areas that address the most common attack paths.
- Two certification levels exist: Cyber Essentials (self-assessment) and Cyber Essentials Plus (independent technical validation).
- Certificates are typically valid for 12 months, so ongoing maintenance matters as much as the initial pass.
- Cloud services, remote devices, and identity controls are in scope for modern environments—not just on-premises servers.
- It is commonly required for UK government contracts and is increasingly expected by security-conscious buyers in the private sector.
- Evidence reuse is possible with ISO 27001, SOC 2, and other programs, though Cyber Essentials is more directive about what "good" looks like at the baseline level.
What is Cyber Essentials?
Cyber Essentials is a UK government-endorsed scheme designed to help organizations of all sizes protect against the most common cyber threats. Rather than asking you to build a custom security program from scratch, it defines a focused set of technical and procedural controls that, when implemented correctly, materially reduce risk from commodity attacks such as phishing, malware, and opportunistic exploitation of misconfigurations.
The scheme was developed by the UK National Cyber Security Centre (NCSC) in partnership with industry, and it launched in June 2014. From October 2014, Cyber Essentials became a common prerequisite for bidding on many UK government contracts—a pattern that continues today across central government, local authorities, and the wider public-sector supply chain.
At its core, Cyber Essentials answers a straightforward question: Has your organization implemented the baseline controls that stop the majority of untargeted attacks? It is intentionally narrower than enterprise-grade frameworks like ISO 27001 or SOC 2, but that narrowness is a feature—it gives teams a clear, achievable target rather than an open-ended security roadmap.
Organizations that certify receive a certificate they can share with customers, partners, and procurement teams as evidence of baseline cyber hygiene. For many small and mid-sized businesses, it is the first formal security certification they pursue—and for good reason: the requirements map directly to everyday IT operations like patching, access management, and endpoint protection.
Who runs Cyber Essentials?
Cyber Essentials is overseen by IASME Consortium, which operates the certification scheme on behalf of the UK government. IASME sets the assessment requirements, maintains the Self-Assessment Questionnaire (SAQ), and accredits Certification Bodies that review submissions and issue certificates.
In practice, your certification journey typically involves:
- Choosing a Certification Body accredited by IASME.
- Completing the SAQ (for Cyber Essentials) or the SAQ plus a technical assessment (for Cyber Essentials Plus).
- Receiving your certificate if your submission meets the requirements.
The NCSC continues to provide strategic guidance and updates to the scheme's technical requirements. When requirements change—such as expanded expectations for cloud services, multi-factor authentication, or password handling—IASME publishes updated guidance that Certification Bodies apply during assessments.
This governance model means Cyber Essentials is not a static checklist. It evolves with the threat landscape, but it remains focused on practical, implementable controls rather than abstract policy statements.
The five control areas
Every Cyber Essentials certification—whether base level or Plus—is built around the same five control themes. Together, they address the attack paths most commonly exploited in untargeted and semi-targeted incidents.
1. Firewalls and internet gateways
Firewalls create a boundary between your internal network and the internet. Cyber Essentials expects you to configure firewalls (network-level and/or host-based) to restrict inbound traffic to approved services, block unnecessary ports, and prevent unauthorized access from outside your perimeter.
Typical evidence: firewall rule exports, configuration screenshots, change-management records, and documentation of default-deny policies.
2. Secure configuration
Default settings on operating systems, applications, and cloud services often expose more attack surface than necessary. Secure configuration means hardening devices and services: disabling unused features, removing default accounts, restricting administrative interfaces, and applying vendor-recommended security baselines.
Typical evidence: endpoint baseline policies, cloud configuration reviews, and records showing default credentials have been changed or removed.
3. User access control
Not everyone needs access to everything. Cyber Essentials requires organizations to enforce least privilege, manage user accounts consistently (including joiner/mover/leaver processes), limit administrative privileges, and protect authentication credentials—increasingly including expectations for multi-factor authentication on cloud and administrative access.
Typical evidence: access review records, role definitions, MFA enrollment reports, and account provisioning/deprovisioning workflows.
4. Malware protection
Malware remains one of the most common initial access vectors. The scheme expects appropriate anti-malware defenses on endpoints and servers, with mechanisms to detect, block, and remediate malicious software. For some environments, application allowlisting or other advanced controls may supplement traditional antivirus.
Typical evidence: endpoint protection deployment reports, policy configurations, and evidence that protection is active and updated.
5. Security update management
Unpatched software is a leading cause of successful breaches. Cyber Essentials requires a defined process for applying security patches to operating systems and applications within a reasonable timeframe—typically within 14 days for critical updates, though exact expectations depend on the current scheme version and your Certification Body's guidance.
Typical evidence: patch compliance reports, vulnerability scan results, exception logs with time-bound approvals, and change tickets for applied updates.
For a deeper look at why these controls matter, see How Cyber Essentials controls stop 80% of cyber attacks.
| Control area | Primary goal | Common failure mode |
|---|---|---|
| Firewalls | Restrict inbound access to approved services | Overly permissive rules or missing host firewalls |
| Secure configuration | Reduce exposed services and default weaknesses | Unchanged default passwords or unnecessary open ports |
| User access control | Limit who can access what | Shared admin accounts or stale user access |
| Malware protection | Block and detect malicious software | Endpoints without active protection |
| Security updates | Close known vulnerabilities quickly | Delayed patching or untracked exceptions |
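The five control areas above are checked against real inventories during an assessment, and the "common failure mode" column is what a reviewer is looking for. The script below is an added example, not code from this article, from IASME or from the NCSC: it evaluates a constructed device inventory against each control area, applying the 14-day window the text cites for critical updates. The inventory schema, the approved-port allow-list, the signature-age threshold and the sample patch identifier are assumptions made for this example.

```python
"""Added example: a minimal readiness check over a constructed asset inventory
against the five Cyber Essentials control areas. Field names, thresholds other
than the 14-day patch window, and all sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14          # window the article cites for critical updates
SIGNATURE_MAX_AGE_DAYS = 7      # assumed threshold for "protection is updated"
APPROVED_INBOUND_PORTS = {443}  # assumed allow-list of services exposed inbound


@dataclass(frozen=True)
class Device:
    name: str
    default_deny_inbound: bool
    open_inbound_ports: frozenset
    default_accounts_present: bool
    admin_accounts: frozenset
    mfa_enrolled_accounts: frozenset
    av_active: bool
    av_signature_date: date
    # (patch id, date the vendor published it) for critical patches still missing
    missing_critical_patches: tuple


def check_firewall(dev):
    """Control 1: default-deny inbound and only approved services exposed."""
    findings = []
    if not dev.default_deny_inbound:
        findings.append("inbound policy is not default-deny")
    for port in sorted(dev.open_inbound_ports - APPROVED_INBOUND_PORTS):
        findings.append(f"unapproved inbound port {port} is open")
    return findings


def check_secure_configuration(dev):
    """Control 2: vendor default accounts removed or disabled."""
    return ["default vendor accounts still present"] if dev.default_accounts_present else []


def check_user_access(dev):
    """Control 3: every administrative account is enrolled in MFA."""
    return [f"administrative account {acct} has no MFA"
            for acct in sorted(dev.admin_accounts - dev.mfa_enrolled_accounts)]


def check_malware_protection(dev, today):
    """Control 4: protection is active and its signatures are recent."""
    if not dev.av_active:
        return ["endpoint protection is not active"]
    age = (today - dev.av_signature_date).days
    return [f"protection signatures are {age} days old"] if age > SIGNATURE_MAX_AGE_DAYS else []


def check_security_updates(dev, today):
    """Control 5: no critical patch is older than the 14-day window."""
    findings = []
    for patch_id, released in dev.missing_critical_patches:
        overdue = (today - released) - timedelta(days=PATCH_WINDOW_DAYS)
        if overdue.days > 0:
            findings.append(f"critical patch {patch_id} is {overdue.days} day(s) "
                            f"past the {PATCH_WINDOW_DAYS}-day window")
    return findings


CONTROL_CHECKS = (
    ("Firewalls", lambda d, t: check_firewall(d)),
    ("Secure configuration", lambda d, t: check_secure_configuration(d)),
    ("User access control", lambda d, t: check_user_access(d)),
    ("Malware protection", check_malware_protection),
    ("Security updates", check_security_updates),
)


def assess(devices, today):
    """Return {device name: {control area: [findings]}}, listing only failing areas."""
    report = {}
    for dev in devices:
        failing = {}
        for area, check in CONTROL_CHECKS:
            findings = check(dev, today)
            if findings:
                failing[area] = findings
        report[dev.name] = failing
    return report


def is_ready(report):
    """True only when no device has a finding in any control area."""
    return all(not areas for areas in report.values())


# Constructed inventory for the example; not real devices or patch identifiers.
TODAY = date(2026, 6, 1)
INVENTORY = (
    Device("laptop-01", True, frozenset(), False, frozenset({"admin.jane"}),
           frozenset({"admin.jane", "jane"}), True, date(2026, 5, 30), ()),
    Device("web-01", True, frozenset({22, 443}), True, frozenset({"root", "ops.sam"}),
           frozenset({"ops.sam"}), True, date(2026, 5, 1),
           (("PATCH-EXAMPLE-001", date(2026, 5, 10)),)),
)

if __name__ == "__main__":
    result = assess(INVENTORY, TODAY)
    for name, areas in result.items():
        print(name, "OK" if not areas else "")
        for area, findings in areas.items():
            for line in findings:
                print(f"  [{area}] {line}")
    print("ready for submission:", is_ready(result))
```

Each finding maps to one row of the table above, so the output doubles as a remediation list and, once clean, as the kind of evidence the SAQ asks for. Feeding the script from real exports (firewall rules, identity provider MFA reports, patch tooling) rather than the constructed inventory is the part that differs per organization.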
Cyber Essentials vs Cyber Essentials Plus
Both levels assess the same five control areas. The difference is how compliance is validated.
Cyber Essentials (base level)
- Assessment method: Self-Assessment Questionnaire (SAQ) reviewed by a Certification Body.
- Validation depth: You attest that controls are in place; the assessor reviews your answers for consistency and completeness.
- Best for: Organizations needing baseline assurance, meeting tender requirements where Plus is not mandated, or getting started quickly.
- Typical timeline: Weeks, depending on readiness and remediation needs.
Cyber Essentials Plus
- Assessment method: SAQ plus independent technical testing by a Certification Body.
- Validation depth: Assessors verify controls through hands-on checks—sampling devices, testing configurations, and confirming that what you documented matches reality.
- Best for: Higher-assurance buyer expectations, organizations that want external proof of implementation, and teams preparing for more rigorous security programs.
- Typical timeline: Adds scheduling and testing time; Plus assessments are commonly expected within three months of passing the base SAQ.
| Factor | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment style | Self-assessment + review | Self-assessment + technical audit |
| Independent testing | No | Yes |
| Cost | Lower | Higher (assessor time) |
| Assurance level | Baseline | Stronger |
| Certificate validity | 12 months | 12 months |
If you are unsure which level to pursue, start with your customer's or procurement team's requirements. Many tenders specify Cyber Essentials; some sensitive contracts require Plus.
Who needs Cyber Essentials?
Cyber Essentials is relevant to a wider set of organizations than its UK origins might suggest.
UK government and public-sector supply chains
Since 2014, Cyber Essentials has been a common requirement for organizations bidding on UK government contracts. If you sell software, IT services, or professional services to UK public-sector buyers, certification is often mandatory or strongly preferred.
Private-sector buyers in the UK
Large enterprises, financial services firms, and regulated industries increasingly ask suppliers to demonstrate baseline security. A Cyber Essentials certificate provides a recognized, low-friction answer during vendor due diligence.
Organizations outside the UK
Non-UK companies that serve UK customers—especially SaaS providers, managed service providers, and consultants—often pursue Cyber Essentials to reduce procurement friction. The controls themselves are universally applicable even when certification is not contractually required.
Small and mid-sized businesses
For organizations without a dedicated security team, Cyber Essentials offers a structured starting point. The five control areas map to operational IT tasks that every business should be doing anyway—making the scheme as much a security improvement program as a certification exercise.
For a fuller picture of the business case, see 7 key benefits of Cyber Essentials for your organization.
How certification works
While exact steps vary slightly by Certification Body, the process generally follows this pattern:
Step 1: Define your scope
Identify every device, user account, network, and cloud service that handles your organization's data or connects to the internet. Scope definition is critical—gaps here cause the most certification delays.
Step 2: Assess and remediate gaps
Review your current state against the five control areas. Common remediation work includes enabling MFA, tightening firewall rules, deploying endpoint protection, and establishing a patch management cadence.
Step 3: Complete the Self-Assessment Questionnaire (SAQ)
The SAQ asks detailed questions about how you meet each control requirement. Answers must reflect your actual environment—not aspirational policies.
Step 4: Submit for review
Your Certification Body reviews the SAQ. They may ask clarifying questions or request supporting evidence (screenshots, policy documents, configuration exports).
Step 5: Receive your certificate (or remediate and resubmit)
If accepted, you receive a certificate valid for 12 months. If gaps are found, you remediate and resubmit.
Step 6 (optional): Pursue Cyber Essentials Plus
If you choose Plus, schedule a technical assessment—typically within three months of your base certification. The assessor performs hands-on validation of your controls.
For a step-by-step walkthrough, see Preparing for Cyber Essentials certification: process guide.
Scope, cloud, and remote work
Modern Cyber Essentials assessments account for environments that look very different from a traditional office network.
Cloud services are in scope
If your organization uses cloud platforms (Microsoft 365, Google Workspace, AWS, Azure, and similar services), the controls apply to cloud identity, authentication, configuration, and access management—not just on-premises infrastructure.
Remote and hybrid work
Laptops, mobile devices, and home networks used for business purposes typically fall within scope. Endpoint protection, secure configuration, and patch management must cover these devices—not only office-based workstations.
Third-party and supplier access
Organizations that grant external parties access to systems or data should ensure those access paths meet the scheme's expectations for authentication, least privilege, and monitoring.
What is typically out of scope
Personal devices not used for business, and systems that are fully air-gapped from your in-scope environment, may fall outside scope—but the boundary must be documented and defensible. When in doubt, include rather than exclude; assessors commonly challenge overly narrow scope definitions.
Cyber Essentials vs other frameworks
Cyber Essentials is often the first certification an organization pursues, but it is not the only one. Understanding how it relates to other programs helps you plan evidence reuse and avoid duplicate work.
| Framework | Relationship to Cyber Essentials |
|---|---|
| ISO 27001 | Broader ISMS program; Cyber Essentials controls overlap substantially but ISO 27001 allows more flexibility in implementation |
| SOC 2 | US-focused attestation; security criteria overlap with Cyber Essentials intent but SOC 2 covers additional trust categories |
| NIST CSF | Voluntary framework; Cyber Essentials maps to a subset of Identify/Protect functions |
| PCI DSS | Payment-card specific; Cyber Essentials does not replace PCI requirements for cardholder data environments |
Many teams find that Cyber Essentials evidence—patch reports, access reviews, firewall configurations, endpoint protection records—feeds directly into ISO 27001 or SOC 2 audits. The reverse is also true: if you already maintain controls for a broader program, Cyber Essentials certification may require less net-new work than starting from scratch.
Cyber Essentials is more prescriptive than ISO 27001 or SOC 2. It tells you more directly what "good" looks like at the baseline level, which makes it faster to implement but less flexible for organizations with non-standard architectures.
How to get started
If you are evaluating Cyber Essentials for the first time, this practical sequence keeps the work manageable:
- Confirm the requirement. Check whether your customers, tenders, or insurance providers specify Cyber Essentials, Cyber Essentials Plus, or either level.
- Choose a Certification Body. Select an IASME-accredited body that fits your organization size and timeline.
- Define scope early. Document every in-scope device, user, network segment, and cloud service before you start remediation.
- Run a gap assessment. Compare your current controls against the five areas and prioritize fixes that block certification.
- Assign owners. Each control area needs a named owner who can produce evidence and answer assessor questions.
- Centralize evidence. Store policies, screenshots, exports, and tickets in one place so SAQ completion and renewal are repeatable.
- Submit the SAQ. Answer honestly—"paper compliance" that does not match your real environment is the most common reason for delays or failures.
- Plan for renewal. Treat Cyber Essentials as an operating baseline, not a one-time project. Certificates expire after 12 months.
Teams that run controls continuously—rather than scrambling before each renewal—typically spend less time and money on certification over the long term.
Streamline Cyber Essentials with SecureSlate
Cyber Essentials is straightforward on paper, but teams still lose time to scattered evidence, unclear ownership, and last-minute scrambling before submission or renewal.
SecureSlate helps you run Cyber Essentials as a repeatable system by:
- Mapping work to the five control categories so nothing falls through the cracks
- Assigning clear owners for each requirement and remediation item
- Centralizing evidence (exports, screenshots, policies, tickets) so you can reuse it for Plus and annual renewal
- Keeping controls audit-ready year-round to reduce renewal stress and surprise gaps
If you want Cyber Essentials to become a reliable baseline—not a recurring fire drill—SecureSlate helps you standardize the process and stay ready.
FAQ
What is Cyber Essentials in simple terms?
Cyber Essentials is a UK government-backed certification that confirms your organization has implemented five baseline security controls: firewalls, secure configuration, access control, malware protection, and security updates. It is designed to protect against the most common cyber attacks.
Is Cyber Essentials mandatory?
It is not legally mandatory for all organizations, but it is commonly required for UK government contracts and is increasingly requested by private-sector buyers. Some cyber insurance programs also reference certification as a qualifying factor.
How long does Cyber Essentials certification take?
Timelines vary with readiness. Organizations with controls already in place may complete certification in a few weeks. Environments requiring significant remediation can take several months. Cyber Essentials Plus adds time for scheduling and technical testing.
How much does Cyber Essentials cost?
Costs depend on organization size, Certification Body pricing, and whether you pursue base level or Plus. Certification Body fees typically range from a few hundred to several thousand pounds, with Plus costing more due to assessor time. Internal remediation costs vary widely.
How long is a Cyber Essentials certificate valid?
Certificates are typically valid for 12 months. Renewal requires re-submission of the SAQ (and re-assessment for Plus). Plan renewal early to avoid gaps in your certification status.
Does Cyber Essentials cover cloud services?
Yes. Modern scheme requirements commonly apply to cloud identity, authentication, configuration, and access management—not only on-premises infrastructure.
Can small businesses get Cyber Essentials certified?
Yes. The scheme is designed for organizations of all sizes. Small businesses often benefit most because it provides a structured, achievable security baseline without the complexity of larger frameworks.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Both assess the same five control areas. Cyber Essentials relies on self-assessment; Cyber Essentials Plus adds independent technical testing to verify that controls are actually implemented—not just documented.
Does Cyber Essentials include cyber insurance?
Organizations that meet certain criteria (including UK domicile and turnover below £20 million) may qualify for complimentary cyber liability insurance coverage up to £25,000 when they opt in through the scheme. Coverage terms and eligibility should be confirmed with your Certification Body.
Can I reuse Cyber Essentials evidence for ISO 27001 or SOC 2?
Often, yes. Control evidence such as patch reports, access reviews, and endpoint protection records commonly supports broader certification programs. A GRC platform that maps controls across frameworks reduces duplicate effort during audits.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney. Certification requirements, assessor expectations, and scheme guidance may change; always confirm current requirements with your chosen Certification Body and IASME Consortium publications before submitting for assessment.