What is Cyber Essentials, and should your UK business get certified?

James Holloway · Cyber Security Lead · 9 min read

Cyber Essentials is a UK government-backed scheme that proves your business has the basic cyber-security controls in place to fend off the vast majority of common attacks. Think of it as a recognised badge that says 'we have done the security fundamentals properly'. It is increasingly demanded in contracts and tenders, it can lower your insurance, and for most small businesses it is far more achievable than the name suggests. Here is what it covers and whether it is worth pursuing.

The five Cyber Essentials controls (control map)

  • CE-1 (core): Firewalls - secure boundary to the internet
  • CE-2 (core): Secure configuration - defaults changed
  • CE-3 (core): Access control - least privilege, managed accounts
  • CE-4 (core): Malware protection on devices
  • CE-5 (core): Security update management - patched and supported
  • PL-1 (Plus): Hands-on technical audit (Cyber Essentials Plus)

What Cyber Essentials actually is

Cyber Essentials was created by the UK government, backed by the National Cyber Security Centre (NCSC), to give organisations a clear, affordable baseline of cyber hygiene. Its founding insight is reassuring: the overwhelming majority of cyber-attacks are not sophisticated - they are opportunists exploiting basic weaknesses that the scheme is designed to close.

It is a recognised certification, not just advice. Achieving it gives you a badge you can show customers, insurers and tender panels - evidence that you take security seriously and have the fundamentals covered. That recognition is a big part of why businesses pursue it.

The five technical controls

Cyber Essentials boils security down to five practical areas. Get these right and you have closed the doors most attackers walk through.

  • Firewalls: a properly configured boundary between your network and the internet - the basics are covered in our guide 'Do you still need a firewall?'.
  • Secure configuration: devices and software set up safely, with default passwords changed and unnecessary features turned off.
  • Access control: people get only the access they need, admin rights are restricted, and accounts are properly managed.
  • Malware protection: anti-malware or equivalent on devices to stop and remove malicious software.
  • Security update management: keeping everything patched and up to date - the heart of good patch management.

Cyber Essentials vs Cyber Essentials Plus

There are two levels, and the difference matters when you are deciding what to aim for. Both cover the same five controls; what changes is how your compliance is checked.

Basic Cyber Essentials is a verified self-assessment - you complete a questionnaire about your controls and it is reviewed. Cyber Essentials Plus adds a hands-on technical audit, where an assessor actually tests your systems to confirm the controls genuinely work. Plus carries more weight and is sometimes mandated, but the standard certification is the right starting point for most. The deeper, technical detail of achieving the Plus audit lives in our Cyber Essentials Plus guide; this article is the plain-English overview.

Why businesses get certified

Beyond simply being more secure, certification brings concrete commercial benefits that often justify the effort on their own.

  • Winning work: many public-sector contracts and a growing number of private tenders require Cyber Essentials to bid at all.
  • Cheaper insurance: insurers increasingly favour or discount certified businesses - we cover this in the cyber insurance and CE Plus discount guide.
  • Customer trust: the badge reassures clients that you protect the data they share with you.
  • Real protection: the controls genuinely block the bulk of common, opportunistic attacks.
  • A solid foundation: it is a stepping stone toward bigger standards like ISO 27001 if you grow into them.

Cyber Essentials vs Plus vs ISO 27001

                  Cyber Essentials   CE Plus            ISO 27001
  How checked     Self-assess        Tech audit         Full audit
  Effort          Low                Medium             High
  Cost            Lowest             Higher             Highest
  Wins tenders    Often              Stronger           Strongest
  Best for        Most SMEs          Higher assurance   Larger / regulated

How hard is it to achieve?

Here is the part that surprises people: for a well-run small business, Cyber Essentials is usually quite achievable, often within a few weeks. The five controls are things you arguably should be doing anyway, so much of the work is confirming and tidying rather than building from scratch.

The basic certification is a self-assessment questionnaire reviewed by a certifying body, with a modest fee that scales by organisation size. The common stumbling blocks are mundane - unpatched devices, leftover admin accounts, default passwords, or unsupported software still in use - all fixable. A short readiness review against the five controls is the quickest route in, and it dovetails neatly with a wider risk assessment.
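A readiness review of this kind, as an added Python example (not Servnet's code or tooling): it checks a constructed device inventory against the five controls (CE-1 to CE-5) and flags the stumbling blocks listed above. The record field names, the approved-admin list and the 14-day patch-age threshold are assumptions for the illustration.

```python
"""Cyber Essentials readiness review over a constructed device inventory.

Added example, not Servnet's tooling: each device record is checked against
the five controls and the common stumbling blocks named in the article
(unsupported software, stale patches, default passwords, leftover admin
accounts). Field names and thresholds are assumptions for this illustration.
"""
from datetime import date

MAX_PATCH_AGE_DAYS = 14          # assumed threshold for "patched and up to date"
APPROVED_ADMINS = {"itadmin"}    # assumed list of accounts allowed admin rights
REVIEW_DATE = date(2025, 3, 10)  # constructed "today" for the sample run

# Constructed sample inventory; 'os_supported' = vendor still ships security updates
INVENTORY = [
    {"host": "laptop-01", "firewall_on": True, "default_creds": False,
     "admins": ["itadmin"], "antimalware_on": True, "os_supported": True,
     "last_patch": date(2025, 3, 1)},
    {"host": "reception-pc", "firewall_on": False, "default_creds": True,
     "admins": ["itadmin", "temp", "oldcontractor"], "antimalware_on": True,
     "os_supported": False, "last_patch": date(2024, 11, 20)},
]


def review_device(dev, today):
    """Return a list of (control_id, finding) tuples for one device record."""
    findings = []
    if not dev["firewall_on"]:
        findings.append(("CE-1", "host firewall disabled"))
    if dev["default_creds"]:
        findings.append(("CE-2", "default password still in use"))
    stray = sorted(set(dev["admins"]) - APPROVED_ADMINS)
    if stray:
        findings.append(("CE-3", "leftover admin accounts: " + ", ".join(stray)))
    if not dev["antimalware_on"]:
        findings.append(("CE-4", "no anti-malware protection"))
    if not dev["os_supported"]:
        findings.append(("CE-5", "unsupported operating system"))
    elif (today - dev["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        findings.append(("CE-5", "security updates older than 14 days"))
    return findings


def readiness_report(inventory, today):
    """Map each host with findings to them; an empty dict means ready to assess."""
    return {d["host"]: f for d in inventory if (f := review_device(d, today))}


if __name__ == "__main__":
    for host, findings in readiness_report(INVENTORY, REVIEW_DATE).items():
        for control, text in findings:
            print(f"{host}: [{control}] {text}")
```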

Is it right for you?

For most UK small and medium businesses, the answer is a fairly easy yes - especially if you bid for public-sector work, handle customer data, or want to demonstrate credible security without the cost of a full standard. It is the best value, highest-impact security credential available to a small firm.

Whether you do it yourself or get help, the smart move is to treat the five controls as your security baseline regardless of certification. Our dedicated Cyber Essentials service can take you through it, and it slots in beside everyday protections like endpoint security and the staff-side defences in phishing awareness. Certified or not, doing these things is simply running a sensible business in 2025.

Key takeaways

  • Cyber Essentials is a UK government-backed badge proving you have the basic security controls to stop most common attacks.
  • It covers five areas: firewalls, secure configuration, access control, malware protection and security updates.
  • Basic certification is a verified self-assessment; Cyber Essentials Plus adds a hands-on technical audit.
  • It wins contracts, can lower insurance and builds customer trust - benefits that often justify it on their own.
  • For a well-run small business it is genuinely achievable, often within weeks, since the controls are things you should do anyway.

Frequently asked questions

The scheme

What's the difference between Cyber Essentials and Cyber Essentials Plus?

Both cover the same five technical controls. Basic Cyber Essentials is a verified self-assessment questionnaire, while Cyber Essentials Plus adds a hands-on technical audit where an assessor tests your systems to confirm the controls actually work. Plus carries more weight; standard certification is the usual starting point.

Is Cyber Essentials a legal requirement?

Not generally, but it is increasingly required to win work - many public-sector contracts and a growing number of private tenders make it a condition of bidding. So while the law rarely forces it, the market often does, which is why so many businesses pursue it.

How much does Cyber Essentials cost?

The basic certification carries a modest fee that scales by organisation size, making it accessible even to very small firms. Cyber Essentials Plus costs more because of the technical audit involved. For most small businesses, the certification fee is small relative to the contracts and insurance benefits it unlocks.

Achieving it

How long does it take to get certified?

For a well-run small business, often just a few weeks. The five controls are things you should largely be doing already, so much of the effort is confirming and tidying rather than building from scratch. Allow longer if you discover unsupported software or unpatched systems that need fixing first.

What usually stops a business from passing?

The common stumbling blocks are mundane and fixable: unpatched or out-of-date devices, leftover admin accounts, unchanged default passwords, and unsupported software still in use. A short readiness review against the five controls usually surfaces these quickly so they can be addressed before assessment.
