Cyber Essentials

What is Cyber Essentials?

If you're exploring security certifications for your UK-based organisation, Cyber Essentials is likely on your radar. This government-backed scheme provides a clear framework for protecting against the most common cyber attacks—and for many organisations, it's becoming a prerequisite for doing business.

Key Takeaways

Point | Summary
What it is | UK government-backed certification scheme, overseen by the NCSC, built around 5 technical controls
Two levels | Cyber Essentials (self-assessment) and Cyber Essentials Plus (verified by technical audit)
Validity | 12 months; annual recertification required
Effectiveness | According to the NCSC, implementing the 5 controls correctly prevents the majority of common, opportunistic cyber attacks
Key requirement | Mandatory for many UK government contracts involving personal or sensitive data

Quick Answer: Cyber Essentials is a UK government cybersecurity certification built around 5 technical controls: Firewalls, Secure Configuration, Security Updates, User Access Control, and Malware Protection. It's required for many UK government contracts and valid for 12 months.

Understanding the scheme

Cyber Essentials is a UK government-backed certification scheme, overseen by the National Cyber Security Centre (NCSC). It provides a clear statement of the basic controls organisations should have in place to protect against common cyber threats.

Aspect | Details
Launched | 2014
Oversight | National Cyber Security Centre (NCSC)
Delivery partner | IASME Consortium (the sole Cyber Essentials partner since 2020; assessments are carried out by IASME-licensed certification bodies)
Validity | 12 months
Certification levels | Cyber Essentials (often called "Basic") and Cyber Essentials Plus

The scheme was developed because NCSC analysis showed that basic cyber hygiene stops most of the commodity, untargeted attacks organisations actually see. When implemented correctly, the five technical controls provide effective protection against the most common cyber threats targeting UK organisations; they are not designed to stop a determined, well-resourced attacker.

Why organisations pursue Cyber Essentials

Business drivers

For many organisations, Cyber Essentials certification is driven by specific business needs:

  • Government contracts. If you're bidding on UK government contracts that involve sensitive data, Cyber Essentials is often a requirement—not a nice-to-have.
  • Customer confidence. Certification demonstrates to customers and partners that you take security seriously and have implemented foundational controls.
  • Competitive positioning. In procurement processes and tenders, certification can differentiate you from competitors who lack this validation.
  • Insurance benefits. Eligible organisations (UK-based, whole organisation in scope, turnover under £20 million) are automatically offered cyber liability insurance with their certificate.

Security benefits

Beyond the business case, certification helps organisations establish genuine security improvements:

  • Attack prevention. The controls address the most common attack vectors and can significantly reduce your exposure.
  • Security baseline. Certification provides a solid foundation that you can build upon as your security programme matures.
  • Gap identification. The assessment process often reveals vulnerabilities or gaps that might otherwise go unnoticed.
  • Continuous improvement. Annual recertification creates a framework for ongoing security enhancement.

The five technical controls

Cyber Essentials focuses on five fundamental security controls that address the most common attack vectors:

Control | Purpose
Firewalls | Boundary and host firewalls that block unauthenticated inbound connections and expose only the services that are needed
Secure Configuration | Remove unnecessary software and accounts, change default passwords, and disable auto-run and unneeded services
Security Update Management | Run only supported software and apply vendor fixes for high and critical vulnerabilities promptly (the scheme expects within 14 days of release)
User Access Control | Give users only the access they need, keep administrative accounts separate from day-to-day accounts, and enforce strong authentication, including multi-factor authentication for cloud services
Malware Protection | Anti-malware software or application allow-listing to stop malicious code from running

These controls were selected because they address the techniques most commonly used by cyber criminals. While they won't protect against every possible threat, they provide meaningful defence against the attacks organisations are most likely to face.

Two certification levels

Cyber Essentials (Basic)

The basic level is a self-assessment certification where you complete an online questionnaire about your security controls.

Aspect | Details
Assessment type | Self-assessment questionnaire
Questions | Approximately 90 questions
Evidence required | Not at submission; answers are declared and signed off by a board member or equivalent
Verification | Answers reviewed by an assessor at the certification body
Cost | From £300 + VAT (tiered by organisation size)
Timeline | Varies based on your current readiness

Cyber Essentials Plus

The Plus level adds independent technical verification of your controls, providing stronger assurance.

Aspect | Details
Prerequisite | Valid Cyber Essentials certificate; the Plus audit must be completed within three months of it
Assessment type | Technical audit by an independent assessor from the certification body
Testing | External vulnerability scan, authenticated vulnerability scan of a sample of devices, and malware protection tests (e.g. downloading test files by email and browser)
Evidence required | Yes, verified on-site or remotely
Cost | From £1,500 + VAT (varies with organisation size and device count)
Timeline | Typically completed within 2–4 weeks of scheduling

Who should consider certification?

Mandatory for

  • UK government contract suppliers (certain contracts)
  • Ministry of Defence supply chain (handling defence information)
  • Public sector contracts involving sensitive data
  • NHS suppliers handling patient data

Worth considering for

Organisation type | Why certify
Any UK business | Establishes a baseline of security assurance
B2B companies | Often a customer or partner requirement
Growing companies | Creates a foundation for security maturity
International companies | Supports bidding for UK public sector and enterprise contracts
Supply chain participants | May be required by larger clients

What falls within scope

Typically included

Component | Coverage
Internet-connected devices | All devices that connect to the internet or sit on the boundary network
End-user devices | Laptops, desktops, tablets, phones (including personally owned devices used to access organisational data)
Servers | Web servers, file servers, application servers
Network equipment | Firewalls, routers, switches
Cloud services | IaaS, PaaS and SaaS holding organisational data or services (the controls you are responsible for configuring, such as user accounts and MFA)
Software | Operating systems, applications

Typically excluded

Component | Notes
Air-gapped systems | No internet connection
Physical security | Not assessed under this scheme
Personnel security | Not assessed under this scheme
Business continuity | Not assessed under this scheme
Third-party risk | Not directly assessed

How Cyber Essentials compares to other frameworks

Aspect | Cyber Essentials | ISO 27001 | SOC 2
Scope | 5 technical controls | Comprehensive ISMS | Trust Service Criteria
Assessment | Self-assessment or technical audit | External audit | External audit
Cost | £300–£5,000+ | £10,000–£50,000+ | £10,000–£50,000+
Timeline | Varies by readiness | 6–12 months typically | 4–6 months typically
Recognition | UK-focused | International | International (US-focused)
Best suited for | UK baseline requirements | Global enterprises | US/SaaS companies

For organisations just starting their compliance journey, Cyber Essentials often serves as a sensible first step before pursuing more comprehensive frameworks.

The certification journey

Step 1: Preparation

  • Understand the five controls and their requirements
  • Assess your current security posture
  • Implement any necessary changes
  • Document your environment and controls

Step 2: Basic certification

  • Select a certification body
  • Complete the self-assessment questionnaire
  • Submit for review
  • Receive certificate (if requirements are met)

Step 3: Plus certification (optional)

  • Must hold a valid Basic certificate
  • Schedule a technical audit
  • Undergo vulnerability scans and device testing
  • Receive Plus certificate (if requirements are met)

Ongoing: Annual recertification

  • Maintain controls throughout the year
  • Recertify before your certificate expires
  • Update your assessment for any significant changes

Common misconceptions

"Cyber Essentials makes us completely secure"
The reality is that Cyber Essentials establishes a baseline that protects against common attacks—it's not a guarantee against all threats. Think of it as a foundation, not a complete security programme.

"We're too small to need certification"
Cyber criminals often target smaller organisations precisely because they tend to have weaker defences. Size doesn't determine risk.

"Basic certification isn't meaningful"
Basic certification meets most government contract requirements and demonstrates a commitment to security. For many organisations, it's the appropriate level.

"We need Plus for government contracts"
Most contracts accept Basic certification; Plus is typically required only for higher-risk contracts involving particularly sensitive data or systems.

"Once certified, we're finished"
Certification must be renewed annually, and the controls need to be maintained continuously—not just at certification time.

The cyber liability insurance benefit

A unique aspect of Cyber Essentials certification:

Eligibility criteria (all required):

  • UK-based organisation
  • Whole organisation certified (no partial scope)
  • Annual turnover under £20 million

Coverage: up to £25,000 cyber liability insurance, provided automatically with the certificate at no extra cost.

This automatic insurance covers certain cyber incident costs, providing additional value beyond the certification itself. Check the policy wording: it is a basic policy and does not replace a dedicated cyber insurance product for larger or higher-risk organisations.

How Bastion can help

Achieving Cyber Essentials certification doesn't need to be complicated, but it does require attention to detail and a clear understanding of the requirements.

Challenge | How we help
Understanding requirements | Clear guidance on what each control requires and how it applies to your environment
Implementation | Additional hands for the technical work, so it is done right the first time
Self-assessment | Help navigating the questionnaire and avoiding common pitfalls
Plus preparation | Preparing your environment for the technical audit so there are no surprises
Annual renewal | Managing the recertification process and reminding you before your certificate expires

Working with a managed service partner means you're not learning the process through trial and error. We've helped many organisations through certification, and that experience translates into a smoother, more efficient path for you.


Ready to explore Cyber Essentials certification? Talk to our team