Independent, plain-English guidance on UK Cyber Essentials certification — what it covers, what it costs, why it matters, and how to pass first time. No certification body. No sales pitch. Just straight advice.
Cyber Essentials is a UK Government-backed certification scheme developed by the National Cyber Security Centre (NCSC). It sets out five technical controls that, when properly in place, protect against the vast majority of common internet-based attacks targeting UK businesses.
It is not a full security audit. It is a verified baseline — a way of demonstrating that the most commonly exploited vulnerabilities in your business have been closed. Think of it as the MOT of cybersecurity: it does not guarantee nothing will ever go wrong, but it confirms the fundamentals are in order.
First launched in 2014, the scheme is administered by the IASME Consortium on behalf of the NCSC. Certification is renewed annually.
What it confirms: that five fundamental security controls are in place and verified — firewalls, secure configuration, access control, malware protection, and patch management.
What it is not: a guarantee of complete security, a penetration test, or an ISO 27001 equivalent. It is a baseline — the starting point, not the ceiling.
Who runs it: the IASME Consortium, appointed by the NCSC as the delivery partner. Certification bodies are IASME-accredited assessors — not the NCSC directly.
How often it is renewed: annually. The cyber threat landscape changes constantly — annual renewal ensures the controls remain current and the certification remains meaningful.
Cyber Essentials requires five technical controls to be verifiably in place. These are not complex enterprise measures — they are the fundamentals that most attacks exploit when absent. Under the current v3.3 standard, the bar has been raised in several areas, particularly around MFA and patch management.
Firewalls: a boundary firewall must sit between your internet connection and your devices — including routers and any software firewall on devices that connect directly to the internet. Default configurations that expose unnecessary services are a fail. Home routers used for business must also meet the standard.
Secure configuration: devices and software must be configured securely from the outset — default passwords changed, unnecessary software removed, and only the services you actually need left running. Factory default router passwords are one of the most common failure points on first submission.
Access control: user accounts should only have the access they genuinely need, and admin rights must be restricted to those who require them. Under v3.3, Multi-Factor Authentication (MFA) is mandatory on all cloud services — Microsoft 365, Google Workspace, cloud storage, everything. Partial rollout does not satisfy the requirement.
Malware protection: protection against malicious software must be in place on all in-scope devices. This can be achieved through application allowlisting, sandboxing, or signature-based malware scanning — the approach must be appropriate for the device type and kept up to date.
Patch management: software and operating systems must be kept up to date. Critical and high-severity patches must be applied within 14 days of release. Any software no longer supported by its vendor — including Windows 10 after October 2025 — must be removed from scope or updated. This is the most commonly failed control.
There are two levels. Which one you need depends on what you are trying to achieve and who is asking for it.
Cyber Essentials (CE): a verified self-assessment. You complete a questionnaire about your controls, which is reviewed and verified by a certification body. There is no independent technical testing of your systems.
Cyber Essentials Plus (CE Plus): everything in CE, plus an independent technical audit of your actual systems — verifying that the controls are genuinely in place and working, not just described.
The free insurance benefit. UK organisations with annual turnover under £20 million that achieve Cyber Essentials certification for their whole organisation automatically receive £25,000 of cyber liability insurance — including access to a 24-hour incident response helpline. For many SMEs, this alone offsets a significant portion of the certification cost.
Source: IASME Consortium
Until recently, CE was largely seen as relevant only to government suppliers. That picture has changed significantly — particularly since April 2025.
Mandatory for all public sector contracts involving personal data or IT services. Required for all contracts over £5 million since April 2025.
NHS Supply Chain requires CE Plus from suppliers handling NHS data or providing digital services. This cascades to subcontractors.
The Defence Cyber Certification scheme, in force since December 2025, requires CE as the baseline across all four certification levels.
Large organisations are now required to audit CE coverage across their supplier base. If you supply a larger business, expect to be asked.
Cyber insurers use CE as a benchmark. Certified businesses receive better rates, fewer exclusions, and stronger cover — some policies now require it.
Even without a contractual requirement, the five controls address the vulnerabilities behind the majority of successful attacks on UK SMEs.
A failed submission delays certification by weeks and incurs re-assessment costs. These are the most common reasons — almost all of them avoidable with a proper gap analysis beforehand.
Unsupported software in scope: running Windows 10 after its October 2025 end-of-support date, or any application that no longer receives security patches, is an automatic fail. Check every device in scope before submitting.
Incomplete MFA rollout: partial rollout — where some cloud accounts have MFA and others don't — does not satisfy the v3.3 requirement. MFA must be active on all cloud services used by all staff. No exceptions.
Factory default passwords: router, firewall, and network equipment factory passwords that have never been changed are a straightforward fail. This includes home routers used for business purposes.
Day-to-day use of administrator accounts: staff browsing the web, reading email, and running standard applications with full administrator privileges is a control failure under the access control requirement.
Describing planned rather than current controls: the assessment covers what is in place right now — not what you plan to implement. Answering questions about future state rather than current state is one of the most common causes of rejection on review.
Unjustified scope exclusions: attempting to exclude devices or cloud services from scope without proper justification raises immediate flags. Everything that handles business data or connects to the internet needs to be justified in or out of scope with clear reasoning.
A pre-assessment gap analysis prevents almost all of these. Working through each control against your actual current setup before spending money on the formal assessment gives you a clear list of what needs fixing — and avoids the cost and delay of a failed submission. For most SMEs, this takes a few hours with someone who knows the standard well.
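The gap analysis described above can be made repeatable by checking an inventory of devices and accounts against the pass/fail rules the five controls and the common-failure list set out. The script below is an added example, not code from this page, IASME or the NCSC; the inventory layout, field names and sample data are constructed for illustration, and the rules it applies are only the ones stated here: no vendor-unsupported software in scope, critical and high-severity patches applied within 14 days, no factory-default network passwords, no unnecessary services exposed at the boundary, malware protection on every in-scope device, MFA on every cloud account, and no day-to-day use of administrator accounts.

```python
"""Pre-assessment gap check against the five Cyber Essentials controls.

Added example, not part of the original page. The inventory schema and
sample records are assumptions; the pass/fail rules follow the guide text.
"""
from datetime import date

PATCH_WINDOW_DAYS = 14  # critical/high patches must be applied within 14 days of release
CONTROLS = ("firewalls", "secure_configuration", "access_control",
            "malware_protection", "patch_management")

# Constructed sample inventory (hypothetical devices, users and patch ids).
INVENTORY = {
    "devices": [
        {"name": "LAPTOP-01", "os": "Windows 11", "vendor_support_end": None,
         "in_scope": True, "malware_protection": True,
         "pending_patches": [{"id": "PATCH-EXAMPLE-1", "severity": "critical",
                              "released": "2026-02-01"}]},
        # Windows 10 left vendor support in October 2025 (date is an assumption here).
        {"name": "LAPTOP-02", "os": "Windows 10", "vendor_support_end": "2025-10-14",
         "in_scope": True, "malware_protection": True, "pending_patches": []},
        {"name": "DESK-03", "os": "Windows 11", "vendor_support_end": None,
         "in_scope": True, "malware_protection": False,
         "pending_patches": [{"id": "PATCH-EXAMPLE-2", "severity": "high",
                              "released": "2026-01-10"}]},
    ],
    "network": [
        {"name": "office-router", "default_password_changed": True,
         "internet_exposed_services": []},
        # A home router used for business is in scope like any other boundary device.
        {"name": "home-router-director", "default_password_changed": False,
         "internet_exposed_services": ["remote-admin"]},
    ],
    "cloud_accounts": [
        {"user": "alice", "service": "Microsoft 365", "mfa": True},
        {"user": "bob", "service": "Microsoft 365", "mfa": False},
        {"user": "bob", "service": "Google Workspace", "mfa": True},
    ],
    "user_accounts": [
        {"user": "alice", "admin": False, "daily_use": True},
        {"user": "bob", "admin": True, "daily_use": True},
        {"user": "admin-alice", "admin": True, "daily_use": False},
    ],
}


def _days_since(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days


def gap_analysis(inventory, today):
    """Return {control: [finding, ...]}; an empty list means that control has no known gap."""
    findings = {control: [] for control in CONTROLS}

    for dev in inventory["devices"]:
        if not dev["in_scope"]:
            continue  # out-of-scope devices still need a justification, but are not checked here
        end = dev["vendor_support_end"]
        if end and date.fromisoformat(end) <= today:
            findings["patch_management"].append(
                f"{dev['name']}: {dev['os']} unsupported since {end}; upgrade or remove from scope")
        for patch in dev["pending_patches"]:
            if patch["severity"] in ("critical", "high"):
                age = _days_since(patch["released"], today)
                if age > PATCH_WINDOW_DAYS:
                    findings["patch_management"].append(
                        f"{dev['name']}: {patch['id']} ({patch['severity']}) outstanding "
                        f"{age} days, limit is {PATCH_WINDOW_DAYS}")
        if not dev["malware_protection"]:
            findings["malware_protection"].append(f"{dev['name']}: no malware protection in place")

    for net in inventory["network"]:
        if not net["default_password_changed"]:
            findings["secure_configuration"].append(f"{net['name']}: factory default password unchanged")
        for service in net["internet_exposed_services"]:
            findings["firewalls"].append(f"{net['name']}: '{service}' exposed to the internet")

    # MFA must be active on every cloud account; partial rollout is reported per account.
    for acct in inventory["cloud_accounts"]:
        if not acct["mfa"]:
            findings["access_control"].append(f"{acct['user']} on {acct['service']}: MFA not enabled")

    for acct in inventory["user_accounts"]:
        if acct["admin"] and acct["daily_use"]:
            findings["access_control"].append(
                f"{acct['user']}: administrator account used for day-to-day work")

    return findings


def passes(findings):
    """True only when every control has no findings."""
    return all(not items for items in findings.values())


if __name__ == "__main__":
    result = gap_analysis(INVENTORY, date(2026, 2, 10))
    for control, items in result.items():
        print(f"{control}: {'OK' if not items else ''}")
        for item in items:
            print(f"  - {item}")
    print("READY TO SUBMIT" if passes(result) else "FIX THE ABOVE BEFORE SUBMITTING")
```

Running it with the sample inventory produces one finding for each of the common failures the guide lists, which is the point: the check is against what is in place on the assessment date, so re-running it after remediation is the evidence that the current state, not the planned one, is what goes on the questionnaire.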
GET-IT Cyber Division supports UK SMEs through the full Cyber Essentials process — from initial gap analysis and remediation through to submission and certification, with a first-time pass guarantee. A free 30-minute readiness call tells you exactly where you stand.
[ Remote · First-time pass guarantee · No jargon · UK-based ]