You’ve probably seen the term “Cyber Essentials” appearing more and more. On tender documents. In supply chain questionnaires. In emails from clients asking whether you’re certified. Maybe you’ve been putting it off because it sounds complicated, expensive, or both.
Here’s the good news: it’s neither. Cyber Essentials is a straightforward cybersecurity certification backed by the UK government. It proves that your business has the basic security controls in place to protect against the most common cyber threats.
This guide covers everything you need to know – in plain English – so you can decide whether it’s right for your business and how to get certified as quickly and painlessly as possible.
| Level | What It Involves | Best For |
|---|---|---|
| Cyber Essentials | A self-assessment questionnaire verified by an external assessor | Businesses that need to demonstrate baseline cybersecurity controls |
| Cyber Essentials Plus | Everything above, plus an independent, hands-on technical audit of your systems | Businesses handling sensitive data, government work, or answering supply chain security requirements |
**Firewalls.** Your business has a properly configured boundary between your internal network and the internet. This covers your main internet connection, your office routers and firewalls, and the home networks of remote workers (where a software firewall on the device itself is the usual answer).
Every in-scope device must sit behind a boundary firewall or run a host-based firewall. Default administrative passwords on firewalls and routers must be changed, inbound connections blocked unless there is a documented business need, and any remote administration interface disabled or protected (for example with multi-factor authentication or an IP allow list). Unnecessary services must be disabled.
**Secure configuration.** Your computers, servers, and devices are set up securely, with unnecessary software removed, default and unused accounts disabled, and only essential services running.
Every machine should be configured with security in mind, not convenience. Autorun features, guest accounts, and unnecessary software are removed or disabled, default passwords are changed, and users must authenticate (with a password, PIN or biometric that is protected against brute-force guessing) before they get access to the device.
**User access control.** People can only access the systems and data they need for their role. Admin accounts are tightly controlled and only used when a task actually needs them.
Regular users should not have admin rights on their own machines. Admin accounts should be separate from day-to-day accounts, have their own strong credentials, and never be used for email or web browsing. Cloud services must have multi-factor authentication enabled. Access should be reviewed regularly, and leavers' accounts removed or disabled as soon as they go.
**Malware protection.** Your devices are protected against viruses, ransomware, and other malicious software.
Anti-malware software must be installed on all in-scope devices, kept up to date, and configured to scan files automatically when they are accessed or downloaded and to block connections to known-malicious websites. An application allow list that only permits approved software to run is an acceptable alternative. Either way, users should not be able to run untrusted applications or switch the protection off.
**Security update management.** All software, firmware, and operating systems are kept up to date with the latest security patches, and only vendor-supported versions are in use.
Updates that fix vulnerabilities rated critical or high (CVSS v3 base score of 7.0 or above), or that the vendor describes as security fixes without giving a severity, must be applied within 14 days of release; enable automatic updates wherever the software supports it. Unsupported software (anything no longer receiving security updates from its vendor) must be removed, or moved out of the assessed scope by isolating it on its own segregated network.
The five Cyber Essentials controls align closely with the SECUR IT Success Framework - particularly the Resist and Control pillars. Certification gives you a verifiable baseline that sits within a broader security strategy.
The certification itself is not expensive. The cost, if there is one, comes from remediation – fixing the gaps that the assessment identifies. For businesses with a good IT provider already in place, most of the controls should already be covered.
- Cyber Essentials: basic certification for small to medium businesses.
- Cyber Essentials Plus: includes the hands-on technical audit and a verified vulnerability scan.
- Preparation and remediation support: expert help to get your network ready and close the gaps the assessment finds.
The most common reasons for failing the assessment are surprisingly simple:
- Unsupported software: if any device in your organisation is running an operating system or application that is no longer receiving security updates, you'll fail.
- Missing patches: critical or high-severity security patches that haven't been applied within 14 days of release will cause a failure.
- Admin rights for everyday users: if regular users have admin access on their machines, that's a fail.
- No multi-factor authentication: if your Microsoft 365, email, or other cloud accounts don't have MFA enabled, you'll fail.
- Default passwords: left unchanged on routers, firewalls, printers, or any other network devices.
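As an added example (not part of the original article, and not an assessor's or any certification body's tooling), the Python below turns the failure reasons above into a pre-check you can run over an exported device and account inventory before you apply. The inventory shape, field names, device names and dates are all assumptions constructed here; in practice you would feed it an export from your RMM, MDM or identity provider. It encodes the edges that trip people up: a patch that is exactly 14 days old is still inside the window, low-severity patches are not counted, and a designated admin account holding admin rights is not a finding.

```python
"""Pre-check of a device and account inventory against the common Cyber Essentials
failure reasons. Added example: not the article's or any assessor's tooling.
The inventory shape, device names and dates are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Cyber Essentials: fixes for critical/high vulnerabilities applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass
class Device:
    name: str
    os: str
    os_supported_until: Optional[date]            # None = vendor still supports it, no announced end date
    pending_patches: Dict[str, Tuple[str, date]]  # patch id -> (severity, release date)
    local_admins: Set[str]                        # accounts that currently hold local admin rights
    approved_admins: Set[str]                     # dedicated admin accounts that are allowed to
    default_credentials: bool                     # management interface still on vendor defaults


@dataclass
class CloudAccount:
    user: str
    mfa_enabled: bool


def check_device(d: Device, today: date) -> List[str]:
    """Return one finding string per failed control for a single device."""
    findings = []
    # Unsupported software: the end-of-support date has already passed.
    if d.os_supported_until is not None and d.os_supported_until < today:
        findings.append(f"{d.name}: {d.os} unsupported since {d.os_supported_until}")
    # Missing patches: only critical/high count, and only once the 14-day window has elapsed.
    for patch_id, (severity, released) in d.pending_patches.items():
        if severity in IN_SCOPE_SEVERITIES and today - released > PATCH_WINDOW:
            overdue = (today - released - PATCH_WINDOW).days
            findings.append(f"{d.name}: {severity} patch {patch_id} is {overdue} day(s) past the 14-day window")
    # Admin rights: anyone with local admin who is not a designated admin account.
    for user in sorted(d.local_admins - d.approved_admins):
        findings.append(f"{d.name}: regular user {user!r} has local admin rights")
    # Default passwords on network kit.
    if d.default_credentials:
        findings.append(f"{d.name}: default credentials still in use")
    return findings


def check_cloud(accounts: List[CloudAccount]) -> List[str]:
    """MFA must be on for every cloud account in scope."""
    return [f"{a.user}: MFA not enabled on cloud account" for a in accounts if not a.mfa_enabled]


def gap_report(devices: List[Device], accounts: List[CloudAccount], today: date) -> List[str]:
    """All findings across the estate; an empty list means no obvious CE blocker."""
    findings: List[str] = []
    for d in devices:
        findings.extend(check_device(d, today))
    findings.extend(check_cloud(accounts))
    return findings


# Constructed sample inventory (not real systems).
AS_OF = date(2025, 3, 1)
DEVICES = [
    Device("FS01", "Windows Server 2012 R2", date(2023, 10, 10), {}, {"Administrator"}, {"Administrator"}, False),
    Device("WS-07", "Windows 11", None,
           {"KB-A": ("critical", date(2025, 2, 10)),   # 19 days old: 5 days overdue
            "KB-B": ("high", date(2025, 2, 15)),       # exactly 14 days: still inside the window
            "KB-C": ("low", date(2025, 1, 1))},        # low severity: not a CE failure
           {"alice", "ws07-admin"}, {"ws07-admin"}, False),
    Device("PRN-1", "Printer firmware 4.2", None, {}, set(), set(), True),
]
ACCOUNTS = [CloudAccount("bob", mfa_enabled=False), CloudAccount("carol", mfa_enabled=True)]

if __name__ == "__main__":
    for line in gap_report(DEVICES, ACCOUNTS, AS_OF):
        print("FAIL", line)
```

Run it as-is to see the five findings the sample produces (the unsupported server, one overdue critical patch, one everyday user with admin rights, one printer on default credentials, and one account without MFA). Re-running with an earlier `today` shows KB-A dropping out once it is back inside the 14-day window, which is the check to keep in mind when you schedule a Plus audit date.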
Every one of these is preventable. With the right IT provider, they should never be an issue in the first place.
We’ve helped dozens of UK businesses achieve Cyber Essentials and Cyber Essentials Plus certification – first time, every time. We’ll handle the preparation, the remediation, and the assessment process.
Start with a free IT Health Check. We’ll assess your current posture against the five Cyber Essentials controls and tell you exactly where you stand – and what needs fixing before you apply.