Cyber Essentials Explained — What It Is, Why It Matters, and Who Needs It

explainer 8 min read Updated 2026-03-23

Cyber Essentials is the UK government’s baseline cybersecurity certification scheme. It defines five technical controls that prevent the most common cyberattacks. Only 3% of UK businesses hold it, despite 43% experiencing a cyber breach in 2025.

Here’s what you need to know: what the five controls are, who’s in scope, what it costs, why insurers expect it, and whether you should pursue certification.

What It Is

Cyber Essentials is a voluntary certification scheme operated by the National Cyber Security Centre (NCSC), part of GCHQ. It’s not a legal requirement for most SMEs, but it’s increasingly a baseline expectation: government contracts require it, large organisations expect it from their supply chain, cyber insurance premiums depend on it, and it’s becoming a market differentiator.

The scheme is built on five technical controls that address the vectors of the most common cyberattacks:

  1. Firewalls and internet gateways: Controls on what traffic enters and exits your network. Prevents unauthorised access, blocks known malicious sites, filters traffic by port and protocol. For SMEs, this typically means your router/firewall is configured correctly, not left at factory defaults, and updated.

  2. Secure configuration: Systems (servers, workstations, applications) are hardened against default vulnerabilities. Unnecessary services are disabled, default passwords are changed, access controls are configured to the principle of least privilege (users have only the permissions they need). Out-of-the-box configuration is almost always insecure; hardening takes it from exploitable to resilient.

  3. User access control: Every user has their own account and password. Admin access is restricted to users who need it. Accounts are disabled for former employees immediately. Passwords are strong (minimum 12 characters, no reuse). Multi-factor authentication is enabled on critical systems. Access is reviewed regularly and permissions adjusted as roles change.

  4. Malware protection: Antivirus or equivalent endpoint detection software is installed on all devices, configured to scan on access and on schedule, and updated automatically. This prevents execution of malicious code once it’s on a device (though it doesn’t prevent initial infection — that’s what email security is for).

  5. Security update management: Operating systems, applications, and third-party software are patched and updated regularly. Monthly patching is the baseline. Internet-facing systems (websites, email servers, remote access tools) are prioritised. Unpatched software is the single most commonly exploited attack vector.

That’s it. Not revolutionary, not expensive to implement, not mystical. These five controls address the attack vectors responsible for 80% of successful cyberattacks against SMEs.

Who’s in Scope

Voluntary: For most SMEs. Technically optional, but increasingly expected. If you’re selling to government, large enterprises, or regulated sectors, it’s often a requirement. If you use cyber insurance, it may be required by the insurer.

Mandatory for government contracts: Any government contract involving personal data, or data classified OFFICIAL or above, typically requires Cyber Essentials. Central government procurement rules mandate it. Local government procurement increasingly requires it.

Increasingly expected by supply chain partners: Large organisations now expect their suppliers to hold Cyber Essentials. If you supply to major customers, ask whether they require it — many do.

Practical reality: Even if it’s not formally required for your business, the certification has become a baseline compliance credential. It signals to customers, partners, and insurers that you’ve thought about security and are taking reasonable steps to protect their data.

How It Works

There are two versions.

Cyber Essentials (Standard): You complete a self-assessment questionnaire confirming you meet the five controls. No independent verification. Cost: typically £300–£400 per year (pricing varies by assessor). Time to certification: 1–2 months from application to certificate.

Cyber Essentials Plus: An accredited assessor conducts an on-site technical verification of the controls. They connect to your systems, scan your infrastructure, interview your staff, verify your access controls, confirm your patching process. More thorough, higher cost (£600–£1,200), but stronger credential — insurers and government buyers often prefer Plus over standard.

The Five Controls in Practice

Let’s translate the abstract into what it actually means for a typical SME.

Firewalls: Your router/firewall should be configured to block incoming traffic on ports you don’t use. For a typical small business with a website and email, you’re opening ports 80 (HTTP), 443 (HTTPS), and 25/587 (email). Everything else is blocked. Your firewall should also have anti-malware scanning enabled and should block known malicious sites.

Default firewall configuration leaves many ports open — you must explicitly close them. If you’re not sure whether your firewall is configured correctly, ask your IT provider or hosting company.
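The port allowlist above is easy to check against what a host is actually listening on. The following is an added example, not code from the original article or from the NCSC: it parses a constructed snippet in the shape of `ss -tlnH` output and reports every non-loopback listener on a port outside the article's allowlist (80, 443, 25, 587). On a real server you would feed it the live command output; the sample lines, the hostnames and the port numbers in it are constructed.

```python
"""Audit listening TCP ports against a Cyber Essentials-style allowlist.

Added example (not from the original article). SAMPLE_SS_OUTPUT is a
constructed snippet in the shape of `ss -tlnH`; on a real host pipe the
live command output into parse_listening_ports() instead.
"""
import re
from dataclasses import dataclass

# Ports the article says a typical small business needs open:
# HTTP, HTTPS, and SMTP / mail submission. Everything else should be closed.
ALLOWED_INBOUND = {80, 443, 25, 587}

# Constructed sample (state, recv-q, send-q, local address, peer address).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 128 [::]:5432 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    @property
    def is_loopback(self) -> bool:
        # Services bound only to localhost are not reachable from the internet.
        return self.address in ("127.0.0.1", "::1")


# Local address is either "[v6addr]:port" or "v4addr:port" (or "*:port").
_LOCAL_RE = re.compile(r"^(?P<addr>\[[^\]]*\]|[^:]+):(?P<port>\d+)$")


def parse_listening_ports(ss_output: str) -> list[Listener]:
    """Turn ss-style lines into Listener records; non-LISTEN lines are ignored."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        match = _LOCAL_RE.match(fields[3])
        if not match:
            continue
        address = match.group("addr").strip("[]")
        listeners.append(Listener(address, int(match.group("port"))))
    return listeners


def unexpected_exposures(listeners, allowed=ALLOWED_INBOUND) -> list[Listener]:
    """Listeners on a non-loopback address whose port is not on the allowlist."""
    return sorted(
        (l for l in listeners if not l.is_loopback and l.port not in allowed),
        key=lambda l: (l.port, l.address),
    )


if __name__ == "__main__":
    for l in unexpected_exposures(parse_listening_ports(SAMPLE_SS_OUTPUT)):
        print(f"close the service or block it at the firewall: {l.address}:{l.port}")
```

Anything the script lists is either a service that should be stopped or a port the firewall must block; the mail listener on 127.0.0.1 and the second database listener are left alone because nothing outside the host can reach them.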

Secure configuration: Windows and macOS come with factory defaults that prioritise ease-of-use over security. Hardening means: disable unnecessary services, set strong password policies, enable encryption on laptops and servers, restrict access to sensitive directories. For hosted services (Microsoft 365, Google Workspace, Shopify), it means configuring access controls, enabling MFA, setting data retention policies, and removing unnecessary third-party integrations.

User access control: Shared passwords are out. Every person gets their own account. Admin access is restricted. If you have IT staff, they get two accounts — one for daily work (regular user), one for admin tasks (locked away, used sparingly). Passwords are minimum 12 characters. If you use a password manager, users don’t have to remember them. Multi-factor authentication is enabled on email, admin panels, and financial systems.
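The access-control points in the two paragraphs above (no shared logins, leavers disabled, 12-character minimum, MFA on privileged accounts, a separate admin account for IT staff) can be turned into a repeatable check over your account inventory. This is an added example, not code from the article or from any directory product: the account records and the HR leavers list are constructed, and the field names (`owner`, `password_length`, and so on) are assumptions standing in for whatever your directory and password-policy tooling export.

```python
"""Audit a user-account inventory against the article's access-control points.

Added example, not from the original article. ACCOUNTS and LEAVERS are
constructed; in practice they come from your directory (Active Directory,
Microsoft 365, Google Workspace) and from HR. Field names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

MIN_PASSWORD_LENGTH = 12  # the article's minimum


@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]   # person the account belongs to; None means shared/generic
    is_admin: bool
    mfa_enabled: bool
    enabled: bool
    password_length: int   # as reported by password-policy tooling (constructed here)


# Constructed sample inventory.
ACCOUNTS = [
    Account("alice", "alice", False, True, True, 16),
    Account("alice-admin", "alice", True, True, True, 20),   # separate admin account
    Account("bob", "bob", True, False, True, 14),            # admin rights on daily login, no MFA
    Account("reception", None, False, False, True, 8),       # shared front-desk login
    Account("jane.doe", "jane.doe", False, True, True, 12),  # has left the company
]
LEAVERS = {"jane.doe"}  # constructed HR leavers list


def audit_accounts(accounts: list[Account], leavers: set[str]) -> list[tuple[str, str]]:
    """Return (username, finding) pairs for every check an enabled account fails."""
    # People who have at least one enabled, non-admin account for daily work.
    daily_users = {a.owner for a in accounts if a.owner and not a.is_admin and a.enabled}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled: nothing to flag
        if a.owner is None:
            findings.append((a.username, "SHARED_ACCOUNT"))
        elif a.owner in leavers:
            findings.append((a.username, "LEAVER_STILL_ENABLED"))
        if a.password_length < MIN_PASSWORD_LENGTH:
            findings.append((a.username, "PASSWORD_TOO_SHORT"))
        if a.is_admin and not a.mfa_enabled:
            findings.append((a.username, "ADMIN_WITHOUT_MFA"))
        if a.is_admin and a.owner and a.owner not in daily_users:
            # Admin rights on the only account this person has means admin
            # privileges are used for email, browsing and everyday work.
            findings.append((a.username, "ADMIN_USED_FOR_DAILY_WORK"))
    return findings


if __name__ == "__main__":
    for username, finding in audit_accounts(ACCOUNTS, LEAVERS):
        print(f"{username}: {finding}")
```

Run this before the assessment rather than after: each finding maps directly to a questionnaire answer, and the Plus assessor will look for exactly these conditions.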

Malware protection: All devices (laptops, desktops, servers) run antivirus or equivalent. Windows Defender (built into Windows 10/11) is sufficient for basic protection. macOS has built-in Gatekeeper and XProtect. Servers may need third-party endpoint detection and response (EDR) depending on your setup. All devices are kept updated automatically.

Security updates: Monthly patching schedule. First Tuesday of the month is common (Patch Tuesday). You review available patches, prioritise critical and security patches, test on a non-production system if necessary, then deploy. Automatic updates are the simplest approach — enable them and let your OS and applications patch themselves.
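The ordering the paragraph describes (internet-facing systems first, critical and security patches ahead of the rest, then deploy) is a small sorting problem once your patch-management tool exports a list of pending updates. The following is an added example, not code from the article or from any patch-management product: the pending-update records and the reference date are constructed, and the 30-day overdue window is an assumption chosen to match the article's monthly baseline (it is a parameter you can tighten).

```python
"""Order pending security updates and flag the ones that have slipped.

Added example, not from the original article. PENDING and REFERENCE_DATE are
constructed; the 30-day SLA is an assumption matching the article's monthly
patching baseline and is passed in as a parameter.
"""
from dataclasses import dataclass
from datetime import date

# Lower rank sorts first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class PendingUpdate:
    host: str
    package: str
    severity: str          # vendor severity: critical / high / medium / low
    internet_facing: bool  # the article says these systems are prioritised
    released: date         # date the vendor published the fix


# Constructed sample, as if exported from a patch-management tool.
PENDING = [
    PendingUpdate("web01", "nginx", "high", True, date(2026, 2, 10)),
    PendingUpdate("web01", "openssl", "critical", True, date(2026, 3, 15)),
    PendingUpdate("mail01", "postfix", "medium", True, date(2026, 3, 1)),
    PendingUpdate("fs01", "samba", "critical", False, date(2026, 2, 1)),
    PendingUpdate("pc-07", "libreoffice", "low", False, date(2026, 3, 20)),
]
REFERENCE_DATE = date(2026, 3, 23)  # constructed "today" so the output is reproducible


def prioritise(updates, today, sla_days=30):
    """Return (update, overdue) pairs: internet-facing first, then severity, then oldest."""
    ordered = sorted(
        updates,
        key=lambda u: (not u.internet_facing, SEVERITY_RANK[u.severity], u.released),
    )
    return [(u, (today - u.released).days > sla_days) for u in ordered]


def overdue_packages(updates, today, sla_days=30):
    """Just the package names that have been outstanding longer than the SLA."""
    return [u.package for u, late in prioritise(updates, today, sla_days) if late]


if __name__ == "__main__":
    for u, late in prioritise(PENDING, REFERENCE_DATE):
        flag = "OVERDUE" if late else "ok"
        print(f"{flag:8} {u.host:8} {u.package:12} {u.severity:8} "
              f"{'internet-facing' if u.internet_facing else 'internal'}")
```

The overdue list is the one to act on first and the one an assessor will ask about; the full ordered list is your deployment plan for the next patch window.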

Cyber Essentials Plus: What’s Different

The main difference is technical verification. An accredited assessor visits your site (or connects remotely), conducts security scans, reviews your systems and policies, and verifies the controls are actually implemented and working.

This is valuable because self-assessment is inherently optimistic. A business completing the standard questionnaire might believe they’ve disabled unnecessary services — until an assessor’s scan finds they’re still running. An organisation might claim they’re enforcing password policies — until the assessor discovers shared credentials.

Plus certification costs more and takes longer (typically 2–3 months), but it’s more defensible. If a breach occurs, you can demonstrate that an independent third party verified your controls were in place.

Cost and Timeline

Standard (self-assessment):

  • Assessment fee: £300–£400 per year (varies by assessor)
  • Time to certification: 1–2 months
  • Timeline: Complete questionnaire → Submit → Assessor reviews → Certificate issued
  • Effort: 10–20 hours of your time (depending on current documentation)

Plus (independent verification):

  • Assessment fee: £600–£1,200 per year
  • Time to certification: 2–3 months
  • Timeline: Application → Technical assessment (1–2 days on-site or remote) → Report → Certificate
  • Effort: 20–40 hours of your time (implementing controls) + assessor time

Prices vary by assessor. Search the NCSC’s list of approved assessors for current pricing.

Why This Matters

Insurance: Cyber insurance premiums depend on your security posture. Insurers increasingly require Cyber Essentials (or equivalent) as a condition of coverage. A business without the certification may find premiums much higher or coverage restricted.

Government contracts: Central government procurement requires Cyber Essentials for contracts involving personal data. Many local councils and public-sector organisations also require it.

Supply chain: Large enterprises now ask their suppliers for Cyber Essentials. If you supply to major customers, you may be asked to hold it.

Breach resilience: NCSC data shows that Cyber Essentials-certified organisations are significantly less likely to suffer a breach. The controls work — they prevent the most common attacks.

Reputational: Certification is a market signal. Listing “Cyber Essentials certified” on your website, proposals, and marketing materials demonstrates you take security seriously.

Who Doesn’t Need It (But Maybe Should)

Sole traders without employees or customers don’t have a regulatory requirement. But if you process customer data, employ people, or have sensitive business information, the controls are still relevant — you’re just not pursuing formal certification.

Organisations in certain heavily regulated sectors (finance, healthcare, utilities) may have sector-specific cybersecurity requirements that go beyond Cyber Essentials. They should pursue Cyber Essentials as a foundation, then add sector-specific controls.

What Cyber Essentials Doesn’t Cover

Cyber Essentials is baseline security, not comprehensive security. It doesn’t include:

  • Penetration testing (active attack simulation)
  • Vulnerability assessment (detailed technical scanning)
  • Incident response planning (though your incident response readiness is part of the assessment)
  • Staff training and awareness (though basic training is expected)
  • Advanced threats like zero-day vulnerabilities or targeted attacks
  • Compliance with broader regulations (GDPR, data subject rights, etc.)

If you need more comprehensive security assessment, you’d pursue penetration testing or a full security audit. But for most SMEs, Cyber Essentials is the right baseline.

Getting Certified

Step 1: Find an assessor. Search the NCSC’s website for approved assessors in your region. Contact 2–3 assessors and ask about pricing, timeline, and support they provide during implementation.

Step 2: Implement the controls. Before applying, ensure you meet the five controls. This takes 2–4 weeks for most SMEs starting from a baseline. Our guide to preparing for Cyber Essentials walks through this.

Step 3: Complete the assessment. For standard, complete the self-assessment questionnaire. For Plus, the assessor conducts the technical assessment.

Step 4: Certification. Once approved, you receive a certificate valid for one year. You renew annually to maintain certification.

What About the Cyber Security and Resilience Bill?

The Cyber Security and Resilience Bill, expected to pass in 2026, will expand cybersecurity regulation beyond Cyber Essentials. It’s likely to introduce mandatory requirements for wider organisations (moving beyond the current NIS scope) and new incident reporting obligations. But Cyber Essentials will likely remain the baseline voluntary standard.

If you’re in digital services, managed services, or critical sectors, start tracking the Bill’s progress.

Next Steps

If you’re starting from scratch: Read our guide to where to start. Implement the five controls, then pursue certification.

If you want to understand what’s in your way: Bartram Cyber combines external scanning with a questionnaire assessment and gives you a detailed readiness report.

If you’re ready for certification: Use our step-by-step guide to preparing for Cyber Essentials and engage an accredited assessor.

And remember: Cyber Essentials isn’t a box-tick exercise. It’s a baseline security standard that actually reduces your breach risk. Organisations with Cyber Essentials are significantly less likely to suffer cyberattacks than those without it.
