Preparing for Cyber Essentials Certification — A Step-by-Step Guide
Cyber Essentials certification costs a few hundred pounds a year (the basic self-assessment is priced in tiers by organisation size, roughly £320–£600 plus VAT; Cyber Essentials Plus costs more) and takes 1–3 months from start to certification. It signals to customers, partners and insurers that you have implemented baseline security controls and are serious about protecting data.
This guide walks you through the entire process: understanding the five controls, implementing them, choosing an assessor, completing the assessment, and maintaining your certification.
Before You Start
Cyber Essentials isn’t mandatory for most SMEs, but it becomes compulsory if you:
- Bid for government contracts involving personal data or classified information
- Supply to large enterprises that require it from their supply chain
- Have cyber insurance that requires it as a condition of coverage
Even if it’s not mandatory for your business, certification demonstrates security investment and is increasingly expected. Only 3% of UK businesses hold it, which makes it a market differentiator.
The Five Controls You Need to Implement
Cyber Essentials certification requires demonstrating you meet five controls. Here’s what each means and what you need to do.
1. Firewalls and Internet Gateways
Your firewall (usually your internet router or a dedicated firewall appliance) controls what traffic enters and exits your network.
What you need to do:
- Change the firewall's administrative password from the manufacturer default to a strong, unique one
- Do not expose the firewall's admin interface to the internet; if there is a documented business need to, protect it with MFA or restrict it to an allow-list of source IP addresses
- Disable unused internet-facing services (UPnP, WPS, remote management)
- Block all unauthenticated inbound connections by default and open only the ports you use; record the business reason for each inbound rule and remove rules that are no longer needed
- Enable logging of firewall activity
- Enable automatic security updates for firewall firmware
- Laptops and phones used on untrusted networks (home, hotel or café Wi-Fi) also need a host (software) firewall enabled
- If you have a web server, ensure only ports 80 (HTTP) and 443 (HTTPS) are open to the public
- If you run your own mail server, open only the email ports you actually need (25 for SMTP, 587 for submission, 993 for IMAPS) and nothing else
How to check it worked:
Run an nmap port scan against your public IP address from a host outside your network (a cloud VM or a colleague's home connection), or use an online port-check service. Only the ports you intentionally opened should respond. Shodan is useful as a second opinion because it shows what internet-wide scanners have already recorded for your address, but it is not a scanner you run yourself.
Effort: 30–60 minutes for most SMEs.
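A concrete way to do that check, as an added example that is not part of the original guide: run nmap from outside, keep the grepable output as evidence, and diff the open ports against the list you documented as intentionally exposed. The host address, scan results and allow-list below are constructed sample data; the `nmap -oG` output format itself is real.

```python
"""Compare an external nmap scan against the documented list of intentionally
exposed ports (added example, not part of the original guide).

Assumptions (not from the page): the scan was run from outside the network
with `nmap -Pn -oG scan.gnmap <public-ip>` and the grepable output is pasted
in below. 203.0.113.10, the results and ALLOWED are constructed sample data."""

import re

# Constructed sample of `nmap -oG` output for a small web + mail host.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  6 09:00:00 2025 as: nmap -Pn -oG scan.gnmap 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (994)
# Nmap done at Mon Jan  6 09:01:12 2025 -- 1 IP address (1 host up) scanned in 72.33 seconds
"""

# What the firewall rule set is documented to allow inbound (constructed example).
ALLOWED = {("tcp", 25), ("tcp", 80), ("tcp", 443)}

# One entry of the Ports: field looks like  22/open/tcp//ssh///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_open_ports(gnmap):
    """Return {(host, proto, port): service} for every port nmap reports as open."""
    found = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":           # closed/filtered entries are not exposure
                found[(host, proto, int(port))] = service
    return found


def unexpected_exposure(gnmap, allowed=ALLOWED):
    """Open ports that are not on the documented allow list, sorted for the evidence log."""
    return sorted(
        (host, proto, port, service)
        for (host, proto, port), service in parse_open_ports(gnmap).items()
        if (proto, port) not in allowed
    )


if __name__ == "__main__":
    for host, proto, port, service in unexpected_exposure(SAMPLE_GNMAP):
        print(f"UNEXPECTED {host} {port}/{proto} ({service}): close it or document the business need")
```

On the sample data the script flags 22/tcp (SSH, which should be behind a VPN or an IP allow-list rather than open to the world) and 8080/tcp (a proxy nobody documented). Keep the scan file and the script output together as evidence for the assessor.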
2. Secure Configuration
Systems (servers, workstations, applications) should be hardened rather than left on vendor defaults. Out-of-the-box configuration usually favours convenience over security: unnecessary services running, sample content present and default credentials still set.
What you need to do:
- Operating systems: Disable unnecessary services (Windows: disable NetBIOS over TCP/IP and LLMNR; Linux: disable unused daemons). Enable Microsoft Defender Antivirus or equivalent. Enable a host firewall (Windows Defender Firewall; nftables, ufw or iptables on Linux). Disable auto-run/auto-play for removable media and set devices to lock after a short period of inactivity.
- User accounts: Enforce a password policy that matches the Cyber Essentials rules (minimum 12 characters without MFA, or 8 with MFA; a deny list that blocks common passwords; no forced periodic expiry or complexity rules, which NCSC guidance advises against). Disable the Guest account. Remove unnecessary admin accounts and any accounts that are no longer used.
- Applications: Change default admin passwords immediately after installation. Disable debug modes and verbose error output. Update to a current, vendor-supported version.
- Web servers: Disable directory listing. Remove sample files and documentation. Disable unnecessary modules (PHP, CGI if not needed).
- CMS platforms (WordPress, Joomla): Remove sample content and unused plugins and themes. Change the admin username from “admin” to something unique. Set file permissions so the web server process cannot write to application code.
How to check it worked:
For Windows: secpol.msc (Local Security Policy > Account Policies > Password Policy) or `net accounts` should show the minimum length you set; on a domain, check the Default Domain Policy instead. For web servers: request paths such as /admin, /wp-admin, /config.php and /.env from outside the network. Admin paths should present a login page; configuration, backup and repository files should return 403 or 404, never their contents.
Effort: 4–8 hours depending on your environment complexity.
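The web-server part of that check, as an added example that is not part of the original guide: request a list of commonly exposed paths and turn each response into a verdict for the evidence log. The base URL and the path list are constructed; the `fetch` parameter exists only so the logic can be exercised offline against a fake responder, and you should only point it at hosts you are authorised to test.

```python
"""Probe a web server for admin, config and backup paths that should not be
served without authentication (added example, not from the original guide).

Assumptions (not from the page): BASE_URL is a placeholder for a host you own;
PROBE_PATHS is a constructed list of paths that default installs commonly
leave reachable. Nothing here is specific to one CMS."""

import urllib.error
import urllib.request
from urllib.parse import urljoin

BASE_URL = "https://www.example.com/"   # placeholder: replace with a host you are authorised to test

# Paths a default install or careless deploy commonly leaves reachable (constructed list).
PROBE_PATHS = [
    "/admin/", "/wp-admin/", "/wp-login.php", "/administrator/",
    "/wp-config.php.bak", "/config.php", "/.env", "/.git/HEAD",
    "/phpinfo.php", "/server-status", "/backup.zip",
]


def http_fetch(url):
    """GET url, follow redirects, return (final status, final URL); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "ce-config-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, url


def classify(path, status, redirected):
    """Turn one probe result into a verdict for the evidence log."""
    if status in (401, 403, 404, 410):
        return "ok"                    # blocked or absent, which is what we want
    if redirected:
        return "check-redirect"        # usually bounced to a login page; confirm by hand
    if status == 200:
        if ("admin" in path or "login" in path) and path.endswith(("/", ".php")):
            return "login-page?"       # an admin UI may legitimately serve its own login form
        return "EXPOSED"               # config, backup, repo or status page served in the clear
    return f"check-{status}"           # anything else (5xx, 405, ...) needs a look


def probe_paths(base_url=BASE_URL, paths=PROBE_PATHS, fetch=http_fetch):
    """Probe every path and return {path: verdict}."""
    verdicts = {}
    for path in paths:
        url = urljoin(base_url, path)
        status, final_url = fetch(url)
        verdicts[path] = classify(path, status, final_url != url)
    return verdicts


if __name__ == "__main__":
    for path, verdict in probe_paths().items():
        print(f"{verdict:15} {path}")
```

A `login-page?` verdict still needs a human look: the point of the control is that the admin UI asks for credentials (and, per the user access control section, MFA), while an `EXPOSED` verdict on a config or backup file is a straightforward fail to fix before the assessment.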
3. User Access Control
Each person gets a unique account and password. Admin access is restricted. Accounts are disabled when people leave.
What you need to do:
- Create unique accounts: Every user gets their own username and password (no shared accounts).
- Passwords: Follow the Cyber Essentials password rules: at least 12 characters where there is no MFA (at least 8 where MFA is enforced), a deny list that blocks common passwords, and no forced periodic changes or complexity rules, which NCSC guidance advises against because they push users towards predictable patterns. Change a password only when you suspect it has been compromised. Use a password manager so users can have long, unique passwords without writing them down.
- Admin access: Restricted to users who actually need it (typically one or two people). Create separate admin accounts for those users (they use a regular user account for daily work and switch to the admin account for privileged tasks only).
- Multi-factor authentication: Cyber Essentials requires MFA on all administrator accounts and for every user of a cloud service that supports it (Microsoft 365, Google Workspace, hosting control panels, finance systems). After entering the password the user confirms with a second factor; prefer an authenticator app or hardware token, since SMS codes are accepted but are the weakest option.
- Access review: At least annually (quarterly is better), review who has access to what. Disable accounts for users who no longer need access.
- Former employees: Disable accounts immediately on departure (don’t just reset passwords — disable entirely). Remove from team access, email groups, cloud storage access.
How to check it worked:
For each critical system, verify: every user has a unique account, MFA is enabled, admin access is restricted to authorised users only, the access control system logs access (for audit).
Effort: 4–8 hours initially, then 30 minutes annually for access review.
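The access review is easier to evidence if it is a script run over an account export rather than a manual read-through. As an added example that is not part of the original guide, the following reviews a constructed CSV export for the gaps the control cares about: leavers still enabled, admins and cloud users without MFA, dormant accounts and accounts that look shared. The column names and every row are invented for the example; Microsoft 365 and Google Workspace both export similar fields, but you will need to map their column names.

```python
"""Review an exported account list for Cyber Essentials user-access gaps
(added example, not from the original guide).

Assumptions (not from the page): accounts are exported as CSV with the columns
below; the column names, the SHARED_HINTS heuristic and all rows are
constructed sample data."""

import csv
import io
from datetime import date, datetime

# Constructed export: username, display name, admin flag, MFA flag, enabled flag, last sign-in, leaving date.
SAMPLE_EXPORT = """\
username,name,is_admin,mfa_enabled,enabled,last_login,left_date
alice@example.co.uk,Alice Smith,yes,yes,yes,2025-01-03,
bob@example.co.uk,Bob Jones,no,no,yes,2024-08-14,
carol@example.co.uk,Carol White,yes,no,yes,2025-01-05,
reception@example.co.uk,Reception Desk,no,yes,yes,2025-01-06,
dave@example.co.uk,Dave Brown,no,yes,yes,2024-12-20,2024-12-31
erin@example.co.uk,Erin Black,no,yes,no,2024-03-01,2024-03-15
"""

INACTIVE_DAYS = 90
# Local parts that suggest a shared login rather than a named person (constructed heuristic).
SHARED_HINTS = ("reception", "admin", "shared", "info", "office")


def review_accounts(csv_text, today=date(2025, 1, 10)):
    """Return {username: [findings]} for every enabled account that needs action.

    `today` is pinned so the sample output is reproducible; pass date.today() for a live review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"]
        enabled = row["enabled"] == "yes"
        if not enabled:
            continue                      # already disabled accounts are not a finding
        is_admin = row["is_admin"] == "yes"
        mfa = row["mfa_enabled"] == "yes"
        last = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        left = row["left_date"]
        issues = []
        if left:
            issues.append(f"leaver ({left}) still enabled: disable now")
        if not mfa:
            # CE: MFA for every admin and for every user of a cloud service that offers it
            issues.append("ADMIN without MFA" if is_admin else "MFA not enabled")
        idle = (today - last).days
        if idle > INACTIVE_DAYS:
            issues.append(f"inactive {idle} days: disable or justify")
        if user.split("@")[0] in SHARED_HINTS:
            issues.append("looks like a shared account: assign to a named person")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(SAMPLE_EXPORT).items():
        print(user)
        for issue in issues:
            print(f"  - {issue}")
```

Run it, action every finding, re-run to show a clean result and file both outputs with the date: that pair is exactly the kind of evidence an assessor asks for when you claim an access review happened.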
4. Malware Protection
All devices have antivirus or equivalent installed and kept updated.
What you need to do:
- Windows devices: Microsoft Defender Antivirus (built in) is sufficient. Ensure it is enabled, real-time protection is on and updates arrive automatically. Or install a third-party product (Sophos, ESET, Bitdefender, etc.) if preferred, but don't run two real-time engines at once.
- macOS devices: macOS has built-in XProtect and Gatekeeper. Keep the OS updated. Optional: third-party antivirus for additional protection.
- Linux servers: Cyber Essentials accepts either anti-malware software or application allow-listing as the malware protection mechanism, and any Linux server in scope needs one of the two. Linux sees less commodity malware than Windows, but that is not a reason to skip the control; ClamAV or a commercial agent is the usual choice.
- Configure scanning: Set antivirus to scan on access (real-time protection) and on schedule (weekly or daily).
- Keep updated: Antivirus definitions update automatically (daily is standard).
How to check it worked:
For Windows: open Windows Defender settings and verify real-time protection is enabled and updates are recent. For macOS: System Settings > Privacy & Security should show Gatekeeper is enabled.
Effort: 30–60 minutes (mostly just verification — most devices have antivirus by default).
5. Security Update Management
Operating systems, applications, firmware and server software are kept supported and patched. Cyber Essentials sets a hard deadline: updates that fix vulnerabilities rated critical or high (CVSS v3 base score 7.0 or above, or described as such by the vendor) must be installed within 14 days of release, and software that is no longer supported by its vendor must be removed or replaced. A monthly cycle is fine for everything else.
What you need to do:
- Operating systems: Enable automatic updates (Windows Update, macOS updates, Linux package manager). If automatic updates aren't feasible (because they would disrupt critical systems), establish a patching schedule that still lands critical and high fixes within 14 days, and execute it.
- CMS platforms (WordPress, Joomla, Drupal): Enable automatic updates for security patches. Test on a non-production environment first if you're concerned about breaking changes, but deploy security patches promptly and always within the 14-day window.
- Plugins and extensions: Keep all plugins updated. Remove abandoned plugins (not updated by their developer) rather than leaving them installed and disabled.
- Third-party software: Enable auto-update where the product supports it. For anything that cannot auto-update, check for updates at least fortnightly so that a critical fix can still be applied within 14 days of release.
- Server software: For web servers, database servers and other infrastructure, apply security patches within 14 days and everything else monthly. Your hosting provider may apply patches automatically, but verify that, and verify which layers (OS, web server, database) it covers.
How to check it worked:
Check the version of your CMS, server software and key applications against the vendor's current release and the date that release came out. Any critical or high security fix more than 14 days old that isn't installed means your patching process isn't working. Also list anything that is out of vendor support (an old Windows or PHP version, for example): unsupported software fails the assessment regardless of its patch state.
Effort: 2 hours per month (mostly routine).
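As an added example that is not part of the original guide, the following checks a small software inventory against the two rules above: nothing out of vendor support, and no critical/high fix older than 14 days still uninstalled. The CSV columns and every row (hosts, versions, dates, severities) are constructed sample data; in practice you would fill the inventory from vendor release notes and your device list.

```python
"""Check a software inventory against the Cyber Essentials update rule:
critical/high security fixes installed within 14 days of release, and nothing
out of vendor support (added example, not from the original guide).

Assumptions (not from the page): a CSV inventory with the columns below, kept
by hand or exported from an RMM tool. All rows are constructed sample data,
including the version numbers and release dates."""

import csv
import io
from datetime import date, datetime

SAMPLE_INVENTORY = """\
host,software,installed,latest,latest_released,fix_severity,supported
web01,WordPress,6.7.1,6.7.2,2025-02-11,high,yes
web01,nginx,1.26.2,1.26.3,2025-02-05,medium,yes
mail01,Ubuntu,18.04,24.04,2024-04-25,none,no
laptop-03,Chrome,132.0.6834.83,132.0.6834.110,2025-01-22,critical,yes
laptop-03,7-Zip,24.08,24.08,2024-08-11,none,yes
"""

SLA_DAYS = 14
# Cyber Essentials treats CVSS v3 base score 7.0+ (or vendor "high"/"critical") as subject to the 14-day rule.
URGENT = {"high", "critical"}


def overdue_updates(csv_text, today=date(2025, 2, 20)):
    """Return (host, software, reason) for every row that fails the control.

    `today` is pinned so the sample output is reproducible; pass date.today() for a live check."""
    failures = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["supported"] != "yes":
            failures.append((row["host"], row["software"], "unsupported: upgrade or remove"))
            continue
        if row["installed"] == row["latest"]:   # plain string compare: both values come from one source
            continue
        released = datetime.strptime(row["latest_released"], "%Y-%m-%d").date()
        age = (today - released).days
        if row["fix_severity"] in URGENT and age > SLA_DAYS:
            failures.append((row["host"], row["software"],
                             f"{row['fix_severity']} fix {age} days old (limit {SLA_DAYS})"))
    return failures


if __name__ == "__main__":
    for host, software, reason in overdue_updates(SAMPLE_INVENTORY):
        print(f"FAIL {host:10} {software:10} {reason}")
```

On the sample data the script passes WordPress (a high fix, but only 9 days old) and nginx (behind, but the fix is rated medium), and fails the unsupported Ubuntu release and the Chrome build that has been sitting 29 days behind a critical fix. A dated run of this each month, with the failures cleared, is your patching evidence.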
Step 1: Document Your Current Controls (Assessment)
Before you implement, understand where you stand.
What to do:
- Go through each of the five controls above. For each, answer: Do we have this in place? Is it documented? Is it tested?
- Identify gaps. List what you need to implement.
- Prioritise. Which gaps are easiest to fix first? (Usually: firewalls, then MFA, then access control, then patching, then antivirus.)
- Estimate effort. How long will each fix take? Who will do it (internal IT, contractor, cloud provider)?
Output: A gap assessment document showing current state vs required state.
Effort: 2–4 hours.
Step 2: Implement the Controls (4–8 Weeks)
Start with the easiest fixes and build from there.
Week 1–2: Firewalls and Basic Hardening
- Change default firewall password
- Disable unnecessary services
- Run external port scan to verify only intended ports are open
- Enable firewall logging
Week 2–3: User Access Control and MFA
- Enable MFA on email accounts (Microsoft 365, Google Workspace, or equivalent)
- Enable MFA on admin panels (WordPress, Joomla, hosting control panels, financial systems)
- Review user accounts and disable inactive ones
- Create separate admin accounts for users who need elevated access
- Implement password policy (minimum 12 characters)
Week 3–4: Antivirus and Updates
- Verify antivirus is running on all devices
- Enable automatic updates on operating systems
- Enable automatic updates on CMS platforms
- Set up monthly patching schedule for applications that don’t auto-update
- Run an external vulnerability scan to identify outdated software
Week 4–8: Secure Configuration
- Harden operating systems (disable unnecessary services, enable firewalls, set password policy)
- Harden applications (change default credentials, disable debug modes, remove sample files)
- Configure CMS hardening (remove sample plugins, set correct file permissions, secure admin panel)
- Document your security configuration (for the assessment)
Parallel: Document everything. The assessor will ask for evidence that controls are in place. Keep screenshots, policy documents, configuration lists.
Step 3: Find an Assessor
Search the list of certification bodies maintained by IASME, the NCSC's Cyber Essentials delivery partner (linked from www.ncsc.gov.uk). Filter by location and contact 2–3 certification bodies.
What to ask:
- Cost and payment terms
- Timeline (how long until certification)
- Do they offer support during implementation or just assessment
- What format is the assessment (questionnaire, on-site for Plus, remote)
- What happens if you fail — can you remediate and resubmit
- Annual renewal process and cost
Choose: An assessor that fits your budget and timeline.
Step 4: Prepare for Assessment (2–4 Weeks Before)
Once you’ve implemented controls and chosen an assessor, prepare for the formal assessment.
For Standard Assessment (Self-Assessment Questionnaire):
- Complete the questionnaire honestly. It is a self-assessment of several dozen questions covering the five controls, and a board member (or equivalent) must sign a declaration that the answers are true.
- Gather evidence for each answer before you submit, even though the basic assessment is largely declaration-based. If the questionnaire asks how quickly you apply security updates, your evidence is a list of recent patches with dates, or a screenshot showing automatic updates enabled. You will need it if the assessor queries an answer, and you will need it again for Plus.
- Submit the questionnaire through the certification body's portal.
- The assessor reviews it and either approves (certificate issued) or returns it with the answers that fell short. You normally get a short window (IASME allows two working days) to correct and resubmit at no extra charge.
For Plus Assessment (Independent Verification):
- Pass the basic self-assessment first; the Plus audit must be completed within three months of it.
- Schedule the assessment (typically 1–2 days, on-site or remote).
- The assessor will: run an external vulnerability scan of your internet-facing systems, run authenticated vulnerability scans against a sample of your devices, check that malware protection actually blocks test files delivered by email and browser download, confirm MFA on your cloud services and the separation of admin and user accounts, and review your documentation.
- After the assessment, you'll get a report identifying any gaps.
- Remediate gaps (usually 1–2 weeks).
- Submit remediation evidence.
- Once approved, the certificate is issued.
Step 5: Certification and Maintenance
Once approved, you receive a Cyber Essentials certificate valid for one year.
What to do:
- Display the certificate (on your website, proposals, marketing materials)
- Update your vendor forms and RFPs to claim Cyber Essentials certified
- Inform cyber insurance provider (may reduce premiums)
- Set a renewal reminder (annual recertification is required to maintain certification)
Annual renewal:
- For Standard: Submit a new questionnaire, provide updated evidence.
- For Plus: The assessor conducts a new assessment (similar to initial).
How to Check It Worked
Before assessment:
- External port scan shows only intended ports are open
- Firewall is configured with strong password, auto-updates enabled
- Email accounts and admin panels require MFA
- Password policy is enforced (minimum 12 characters)
- Antivirus is running on all devices
- Patching process is documented and being followed
- User access is reviewed and documented
During assessment:
- Assessor finds no major gaps
- Controls can be demonstrated (not just claimed)
- Evidence is documented and consistent
After certification:
- Certificate is issued: usually within days of a passing submission for Standard, longer for Plus because of scheduling and any remediation
- You can claim “Cyber Essentials Certified” in marketing and proposals
Timeline
| Phase | Duration | Effort |
|---|---|---|
| Assessment and planning | 1 week | 2–4 hours |
| Implementation | 4–8 weeks | 20–40 hours |
| Assessor engagement | 1 week | 2–4 hours |
| Formal assessment | 1–2 weeks | 4–8 hours |
| Remediation (if needed) | 1–2 weeks | 4–8 hours |
| Total | 8–16 weeks | 32–64 hours |
For many SMEs, the biggest time investment is implementation (weeks 1–8), not the formal assessment.
Cost
| Item | Cost |
|---|---|
| Standard assessment (annually) | £320–£600 + VAT, tiered by organisation size |
| Plus assessment (annually) | Quoted per engagement; scales with the number of devices and is usually several times the Standard fee |
| Implementation support (optional) | £1,000–£3,000 (if hiring external help) |
Tip: Many assessors offer fixed-fee packages combining assessment + limited implementation support. This can be good value if you need guidance.
Common Questions
Q: What if we fail the assessment?
A: Most failures are gaps you can remediate. For the basic assessment the assessor tells you which answers fell short and you get a short window (IASME: two working days) to fix them and resubmit at no extra charge; miss that window and you pay the assessment fee again. For Plus, remediation and retest terms are set by the certification body, so ask about them up front.
Q: How long is certification valid?
A: One year. You renew annually to maintain the credential.
Q: Can we outsource implementation?
A: Yes. If you don’t have internal IT capacity, contract a managed IT provider or consultant to implement the controls. Cost is typically £2,000–£5,000 depending on complexity.
Q: What if we already have some controls in place?
A: The assessor will verify what’s actually in place and identify gaps. You’ll only need to implement what’s missing.
Q: Is Cyber Essentials Plus worth the extra cost?
A: If you need a strong credential for government contracts or large customers, Plus is worth it. If it’s mainly for insurance purposes, Standard is usually sufficient. Check with your insurance provider.
Next Steps
- Assess your current controls using our cybersecurity checklist.
- Implement gaps using our step-by-step guide to cybersecurity readiness.
- Find an assessor via the NCSC’s approved assessor list.
- Complete assessment and get certified.
If you want professional help with implementation, Bartram Cyber can conduct an initial assessment identifying gaps, then provide a prioritised remediation plan. We don’t do certification ourselves (an accredited assessor does), but we can prepare you for it.
Cyber Essentials is achievable for most SMEs in 8–16 weeks. The controls aren’t expensive or complex — they’re documented, tested baselines. Getting certified is the logical next step after you’ve implemented them.