What Cyber Essentials actually is
Cyber Essentials is a certification scheme developed by the UK government's National Cyber Security Centre (NCSC) and managed through IASME, an accreditation body. It was designed to give businesses a practical baseline for cyber security: a set of controls that, if implemented correctly, protect against the majority of common internet-based attacks.
The scheme isn't designed to address sophisticated targeted attacks. It's designed to close the gaps that allow opportunistic attackers to get in through vulnerabilities that should have been addressed. Most successful cyber attacks don't require advanced techniques — they exploit weak configurations, unpatched software, and poor access controls. Cyber Essentials addresses exactly those gaps.
The five technical controls
Cyber Essentials certification is built around five controls. To certify, a business must demonstrate that all five are in place and correctly configured:
- Firewalls. All internet-connected devices and networks must be protected by a correctly configured firewall. This includes both network-level firewalls and device-level firewalls on laptops and workstations.
- Secure configuration. Devices and software must be configured securely — default passwords changed, unnecessary services disabled, and unnecessary software removed. This is one of the controls businesses most often fail on in initial assessments.
- User access control. User accounts must have only the level of access they need. Standard users should not have administrator rights. Admin accounts should be separate from day-to-day accounts, and access should be removed promptly when staff leave.
- Malware protection. Appropriate malware protection must be in place on all devices — typically a combination of up-to-date antivirus software and controls that prevent the execution of unknown or malicious files.
- Security update management. Software and operating systems must be kept up to date. High-risk updates must be applied within 14 days of release. End-of-life software — software that no longer receives security updates — must be removed or isolated.
These five controls are not exotic or especially complex. Most well-managed IT environments already have them largely in place. Where businesses fail, it's usually on secure configuration (default settings left unchanged), access control (too many admin accounts, leavers not removed promptly), or patching (updates deferred, end-of-life software still in use).
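As an added illustration of how those common failures can be checked rather than assumed (this is example code written for this page, not NCSC or IASME tooling, and the inventory records and their field names are constructed assumptions), the following readiness check flags devices that would fail the five controls, including high-risk updates left more than 14 days past release:

```python
"""Cyber Essentials readiness check over a constructed device inventory.

Added example; the record layout is hypothetical. It reports, per device,
the gaps the five controls are meant to close: firewall off, default
password unchanged, malware protection out of date, day-to-day accounts
holding admin rights, end-of-life software, and high-risk updates that
are more than PATCH_WINDOW_DAYS past their release date.
"""
from datetime import date

PATCH_WINDOW_DAYS = 14      # high-risk updates must be applied within 14 days
DEMO_DATE = date(2024, 6, 1)  # constructed "today" for the sample run

# Constructed inventory: one record per device. pending_high_risk holds
# (package, release date) pairs; daily_use marks an account used for normal work.
INVENTORY = [
    {"host": "laptop-01", "firewall_on": True, "default_password": False,
     "av_current": True, "eol_software": [], "pending_high_risk": [],
     "users": [{"name": "alice", "admin": False, "daily_use": True},
               {"name": "alice-adm", "admin": True, "daily_use": False}]},
    {"host": "laptop-02", "firewall_on": False, "default_password": False,
     "av_current": False, "eol_software": ["Windows 7"],
     "pending_high_risk": [("browser", date(2024, 5, 1))],
     "users": [{"name": "bob", "admin": True, "daily_use": True}]},
    {"host": "router-01", "firewall_on": True, "default_password": True,
     "av_current": True, "eol_software": [], "pending_high_risk": [], "users": []},
]

def check_device(dev, today):
    """Return a list of (control, finding) tuples; empty means the device passes."""
    findings = []
    if not dev["firewall_on"]:
        findings.append(("firewalls", "device firewall disabled"))
    if dev["default_password"]:
        findings.append(("secure configuration", "default password unchanged"))
    if not dev["av_current"]:
        findings.append(("malware protection", "malware protection missing or out of date"))
    # Admin rights on an account used day to day: the control wants separate admin accounts.
    for u in dev["users"]:
        if u["admin"] and u["daily_use"]:
            findings.append(("user access control", f"{u['name']} uses an admin account day to day"))
    for pkg in dev["eol_software"]:
        findings.append(("security update management", f"end-of-life software: {pkg}"))
    for pkg, released in dev["pending_high_risk"]:
        overdue = (today - released).days - PATCH_WINDOW_DAYS
        if overdue > 0:
            findings.append(("security update management", f"{pkg} update {overdue} days past window"))
    return findings

def audit(inventory, today):
    """Map each host to its findings so the report can be read control by control."""
    return {dev["host"]: check_device(dev, today) for dev in inventory}

if __name__ == "__main__":
    for host, findings in audit(INVENTORY, DEMO_DATE).items():
        print(host, "PASS" if not findings else findings)
```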
Cyber Essentials vs Cyber Essentials Plus
There are two levels of the certification:
- Cyber Essentials is a self-assessment. A business answers a set of questions about its IT environment and controls, which is then reviewed by an assessor. If the answers meet the requirements, the certification is awarded. The process is relatively quick and the cost is modest.
- Cyber Essentials Plus is the same five controls, but assessed through independent technical verification — an assessor actually tests the systems rather than relying on a self-assessment questionnaire. It carries more weight and is required for some higher-value government contracts.
For most small businesses, Cyber Essentials (self-assessment) is the appropriate starting point. Cyber Essentials Plus makes sense if there's a specific procurement requirement for it, or if the business handles particularly sensitive data and wants independent verification of its security controls.
Who should consider it and why
The practical reasons to pursue Cyber Essentials vary by business type:
- Businesses working with the public sector or bidding for government contracts are increasingly required to hold Cyber Essentials. For some contracts — particularly those involving personal data or sensitive government information — it's mandatory.
- Businesses that handle client data will find that larger clients are starting to ask about cyber security posture as part of supplier due diligence. A current Cyber Essentials certificate is a concrete answer to that question.
- Businesses seeking cyber insurance may find that holding the certification affects their premiums or the terms of cover available. Insurers are increasingly factoring in security posture when underwriting cyber policies.
- Any business that hasn't reviewed its security baseline recently will find the assessment process useful regardless of whether it ultimately certifies — it surfaces gaps that often go unnoticed.
No security measure guarantees you won't be attacked. The goal is always to make an attack less likely, and to reduce the damage if one does succeed. Cyber Essentials closes the doors that most opportunistic attackers are trying to walk through.
What the assessment process involves
The Cyber Essentials self-assessment is completed through an online questionnaire covering each of the five control areas. The questions ask about the scope of the assessment (which systems are included), how each control is implemented, and whether any exceptions apply.
The assessment covers devices, software, networks, and user accounts in scope. Cloud services used by the business are included in scope if they process business data — which means Microsoft 365, Google Workspace, and similar platforms are typically part of the picture.
For most businesses, the realistic preparation time is a few days of reviewing current configurations, addressing any gaps, and completing the questionnaire. The most common issues found during preparation are software that hasn't been updated, admin accounts that are more widely distributed than they should be, and firewall configurations that haven't been reviewed since initial setup.
What Cyber Essentials doesn't cover
It's worth being clear about what the certification doesn't address, so businesses have realistic expectations:
- It doesn't cover physical security — protecting premises, hardware, or access to server rooms.
- It doesn't cover staff awareness training or social engineering prevention beyond the technical controls.
- It doesn't address business continuity or recovery — what happens if an attack succeeds.
- It doesn't cover network monitoring, incident detection, or forensic capability.
- It doesn't specifically address supply chain risk — the security practices of third-party suppliers.
For businesses that want to go further, the NCSC's Cyber Essentials framework is a starting point, not a ceiling. Many businesses that certify then go on to implement staff awareness training, improve their backup and recovery capability, and look at broader security monitoring. Cyber Essentials gets the baseline right. What comes after depends on the business's risk profile and appetite.
A baseline, not a guarantee
The value of Cyber Essentials is that it gives businesses — and the organisations they work with — a consistent, independently verified picture of their basic security posture. It doesn't mean the work is done, and no amount of security work removes risk entirely. But it does mean the most common and preventable entry points have been addressed, making an attack significantly less likely and limiting the routes available to an attacker if they do try.
For businesses that have never formally reviewed their security baseline, the certification process is often useful regardless of outcome — it identifies gaps, creates a record of what's in place, and establishes a point from which the business can build.