
Cyber Essentials: What It Is, Why It Matters, and How We'll Get You There

If you run a small business in the UK, you have probably heard the phrase Cyber Essentials at some point. Maybe a customer asked whether you hold the certification. Maybe you saw it mentioned on a government contract notice. Maybe someone in your network mentioned it over coffee and you nodded along while making a mental note to look it up later.

This is that article. I'm going to tell you what Cyber Essentials actually is, why it matters for a business like yours, and — most importantly — exactly what my Security Engineering team will do to get you certified, step by step, if you become a client. No jargon. No unnecessary complexity. Just a clear picture of the journey from where you are now to holding a certificate you can be proud of.

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme run under the National Cyber Security Centre (NCSC). It was designed to address a straightforward and well-documented problem: the vast majority of successful cyber attacks against businesses exploit a small number of basic, well-understood weaknesses. Fix those weaknesses, and you stop the majority of attacks before they start.

The scheme defines five core technical controls — five areas of your IT environment that, when properly configured, close the door on most opportunistic attacks. We'll go through each of those controls in detail below.

There are two levels of certification:

Cyber Essentials, the base level, is a self-assessment questionnaire that you complete and submit to an accredited certifying body for review. Cyber Essentials Plus adds a hands-on technical assessment, in which an accredited assessor independently tests a sample of your devices and systems. Plus is the more rigorous of the two, and it carries significantly more weight with customers, insurers, and government procurement teams. My strong recommendation for most of my clients is to aim straight for Plus — and I'll explain how we get you there.

Why Should Your Business Care?

There are three straightforward reasons.

First, if you want to bid for UK government contracts that involve handling sensitive data or providing certain IT services, Cyber Essentials certification is now a mandatory requirement. Without it, you cannot be considered regardless of how good your proposal is.

Second, an increasing number of larger private-sector businesses are requiring Cyber Essentials from their supply chain. If your customers are large organisations, this question is either already on your table or it will be soon. Getting certified proactively puts you in a stronger position than scrambling to comply when a client asks.

Third — and this is the one I find most compelling — it genuinely improves your security. The five controls aren't bureaucratic boxes to tick. They represent the baseline hygiene measures that would prevent the majority of the attacks I see targeting businesses of your size every week. Getting certified isn't just about the piece of paper. It's about actually being safer.

The Five Controls: What They Mean in Plain English

Cyber Essentials is built around five technical areas. Here's what each one means for your business, without the technical noise.

1. Firewalls

A firewall sits between your internal network and the internet, controlling what traffic is allowed in and out. For Cyber Essentials, every device that connects to the internet — including your office router, cloud services, and staff laptops — needs to have a properly configured firewall in place. The key word is configured: a firewall that's switched on but set to its factory defaults is not doing its job.

2. Secure Configuration

Devices and software come with default settings that prioritise ease of use over security. Default administrator passwords. Unnecessary services running in the background. Features enabled that nobody uses. Secure configuration means stripping all of that away — hardening your devices and software to the minimum necessary to do what you actually need them to do, and nothing more.

3. User Access Control

Not everyone in your business needs access to everything. User access control means ensuring that each person — and each device — has only the permissions they genuinely need to do their job. It also means that administrator-level accounts, which have the power to make system-wide changes, are used only when absolutely necessary and are protected with multi-factor authentication (MFA).

4. Malware Protection

Malware — malicious software — is one of the most common attack vectors against small businesses. Cyber Essentials requires that you have appropriate, up-to-date protection in place on all devices. This includes anti-malware software and, increasingly, controls that restrict what software can run on your systems in the first place.

5. Patch Management

Software vulnerabilities are discovered constantly, and manufacturers release patches to fix them. Cyber Essentials requires that you apply security patches within 14 days of release for high and critical severity vulnerabilities, and that software which is no longer supported by its manufacturer is either updated or removed. Unpatched software is among the most exploited weaknesses I encounter in small business environments.

Our Engagement: How We Get You Certified

When you engage my Security Engineering team for Cyber Essentials certification, we follow a structured five-phase process. Here is exactly what that looks like.

Phase 1: Gap Assessment

Before we can map a route to certification, we need to understand where you currently stand. My engineers will conduct a thorough review of your environment against all five Cyber Essentials controls. We look at your firewall configurations, your device inventory, your patching cadence, your access control structure, and your malware protection in place across your estate.

The output of this phase is a plain-language gap report — a clear document that tells you, for each control area, what you have in place that already meets the standard, what needs to change, and how significant those changes are. We also give you a realistic view of your readiness timeline so you know what you're signing up for before we go any further.

There are no surprises with my team. If your environment needs significant work, I'll tell you that upfront, with a clear explanation of what's involved. If you're closer to certification than you think, I'll tell you that too.

Phase 2: Remediation

This is the hands-on phase, and typically where most of the work lives. Working through the findings from the gap assessment, my engineers will address each control area in turn.

For firewalls, we review every device boundary in scope — your perimeter firewall, any device-level firewalls on laptops and servers — and reconfigure them to restrict inbound access to only what is explicitly required. We remove default rules, close unnecessary ports, and verify that outbound traffic is appropriately controlled.

For secure configuration, we work through your device estate — servers, workstations, laptops, mobile devices — removing unnecessary software and services, changing default credentials, disabling unused features, and applying vendor-recommended security baselines. If you use cloud services such as Microsoft 365 or Google Workspace, we apply the same discipline to your cloud configuration.

For user access control, we audit your user accounts and permissions. We identify and remove accounts that are no longer active. We review administrator privileges and reduce them to the minimum necessary. We ensure that MFA is enforced on all internet-facing services and administrator accounts. If your business doesn't currently use a password manager or identity management tool, we'll advise on appropriate options.

For malware protection, we verify that all in-scope devices have appropriate, actively managed endpoint protection in place. If you're running legacy antivirus tools that aren't receiving updates, we'll recommend and assist with migration to a modern endpoint detection solution. Where appropriate, we also implement application allowlisting — the control that prevents any software not on an approved list from running on your devices.

For patch management, we audit the current patch status of all in-scope devices and software, identify and remediate outstanding critical and high-severity vulnerabilities, and put in place a documented patching process to ensure you stay compliant on an ongoing basis. We also identify any software in your environment that has reached end-of-life and needs to be replaced or removed before the assessment.

Phase 3: Pre-Assessment Verification

Before we submit your Cyber Essentials questionnaire or book your Plus assessment, my team runs its own internal verification — essentially, we assess you before the assessor does.

We run external vulnerability scans against your internet-facing perimeter to check that nothing unexpected is exposed to the public internet. We run internal vulnerability scans across your device estate to identify any residual weaknesses that remediation may have missed. We verify MFA enforcement across your accounts, test that your malware protection is functioning correctly, and confirm that your patching is current.
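To make the gap report of Phase 1 and the verification of Phase 3 concrete, here is an added example, written for this article rather than taken from it or from UK Cyber Defence's own tooling. It evaluates a constructed device inventory against the five controls, including the 14-day window for high and critical patches and the end-of-life software rule, and reports per-control findings for each device. The inventory fields, the seven-day staleness threshold for anti-malware definitions, the patch identifiers and the two sample devices are assumptions made for the example.

```python
"""Cyber Essentials readiness check over a constructed device inventory.

Added example: not the article's or UK Cyber Defence's tooling. The five
controls and the 14-day patch window come from the article; the inventory
fields, thresholds and sample devices are assumptions constructed here.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 14                      # high/critical patches applied within 14 days
PATCH_WINDOW_SEVERITIES = {"high", "critical"}
MALWARE_SIGNATURE_MAX_AGE_DAYS = 7          # assumption: definitions older than this are stale


@dataclass
class Patch:
    identifier: str      # constructed placeholder, e.g. "PATCH-0001"
    severity: str        # "low", "medium", "high" or "critical"
    released: date       # vendor release date
    applied: bool


@dataclass
class Device:
    name: str
    firewall_enabled: bool
    firewall_default_rules: bool           # still running the factory-default ruleset
    default_admin_password_changed: bool
    unnecessary_services: List[str]
    os_supported: bool                      # still receiving vendor security updates
    anti_malware_last_update: Optional[date]  # None = no protection installed
    admin_accounts_mfa: Dict[str, bool]     # admin account -> MFA enforced
    patches: List[Patch] = field(default_factory=list)


def check_device(dev: Device, today: date) -> Dict[str, List[str]]:
    """Return findings grouped by control; an empty list means the control passes."""
    findings: Dict[str, List[str]] = {
        "firewalls": [], "secure_configuration": [], "user_access_control": [],
        "malware_protection": [], "patch_management": [],
    }
    # 1. Firewalls: switched on and configured, not left on factory defaults.
    if not dev.firewall_enabled:
        findings["firewalls"].append("firewall disabled")
    elif dev.firewall_default_rules:
        findings["firewalls"].append("firewall still uses factory-default rules")
    # 2. Secure configuration: default credentials changed, unused services removed.
    if not dev.default_admin_password_changed:
        findings["secure_configuration"].append("default administrator password unchanged")
    for svc in dev.unnecessary_services:
        findings["secure_configuration"].append(f"unnecessary service running: {svc}")
    # 3. User access control: every administrator account protected by MFA.
    for account, mfa in dev.admin_accounts_mfa.items():
        if not mfa:
            findings["user_access_control"].append(f"admin account without MFA: {account}")
    # 4. Malware protection: present and actively updated.
    if dev.anti_malware_last_update is None:
        findings["malware_protection"].append("no anti-malware protection installed")
    elif (today - dev.anti_malware_last_update).days > MALWARE_SIGNATURE_MAX_AGE_DAYS:
        findings["malware_protection"].append("anti-malware definitions out of date")
    # 5. Patch management: no end-of-life software; high/critical patches within 14 days.
    if not dev.os_supported:
        findings["patch_management"].append("operating system no longer supported by vendor")
    for p in dev.patches:
        if p.applied or p.severity.lower() not in PATCH_WINDOW_SEVERITIES:
            continue
        age = (today - p.released).days
        if age > PATCH_WINDOW_DAYS:
            findings["patch_management"].append(
                f"{p.severity} patch {p.identifier} outstanding for {age} days "
                f"(limit {PATCH_WINDOW_DAYS})")
    return findings


def gap_report(devices: List[Device], today: date) -> Dict[str, Dict[str, List[str]]]:
    """Map each device name to its per-control findings."""
    return {d.name: check_device(d, today) for d in devices}


def ready_for_assessment(report: Dict[str, Dict[str, List[str]]]) -> bool:
    """True only when every device passes every control."""
    return all(not items for controls in report.values() for items in controls.values())


# Constructed sample inventory (not real devices).
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device(name="laptop-01", firewall_enabled=True, firewall_default_rules=False,
           default_admin_password_changed=True, unnecessary_services=[],
           os_supported=True, anti_malware_last_update=TODAY - timedelta(days=1),
           admin_accounts_mfa={"admin": True},
           patches=[Patch("PATCH-0001", "critical", TODAY - timedelta(days=20), applied=True),
                    Patch("PATCH-0002", "high", TODAY - timedelta(days=3), applied=False)]),
    Device(name="server-02", firewall_enabled=True, firewall_default_rules=True,
           default_admin_password_changed=False, unnecessary_services=["telnet"],
           os_supported=False, anti_malware_last_update=TODAY - timedelta(days=30),
           admin_accounts_mfa={"administrator": False, "backup-admin": True},
           patches=[Patch("PATCH-0003", "critical", TODAY - timedelta(days=21), applied=False),
                    Patch("PATCH-0004", "low", TODAY - timedelta(days=60), applied=False)]),
]

if __name__ == "__main__":
    report = gap_report(SAMPLE_DEVICES, TODAY)
    for name, controls in report.items():
        for control, items in controls.items():
            print(f"{name:10} {control:22} {'PASS' if not items else 'FAIL'}")
            for item in items:
                print(f"           - {item}")
    print("ready for assessment:", ready_for_assessment(report))
```

Run as a script, it prints a PASS/FAIL line per device and control and whether the estate as a whole is ready. In the sample, laptop-01 passes everything (its one unapplied high-severity patch is only three days old, inside the window), while server-02 fails on all five controls. In a real engagement the inventory would be populated from endpoint management and identity provider data rather than typed in by hand, and the same check would be re-run after remediation and again immediately before submission.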

If we find anything during this phase, we fix it before proceeding. You only go to assessment when I'm confident you're ready. Failed assessments waste time and money — that's something I avoid for my clients wherever possible.

Phase 4: Cyber Essentials Submission

With remediation complete and pre-assessment verification passed, we move to submission. My team will work with you to complete the self-assessment questionnaire accurately and thoroughly, drawing directly on the configuration documentation we've built throughout the engagement. We submit this to an accredited certifying body on your behalf and manage any queries that arise during the review process.

Once your questionnaire is approved, you receive your Cyber Essentials certificate. You can display it, share it with customers, and use it in tender responses — it's valid for twelve months from the date of issue.

Phase 5: Cyber Essentials Plus

If you're going for Cyber Essentials Plus — which I recommend — there is an additional phase involving a hands-on technical assessment conducted by an accredited assessor. This is not something to be nervous about: by the time we reach this stage, my team has already validated everything the assessor will look at.

The Plus assessment involves the assessor independently testing a sample of your devices and systems to verify that the controls described in your questionnaire are genuinely in place and working. This includes scanning your external perimeter, scanning a sample of internal devices, testing malware protection, and verifying MFA enforcement on a selection of accounts.

My engineers support you throughout this assessment. We liaise with the assessor, provide any technical documentation they request, and are on hand to address any queries or minor findings in real time. Our objective is to make this a smooth, well-managed process rather than a stressful one.

What Happens After Certification?

Certification is valid for twelve months. To maintain it, you'll need to recertify annually — and your environment will need to continue meeting the five controls throughout that period, not just at the point of assessment.

As a managed security client, this is handled as part of your ongoing service. My team maintains visibility of your environment, monitors for configuration drift, and flags any issues that could affect your compliance posture well before your renewal window opens. Annual recertification becomes a routine exercise rather than a scramble.

Is Cyber Essentials Enough?

It's a fair question, and I want to answer it honestly. Cyber Essentials is a strong baseline. It addresses the controls that would prevent the majority of the cyber attacks that target small businesses in the UK. If you currently have little or no formal security programme in place, achieving Cyber Essentials Plus represents a significant and meaningful improvement to your risk posture.

But it is a baseline. It does not cover areas such as security monitoring, incident response planning, employee awareness training, or supply chain risk management. For businesses handling sensitive data, operating in regulated sectors, or carrying a higher risk profile, Cyber Essentials is the foundation, not the ceiling.

My team can advise on what the right next step looks like for your specific circumstances. That conversation is always free, and it's never a sales pitch — just an honest assessment of what would actually make a difference for you.

If you're ready to start the Cyber Essentials journey, or if you simply want to understand how far you currently are from certification, get in touch. The gap assessment is the natural starting point, and it will give you a clear picture of exactly where you stand.

— Peter Bassill, Chief Cyber Defender, UK Cyber Defence
