If you run a small business in the UK, you have almost certainly heard the term Cyber Essentials Certification mentioned in passing — on a tender document, in an insurance renewal, or from your IT provider. But what exactly is it, what does it involve, and is it worth the time and money?
This guide cuts through the jargon. We will explain what Cyber Essentials Certification is, walk you through the five technical controls at its heart, break down the costs, cover the important changes arriving in April 2026, and give you a clear, step-by-step route to getting certified.

What Is Cyber Essentials Certification?
Cyber Essentials is a UK Government-backed certification scheme, developed by the National Cyber Security Centre (NCSC) and managed by IASME, the scheme's official delivery partner. It sets a minimum baseline standard for cyber security that applies to organisations of every size — from sole traders to multinational corporations.
The scheme focuses on five technical controls that, when properly implemented, protect against the vast majority of common internet-based cyber attacks. Think of it as the digital equivalent of locking your doors, closing your windows, and fitting a decent alarm. It will not stop a determined, state-sponsored adversary, but it will stop the opportunistic attacks that account for the overwhelming majority of breaches affecting small businesses.
There are two levels of certification:
- Cyber Essentials — A verified self-assessment. You answer a set of questions about your IT setup, a senior person in your organisation signs off on the accuracy, and a qualified assessor reviews your submission.
- Cyber Essentials Plus — Everything in the standard certification, plus an independent technical audit of your systems. An assessor runs vulnerability scans and checks a sample of your devices to verify the controls are genuinely in place.
Both certificates are valid for 12 months and must be renewed annually.
Why Should Your Business Care?
For many small business owners, cyber security feels like something that only matters to large enterprises. The reality is quite different. Small businesses are frequent targets precisely because attackers know their defences tend to be weaker. Cyber Essentials Certification addresses this head-on, and it brings several tangible benefits beyond just security.
Government Contracts
If you bid for UK Government contracts that involve handling personal data, financial information, or sensitive material, Cyber Essentials Certification is mandatory. Without it, your bid will not be considered. Many larger private-sector organisations are now following suit, requiring certification from suppliers in their procurement processes.
Free Cyber Liability Insurance
Any UK organisation with a turnover under £20 million that achieves Cyber Essentials Certification covering its whole organisation automatically receives cyber liability insurance, arranged by IASME. This includes a 24-hour incident response helpline with technical, legal, and crisis management support, up to a total liability limit of £25,000. For a small business, that alone can justify the certification fee.
Customer Confidence
Displaying the Cyber Essentials badge on your website, proposals, and email signatures signals to clients and partners that you take data protection seriously. In competitive markets — particularly professional services, finance, and technology — this can be the difference between winning and losing a contract.
Measurable Risk Reduction
This is not just a paper exercise. Certified organisations are significantly less likely to suffer a successful cyber attack compared to those without certification. When the controls are properly implemented, they genuinely work.
The Five Technical Controls
The entire Cyber Essentials framework is built around five technical controls. Each one targets a specific and common attack vector. None of them require expensive specialist equipment or deep technical expertise to implement.
1. Firewalls and Internet Gateways
Every device that connects to the internet needs a security barrier between it and the outside world. For most small businesses, this means ensuring your broadband router's firewall is properly configured and that any software firewalls on individual devices are switched on. The goal is to create a controlled boundary so that only the traffic you have explicitly permitted can pass through.
2. Secure Configuration
Computers, phones, and cloud services often ship with default settings that prioritise convenience over security. Secure configuration means removing unnecessary software, changing default passwords, disabling features you do not use, and ensuring devices are set up to minimise the ways an attacker could find a way in. Do not assume the defaults are secure enough — they rarely are.
3. User Access Control
This control is about ensuring people only have access to the data and services they genuinely need for their role — and no more. It means using unique accounts for every user, removing access when someone leaves or changes role, and strictly limiting who has administrator privileges. If everyone in your office is using a shared admin account, this is the control that will catch you out.
4. Malware Protection
Your devices need active protection against malicious software. This can be traditional antivirus, endpoint detection and response (EDR) tools, or application allow-listing. The key requirements are that it must be active, kept up to date, and configured to scan files automatically. For most small businesses running Windows, Microsoft Defender meets the basic requirements when properly configured.
5. Security Update Management
Software vulnerabilities are discovered constantly, and vendors release patches to fix them. This control requires you to keep your operating systems, applications, and firmware up to date. High-risk or critical security updates must be applied within 14 days of release. Unsupported software — anything that no longer receives security updates from the vendor — must be removed or isolated from your network.
How Much Does Cyber Essentials Certification Cost?
The good news is that Cyber Essentials is one of the most affordable certifications available. The fees are set by IASME and based on the size of your organisation:
- Micro (0–9 employees): from £320 + VAT
- Small (10–49 employees): from £400 + VAT
- Medium (50–249 employees): from £450 + VAT
- Large (250+ employees): from £500 + VAT
These are the certification assessment fees only. If your systems need remediation work before you can pass — fixing outdated software, tightening access controls, enabling multi-factor authentication — there will be additional costs depending on the state of your current setup. Some businesses pass with minimal preparation; others need a few days of work to get things in order.
Cyber Essentials Plus costs more because it involves an independent technical audit. Prices vary depending on the size and complexity of your network, but typical costs for a small business range from around £1,500 to £2,500 + VAT. You must pass standard Cyber Essentials first before progressing to Plus.
What Is Changing in April 2026?
On 27 April 2026, IASME is introducing version 3.3 of the Cyber Essentials requirements — known as the Danzell question set. Any assessment account created on or after that date will be judged against these updated standards. The five core controls remain the same, but several requirements are becoming significantly stricter.
MFA Becomes Mandatory — No Exceptions
Multi-factor authentication (MFA) has been part of Cyber Essentials for some time, but under the current rules, failing to enable it where available results in a warning rather than a failure. From April 2026, this changes to an automatic fail. If any cloud service you use offers MFA — whether free, bundled, or available as a paid add-on — and you have not switched it on for all users, you will not pass. This applies to every user account, not just administrators.
Expanded Cloud Scope
Cloud platforms such as Microsoft 365, Google Workspace, AWS, and CRM tools are now always included in scope. If a service stores or processes your organisational data, it must be assessed. You cannot exclude cloud services without proper justification.
Stricter Patching Requirements
Any high-risk or critical security update — those with a CVSSv3.0 score of 7.0 or higher — must be applied within 14 days of release. This applies to operating systems, firmware, and applications equally.
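As an added example (not from this guide, IASME or the NCSC), the patching rule above and in control 5 expressed as a check over a constructed patch inventory: every update with a CVSSv3.0 score of 7.0 or higher gets a deadline 14 days after release, and unsupported software is flagged regardless of score. Host names, package names, dates and scores are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)   # high/critical updates must be applied within 14 days
HIGH_RISK_CVSS = 7.0                # CVSSv3.0 base score at or above this is high/critical


@dataclass
class UpdateRecord:
    host: str
    package: str
    cvss: float                     # CVSSv3.0 base score of the worst flaw the update fixes
    released: date                  # vendor release date of the update
    applied: Optional[date]         # None if not yet installed
    vendor_supported: bool = True   # False if the product no longer receives updates


def deadline(rec: UpdateRecord) -> date:
    return rec.released + PATCH_WINDOW


def assess(rec: UpdateRecord, today: date) -> tuple:
    """Return (status, detail) for one update record on the given audit date."""
    if not rec.vendor_supported:
        return "FAIL", "unsupported software: remove or isolate from the network"
    if rec.cvss < HIGH_RISK_CVSS:
        return "INFO", "below high-risk threshold; apply in the normal patch cycle"
    due = deadline(rec)
    if rec.applied is None:
        if today > due:
            return "FAIL", f"overdue by {(today - due).days} day(s)"
        return "DUE", f"{(due - today).days} day(s) left"
    if rec.applied > due:
        return "FAIL", f"applied {(rec.applied - due).days} day(s) late"
    return "PASS", "applied within 14 days"


def audit(records, today: date):
    return [(r.host, r.package, *assess(r, today)) for r in records]


# Constructed sample inventory: hypothetical hosts, packages and scores, not real data.
SAMPLE = [
    UpdateRecord("laptop-01", "os-kernel", 9.8, date(2026, 5, 1), date(2026, 5, 10)),
    UpdateRecord("laptop-02", "os-kernel", 9.8, date(2026, 5, 1), None),
    UpdateRecord("laptop-03", "pdf-reader", 7.5, date(2026, 4, 1), date(2026, 4, 30)),
    UpdateRecord("laptop-04", "media-player", 4.3, date(2026, 5, 1), None),
    UpdateRecord("server-01", "legacy-db", 8.1, date(2026, 5, 1), None, vendor_supported=False),
]

if __name__ == "__main__":
    for host, pkg, status, detail in audit(SAMPLE, date(2026, 5, 20)):
        print(f"{status:5} {host:10} {pkg:14} {detail}")
```

Feed it the output of your patch management tool instead of SAMPLE and any FAIL row is a finding an assessor would raise.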
Stronger Board-Level Accountability
Board-level sign-off will now include a formal commitment to maintain Cyber Essentials controls throughout the certification period. Certification is no longer treated as a point-in-time exercise — it becomes an ongoing security obligation.
Enhanced Backup Guidance
Backup requirements have been given greater prominence. You will need regular automated backups, stored separately from your main systems, and — critically — evidence that they have been tested and can actually be restored.
How to Get Cyber Essentials Certified: Step by Step
The process is more straightforward than many business owners expect. Here is how it works:
- Understand your scope. Work out which devices, users, and cloud services fall within the scope of your assessment. Under the 2026 rules, any device that connects to the internet and any cloud service that stores your data is in scope.
- Prepare your answers. Download the Cyber Essentials assessment questions and the Requirements for IT Infrastructure document from the IASME website — both are free. The NCSC also offers a free Readiness Tool that walks you through the questions and produces a tailored action plan.
- Register and pay. Purchase your assessment through IASME based on your organisation size. You will receive login details for the secure assessment platform. You have up to six months to complete your submission.
- Complete the self-assessment. Answer the questions in the online platform, saving your progress as you go. A senior person in your organisation — typically a director or board member — must confirm that the answers are accurate before submission.
- Assessment and feedback. A qualified assessor from a Certification Body reviews your answers within three working days. If they need clarification or additional information, you can update and resubmit. Each resubmission is also reviewed within three working days.
- Certification. Once your assessment meets all requirements, your Cyber Essentials certificate is issued. You receive a digital badge to display on your website and marketing materials.
If you do not pass, the assessor provides detailed feedback explaining which areas were non-compliant. You are given two working days to address simple issues and resubmit without additional charges. If you still cannot pass after that window, you will need to reapply and pay the assessment fee again.
Do You Need Help?
If you have a relatively straightforward IT setup — a handful of laptops, Microsoft 365, and a decent broadband router — you can likely handle the self-assessment yourself with the help of the free IASME resources.
If your setup is more complex, or if you simply want confidence that you will pass first time, there are two types of professional support available:
- Cyber Advisors — Assured by the NCSC, these professionals provide practical, hands-on advice to help small and medium-sized businesses implement the five controls and prepare for the assessment.
- Certification Bodies — Licensed by IASME to deliver the assessment and certification process. Many also offer consultancy packages alongside the assessment itself.
Key Takeaways
Cyber Essentials Certification is not a luxury or a nice-to-have. For UK small businesses, it is rapidly becoming a baseline expectation — from clients, from insurers, from supply chain partners, and from government buyers. The good news is that it is affordable, achievable, and genuinely effective at reducing your risk of a cyber attack.
If you have been putting it off, now is the time to act. The April 2026 changes will make the requirements stricter, so getting certified sooner rather than later gives you a smoother path. Start with the free NCSC Readiness Tool, understand what is in scope, and take it one control at a time.
Need Help Getting Cyber Essentials Certified?
Our SOC in a Box service includes guided support for Cyber Essentials Certification, helping UK small businesses get certified quickly and with confidence. Talk to our team today.