UK Government-backed Certification

Cyber Essentials Certification

Cyber Essentials is the UK government-backed scheme that helps organisations guard against the most common cyber attacks. Whether you need certification to win contracts, reduce insurance premiums, or simply protect your business, SOC in a Box includes full Cyber Essentials support as standard.

  • 80% of attacks blocked by basic controls
  • £300 IASME self-assessment fee (+ VAT)
  • 5 technical controls to implement
  • 215,000+ certificates awarded to date
Step by step

How It Works
Your path to Cyber Essentials certification

1. Gap Analysis

Your named SOC analyst reviews your current environment against the five Cyber Essentials controls and identifies any gaps that need addressing before assessment.

2. Remediation

We provide practical, prioritised guidance to close any gaps — from firewall rules and patch schedules to access-control policies and secure configuration baselines.

3. Self-Assessment

Complete the IASME online questionnaire with hands-on support from your analyst, ensuring every answer accurately reflects your controls and environment.

4. Assessor Review

An IASME-licensed Certification Body reviews your submission, verifies your answers, and may ask follow-up questions. For Cyber Essentials Plus, a hands-on technical audit is also performed.

5. Certification

You receive your Cyber Essentials certificate, valid for 12 months. SOC in a Box provides ongoing monitoring and annual recertification support so you stay compliant year-round.

Pricing

Cyber Essentials Cost for UK Businesses

Certification costs depend on your organisation size and the level of assurance you need. The table below shows the IASME assessment fees alongside the SOC in a Box plan that includes full certification support.

| Business Size | Micro (0–9 staff) | Small (10–49 staff) | Medium (50–249 staff) | Large (250–999 staff) | Enterprise (1,000+ staff) |
|---|---|---|---|---|---|
| CE Self-Assessment (IASME assessment fee) | £300 + VAT | £300 + VAT | £400 + VAT | £500 + VAT | Contact us |
| CE Plus Audit (independent technical verification) | From £1,500 | From £1,500 | From £2,500 | From £3,500 | Contact us |
| Typical Timeline (assessment to certification) | 1–2 weeks | 1–2 weeks | 2–4 weeks | 4–6 weeks | 6–8 weeks |
| SOC in a Box Plan (includes full CE support) | £335/mo, 25 assets | £335/mo, 25 assets | £600/mo, 50 assets | £1,000/mo, 100 assets | Contact us |

What's Included (all sizes): gap analysis, remediation guidance, questionnaire support, named analyst, 24/7 monitoring, annual recertification.

IASME assessment fees are set by the IASME Consortium and paid directly to the Certification Body. CE Plus audit costs vary by environment complexity. All prices exclude VAT unless stated.

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme, managed by IASME on behalf of the National Cyber Security Centre (NCSC). It defines five technical controls that, when implemented correctly, protect organisations against the most common internet-based threats.

The scheme is designed to be accessible to businesses of every size — from sole traders to large enterprises. For small businesses in particular, Cyber Essentials provides a clear, affordable baseline that demonstrates due diligence to customers, suppliers, and insurers.

[Image: Cyber Essentials certification overview showing the five key security controls required for UK government-backed compliance]

Who Needs Cyber Essentials?

Cyber Essentials is relevant to every UK organisation, but it is mandatory for suppliers bidding on central government contracts that involve handling sensitive or personal information. Beyond government work, Cyber Essentials is increasingly required by:

  • NHS and healthcare supply chains — NHS Digital recommends Cyber Essentials for all suppliers.
  • Legal and financial services — the SRA and FCA expect demonstrable baseline security controls.
  • Education — the ESFA requires colleges to achieve Cyber Essentials during the current funding year.
  • Defence and engineering contractors — Tier-1 primes increasingly mandate it throughout the supply chain.
  • Any business seeking cyber insurance — many insurers require certification before issuing cover.

Cyber Essentials Requirements in 2026

The current Cyber Essentials requirements are defined in Requirements for IT Infrastructure v3.2, published by the NCSC. Key updates for 2026 include strengthened guidance on cloud services, home and remote working, and zero trust architecture principles. The 14-day patching window for critical and high-severity vulnerabilities (CVSS v3 score of 7 or above) remains unchanged.

The Five Technical Controls

Cyber Essentials is built around five controls that address the most common attack vectors:

  • Firewalls — boundary firewalls and internet gateways must be configured to restrict inbound and outbound traffic to only what is needed.
  • Secure Configuration — computers and network devices must be configured to reduce vulnerabilities, including removing unnecessary software and changing default passwords.
  • User Access Control — user accounts must follow least-privilege principles, with admin access limited to those who genuinely need it.
  • Malware Protection — anti-malware software must be installed and kept up to date, or application whitelisting must be in place.
  • Patch Management — software and operating systems must be kept up to date, with critical and high-severity patches applied within 14 days of release.

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials

  • Self-assessment questionnaire
  • Verified by a licensed assessor
  • Covers the five technical controls
  • From £300 + VAT
  • Suitable for most small businesses
  • Required for many government contracts

Cyber Essentials Plus

  • Independent technical audit of your systems
  • Includes vulnerability scans and phishing tests
  • Verifies controls are working in practice
  • Typically £1,500–£3,000
  • Stronger assurance for clients and insurers
  • Required for contracts handling sensitive data

Many small businesses start with Cyber Essentials and progress to Plus when clients, supply-chain requirements, or insurance conditions demand the higher assurance level. SOC in a Box supports both levels.

Cyber Essentials and Insurance Benefits

Holding Cyber Essentials certification can directly reduce the cost of cyber liability insurance — and in some cases is a prerequisite for obtaining cover. UK insurers increasingly require evidence that baseline controls are in place before they will issue or renew a policy.

  • Lower premiums — insurers recognise that certified organisations have a smaller attack surface and are less likely to suffer a breach.
  • Easier underwriting — the certificate provides third-party verification that fundamental controls are in place, streamlining the application process.
  • NCSC-backed insurance offer — some insurers offer free cyber liability cover (up to £25,000) to organisations that achieve Cyber Essentials certification, in partnership with the NCSC.

SOC in a Box goes further by providing 24/7 monitoring, incident response, and a named analyst — giving insurers additional confidence in your security posture. Read our guide on what UK insurers actually want to see.

Is Cyber Essentials Enough for a Small Business?

Cyber Essentials is an excellent starting point. The five controls address around 80% of the most common attacks, and certification demonstrates to customers, partners, and regulators that you take security seriously.

However, Cyber Essentials is a point-in-time assessment — it confirms your controls were in place on the day you were assessed. It does not provide:

  • Continuous monitoring of your network and endpoints
  • Detection of advanced or targeted threats
  • Incident response when something goes wrong
  • Dark web monitoring for leaked credentials
  • Data loss prevention controls

For genuine, ongoing protection, small businesses need to pair Cyber Essentials with continuous security monitoring. That is exactly what SOC in a Box delivers — 24/7 analyst coverage, AI-augmented detection with EmilyAI, deception technology via DecoyPulse, and full Cyber Essentials support, all from £335/month.

How SOC in a Box Helps You Get Certified

Cyber Essentials support is built into every SOC in a Box tier. Here is what that means in practice:

  • Gap analysis — your named analyst reviews your current environment against the five controls and identifies what needs to change.
  • Remediation guidance — practical, prioritised advice to close any gaps before you submit your self-assessment.
  • Questionnaire support — help with completing the IASME self-assessment accurately and completely.
  • Ongoing compliance — continuous monitoring ensures your controls stay in place year-round, not just on assessment day.
  • Recertification — annual support to maintain your certification without starting from scratch.

Frequently Asked Questions

How much does Cyber Essentials cost for a UK small business?

The IASME self-assessment fee for Cyber Essentials is £300 + VAT for micro and small organisations. Cyber Essentials Plus, which includes an independent technical audit, typically costs between £1,500 and £3,000 depending on the size and complexity of your environment.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment questionnaire covering five technical controls. Cyber Essentials Plus adds an independent hands-on technical audit that verifies those controls are working in practice, including vulnerability scans and simulated phishing tests.

Is Cyber Essentials enough for a small business?

Cyber Essentials is an excellent starting point and covers the most common attack vectors. However, it does not replace ongoing monitoring, incident response, or advanced threat detection. Pairing certification with a managed security service like SOC in a Box provides continuous protection beyond the baseline.

Does Cyber Essentials help with cyber insurance?

Yes. Many UK insurers offer lower premiums or require Cyber Essentials certification as a condition of cover. Certification demonstrates that baseline controls are in place, reducing your risk profile and making your business more insurable.

How long does it take to get Cyber Essentials certified?

Most small businesses can complete the Cyber Essentials self-assessment in one to two weeks once the five technical controls are in place. Cyber Essentials Plus typically takes an additional two to four weeks to schedule and complete the technical audit.

Do I need Cyber Essentials to work with the UK government?

Yes — since 2014, Cyber Essentials certification has been mandatory for suppliers bidding on UK government contracts that involve handling sensitive or personal information. Many private-sector organisations now also require it from their supply chain.

Cyber Essentials included

Ready to get certified?

Every SOC in a Box tier includes Cyber Essentials support, 24/7 monitoring, a named analyst, and cyber liability insurance — from £335/month.
