What it is, what’s changing, and how to prepare your business for certification.
If you run a business in the UK and you deal with other organisations, particularly in the public sector, you’ve probably been asked about Cyber Essentials. Maybe it was a line in a tender document. Maybe your insurer mentioned it. Maybe a client asked for your certificate and you didn’t have one.
Cyber Essentials is the UK government-backed certification scheme that demonstrates an organisation has implemented a baseline set of cyber security controls. It was launched by the UK government in 2014 and is now owned by the National Cyber Security Centre (NCSC), and it has become the de facto minimum standard for organisations that take security seriously, or need to prove that they do.
The scheme isn’t about reaching perfection. It’s about getting the fundamentals right. And the data backs this up: the NCSC estimates that implementing these controls would prevent around 80% of common cyber attacks. For a scheme that costs a few hundred pounds and takes most well-prepared organisations a few weeks, that’s a significant return on investment.

Two levels of certification
The scheme offers two tiers. Which one you need depends on the nature of your work, the sensitivity of the data you handle, and what your clients or contracts require.
Cyber Essentials
You complete a self-assessment questionnaire covering the five technical controls. An external certification body reviews your answers and either awards the certificate or identifies areas that need attention. The process typically takes one to two weeks once you’re prepared.
Suitable for: Most SMEs, public sector supply chains, baseline compliance
Cyber Essentials Plus
Everything in standard CE, plus a hands-on technical audit. A qualified assessor tests your controls directly: an external vulnerability scan of your internet-facing services, an authenticated vulnerability and patch scan on a sample of devices, tests that your malware protection blocks test files arriving as email attachments and browser downloads, and checks that MFA and admin/user account separation are really in place. This provides genuine assurance, not just that you said the right things, but that your environment actually reflects them.
Suitable for: Sensitive data handlers, government contracts, higher assurance needs
The five technical controls
Cyber Essentials is built around five controls. They’re not revolutionary, and most IT professionals would recognise them as basic hygiene. But ‘basic’ doesn’t mean ‘easy’. The gap between knowing what good looks like and actually implementing it across a real organisation, with real constraints, is where most businesses struggle.
Firewalls
Every device that connects to the internet needs a firewall, whether hardware or software. For most SMEs using cloud services and laptops, this means ensuring the built-in OS firewall is enabled and configured on every machine. If you have an office network, your router or UTM appliance acts as the boundary firewall. The assessor will want to see that the default admin password has been changed, that the admin interface isn’t reachable from the internet (or is protected by MFA or an IP allow-list if it must be), that unnecessary inbound ports and services are blocked, and that every inbound rule has a documented business need and is removed when that need ends.
Secure Configuration
This is about reducing the attack surface. Remove software you don’t use. Disable features you don’t need. Change default passwords on everything, including routers, printers, and SaaS admin accounts. The assessor is looking for evidence that devices aren’t running in their out-of-the-box state. In practice, this is where Intune or a similar MDM platform earns its keep: you can enforce configuration baselines across your entire fleet and prove it.
User Access Control
The principle is simple: people should only have access to what they need. In practice, this means separating admin accounts from daily-use accounts (and using the admin account only for admin tasks), enforcing MFA on every cloud service account that supports it, and having a documented process for granting and revoking access. The most common failure here is ‘privilege creep’, where staff accumulate permissions over time as they change roles and nobody audits it. If your finance director is also a global admin on Microsoft 365, that’s a problem.
Malware Protection
You need active protection against malicious software on every device. For most organisations this means anti-malware software on every endpoint. The built-in Microsoft Defender Antivirus is acceptable, provided it’s switched on, kept updated and, ideally, reporting into a central console (Intune or your EDR platform) so you can prove it’s working across the whole fleet rather than on the machines you happened to check. The scheme also accepts application allow-listing, where only approved software can run, as an alternative, but in practice most SMEs will use an EDR/antivirus solution. The key is that it’s centrally managed, kept updated, and configured to scan automatically, including downloaded files and opened email attachments.
Patch Management
All software must be kept up to date. Updates that fix vulnerabilities rated critical or high (a CVSS base score of 7 or above, or described as critical or high by the vendor) must be applied within 14 days of release, and the clock starts at the vendor’s release date, not the day you noticed the update. Unsupported software, meaning anything that no longer receives security updates, must be removed or moved out of scope. This is where organisations most commonly fail. That old version of Adobe Reader, the legacy line-of-business app that only runs on Windows 10, the printer firmware nobody has ever updated. These all need addressing before assessment.
“The controls themselves are straightforward. The challenge is proving that they’re consistently applied across every device, every account, and every service in your organisation. Not just the ones you remembered to check.”


What’s changing in 2026
The Cyber Essentials scheme is owned by the NCSC and delivered by IASME, its Cyber Essentials partner. It’s updated regularly to reflect the way organisations actually work, which looks very different in 2026 than it did when the scheme launched.
The most significant shift is the recognition that the traditional office perimeter no longer exists. Staff work from home, from client sites, from coffee shops. Data lives in cloud platforms, not on-premise servers. The 2026 requirements reflect this reality.
Cloud services scope
The shared responsibility model is now a formal part of the assessment. If you use Microsoft 365, Google Workspace, or any SaaS platform, you need to understand which security controls are your responsibility and which are the provider’s. The assessor will ask you to demonstrate that you’ve configured your cloud tenants securely, not just assumed the provider handles everything.
Home and remote working
Home routers are explicitly out of scope unless your organisation supplied them: you can’t audit or configure an employee’s ISP router, and the scheme doesn’t ask you to. What it does ask is that the work device is protected regardless of which network it’s on. This effectively means device-level security (endpoint protection, the software firewall enabled on the device itself, VPN or ZTNA) becomes the boundary control for remote workers.
Password and authentication
The emphasis has shifted from complex password rules to multi-factor authentication as the primary control. Where MFA is in place, a minimum password length of 8 characters is acceptable. Where MFA isn’t possible, passwords must be at least 12 characters with no maximum length, or at least 8 characters combined with a deny list that automatically blocks common passwords. Complexity rules (mandatory symbols, forced periodic changes) are not required, and the NCSC’s own guidance advises against them: people just write passwords down or use predictable patterns.
Asset management
You now need a clear, documented inventory of every device and cloud service in scope. This sounds obvious, but it’s the single most common gap we see in pre-assessment reviews. You can’t protect what you don’t know about, and you can’t certify what you haven’t scoped. Shadow IT, such as SaaS tools signed up to on company credit cards without IT involvement, is a particular risk area.
How to prepare
Most organisations that fail do so because they underestimated the preparation needed. The assessment itself is relatively quick, but it’s the groundwork that takes time. Here’s a practical, step-by-step approach based on what we’ve seen work across hundreds of SME certifications.
Understand your scope
Start by listing every device that accesses organisational data: laptops, desktops, phones, tablets. Then list every cloud service: Microsoft 365, accounting software, CRM, project management tools, file sharing platforms. Don’t forget shared devices, conference room equipment, or that spare laptop the intern uses. If it touches company data, it’s in scope. The one exception is a phone used only for voice calls, text messages or as an MFA token; as soon as it has email or Slack on it, it’s in scope. This exercise alone typically surfaces three or four things organisations didn’t realise needed securing.
Run a gap analysis
Work through each of the five controls against your scoped assets. Be honest about where you stand. Common gaps include: MFA not enforced on all accounts (especially service accounts and admin accounts), outdated firmware on network equipment, unsupported operating systems still in production, and a lack of documented configuration baselines. Write down every gap. You’ll need this list to plan remediation.
Remediate and document
Some fixes take five minutes: enabling a firewall, changing a default password, removing unused software. Others are projects in their own right: migrating off an unsupported OS, deploying an MDM platform, or implementing conditional access policies. Prioritise by risk and complexity. Quick wins first, then tackle the larger items with a realistic timeline. Document everything you do. The assessor needs evidence, not just assurances.
Test your own controls
Before you submit for assessment, run through the questionnaire yourself as though you were the assessor. Can you prove that every device has endpoint protection? Can you show that MFA is enforced on every account? Can you demonstrate that patches are applied within 14 days? If you can’t answer confidently, you’re not ready. A mock assessment, whether internal or with an external partner, saves time and money.
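The scheme’s rules are simple enough to write down as code, and doing so is the quickest way to run the gap analysis and the self-check above honestly rather than from memory. The script below is an added example for this article, not part of the Cyber Essentials scheme or any assessor’s tooling. It encodes the 14-day patch window (measured from vendor release, and still running for a patch that has not been installed), the end-of-support rule, the firewall and anti-malware checks, and the MFA / 12-character password rule, then runs them over a constructed inventory. The inventory shape, field names and the 7-day signature-age threshold are this example’s own assumptions; Secure Configuration is not modelled because it needs a comparison against your own baseline.

```python
"""Scheme rules as code: a gap analysis over a constructed asset inventory.

Added example, not Cyber Essentials tooling. The inventory layout, field
names and MAX_SIGNATURE_AGE_DAYS are assumptions of this example; populate
the inventory from Intune, your RMM tool or your scoping spreadsheet.
"""
from __future__ import annotations
from collections import Counter
from datetime import date, timedelta
from typing import NamedTuple, Optional

PATCH_WINDOW = timedelta(days=14)    # critical/high fixes: applied within 14 days of release
PASSWORD_MIN_WITHOUT_MFA = 12        # minimum password length where MFA is not in place
MAX_SIGNATURE_AGE_DAYS = 7           # assumption for "kept updated" anti-malware signatures
TODAY = date(2026, 1, 26)            # fixed assessment date so the run is reproducible


class Finding(NamedTuple):
    control: str   # which of the five controls the gap falls under
    asset: str     # device name or account
    issue: str


def _parse(iso: Optional[str]) -> Optional[date]:
    return date.fromisoformat(iso) if iso else None


def days_to_apply(patch: dict, today: date) -> int:
    """Days from vendor release to installation. If the patch is still
    missing, the clock is still running, so measure up to today."""
    released = _parse(patch["released"])
    installed = _parse(patch.get("installed")) or today
    return (installed - released).days


def check_device(dev: dict, today: date) -> list[Finding]:
    out: list[Finding] = []
    name = dev["name"]
    if not dev["firewall_on"]:
        out.append(Finding("Firewalls", name, "software firewall disabled"))
    if not dev["av_on"]:
        out.append(Finding("Malware Protection", name, "no active anti-malware"))
    elif dev["av_sig_age_days"] > MAX_SIGNATURE_AGE_DAYS:
        out.append(Finding("Malware Protection", name,
                           f"signatures {dev['av_sig_age_days']} days old"))
    eos = _parse(dev.get("os_end_of_support"))
    if eos and eos <= today:
        out.append(Finding("Patch Management", name,
                           f"{dev['os']} unsupported since {eos}; remove or move out of scope"))
    for p in dev["patches"]:
        if p["severity"].lower() not in ("critical", "high"):
            continue                       # the 14-day clock applies to critical/high fixes
        taken = days_to_apply(p, today)
        if taken > PATCH_WINDOW.days:
            state = "installed late" if p.get("installed") else "still missing"
            out.append(Finding("Patch Management", name,
                               f"{p['id']} {state}: {taken} days after release"))
    return out


def check_account(acct: dict) -> list[Finding]:
    out: list[Finding] = []
    user = acct["user"]
    if not acct["mfa"]:
        role = "admin" if acct["admin"] else "user"
        out.append(Finding("User Access Control", user, f"MFA not enforced on {role} account"))
        # Without MFA the fallback is a 12-character minimum (or 8 plus a deny list).
        if acct["min_password_len"] < PASSWORD_MIN_WITHOUT_MFA:
            out.append(Finding("User Access Control", user,
                               f"no MFA and minimum password length "
                               f"{acct['min_password_len']} < {PASSWORD_MIN_WITHOUT_MFA}"))
    return out


def gap_analysis(inventory: dict, today: date) -> list[Finding]:
    findings: list[Finding] = []
    for dev in inventory["devices"]:
        findings.extend(check_device(dev, today))
    for acct in inventory["accounts"]:
        findings.extend(check_account(acct))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count of gaps per control; an empty dict means nothing was found."""
    return dict(Counter(f.control for f in findings))


# Constructed sample inventory for the demonstration (not real assets or people).
INVENTORY = {
    "devices": [
        {"name": "LT-001", "os": "Windows 11", "os_end_of_support": None,
         "firewall_on": True, "av_on": True, "av_sig_age_days": 1,
         "patches": [{"id": "KB-A", "severity": "critical",
                      "released": "2026-01-06", "installed": "2026-01-12"}]},
        {"name": "LT-002", "os": "Windows 10", "os_end_of_support": "2025-10-14",
         "firewall_on": False, "av_on": True, "av_sig_age_days": 9,
         "patches": [{"id": "KB-B", "severity": "high",
                      "released": "2026-01-06", "installed": None}]},
    ],
    "accounts": [
        {"user": "fd@example.test", "admin": True, "mfa": True, "min_password_len": 8},
        {"user": "svc-backup@example.test", "admin": False, "mfa": False, "min_password_len": 10},
    ],
}

if __name__ == "__main__":
    findings = gap_analysis(INVENTORY, TODAY)
    for f in findings:
        print(f"[{f.control}] {f.asset}: {f.issue}")
    print(summarise(findings))
```

On the sample data the fully managed laptop produces no findings, while the Windows 10 machine and the un-MFA’d service account between them produce six: that is the list you remediate and document before applying. The point of `days_to_apply` measuring a missing patch up to today is that a patch you have not yet installed is already failing the 14-day test, not merely pending.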
Choose CE or CE Plus
Standard Cyber Essentials is a self-assessment questionnaire verified by a certification body. It’s sufficient for most SME requirements and many public sector contracts. Cyber Essentials Plus adds a hands-on technical audit where an assessor tests your controls directly, including external and authenticated vulnerability scans, email-attachment and browser-download malware-protection tests, and MFA and account-separation checks. If you handle sensitive data, work with government agencies, or want the highest assurance level, Plus is worth the additional investment.
Common mistakes to avoid
We’ve helped dozens of organisations through Cyber Essentials certification. These are the issues that come up again and again, and almost all of them are avoidable with proper preparation.
Underestimating scope
The most common failure. Organisations list their office desktops and forget about the MD’s personal iPad that accesses company email, the marketing team’s phones with Slack installed, the server in the cupboard running Windows Server 2012, and the NAS drive that backs up everything to an unsecured share. Every device that accesses organisational data is in scope. Every one.
MFA gaps
Having MFA on most accounts isn’t good enough. The assessment requires MFA on all accounts where it’s available. The gaps are usually admin accounts (‘we only use it for emergencies’), service accounts (‘it’s not a real user’), and legacy applications that don’t support modern authentication. Every one of these is a fail. Audit your entire tenant before you apply.
Unsupported software
If it doesn’t receive security updates, it fails. This catches more organisations than you’d expect. Windows 10 reached end of support in October 2025, so a Windows 10 device now only counts as supported if it is enrolled in Extended Security Updates and actually receiving them. Older versions of PHP, Java, or .NET on web servers. That copy of Office 2016 the accounts team refuses to give up. Legacy line-of-business applications that require an old browser. All of these need replacing, upgrading, or isolating before assessment.
Rushing the timeline
Certification bodies are busy. Remediation takes longer than you think. If you need certification for a contract deadline, start the process at least three months before you need the certificate in hand. A failed assessment means paying again and waiting for reassessment. We’ve seen organisations lose contract opportunities because they assumed they could certify in two weeks. They couldn’t.
What happens after certification
Cyber Essentials certificates are valid for 12 months. Recertification isn’t automatic. You need to go through the assessment again each year. This is by design: the scheme is meant to be a living process, not a one-off checkbox.
Between certifications, your responsibility is to maintain the controls. That means continuing to patch within 14 days, keeping your asset inventory current, onboarding new staff with the right security configurations, and offboarding leavers promptly. If you let things drift, recertification becomes a scramble rather than a formality.
Some organisations use their Cyber Essentials journey as a stepping stone to more comprehensive frameworks like ISO 27001 or SOC 2. The controls overlap significantly, so if you’ve built good habits with Cyber Essentials, you’re already partway there.
Why it matters
Cyber Essentials isn’t just about compliance. For most SMEs, the real value is the process itself: the discipline of understanding your environment, closing gaps, and building security into how you operate. The certificate is proof that you’ve done the work.
Key figures: around 80% of common cyber attacks are prevented by the Cyber Essentials controls; certification is required for UK government contracts involving sensitive or personal data; certificates are valid for 12 months, and annual recertification maintains your status.
Need help with Cyber Essentials?
We help UK businesses prepare for and achieve Cyber Essentials and Cyber Essentials Plus certification. That includes scoping, gap analysis, remediation support, and guiding you through the assessment process.
If you’re not sure where you stand, a readiness review takes around an hour and will tell you exactly what needs addressing before you apply.