If you've ever applied for a government contract or spoken to a cyber insurer, you've probably heard the words "Cyber Essentials." But what actually is it, and does your business need to worry about it?
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme developed by the National Cyber Security Centre (NCSC). It was introduced in 2014 to help organisations of all sizes protect themselves against the most common forms of cyber attack. Despite what the name might suggest, it doesn't require an enterprise security team — it's designed to be achievable by small businesses with modest IT setups.
The scheme is recognised across UK government, supply chains, and the insurance industry as a credible baseline standard for cyber security.
The 5 Technical Controls
Cyber Essentials is built around five key technical areas that, together, protect against the vast majority of opportunistic, low-sophistication attacks:
- Firewalls — Ensuring your internet-facing systems are protected by a properly configured firewall that blocks unauthorised traffic from reaching your devices and network.
- Secure configuration — Devices and software should be set up securely from the start: change default passwords, disable unnecessary features, and lock services down to only what's actually needed.
- User access control — Only the right people should have access to the right systems. Admin rights should be limited, carefully managed, and reviewed regularly.
- Malware protection — Appropriate anti-malware software should be in place across all devices, kept up to date, and actively monitored.
- Patch management — Software and operating systems need to be updated regularly to close known vulnerabilities. This includes phones and tablets, not just desktops and servers.
These five controls won't stop every attack — but research consistently shows they'd prevent the vast majority of common threats that target small businesses every day.
Cyber Essentials vs Cyber Essentials Plus
There are two levels of the certification, and choosing between them depends on your situation:
Cyber Essentials is a self-assessed questionnaire, reviewed and verified by an external certifying body. You answer questions about your technical controls, a certifier checks your responses, and if you meet the standard, you receive the certification. It's the starting point for most organisations and costs roughly £300 in certification fees.
Cyber Essentials Plus includes everything in the self-assessed version, plus hands-on technical testing by an accredited assessor who verifies that your controls actually work as you've claimed. It's more rigorous, takes longer, and costs more — typically £1,500–£3,000 depending on your organisation's size and complexity.
For most small businesses, Cyber Essentials (self-assessed) is the right starting point. Plus is worth pursuing if your clients require it, or if you want stronger assurance for your own peace of mind.
Who Actually Needs It?
You should seriously consider Cyber Essentials if any of the following apply:
- You want to bid for UK central government contracts that involve handling sensitive information — it's a mandatory requirement for many of them.
- Your supply chain or key enterprise clients require it as part of their vendor due diligence process.
- You're applying for cyber liability insurance — some insurers now require it as a condition of cover, and many offer meaningful discounts to certified businesses.
- You want credible, third-party evidence that your business meets a recognised security baseline.
Even outside these specific requirements, certification signals to clients, partners, and prospects that your organisation takes security seriously — and that you've done something about it, not just talked about it.
How Much Does It Cost?
The self-assessment route costs around £300 for the certification fee, depending on your chosen certifying body. If you need guidance to prepare — identifying gaps, remediating issues, and completing the submission correctly — consulting support adds to that cost, but it typically saves you the time and frustration of a failed first submission and an expensive re-assessment.
Is It Worth It?
For most UK businesses: yes. It's affordable, achievable, and increasingly expected. More importantly, going through the process forces you to look honestly at your technical controls — and fixing what you find is worth far more than the badge itself. Businesses that complete Cyber Essentials genuinely end up more secure. That's the point.