Guide
Get Cyber Essentials certified
How to achieve Cyber Essentials certification for your business. Covers the five technical controls, certification levels and costs, the assessment process, and requirements for government contracts.
Cyber Essentials is the UK government's baseline cyber security certification scheme. It helps you protect your organisation against approximately 80% of common cyber attacks and demonstrates to customers, suppliers, and insurers that you take security seriously.
Getting certified is straightforward for most businesses. The basic level involves a self-assessment questionnaire that you can complete in a few hours if your systems are already reasonably secure. The Plus level adds an independent technical verification.
Why get certified
Certification provides several benefits:
- Government contracts - Cyber Essentials is mandatory for suppliers bidding on certain public sector contracts, particularly those involving personal data or ICT services
- Customer confidence - Demonstrates you take cyber security seriously
- Insurance benefits - Many cyber insurance policies require certification or offer premium discounts (organisations with Cyber Essentials see a 92% reduction in insurance claims)
- Reduced risk - Implementing the five controls significantly reduces your vulnerability to common attacks
- Structured approach - Provides a clear framework for basic cyber hygiene
Certification levels and costs
There are two levels of Cyber Essentials certification. Choose based on your risk profile, contract requirements, and the sensitivity of data you handle.
Which level is right for your business?
Choose basic Cyber Essentials if you:
- Need to meet government contract requirements for lower-risk contracts
- Want to demonstrate baseline security to customers
- Are starting your cyber security journey and need an affordable entry point
- Handle limited amounts of personal or sensitive data
Choose Cyber Essentials Plus if you:
- Bid on higher-risk government contracts involving sensitive data or ICT delivery
- Handle significant amounts of personal, financial, or health data
- Want independent verification that your controls actually work
- Need to demonstrate security to enterprise customers or regulators
- Work in sectors with heightened security expectations (finance, healthcare, legal)
Note: You must achieve basic Cyber Essentials before you can apply for Cyber Essentials Plus.
The five technical controls
Cyber Essentials certification requires you to implement five core technical controls. These address the most common attack vectors and provide a solid foundation for cyber security.
Common areas where businesses fail
The most frequent reasons for assessment failure are:
- Missing multi-factor authentication - MFA is now mandatory for administrator accounts, remote access, and cloud services handling sensitive data
- Outdated software - Security updates must be applied within 14 days for high-risk vulnerabilities
- Default passwords - Router, firewall, and network equipment passwords must be changed from factory defaults
- Unprotected devices - All devices need malware protection, including Macs and mobile devices
- No screen lock policy - Devices must lock automatically after a maximum of 10 minutes of inactivity
Review these areas before starting your assessment to avoid delays and additional costs.
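As an added example (not part of this guide, nor IASME or NCSC material), the following Python readiness check runs the five failure areas above over a constructed device and account inventory, using the thresholds the guide states (14-day patching, 10-minute lock, MFA for administrator and remote/cloud access); the record field names are assumptions made for the example.

```python
from datetime import date
MAX_PATCH_DAYS = 14          # high-risk updates applied within 14 days
MAX_LOCK_SECONDS = 10 * 60   # automatic screen lock within 10 minutes
USER_DEVICES = {"laptop", "desktop", "mobile"}  # need malware protection and a lock
AS_OF = date(2025, 4, 25)    # assessment date for the constructed sample

# Constructed sample inventory; the field names are assumptions for this example.
DEVICES = [
    {"name": "fw-01", "type": "firewall", "default_password_changed": False},
    {"name": "mac-sarah", "type": "laptop", "malware_protection": False,
     "lock_seconds": 900, "oldest_unpatched_release": date(2025, 4, 1)},
    {"name": "win-desk-02", "type": "desktop", "malware_protection": True,
     "lock_seconds": 300, "oldest_unpatched_release": date(2025, 4, 20)},
    {"name": "phone-tom", "type": "mobile", "malware_protection": False,
     "lock_seconds": None},
]
ACCOUNTS = [
    {"user": "admin@example.test", "privileged": True, "remote_or_cloud": False, "mfa": False},
    {"user": "tom@example.test", "privileged": False, "remote_or_cloud": True, "mfa": True},
    {"user": "sarah@example.test", "privileged": False, "remote_or_cloud": False, "mfa": False},
]

def device_gaps(dev, as_of=AS_OF):
    """Failures for one device: patching, default password, malware protection, screen lock."""
    gaps = []
    released = dev.get("oldest_unpatched_release")
    if released is not None and (as_of - released).days > MAX_PATCH_DAYS:
        gaps.append(f"{dev['name']}: high-risk update outstanding {(as_of - released).days} days")
    if not dev.get("default_password_changed", True):
        gaps.append(f"{dev['name']}: factory default password still in use")
    if dev["type"] in USER_DEVICES:
        if not dev.get("malware_protection"):
            gaps.append(f"{dev['name']}: no malware protection")
        lock = dev.get("lock_seconds")
        if lock is None or lock > MAX_LOCK_SECONDS:
            gaps.append(f"{dev['name']}: screen lock missing or longer than 10 minutes")
    return gaps

def account_gaps(acct):
    """MFA is mandatory for administrator accounts and for remote or cloud access."""
    if (acct["privileged"] or acct["remote_or_cloud"]) and not acct["mfa"]:
        return [f"{acct['user']}: MFA required but not enabled"]
    return []

def readiness_report(devices=DEVICES, accounts=ACCOUNTS, as_of=AS_OF):
    """All gaps to close before submitting the questionnaire; an empty list means ready."""
    gaps = [g for d in devices for g in device_gaps(d, as_of)]
    gaps += [g for a in accounts for g in account_gaps(a)]
    return gaps
```

Network equipment is checked only for patching and default passwords, since the malware-protection and screen-lock requirements apply to user devices.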
How to get certified
The certification process is managed through IASME-accredited Certification Bodies. There are over 350 Certification Bodies across the UK.
Step 1: Check your readiness
Review the five technical controls against your current setup. Identify any gaps before starting the formal process. The NCSC provides free guidance on each control area to help you prepare.
Step 2: Choose a Certification Body
Select an IASME-accredited Certification Body to conduct your assessment. Compare prices and turnaround times - costs vary between providers. Check they are listed on the official IASME directory.
Step 3: Complete the self-assessment questionnaire
For basic Cyber Essentials, you complete an online questionnaire about your IT systems and security controls. Answer honestly - providing false information invalidates your certificate and could have legal consequences for government contracts.
Step 4: Submit for review
Your Certification Body reviews your answers. They may ask clarifying questions. For straightforward applications, expect a decision within 1-3 business days. Complex IT environments may take longer.
Step 5: Receive your certificate
If successful, you receive your Cyber Essentials certificate, valid for 12 months. You can display the Cyber Essentials badge on your website and marketing materials. Your certification is listed on a public register.
Step 6: For Plus level - schedule technical audit
If pursuing Cyber Essentials Plus, the Certification Body schedules an independent technical audit including authenticated vulnerability scanning and verification that controls are working as described.
Government contract requirements
Cyber Essentials certification is mandatory for suppliers bidding on certain government contracts. The requirement applies to contracts that involve:
- Handling personal information of UK citizens
- Providing ICT products or services
- Handling sensitive government data
Which level is required?
- Basic Cyber Essentials - Required for most government contracts involving personal data or ICT
- Cyber Essentials Plus - May be required for higher-risk contracts, particularly those involving sensitive data or critical systems
Contract specifications state which level is required. If in doubt, check with the contracting authority before bidding.
Supply chain implications: If you are a subcontractor on a government contract, you may also need certification. Prime contractors increasingly require Cyber Essentials from their supply chain.
Maintaining certification
Cyber Essentials certificates are valid for 12 months. You must renew annually to maintain your certified status.
Annual renewal process:
- Complete a fresh self-assessment (your IT environment may have changed)
- Update answers to reflect the new question set (requirements evolve annually)
- For Plus, undergo another technical audit
What changes each year:
The Cyber Essentials requirements are updated periodically to address evolving threats. The April 2025 "Willow Question Set" introduced strengthened requirements for multi-factor authentication and faster patching timescales. Review the current requirements before each renewal.
If your certificate expires:
- You must remove the Cyber Essentials badge from your website and materials
- You are no longer listed on the public register
- You cannot bid on contracts requiring certification until you recertify
Costs and time investment
Direct costs:
- Basic Cyber Essentials: typically £320-£600 + VAT depending on organisation size
- Cyber Essentials Plus: typically £1,500-£3,000 + VAT depending on complexity
Time investment:
- Preparation: 2-10 hours reviewing controls and addressing gaps
- Questionnaire completion: 1-3 hours for straightforward setups
- Plus technical audit: typically half a day on-site or remote
Hidden costs to consider:
- Upgrading software or systems to meet requirements
- Implementing MFA across your organisation
- IT support time to verify configurations
- Staff time for training and policy updates
For most small businesses with modern, cloud-based systems, the hidden costs are minimal. Businesses with legacy systems or complex IT environments may need more preparation.