Get Cyber Essentials certified

Cyber Essentials is the UK government's baseline cyber security certification scheme. It helps you protect your organisation against approximately 80% of common cyber attacks and demonstrates to customers, suppliers, and insurers that you take security seriously.

Getting certified is straightforward for most businesses. The basic level involves a self-assessment questionnaire that you can complete in a few hours if your systems are already reasonably secure. The Plus level adds an independent technical verification.

Why get certified

Certification provides several benefits:

• Government contracts - Cyber Essentials is mandatory for suppliers bidding on certain public sector contracts, particularly those involving personal data or ICT services
• Customer confidence - Demonstrates you take cyber security seriously
• Insurance benefits - Many cyber insurance policies require certification or offer premium discounts (organisations with Cyber Essentials see a 92% reduction in insurance claims)
• Reduced risk - Implementing the five controls significantly reduces your vulnerability to common attacks
• Structured approach - Provides a clear framework for basic cyber hygiene

Certification levels and costs

There are two levels of Cyber Essentials certification. Choose based on your risk profile, contract requirements, and the sensitivity of data you handle.

Which level is right for your business?

Choose basic Cyber Essentials if you:

• Need to meet government contract requirements for lower-risk contracts
• Want to demonstrate baseline security to customers
• Are starting your cyber security journey and need an affordable entry point
• Handle limited amounts of personal or sensitive data

Choose Cyber Essentials Plus if you:

• Bid on higher-risk government contracts involving sensitive data or ICT delivery
• Handle significant amounts of personal, financial, or health data
• Want independent verification that your controls actually work
• Need to demonstrate security to enterprise customers or regulators
• Work in sectors with heightened security expectations (finance, healthcare, legal)

Note: You must achieve basic Cyber Essentials before you can apply for Cyber Essentials Plus.

The five technical controls

Cyber Essentials certification requires you to implement five core technical controls. These address the most common attack vectors and provide a solid foundation for cyber security.

Common areas where businesses fail

The most frequent reasons for assessment failure are:

• Missing multi-factor authentication - MFA is now mandatory for administrator accounts, remote access, and cloud services handling sensitive data
• Outdated software - Security updates must be applied within 14 days for high-risk vulnerabilities
• Default passwords - Router, firewall, and network equipment passwords must be changed from factory defaults
• Unprotected devices - All devices need malware protection, including Macs and mobile devices
• No screen lock policy - Devices must lock automatically after a maximum of 10 minutes of inactivity

Review these areas before starting your assessment to avoid delays and additional costs.

How to get certified

The certification process is managed through IASME-accredited Certification Bodies. There are over 350 Certification Bodies across the UK.

Government contract requirements

Cyber Essentials certification is mandatory for suppliers bidding on certain government contracts. The requirement applies to contracts that involve:

• Handling personal information of UK citizens
• Providing ICT products or services
• Handling sensitive government data

Which level is required?

• Basic Cyber Essentials - Required for most government contracts involving personal data or ICT
• Cyber Essentials Plus - May be required for higher-risk contracts, particularly those involving sensitive data or critical systems

Contract specifications state which level is required. If in doubt, check with the contracting authority before bidding.

Supply chain implications: If you are a subcontractor on a government contract, you may also need certification. Prime contractors increasingly require Cyber Essentials from their supply chain.

Maintaining certification

Cyber Essentials certificates are valid for 12 months. You must renew annually to maintain your certified status.

Annual renewal process:

• Complete a fresh self-assessment (your IT environment may have changed)
• Update answers to reflect the new question set (requirements evolve annually)
• For Plus, undergo another technical audit

What changes each year:

The Cyber Essentials requirements are updated periodically to address evolving threats. The April 2025 "Willow Question Set" introduced strengthened requirements for multi-factor authentication and faster patching timescales. Review the current requirements before each renewal.

If your certificate expires:

• You must remove the Cyber Essentials badge from your website and materials
• You are no longer listed on the public register
• You cannot bid on contracts requiring certification until you recertify

Costs and time investment

Direct costs:

• Basic Cyber Essentials: typically £320-£600 + VAT depending on organisation size
• Cyber Essentials Plus: typically £1,500-£3,000 + VAT depending on complexity

Time investment:

• Preparation: 2-10 hours reviewing controls and addressing gaps
• Questionnaire completion: 1-3 hours for straightforward setups
• Plus technical audit: typically half a day on-site or remote

Hidden costs to consider:

• Upgrading software or systems to meet requirements
• Implementing MFA across your organisation
• IT support time to verify configurations
• Staff time for training and policy updates

For most small businesses with modern, cloud-based systems, the hidden costs are minimal. Businesses with legacy systems or complex IT environments may need more preparation.