If you are wondering what Cyber Essentials is and why UK businesses should know about it, the simple answer is this: Cyber Essentials is a UK Government-backed certification scheme designed to help organisations protect themselves against common online cyber threats. It gives businesses a practical framework for improving basic cyber security and showing customers, suppliers and public sector buyers that they take cyber risk seriously.
For SME owners, IT managers and operations managers, Cyber Essentials can be a useful starting point. It focuses on five technical controls that reduce exposure to everyday attacks such as phishing-led malware, stolen passwords, unpatched software and unauthorised access. It is not a complete cyber security programme, but it provides a recognised baseline.
Cyber Essentials also supports wider compliance. Under the UK General Data Protection Regulation (UK GDPR), organisations must protect personal data using appropriate technical and organisational measures. Cyber Essentials can help demonstrate that your organisation has taken practical steps to protect systems that hold personal data, although it does not replace UK GDPR compliance.
If your team is new to cyber risk, our cybersecurity awareness training overview explains why employee awareness matters alongside technical controls.
What Is the Cyber Essentials Scheme?
Cyber Essentials is a certification scheme developed by the National Cyber Security Centre (NCSC). It helps organisations protect against common internet-based cyber attacks by applying a set of standard technical controls.
The scheme is suitable for organisations of all sizes and sectors, including small businesses, charities, schools, professional services firms, healthcare providers, financial organisations and public sector suppliers.
The purpose is practical. Many successful cyber attacks do not rely on highly advanced techniques. They exploit common weaknesses, such as weak passwords, unsupported software, unnecessary user privileges, poor configuration or missing security updates. Cyber Essentials helps organisations reduce these risks.
A business that achieves Cyber Essentials certification can show that it has assessed its systems against the scheme’s requirements. This can be useful for:
- reassuring customers and clients;
- supporting tender applications;
- improving supplier confidence;
- reducing common cyber risks;
- strengthening internal security discipline;
- supporting cyber insurance discussions;
- demonstrating a baseline commitment to security.
Cyber Essentials is administered through IASME, working with accredited certification bodies. Organisations usually complete a verified self-assessment questionnaire for Cyber Essentials certification. An assessor reviews the answers and, if the organisation meets the requirements, certification is awarded.
Certification lasts for 12 months. Organisations need to renew annually if they want to maintain certified status.
Cyber Essentials vs Cyber Essentials Plus
There are two levels of certification: Cyber Essentials and Cyber Essentials Plus. Both are based on the same five technical controls, but they differ in how assurance is checked.
Cyber Essentials is the basic certification level. It is based on a verified self-assessment questionnaire. The organisation answers questions about its systems, devices, software, users, controls and security practices. A certification body reviews the answers.
Cyber Essentials Plus provides a higher level of assurance. It starts with the Cyber Essentials assessment, but also includes a technical audit of the organisation’s systems. This means an independent assessor tests whether the controls are actually in place.
The choice depends on your organisation’s risk, client expectations and procurement needs.
Cyber Essentials may be suitable where:
- you want a recognised security baseline;
- you are an SME starting your cyber security journey;
- clients ask for evidence of basic controls;
- you want to reduce common attack risks;
- you need certification for certain contracts.
Cyber Essentials Plus may be more suitable where:
- you handle sensitive data;
- clients require stronger assurance;
- you work in regulated sectors;
- you bid for higher-risk public sector contracts;
- you want independent technical testing;
- you need more confidence that controls work in practice.
Cyber Essentials is not “easy” if your systems are poorly managed, but it is designed to be accessible. Cyber Essentials Plus requires more preparation because technical testing can reveal gaps that a self-assessment may miss.
The 5 Technical Controls in Cyber Essentials
The Cyber Essentials checklist is built around five technical control areas. These controls are designed to reduce exposure to common online threats. They are reviewed and updated regularly, so organisations should always check the current requirements before applying.
Firewalls
Firewalls help protect networks, devices and services from unauthorised access. They act as a barrier between trusted systems and untrusted networks, such as the internet.
In plain English, firewalls help decide what traffic is allowed in and out. A properly configured firewall can block unnecessary access and reduce the chance that attackers can reach exposed systems.
For Cyber Essentials, organisations need to consider firewalls on networks, routers, cloud services and devices. The exact requirement depends on the organisation’s setup.
Good practice includes:
- changing default administrator passwords;
- restricting access to management interfaces;
- allowing only necessary services;
- removing outdated rules;
- reviewing firewall settings regularly.
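The firewall review points above (management interfaces reachable from anywhere, rules that are no longer used) can be checked mechanically against an exported ruleset. The script below is an added example, not part of the original article and not a tool provided by the scheme; the rule records, the management-port table and the 180-day staleness threshold are all constructed assumptions for the illustration.

```python
"""Review a simplified firewall ruleset against two Cyber Essentials firewall practices:
management interfaces must not be open to any source, and stale rules should be removed.
Added example with constructed data; the port list and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Assumed set of ports treated as management interfaces for this example.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 8443: "https-admin"}

REVIEW_DATE = date(2024, 6, 30)  # constructed "today" for the review


@dataclass
class Rule:
    rule_id: str
    action: str               # "allow" or "deny"
    src: str                  # source network in CIDR form
    dst_port: int
    last_hit: Optional[date]  # last time the rule matched traffic; None if never
    comment: str = ""


# Constructed sample ruleset (not taken from any real device).
RULES: List[Rule] = [
    Rule("r1", "allow", "0.0.0.0/0", 443, date(2024, 6, 29), "public web"),
    Rule("r2", "allow", "0.0.0.0/0", 3389, date(2024, 6, 28), "rdp for contractor"),
    Rule("r3", "allow", "10.0.5.0/24", 22, date(2024, 6, 30), "admin vlan ssh"),
    Rule("r4", "allow", "0.0.0.0/0", 23, None, "legacy telnet"),
    Rule("r5", "allow", "203.0.113.0/24", 8443, date(2023, 1, 15), "old vendor access"),
    Rule("r6", "deny", "0.0.0.0/0", 0, None, "default deny"),
]


def review_rules(rules: List[Rule], today: date, stale_days: int = 180) -> List[Tuple[str, str]]:
    """Return (rule_id, finding_code) pairs for allow rules that breach the checks."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # only permissive rules widen exposure
        # A /0 prefix means "any source", whether IPv4 or IPv6.
        open_to_any = ip_network(r.src, strict=False).prefixlen == 0
        if open_to_any and r.dst_port in MANAGEMENT_PORTS:
            findings.append((r.rule_id, f"MGMT_OPEN_TO_ANY:{MANAGEMENT_PORTS[r.dst_port]}"))
        # Rules that never matched, or have not matched recently, are candidates for removal.
        if r.last_hit is None or (today - r.last_hit).days > stale_days:
            findings.append((r.rule_id, "STALE_RULE"))
    return findings


if __name__ == "__main__":
    for rule_id, code in review_rules(RULES, REVIEW_DATE):
        print(f"{rule_id}: {code}")
```

Run as a script it lists the rules to fix; in practice you would build the `Rule` records from your firewall's export format and agree the staleness threshold with whoever owns the rulebase.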
Secure Configuration
Secure configuration means setting up devices, software and services in a safe way. Many systems come with default settings that are not suitable for business use. Attackers often exploit default passwords, unnecessary accounts, open services and poorly configured cloud platforms.
Secure configuration involves removing or disabling what you do not need and hardening what remains.
Examples include:
- removing unused software;
- disabling unnecessary services;
- changing default passwords;
- limiting administrator access;
- configuring cloud services securely;
- preventing unauthorised software installation;
- applying secure device settings.
For SMEs, this control is especially important because systems may be set up quickly without formal security review. A laptop, router, email account or cloud storage folder that is convenient but insecure can create significant risk.
User Access Control
User access control means making sure people only have access to the systems and data they need for their role. It also means managing administrator privileges carefully.
This control matters because compromised or excessive accounts can cause major damage. If an attacker gains access to an ordinary user account, the impact may be limited. If they gain access to an administrator account, they may be able to change systems, access large volumes of data or disable security controls.
Good access control includes:
- individual user accounts;
- no shared logins where possible;
- strong authentication;
- multi-factor authentication where required;
- limiting administrator accounts;
- removing access when staff leave;
- reviewing access when roles change;
- giving users the minimum access they need.
User access control also supports UK GDPR because it helps prevent unauthorised access to personal data.
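Several of the access-control points above (no shared logins, administrators protected by MFA, leavers removed, access reviewed when roles change, a small number of administrator accounts) can be checked against a directory export. The script below is an added example and not part of the original article or any scheme tooling; the account records are constructed, and the two-administrator limit and 365-day review interval are assumptions chosen for the illustration.

```python
"""Periodic user-access review against the Cyber Essentials 'User Access Control' practices.
Added example with constructed account data; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

REVIEW_DATE = date(2024, 6, 30)  # constructed "today" for the review


@dataclass
class Account:
    username: str
    owner: Optional[str]              # None means the login is not tied to a named person
    is_admin: bool
    mfa_enabled: bool
    enabled: bool
    left_on: Optional[date]           # leaving date recorded by HR, if the owner has left
    last_role_review: Optional[date]  # when this account's access was last reviewed


# Constructed sample directory export; no real people or systems.
ACCOUNTS: List[Account] = [
    Account("alice", "Alice Smith", True, True, True, None, date(2024, 1, 10)),
    Account("bob", "Bob Jones", False, True, True, None, date(2023, 2, 1)),
    Account("reception", None, False, False, True, None, None),
    Account("carol", "Carol White", False, False, True, date(2024, 3, 31), date(2023, 6, 1)),
    Account("dave-admin", "Dave Brown", True, False, True, None, date(2024, 5, 5)),
    Account("erin", "Erin Green", True, True, True, None, date(2024, 5, 5)),
]


def review_accounts(accounts: List[Account], today: date,
                    max_admins: int = 2, review_interval_days: int = 365) -> List[Tuple[str, str]]:
    """Return (username, finding_code) pairs; '*' is used for tenant-wide findings."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts cannot be misused and are out of scope here
        if a.owner is None:
            findings.append((a.username, "SHARED_LOGIN"))
        if a.left_on is not None and a.left_on <= today:
            findings.append((a.username, "LEAVER_STILL_ENABLED"))
        if a.is_admin and not a.mfa_enabled:
            findings.append((a.username, "ADMIN_WITHOUT_MFA"))
        if a.last_role_review is None or (today - a.last_role_review).days > review_interval_days:
            findings.append((a.username, "REVIEW_OVERDUE"))
    # Keep the number of enabled administrator accounts small.
    admins = [a.username for a in accounts if a.enabled and a.is_admin]
    if len(admins) > max_admins:
        findings.append(("*", f"TOO_MANY_ADMINS:{len(admins)}"))
    return findings


if __name__ == "__main__":
    for user, code in review_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {code}")
```

The leaver check only works if HR leaving dates reach the reviewer, which is why the text pairs "removing access when staff leave" with a process rather than a single setting.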
Malware Protection
Malware is malicious software designed to damage systems, steal information, encrypt files or give attackers access. Ransomware is one of the most disruptive types of malware because it can lock organisations out of their own systems.
Cyber Essentials requires organisations to use appropriate malware protection. This may include anti-malware tools, application control, approved app stores, or other measures depending on the devices and systems in scope.
Practical steps include:
- using supported anti-malware tools;
- keeping security software updated;
- blocking unauthorised software;
- restricting risky downloads;
- using approved app sources;
- training staff not to open suspicious attachments.
Malware protection is stronger when combined with staff awareness. A technical control may block many threats, but employees still need to recognise suspicious emails, fake download links and unexpected attachments.
Patch Management
Patch management means keeping software and devices updated. Security updates fix known vulnerabilities that attackers may exploit.
Unsupported software is a major risk. If a product no longer receives security updates, new vulnerabilities may remain unpatched. Cyber Essentials requires organisations to keep in-scope software supported and apply security updates within the required timescales.
Patch management should cover:
- operating systems;
- browsers;
- office software;
- mobile devices;
- routers and firewalls;
- cloud applications;
- business software;
- firmware where applicable.
A practical process should identify devices and software, monitor updates, apply patches promptly and remove unsupported products.
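The process described above (identify software, monitor updates, apply patches promptly, remove unsupported products) is easiest to sustain when an inventory is checked automatically. The script below is an added example, not part of the original article or the scheme; the inventory records, update identifiers and end-of-support dates are constructed, and the 14-day patching window is a parameter you should set from the current scheme requirements rather than a value taken from this page.

```python
"""Patch-management audit over a software inventory: flags products past end of support
and critical/high security updates older than the patching window.
Added example with constructed data; the window and severity list are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

REVIEW_DATE = date(2024, 6, 30)  # constructed "today" for the audit

# (update_id, severity, released_on) for each update not yet installed.
Update = Tuple[str, str, date]


@dataclass
class Software:
    asset: str
    product: str
    end_of_support: Optional[date]            # None if still supported with no announced end date
    pending_updates: List[Update] = field(default_factory=list)


# Constructed sample inventory; product names, dates and update ids are illustrative only.
INVENTORY: List[Software] = [
    Software("LAPTOP-01", "Desktop OS build A", date(2025, 10, 14),
             [("UPD-EXAMPLE-1", "critical", date(2024, 6, 5))]),
    Software("LAPTOP-01", "Office suite 2013-era", date(2023, 4, 11)),
    Software("ROUTER-01", "Edge router firmware", None,
             [("FW-EXAMPLE-2", "high", date(2024, 6, 20))]),
    Software("SRV-01", "Web browser", None,
             [("BRW-EXAMPLE-3", "moderate", date(2024, 5, 1))]),
    Software("PHONE-03", "Mobile OS 12", date(2024, 1, 31),
             [("MOS-EXAMPLE-4", "critical", date(2024, 2, 1))]),
]


def audit_patching(inventory: List[Software], today: date, window_days: int = 14,
                   severities: Tuple[str, ...] = ("critical", "high")) -> List[Tuple[str, str, str]]:
    """Return (asset, product, finding) triples for unsupported products and overdue updates."""
    findings = []
    for s in inventory:
        if s.end_of_support is not None and s.end_of_support < today:
            findings.append((s.asset, s.product, "UNSUPPORTED"))
        for update_id, severity, released_on in s.pending_updates:
            if severity in severities and (today - released_on).days > window_days:
                findings.append((s.asset, s.product, f"OVERDUE:{update_id}"))
    return findings


def assets_needing_action(inventory: List[Software], today: date) -> List[str]:
    """Distinct assets with at least one finding, sorted for a work list."""
    return sorted({asset for asset, _, _ in audit_patching(inventory, today)})


if __name__ == "__main__":
    for asset, product, finding in audit_patching(INVENTORY, REVIEW_DATE):
        print(f"{asset:10} {product:22} {finding}")
```

Unsupported products appear even when no update is pending, which is the point: a product that no longer receives security updates has nothing to patch and must be replaced or removed instead.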
After reviewing the five controls, many organisations find that staff behaviour is just as important as technical setup. Our Cyber Essentials awareness training helps employees understand the everyday behaviours that support the scheme, while Introduction to Cybersecurity provides a useful foundation for staff who are new to cyber risk.
Who Should Get Cyber Essentials Certified?
Cyber Essentials is suitable for almost any organisation that uses internet-connected systems. It is particularly useful for SMEs because it provides a clear and recognised starting point.
It may be valuable for:
- small businesses;
- charities;
- professional services firms;
- schools and training providers;
- healthcare and care providers;
- legal practices;
- accountants;
- IT suppliers;
- software providers;
- public sector suppliers;
- organisations handling customer or employee data.
Cyber Essentials for small businesses can be especially useful because smaller organisations may not have a dedicated cyber security team. The scheme provides a practical structure for checking basic controls.
Certification can also support business development. Some customers, partners and suppliers ask whether organisations hold Cyber Essentials as part of due diligence. It may help reassure clients that the business has taken basic steps to reduce cyber risk.
However, certification should not be treated as a one-off badge. Systems change, staff join and leave, software becomes unsupported, and new cloud services are introduced. To remain meaningful, Cyber Essentials should form part of ongoing cyber security management.
Cyber Essentials and Government Contracts
Cyber Essentials can be relevant to public sector procurement. Some UK Government contracts require Cyber Essentials, particularly where suppliers handle sensitive information or provide certain technical products and services.
The exact requirement depends on the contract, procurement route and risk profile. Businesses should read tender documents carefully rather than assuming that certification is always required or never required.
For some contracts, Cyber Essentials may be enough. For higher-risk contracts, Cyber Essentials Plus may be requested. Defence, technology, managed service and data-processing suppliers may face more demanding expectations.
Even where certification is not mandatory, it may still be useful. It gives buyers a simple way to see that a supplier has met a recognised baseline. It can also help SMEs compete more confidently where larger competitors have more mature security programmes.
Cyber Essentials is also relevant to supply chains outside government. Private sector buyers increasingly ask suppliers about cyber security, especially where suppliers access systems, process personal data or support critical services.
If your organisation is preparing for public sector or larger client requirements, Cyber Essentials training for UK staff can help them understand why the controls matter and how everyday behaviour supports certification.
How Awareness Training Supports Cyber Essentials
Cyber Essentials focuses on technical controls, but people still play a vital role. Staff behaviour can support or undermine the controls.
For example:
- firewalls help, but staff must not bypass secure access routes;
- secure configuration helps, but staff must not install unapproved tools;
- access control helps, but staff must not share passwords;
- malware protection helps, but staff must still avoid suspicious attachments;
- patch management helps, but staff must restart devices and accept updates when required.
Awareness training helps employees understand the “why” behind the controls. It makes policies more meaningful and reduces the chance that staff work around security measures because they seem inconvenient.
Training should cover:
- phishing and social engineering;
- password security;
- multi-factor authentication;
- safe device use;
- secure remote working;
- software updates;
- approved applications;
- reporting suspicious activity;
- malware and ransomware warning signs;
- data protection links;
- incident escalation routes.
Cyber Essentials and UK GDPR also work together. Cyber Essentials can help reduce the risk of cyber incidents affecting personal data. UK GDPR, however, is broader. It also covers lawful basis, transparency, individual rights, retention, data minimisation, processor contracts and breach reporting. Certification does not automatically make an organisation GDPR compliant, but it can support the security element of compliance.
For many SMEs, a sensible approach is to combine technical preparation with employee learning. Cyber Essentials improves the baseline controls; training helps staff use those controls properly.
FAQs
Is Cyber Essentials certification mandatory in the UK?
Cyber Essentials is not mandatory for every UK business. However, it may be required for certain public sector contracts or requested by clients, insurers or supply chain partners.
How much does Cyber Essentials certification cost?
Cyber Essentials pricing is tiered by organisation size. IASME states that prices start at £320 + VAT for micro-organisations and increase on a sliding scale for larger organisations, with additional costs possible if you need technical preparation or remediation.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is based on a verified self-assessment questionnaire. Cyber Essentials Plus uses the same technical requirements but adds an independent technical audit to test whether the controls are in place.
Do I need Cyber Essentials to win government contracts?
Some government contracts require Cyber Essentials, especially where suppliers handle sensitive information or provide certain technical services. You should check the specific tender requirements because expectations vary by contract.
How does Cyber Essentials relate to UK GDPR?
Cyber Essentials supports the security side of UK GDPR by helping organisations apply technical controls that reduce cyber risk. It does not replace UK GDPR compliance, but it can help demonstrate appropriate steps to protect systems that hold personal data.
Explore our Cyber Essentials Awareness Training to prepare your team for certification and help employees understand the everyday behaviours that support stronger cyber security.