Cyber Essentials comes up in conversation more than almost any other topic when we talk to business owners across Bexley, Dartford, and Southeast London. Most have heard of it. Very few actually know what it involves. And an increasing number are finding out they need it — usually because a client or tender has asked for it.

This article explains what Cyber Essentials actually is, what it requires of your IT setup, who genuinely needs it, and what getting certified actually involves in practice.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed cyber security certification scheme, developed by the National Cyber Security Centre (NCSC) and overseen by the IASME Consortium. It defines a baseline set of technical controls that, if correctly implemented, protect a business against the most common forms of cyber attack.

The scheme was launched in 2014 and has been mandatory for UK central government suppliers handling personal or sensitive data since that year. It has since been adopted far more broadly across the public sector and is increasingly expected by private sector enterprises when vetting suppliers and partners.

There are two tiers: Cyber Essentials (self-assessed) and Cyber Essentials Plus (independently assessed). Both are covered in more detail below.

💡 NCSC endorsement

Cyber Essentials is backed by the UK government's National Cyber Security Centre. Certification demonstrates to clients, insurers, and procurement teams that your business meets a recognised, independently verified security baseline — not just that you think you do.

What are the five technical controls?

Cyber Essentials centres on five specific technical areas. These are not abstract policies — they are concrete, verifiable configurations that your IT infrastructure either does or does not meet.

1. Firewalls

Every device connected to the internet must be protected by a properly configured firewall. This means inbound connections that are not explicitly required must be blocked. For most businesses, this means your network perimeter firewall (typically your router/gateway) must be correctly configured — not left on factory defaults, and not with unnecessary ports open.

2. Secure configuration

All devices and software must be configured securely before use. This means: default passwords changed, unnecessary software removed or disabled, unnecessary user accounts removed, and auto-run features for removable media disabled. Out-of-the-box is not good enough.

3. User access control

User accounts must only have the permissions they actually need. Standard users should not have administrator privileges. Administrator accounts should only be used for administrative tasks, not for day-to-day work like browsing the web or checking email. Multi-factor authentication (MFA) must be enabled for all accounts that can be accessed from the internet — this includes Microsoft 365, Google Workspace, and any cloud-based services.

4. Malware protection

All devices must have appropriate anti-malware protection in place and kept up to date. This can be achieved through traditional antivirus software, or through application whitelisting (only approved applications can run) — or in some cases, sandboxing. The control also covers restrictions on running code from untrusted sources.

5. Security update management (patching)

All software — operating systems, applications, firmware — must be updated to the latest supported version within 14 days of a security update being released. Unsupported software (for example, a Windows 10 machine that has not been updated, or software that is no longer receiving security patches from its vendor) is a fail against this control.

"Most of the cyber attacks that hit UK small businesses exploit known vulnerabilities in unpatched software and misconfigured firewalls. Cyber Essentials directly addresses both. It is not a complete security solution, but it closes the doors that attackers use most." Arqon

Who actually needs Cyber Essentials?

The honest answer is: more businesses than realise it. Here are the most common situations where certification becomes necessary or strongly advisable.

You supply the UK public sector

Since 2014, any supplier handling personal or sensitive data on behalf of UK central government must hold Cyber Essentials certification. This has since been extended across large parts of the NHS, local councils, and arms-length bodies. If you tender for public sector contracts of any significant value, expect Cyber Essentials to be a requirement — not a nice-to-have.

You handle sensitive or personal data

Solicitors, accountants, financial advisers, dental practices, healthcare providers, HR consultancies — any business handling client personal or financial data has a strong interest in certification, both from a risk management perspective and as evidence of due diligence in the event of a breach. Under UK GDPR, demonstrating appropriate technical controls is not optional.

Your cyber insurer requires it

This is the trigger we hear most often from clients in 2025 and 2026. Cyber insurance policies increasingly require Cyber Essentials certification as a condition of cover, or exclude specific attack types if certification is not held. Before renewing your cyber insurance, read the exclusions carefully. If your policy excludes "attacks exploiting known vulnerabilities in unpatched software" — and your systems are unpatched — you may discover you have no effective cover when you need it.

A large client has asked for it

Enterprise clients and major retailers are increasingly requiring suppliers in their chain to hold Cyber Essentials as part of supply chain security assessments. If you supply products or services to a large organisation and they are asking for evidence of your security posture, Cyber Essentials is the standard answer.

⚠️ Even if none of the above apply

Around 80% of cyber attacks on UK SMBs use techniques that Cyber Essentials directly addresses — phishing leading to credential theft on unprotected accounts, exploitation of unpatched software, and lateral movement across flat networks. Certification is useful as a forcing function to get your basic controls properly in place, even if no client ever asks for it.

What does getting certified actually involve?

Cyber Essentials (self-assessed)

You complete an online questionnaire covering your systems against the five control areas. The questions are detailed — they ask about specific configurations, not general intentions. You declare that your systems meet the controls. An accredited certifying body reviews your submission. If it passes, you receive your certificate.

The questionnaire covers your "scope" — i.e., which devices and systems you are certifying. For most small businesses, this means all devices connected to the internet. You cannot exclude your accounts PC just because it is inconvenient to update.

Current certification costs vary by certifying body but typically run to £300–£500 for Cyber Essentials (self-assessed) for an SMB.

Cyber Essentials Plus (independently assessed)

An assessor from a certified body visits (or connects remotely to) your systems and directly tests that the controls are in place. They will run vulnerability scans, test your patch levels, check MFA is functioning, and verify firewall rules. This costs more — typically £1,500–£3,000+ depending on the size and complexity of your infrastructure — but carries significantly more credibility with clients and insurers.

What does your IT setup need to look like to pass?

This is where your network infrastructure becomes directly relevant. Several of the five controls have specific implications for your network setup:

Firewalls
Common failure points: consumer router on factory defaults; unnecessary ports open.
What's required: properly configured gateway; all unused inbound rules closed.

Secure configuration
Common failure points: default admin passwords; unused services running.
What's required: hardened config on all devices; factory defaults changed.

User access
Common failure points: everyone on admin accounts; no MFA on Microsoft 365.
What's required: least privilege; MFA on all internet-facing accounts.

Malware protection
Common failure points: no AV on some devices; Windows Defender disabled.
What's required: active, updated AV on all in-scope devices.

Patching
Common failure points: old Windows versions; software with known CVEs.
What's required: all software on the latest supported version, within 14 days of release.

A consumer or ISP router left on factory settings will fail the firewall control. Devices where staff have local admin rights will fail user access control. Any machine running software that has not been updated in the last fortnight will fail patching. These are among the most common failures we see when businesses first assess themselves against the standard.
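The checks above map naturally onto a simple readiness script. The following is an added example, not part of the original article or any certifying body's tooling: it models one in-scope device by the facts the questionnaire asks about and reports, per control, why that device would fail, including the 14-day patch window. All device names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

CONTROLS = ("firewalls", "secure configuration", "user access control", "malware protection", "patching")
PATCH_WINDOW = timedelta(days=14)  # the scheme's deadline for applying a released security update

@dataclass
class Device:
    """One in-scope device, described by the facts the self-assessment asks about."""
    name: str
    unjustified_inbound_ports: List[int]   # inbound firewall rules with no documented business need
    defaults_changed: bool                 # factory passwords changed, unused services/accounts removed
    users_have_admin: bool                 # day-to-day users holding administrator rights
    mfa_on_internet_accounts: bool         # e.g. Microsoft 365 / Google Workspace sign-ins behind MFA
    av_active: bool                        # anti-malware present, enabled and updating
    os_supported: bool                     # still receiving vendor security patches
    oldest_pending_patch: Optional[date]   # release date of the oldest unapplied security update

def assess(dev: Device, today: date) -> Dict[str, List[str]]:
    """Return, for each of the five controls, the reasons the device fails it (empty list = pass)."""
    fails: Dict[str, List[str]] = {c: [] for c in CONTROLS}
    if dev.unjustified_inbound_ports:
        fails["firewalls"].append(f"inbound ports open without need: {dev.unjustified_inbound_ports}")
    if not dev.defaults_changed:
        fails["secure configuration"].append("factory defaults still in place")
    if dev.users_have_admin:
        fails["user access control"].append("standard users hold administrator rights")
    if not dev.mfa_on_internet_accounts:
        fails["user access control"].append("no MFA on internet-facing accounts")
    if not dev.av_active:
        fails["malware protection"].append("no active, updated anti-malware protection")
    if not dev.os_supported:
        fails["patching"].append("operating system no longer supported by its vendor")
    elif dev.oldest_pending_patch and today - dev.oldest_pending_patch > PATCH_WINDOW:
        overdue = (today - dev.oldest_pending_patch).days
        fails["patching"].append(f"security update outstanding for {overdue} days (limit 14)")
    return fails

def scope_passes(devices: List[Device], today: date) -> bool:
    """The whole scope passes only if every in-scope device passes every control."""
    return all(not any(assess(d, today).values()) for d in devices)

# Constructed sample inventory (hypothetical devices and dates, not real data).
TODAY = date(2025, 6, 30)
RECEPTION_PC = Device("reception-pc", [], True, False, True, True, True, date(2025, 6, 25))
ACCOUNTS_PC = Device("accounts-pc", [3389], True, True, True, True, True, date(2025, 5, 10))

if __name__ == "__main__":
    for d in (RECEPTION_PC, ACCOUNTS_PC):
        print(d.name, {c: r for c, r in assess(d, TODAY).items() if r})
```

Note that the script cannot exclude a device from scope to make the result pass: the accounts PC with an overdue update fails the whole scope, exactly as the questionnaire would treat it.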

✅ How a managed network helps

When we install and manage your network, your firewall is configured correctly from day one — no unnecessary inbound rules, hardened from factory defaults, with a documented configuration. Under a managed services contract, we handle firmware and software updates on network devices, and we can help coordinate patching across your server and endpoint estate. This directly supports compliance with three of the five Cyber Essentials controls.

Common myths about Cyber Essentials

"It's only for large businesses"

Cyber Essentials was specifically designed for small and medium-sized businesses. The questionnaire has an SME-appropriate scope. The cost is accessible. The controls are proportionate. The scheme is more relevant to a 10-person solicitors' firm than to a FTSE 100 company with a dedicated security operations centre.

"We're too small to be a target"

Ransomware and credential theft attacks are automated. Attackers do not manually select targets based on company size — they scan for known vulnerabilities at scale and exploit whatever responds. A dental practice in Bexley running unpatched software is as exposed as any larger organisation. The attack does not know or care how many staff you have.

"Our IT is in the cloud, so we do not need this"

Cloud services are within scope for Cyber Essentials. Your Microsoft 365 accounts, your cloud-hosted line-of-business software, your VMs — all covered. The user access control and patching requirements apply to cloud-connected accounts as much as to on-premise devices. Cloud-first businesses are not exempt.

"We already have antivirus, so we are covered"

Antivirus alone satisfies one of the five controls, and only partially. Having antivirus installed on most devices but not all, or having it disabled on a server, or having no MFA on your cloud accounts, will still result in a failed assessment. Cyber Essentials requires all five controls across all in-scope devices.