What is Cyber Essentials and does my UK small business need it?

Cyber Essentials is a UK government-backed certification that verifies five fundamental security controls. Here's what's actually required, who genuinely needs it, and how long it takes to get certified.

Cyber Essentials gets asked about more than any other compliance scheme we deal with — usually because a buyer has just put it in a tender response, or because the directors saw a competitor mention it on LinkedIn. Here's what it actually is, who needs it, and what getting certified looks like in practice.

What is Cyber Essentials?

Cyber Essentials is a UK certification scheme launched in 2014 by the government and now operated by IASME Consortium under contract to the National Cyber Security Centre (NCSC). It verifies that a business has five fundamental security controls in place. The scheme is deliberately basic — it's the security equivalent of "you've put a lock on the door and you're using it." It will not protect you from a determined targeted attack, but it does block the overwhelming majority of opportunistic ones.

The five controls, in plain English

You will see these phrased differently in different places, but here is what each one actually means for a normal UK SMB:

  1. Firewalls. Every internet-connected device must have a firewall enabled. Default passwords on routers must be changed. Inbound rules must be justified.
  2. Secure configuration. Devices ship with too much enabled by default. Unused services off, unused accounts removed, default passwords changed, auto-run disabled.
  3. Access control. Every user has their own account. Admin accounts are separate from daily-use accounts. Multi-factor authentication on all cloud services. Joiner/mover/leaver process is documented.
  4. Malware protection. Every endpoint (laptops, desktops, servers, in-scope mobiles) has malware protection enabled. App allow-listing or sandboxing where applicable.
  5. Security update management. Operating systems and applications get high/critical patches within 14 days. End-of-life software is removed.
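Much of what the five controls ask for can be observed directly on a device, and it helps to see the gaps before the questionnaire rather than after. The PowerShell script below is an added example written for this page; it is not IASME's questionnaire, not a certification tool, and not the author's own code. It performs a read-only audit of the parts of each control that are visible on a single Windows 10/11 endpoint. Its assumptions: Microsoft Defender is the malware product (a third-party product gets a REVIEW row instead), the 14-day patch window is measured from the install date of the newest update recorded by `Get-HotFix` (the scheme counts from the vendor's release date, so this is an approximation), and AutoRun policy is read from the Explorer policies registry key with `0xFF` as the "all drive types" mask. MFA on cloud services and the joiner/mover/leaver process are tenant-side or organisational checks that a local script cannot see, so they are not scored here.

```powershell
# Added example: read-only endpoint audit of the observable parts of the five
# Cyber Essentials controls. Not IASME's questionnaire or a certification tool.
# Assumptions: Defender is the AV product; patch age is measured from the install
# date of the newest QFE (approximation of the scheme's 14-day release-date window);
# NoDriveTypeAutoRun = 0xFF means AutoRun is off for every drive type.
# Run from an elevated PowerShell 5.1 or later session.

$results = New-Object System.Collections.Generic.List[object]

function Status([bool]$ok) { if ($ok) { 'PASS' } else { 'FAIL' } }

function Add-Result {
    param([string]$Control, [string]$Check, [string]$Status, [string]$Detail)
    $results.Add([pscustomobject]@{
        Control = $Control; Check = $Check; Status = $Status; Detail = $Detail
    })
}

# 1. Firewalls: every profile enabled and blocking inbound by default; enabled
#    inbound allow rules are listed because each one needs a written justification.
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
    Add-Result 'Firewalls' "Profile $($p.Name)" (Status $ok) `
        "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
}
$inbound = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue)
Add-Result 'Firewalls' 'Enabled inbound allow rules' 'REVIEW' "$($inbound.Count) rules; each needs a documented reason"

# 2. Secure configuration: AutoRun off, Guest account disabled, SMBv1 not enabled.
$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Result 'Secure configuration' 'AutoRun disabled (NoDriveTypeAutoRun=0xFF)' (Status ($autorun -eq 0xFF)) "value=$autorun"
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Result 'Secure configuration' 'Built-in Guest account disabled' (Status (-not ($guest -and $guest.Enabled))) "exists=$([bool]$guest)"
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
Add-Result 'Secure configuration' 'SMBv1 not enabled' (Status ($null -eq $smb1 -or $smb1.State -ne 'Enabled')) "state=$($smb1.State)"

# 3. Access control: who holds local admin (for the separate-admin-account review)
#    and whether the built-in Administrator (RID 500) is still live.
#    MFA on cloud services is verified in the tenant, not on the endpoint.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
Add-Result 'Access control' 'Local Administrators membership' 'REVIEW' (($admins | ForEach-Object Name) -join ', ')
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
Add-Result 'Access control' 'Built-in Administrator (RID 500) disabled' (Status (-not $builtin.Enabled)) "name=$($builtin.Name)"

# 4. Malware protection: Defender enabled with real-time scanning and fresh signatures.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Add-Result 'Malware protection' 'Defender AV with real-time protection' `
        (Status ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) `
        "AV=$($mp.AntivirusEnabled) RTP=$($mp.RealTimeProtectionEnabled)"
    Add-Result 'Malware protection' 'Signatures no older than 1 day' `
        (Status ($mp.AntivirusSignatureAge -le 1)) "age=$($mp.AntivirusSignatureAge) days"
} else {
    Add-Result 'Malware protection' 'Defender status' 'REVIEW' 'Get-MpComputerStatus unavailable; verify the third-party product manually'
}

# 5. Security update management: newest installed update within 14 days, plus the OS
#    build for an end-of-life check. Get-HotFix only lists updates recorded as QFEs,
#    so cross-check against Windows Update history before trusting a FAIL here.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $days = ((Get-Date) - $latest.InstalledOn).Days
    Add-Result 'Security update management' 'Newest update installed within 14 days' (Status ($days -le 14)) "$($latest.HotFixID) $days days ago"
} else {
    Add-Result 'Security update management' 'Newest update installed within 14 days' 'FAIL' 'no dated updates found'
}
$os = Get-CimInstance Win32_OperatingSystem
Add-Result 'Security update management' 'OS still in vendor support' 'REVIEW' "$($os.Caption) build $($os.BuildNumber); check against the vendor lifecycle page"

$results | Format-Table -AutoSize -Wrap
$failCount = @($results | Where-Object Status -eq 'FAIL').Count
Write-Host "$failCount failing checks. REVIEW rows need a human decision before the questionnaire is answered."
```

Run it on a sample of endpoints before the scoping call: FAIL rows are remediation work, REVIEW rows are the judgement calls an assessor will ask about (why each inbound rule exists, why each local admin needs the right), and neither replaces the tenant-side MFA check or the written joiner/mover/leaver process.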

Who actually needs it?

Cyber Essentials is a legal requirement for almost nobody, but it is increasingly a contractual requirement:

  • UK central government contracts handling personal or sensitive data — mandatory since 2014.
  • Many local councils, NHS trusts, and police procurement — increasingly required as a baseline for any IT or data-handling supplier.
  • Private sector supply chains — particularly in legal, accountancy, healthcare, and any business handling client data on behalf of regulated buyers.
  • Cyber insurance underwriters — many UK insurers now require Cyber Essentials as a precondition for cover or charge a meaningful premium without it.

If you're answering tenders, working with regulated buyers, or trying to renew cyber insurance — you almost certainly need this.

Cyber Essentials vs Cyber Essentials Plus

Same five controls. Different verification methods.

Cyber Essentials is a self-assessment questionnaire reviewed by an IASME-certified assessor. Around 60 questions covering scope and the five controls. You answer honestly, the assessor reviews, you pass or get a list of remediations.

Cyber Essentials Plus is the same questionnaire plus hands-on technical testing of a sample of your devices and accounts by an external assessor. They verify your patching, your malware protection, your MFA enforcement, and they check that an attacker emailing a malicious file would actually get blocked.

Plus is more expensive (typically 3x), takes longer, and is more credible. If a buyer asks for "Cyber Essentials" they almost always mean basic — but read the tender language carefully.

How long does certification take?

For a typical 10–30 user UK business that has Microsoft 365 and reasonably modern endpoints, we usually plan for:

  • Week 1: Scoping call. Confirm what's in scope (which devices, which cloud services, which network locations). Identify gaps.
  • Weeks 2–5: Remediation. Enforce MFA everywhere, update patching policy, sort out admin account separation, document joiner/leaver process, fix any device configuration drift.
  • Week 6: Complete the questionnaire together. Submit for assessment.
  • Weeks 7–8: Assessor review and any back-and-forth. Certificate issued.

Businesses that are starting from a strong baseline can often do this in 3–4 weeks. Businesses that need real remediation (no MFA, mixed admin accounts, unsupported Windows versions) sometimes take 12–16 weeks because the work is bigger than the certification itself.

What it costs

The IASME assessment fee in 2026 starts at £320 + VAT for micro businesses (under 10 employees) and scales up to around £600 + VAT for larger SMBs (50–249 employees). Cyber Essentials Plus adds roughly £1,400–£3,000 depending on scope.

On top of the assessment fee, expect MSP support time for remediation and questionnaire help — typically £500–£2,000 for a clean run, more if there's significant remediation.

Why renewal matters more from June 2026

Cyber Essentials certificates are valid for 12 months. From June 2026, IASME has tightened the renewal grace period — if you let your certificate lapse by more than 30 days, you will need a brand new assessment rather than a renewal. We wrote about this in detail recently; the practical effect is that diary discipline matters more than ever.

Should you bother if no one's asked you to?

Honestly — yes, in most cases. The five controls are things you should be doing anyway. Going through the questionnaire forces a useful audit. The certificate becomes a credibility asset on your website and in conversations. And it's much easier to renew than to scramble through a fresh assessment when a tender lands with a 4-week response window.

If you'd like to talk through where you currently sit and what a clean Cyber Essentials run would look like for your business, drop us a note. We run a free 90-minute Cyber Essentials briefing at our Denton office regularly — you'll walk away with a real plan whether or not you work with us.

Need to get certified?

We've taken dozens of Manchester SMBs through Cyber Essentials and Cyber Essentials Plus. Genuine answers, no scare-selling.