cyber essentials

What is Cyber Essentials?

Cyber Essentials is a UK Government operated scheme that was introduced in 2014 by the National Cyber Security Centre (NCSC) to offer small-medium sized businesses a straightforward and affordable way to tackle the growing cyber threat and achieve a good standard of cyber security.

By aligning with the five critical technical controls of the standard, businesses can protect themselves from up to 80% of common internet-based attacks as well as demonstrate to clients and prospects that they take cyber security and data protection seriously.

illustration of man looking at his cyber essentials assessment

the 5 Cyber Essentials technical controls

Update Management

Systems and software should be up to date and secure.

User Access

Employees should only have access to the data they need.

Firewalls & Internet Gateways

Internet devices must have activated firewalls.

Secure Configuration

Settings and systems should be configured correctly.

Malware Protection

Data must have sufficient protection against malware/viruses.

“Cyber Essentials is an important part of the NCSC’s mission to make the UK one of the safest places to live and do business on-line.

If you haven’t consciously implemented Cyber Essentials, you could be vulnerable to attack right now.”

ncsc logo

Cyber Essentials

The basic certification can be achieved by completing a self-assessed online questionnaire, with the answers checked by a qualified Certification Body to determine alignment with the standard.

Cyber Essentials Plus

The highest level of the scheme involves an in-depth scan and vulnerability analysis of an organisation’s systems by a qualified assessor, who will personally verify whether your business is compliant.

Frequently Asked Questions

With cyber threats growing in sophistication and frequency every day, businesses need to have adequate protective measures in place to avoid being victim to a cyber attack. Cyber Essentials offers an achievable starting point for every business across all sectors, focusing on the absolute fundamentals of good cyber security.

The National Cyber Security Centre and many professional associations and regulatory bodies including The Law Society and The Financial Conduct Authority (FCA) have strongly recommended that organisations align with the standard to demonstrate their commitment to cyber security. Complying with the standard is also increasingly becoming a prerequisite for tenders in both public and private sectors, including all MOD and NHS contracts.

Further benefits of the certification include:

  • Gain insight into the security posture of your organisations and its vulnerabilities
  • Free cyber insurance and reduction in premiums for more comprehensive cover
  • Increased business opportunities and an advantage over competitors
  • Improved relationships with suppliers, partners and clients


Learn more about the benefits of here.

This will largely depend on your business and your risk profile, but Cyber Essentials Plus is quickly becoming the de facto standard. The basic level certification, although necessary to identify the controls within your organisation, does not actually verify them. Achieving the Plus standard is therefore a better indication of your actual security posture because security specialists will check out your infrastructure themselves to make sure all the requirements of the standard are being met.

As long as your business commits the time and resources and follows any guidance provided, the basic SAQ can be completed and assessed in as little as 24 hours. We do also offer an expedited assessment option for a small additional cost.

The CE Plus process has a bit more to it. No CB should really be making promises about turnaround times for CE Plus, since it’s impossible to tell until you fully understand the business being assessed e.g. how complex their infrastructure is and how much remedial work is going to be needed. In general, assuming your business dedicates the time and resource needed throughout the process it can take around 2-9 weeks.

You have to achieve Cyber Essentials Basic before you proceed to Plus, but if you have already got the Basic certification with one Certification Body and you are still within the 90 day window (Plus must be achieved within 90 days of achieving Basic) then you can go straight to Plus with another Certification Body.

ISO27001 has many controls, some of which align to Cyber Essentials Plus and some which are additional, however, Cyber Essentials (unlike ISO27001) is about the safety and ultimately the configuration of your systems and is a fully audited assessment of the security of your systems. ISO 27001 is a great standard to align with but it does not include the checks and vulnerability assessments that CE Plus requires. For those with ISO27001, Cyber Essentials Plus is a complementary solution that will further enhance the overall security of the organisation and for those that don’t have ISO27001, it’s a great start and should be completed.

Download the Ultimate guide

Got questions about Cyber Essentials?

Download our Ultimate Guide to learn more about the scheme and how to get your business certified.