Why Cyber Essentials has become a commercial requirement
Cyber Essentials was introduced by the National Cyber Security Centre as a government-backed certification scheme defining the minimum technical controls every UK business should have in place. For years it was primarily associated with public sector supply chains. That has changed significantly.
Today, Cyber Essentials certification is being requested by enterprise clients as a condition of supplier relationships, by cyber insurers as a requirement for cover, by regulated sector organisations as evidence of due diligence, and by businesses preparing for acquisition or investment as part of IT due diligence. The commercial case for not having it is diminishing rapidly.
The good news is that most UK SMEs are closer to certification than they realise. The five technical controls are not exotic or expensive. What the process requires is someone who understands what assessors are looking for, where the common gaps are, and how to close them efficiently.
"Most businesses fail their first Cyber Essentials assessment not because their security is poor, but because the documentation and configuration evidence was not prepared correctly."
The five controls Cyber Essentials tests
Cyber Essentials is built around five core technical areas. Each one is straightforward in principle. The complexity is in the detail, particularly for businesses with mixed device estates, cloud-based systems, or staff using personal devices for work.
1. Firewalls
A boundary firewall must protect your internet connection, with only necessary services exposed. For businesses using cloud services or remote workers, this extends to software firewalls on individual devices. The most common gap here is default configurations that have never been reviewed.
2. Secure configuration
Devices and software must be configured securely. Default passwords changed, unnecessary software removed, unused accounts disabled. This is the control most often failed because it requires evidence across every device in scope, including laptops, desktops and mobile devices used for work.
3. User access control
User accounts must only have access to what they need. Administrator privileges must be limited and justified. Accounts must be removed promptly when employees leave. In practice, most SMEs have accumulated access permissions that were never reviewed and leavers whose accounts were never properly deactivated.
4. Malware protection
Protection against malicious software must be active on all in-scope devices. Modern endpoint detection solutions are increasingly accepted alongside traditional antivirus. The key requirement is coverage, currency and evidence that it is actively managed.
5. Patch management
Software, operating systems and firmware must be kept up to date. Known vulnerabilities must be patched within 14 days of a patch becoming available. Unsupported software that no longer receives security updates is automatically non-compliant. This is frequently where businesses running legacy applications face their most significant challenge.
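The five controls above translate naturally into a gap check that can be run over an asset and account inventory before the formal assessment. The script below is an added illustration written for this page; it is not Northstar's or NCSC's tooling, and the inventory fields, the constructed sample devices and accounts, and the scoping rule that a personal device is in scope when it accesses work data are assumptions chosen to match the page's description. The 14-day patch window is the figure the page states.

```python
"""Readiness gap check against the five Cyber Essentials controls.

Added example: the Device/Account inventory format is an assumption, and the
sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14  # patches must be applied within 14 days of release


@dataclass
class Device:
    name: str
    owner: str                      # "company" or "personal"
    accesses_work_data: bool        # personal devices reading work email are in scope
    firewall_enabled: bool
    default_password_changed: bool
    malware_protection: Optional[str]          # product name, or None if absent
    os_supported: bool                         # vendor still issues security updates
    oldest_unpatched_release: Optional[date]   # release date of oldest pending patch


@dataclass
class Account:
    username: str
    is_admin: bool
    admin_justification: str        # empty string means no documented reason
    active_employee: bool
    enabled: bool


def in_scope(d: Device) -> bool:
    """Assumed scoping rule: company-owned, or personal but touching work data."""
    return d.owner == "company" or d.accesses_work_data


def check_device(d: Device, today: date) -> list[tuple[str, str]]:
    """Return (control, finding) pairs for one in-scope device."""
    findings: list[tuple[str, str]] = []
    if not d.firewall_enabled:
        findings.append(("Firewalls", f"{d.name}: no active firewall"))
    if not d.default_password_changed:
        findings.append(("Secure configuration", f"{d.name}: default password still set"))
    if not d.malware_protection:
        findings.append(("Malware protection", f"{d.name}: no malware protection"))
    if not d.os_supported:
        # Out-of-support software is non-compliant regardless of patch state
        findings.append(("Patch management", f"{d.name}: operating system unsupported"))
    elif d.oldest_unpatched_release is not None:
        age = (today - d.oldest_unpatched_release).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(("Patch management",
                             f"{d.name}: patch outstanding for {age} days"))
    return findings


def check_account(a: Account) -> list[tuple[str, str]]:
    """Admin rights need a justification; leavers must be disabled."""
    findings: list[tuple[str, str]] = []
    if a.is_admin and not a.admin_justification.strip():
        findings.append(("User access control", f"{a.username}: unjustified admin rights"))
    if not a.active_employee and a.enabled:
        findings.append(("User access control", f"{a.username}: leaver account still enabled"))
    return findings


def readiness_report(devices: list[Device], accounts: list[Account],
                     today: date) -> list[tuple[str, str]]:
    findings: list[tuple[str, str]] = []
    for d in devices:
        if in_scope(d):
            findings.extend(check_device(d, today))
    for a in accounts:
        findings.extend(check_account(a))
    return findings


def gaps_by_control(findings: list[tuple[str, str]]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for control, _ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


# Constructed sample inventory (not real devices or people)
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "company", True, True, True, "Defender", True, date(2024, 5, 25)),
    Device("SERVER-01", "company", True, True, True, "Defender", False, None),
    Device("PHONE-ALICE", "personal", True, True, True, None, True, date(2024, 5, 1)),
    Device("HOME-PC-BOB", "personal", False, False, False, None, False, None),  # out of scope
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, "", True, True),
    Account("bob", False, "", True, True),
    Account("carol", False, "", False, True),
]
SAMPLE_FINDINGS = readiness_report(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, TODAY)

if __name__ == "__main__":
    for control, detail in SAMPLE_FINDINGS:
        print(f"[{control}] {detail}")
    print(gaps_by_control(SAMPLE_FINDINGS))
```

On the constructed data this reports five gaps: the unsupported server, the personal phone with no malware protection and a 31-day-old patch, the undocumented admin account and the leaver whose account is still enabled. The out-of-scope home PC is skipped even though it fails every check, which is the scoping decision the page says businesses most often get wrong.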
Cyber Essentials or Cyber Essentials Plus?
There are two levels of certification and choosing the right one matters before you begin the process.
Cyber Essentials
Self-assessment questionnaire independently verified by an accredited certification body. The right choice for most UK SMEs.
- Satisfies the majority of procurement and insurance requirements
- Faster and less costly than CE+
- Certification valid for 12 months
- Suitable for businesses of all sizes
- Right for most SME situations
Cyber Essentials Plus
Includes independent technical verification by an assessor who tests your systems directly. Required for higher assurance situations.
- Required for most central government contracts involving sensitive data
- Provides stronger assurance for regulated sector supply chains
- More rigorous and time consuming than CE
- Assessor conducts independent technical testing
- Right when a client specifically requires it
How Northstar approaches Cyber Essentials readiness
Before committing to the formal assessment process, Northstar conducts an independent readiness review that tells you precisely where your business stands against the five controls, what the gaps are, and what it will cost to close them.
This matters because the cost of remediation varies significantly depending on your IT environment. A business with a well-managed Microsoft 365 estate and modern devices may need very little work. A business with legacy on-premise systems, mixed device ownership or inconsistent patch management may face a more significant programme. Knowing this before you commit to the assessment avoids failed attempts, wasted fees and timeline surprises.
Northstar then works alongside you and your MSP through the remediation phase, ensuring the right changes are made in the right way, and that the evidence required for certification is properly prepared and documented.
Common reasons businesses fail or delay certification
Having supported a number of SMEs through the Cyber Essentials process, Northstar has found that the most common reasons for failure or delay are consistent and largely avoidable with the right preparation:
Scope uncertainty. Businesses are often unclear about which devices and systems are in scope for the assessment. Getting this wrong either means failing on devices you did not know were included, or unnecessarily expanding the remediation effort.
Unsupported software. Legacy applications that are no longer receiving security updates are automatically non-compliant. Many businesses are running software they did not know was out of support, often because their MSP has not flagged it.
Personal device usage. Staff using personal smartphones or laptops to access work email or systems brings those devices into scope. Most businesses have not assessed or documented this.
Inaccurate self-assessment. The questionnaire requires precise, accurate answers. Guessing or approximating is not sufficient and assessors are trained to identify inconsistencies. Independent preparation ensures the answers reflect reality and are expressed in the terms the assessors expect.