Cyber Essentials is the UK government-backed cybersecurity certification scheme that more and more businesses are being asked to demonstrate. If you have been asked about it by a client, an insurer, or a procurement team, or if you have heard the term and wondered what it actually involves, this post is for you.

What Cyber Essentials is

Cyber Essentials is a certification scheme developed by the National Cyber Security Centre (NCSC) in partnership with industry. It defines a set of five basic technical controls that, when properly implemented, protect organisations against the most common cyber attacks.

The scheme was introduced in 2014, initially as a requirement for businesses supplying certain government contracts. It has since become a much broader benchmark – used by insurers, enterprise procurement teams, and regulated sector clients as a baseline indicator of cyber hygiene.

There are two levels of certification:

**Cyber Essentials** – a self-assessment questionnaire, independently verified by an accredited certification body. You answer a series of questions about your IT environment and security controls. A qualified assessor reviews your answers and, if they meet the required standard, issues the certification.

**Cyber Essentials Plus** – includes everything in the standard certification, plus an independent technical verification carried out by an assessor who tests your systems directly. This provides a higher level of assurance and is increasingly required for public sector contracts and regulated sector supply chains.

The five controls

The Cyber Essentials framework is built around five technical controls:

1. Firewalls – a boundary firewall must be in place to protect your internet connection. For cloud-based businesses, this extends to software firewalls on individual devices.

2. Secure configuration – devices and software must be configured securely. Default passwords must be changed. Unnecessary software and services must be disabled or removed.

3. User access control – user accounts must have only the access they need for their role. Administrator privileges must be limited to those who genuinely require them. Accounts must be removed or disabled promptly when employees leave.

4. Malware protection – protection against malicious software must be in place on all devices. This includes up-to-date antivirus or modern endpoint detection and response (EDR) solutions.

5. Patch management – software, operating systems and firmware must be kept up to date. Known vulnerabilities must be patched within 14 days of a patch becoming available.

These are not complex or expensive controls. Most businesses are at least partially compliant already. The certification process tests whether the controls are properly implemented, consistently applied, and accurately documented.

Who needs it and why

Cyber Essentials was originally associated primarily with government contracts – the Cabinet Office mandated it for suppliers handling certain types of government data from 2014. That requirement has been progressively extended and today covers the majority of central government contracts involving sensitive data or network connectivity.

Beyond government procurement, the drivers are now broader:

Cyber insurance – insurers are increasingly using Cyber Essentials as a rating factor. Businesses with certification typically attract lower premiums and face fewer exclusions. Some insurers are beginning to require it for new policies.

Enterprise supply chain – large organisations are extending their security requirements to suppliers. If you supply a financial services firm, a healthcare provider, or a large retailer, you may find Cyber Essentials appearing in their supplier questionnaires or as a contractual requirement.

Client confidence – for professional services businesses, certification provides a straightforward way to demonstrate that client data is being handled responsibly.

Regulatory environment – while Cyber Essentials is not currently a legal requirement for most UK businesses, it aligns closely with the technical controls expected under UK GDPR and sector-specific regulations such as those applying to financial services and healthcare.

How long does it take and what does it cost?

For most SMEs, achieving Cyber Essentials from a standing start takes between four and twelve weeks, depending on how compliant your current IT environment is.

The cost of the certification itself is relatively modest – typically between £300 and £500 for the standard certification, with additional costs for CE+ depending on the size and complexity of your environment. The main variable is the cost of closing any gaps identified during the assessment process – which may require IT changes that your MSP will charge for.

This is one of the reasons working with an independent advisor before starting the certification process is valuable – understanding what gaps exist, what they will cost to close, and whether the remediation approach your MSP proposes is proportionate.

CE vs CE+: which do you need?

For most SMEs, the standard Cyber Essentials certification is sufficient. It demonstrates compliance with the five core controls, satisfies the majority of procurement requirements, and provides a meaningful baseline of cyber hygiene.

Cyber Essentials Plus is appropriate if:

– You supply central government contracts that specifically require it

– You handle particularly sensitive data – healthcare, financial, or defence-related

– Your clients are large enterprises with mature supply chain security requirements

– You want to provide the highest level of assurance to the market

If you are unsure which level is right for your business, the answer usually depends on what you are being asked to demonstrate and by whom. That is a question an independent advisor can help you answer in about fifteen minutes.

Getting started

If you are considering Cyber Essentials and want to understand where your business currently stands before committing to the assessment process, a readiness review is the sensible first step. It tells you what the gaps are, what they will cost to close, and what the assessment process will involve for a business with your particular IT environment. Northstar offers Cyber Essentials readiness assessments as part of its IT and Cyber Risk Review service.

← All Insights
← Previous Next →

More Insights

Supplier Management

The MSP Contract Renewal Playbook: How to Negotiate from Strength

Most SMEs accept their MSP's renewal offer without negotiation. This is almost always a commercial mistake. Here is how to approach contract renewal in a way that produces better terms, better service commitments and better value.

17 July 2026 · 4 min read
Cyber Risk

Business Email Compromise: The Cyber Threat Most SME Boards Have Never Heard Of

Ransomware gets the headlines. Business email compromise quietly costs UK businesses more money every year. Here is what it is, how it works, and why it is particularly dangerous for SMEs.

9 July 2026 · 4 min read
IT Governance

The IT Governance Checklist Every SME Board Should Work Through Once a Year

Most SME boards have no structured way to review their IT governance position. This practical checklist gives you a framework for doing exactly that in plain English, without technical jargon, in under an hour.

1 July 2026 · 5 min read