  • Cyber Essentials
  • 11th Jun 2026
  • 1 min read

What Is Cyber Essentials? A Guide for UK Businesses

Written by Gabriel Few-Wiegratz

In Short
  • Cyber Essentials is the UK's baseline cyber security certification. Backed by the NCSC, it defines the minimum security controls recommended for UK organisations.
  • There are two certification levels. Cyber Essentials is a self-assessment reviewed by an Assured Service Provider, while Cyber Essentials Plus adds independent technical testing.
  • Certification is required for many government contracts. Organisations handling certain public-sector data or services often need a valid certificate to bid for or maintain contracts.
  • The scheme is built around five core controls. Firewalls, secure configuration, access control, malware protection, and patch management apply at both certification levels.

Cyber Essentials provides a practical, widely recognised benchmark for cyber security. For many organisations it is the first step in a broader security programme, while for government suppliers and regulated businesses it is often a contractual requirement. Certification lasts 12 months and must be renewed annually to remain valid.

Expert View

Matt Davies, Chief Product Officer, SureCloud

What our experts say about CE vs CE+ in practice

"Cyber Essentials asks you to say your patches are current. CE+ checks whether they actually are. In eight years of auditing, that gap between the answer on the form and the state of the device is where almost every finding lives, and it's almost never malicious, just invisible."

Key Facts

  1. Cyber Essentials was launched in June 2014 by the UK government, developed by the NCSC, and is administered by the IASME Consortium through a network of licensed Assured Service Providers.
  2. Two levels: standard Cyber Essentials (self-assessment questionnaire) and Cyber Essentials Plus (independent technical verification by an auditor testing your controls directly).
  3. Mandatory for government contracts: since April 2014, the Cabinet Office requires Cyber Essentials for contracts involving personal data handling or certain technical products and services.
  4. Five controls: boundary firewalls, secure configuration, user access control, malware protection, and patch management. All five apply to in-scope devices at both certification levels.
  5. Certificate valid for 12 months: renewal is required annually. A lapsed certificate does not satisfy live government contract requirements.

Why the Government Created Cyber Essentials

Cyber Essentials was launched by the UK government in June 2014 in response to a consistent pattern in cyber incident investigations. GCHQ had been examining attacks against large organisations and found that the techniques used were far from sophisticated. The analysis showed that one or more of just five key controls would have stopped the attacks progressing.

The government designed Cyber Essentials as a baseline: controls that protect against the most common attack techniques and are achievable by organisations of any size, including those with limited IT resource.

The scheme is administered by the IASME Consortium on behalf of the NCSC. IASME licenses Assured Service Providers (ASPs), the organisations that assess and certify companies against the standard. Since April 2014, the Cabinet Office has required Cyber Essentials certification for contracts involving the handling of personal information or the provision of certain technical products and services to government.

The evidence for the scheme's effectiveness is measurable. Organisations with Cyber Essentials controls in place are 92% less likely to make a claim on cyber insurance than those without, per NCSC published data.

The Two Levels of Cyber Essentials

Standard Cyber Essentials

Standard Cyber Essentials certification is based on a self-assessment questionnaire, the Montpellier question set published by IASME. An organisation answers questions about how each of the five controls is implemented across its in-scope IT estate, and the completed questionnaire is reviewed by a licensed Assured Service Provider who issues a certificate if the requirements are met.

The certificate is valid for 12 months and must be renewed annually. Standard Cyber Essentials is sufficient for most government contract requirements and is the starting point for organisations pursuing CE+.

Cyber Essentials Plus

Cyber Essentials Plus covers the same five controls but requires independent technical verification by an IASME-accredited certification body. An auditor tests your controls directly, running authenticated vulnerability scans, reviewing device configurations, and testing email and web browsing controls using the CE+ test specification published by NCSC.

CE+ provides a higher level of assurance because it does not rely on self-reported answers. It is required for some MoD supply chain contracts and for organisations handling more sensitive government data. Organisations have three months from their standard CE certificate date to complete CE+ verification.

The Five Cyber Essentials Controls

The five controls are consistent across both certification levels.

| Control | What It Requires |
|---|---|
| Boundary firewalls and internet gateways | A properly configured firewall or equivalent network device controlling what traffic can enter and leave your organisation. Default-deny inbound rules; unnecessary open ports closed. |
| Secure configuration | Devices and software configured securely: default passwords changed, unnecessary software removed, auto-run disabled, accounts set up with the minimum access required. |
| User access control | User accounts have only the access they need. Administrator accounts are used only for administrative tasks. Multi-factor authentication applied to internet-accessible accounts. |
| Malware protection | Protection against malicious software through anti-malware tools and, at gateway level, filtering of malicious email attachments and web content. |
| Patch management | Software and operating systems kept up to date. High-risk and critical patches applied within 14 days of release. End-of-life software removed from in-scope devices. |
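As an added example (not code from the article or from SureCloud), the check below scores a constructed device inventory against the patch management control's 14-day window for high-risk and critical patches. The device names, patch ids, severity labels and dates are all constructed for the example.

```python
from datetime import date, timedelta

# Patch-management control from the article: high-risk and critical patches
# applied within 14 days of release. The severity labels are assumptions.
PATCH_WINDOW = timedelta(days=14)
COVERED_SEVERITIES = {"critical", "high"}

def patch_status(patch, today):
    """Classify one patch record against the 14-day rule.

    patch: dict with id, severity, released (date), installed (date or None).
    Returns out_of_scope, compliant, late (installed after the window),
    pending (not installed, window still open) or overdue (window closed).
    """
    if patch["severity"].lower() not in COVERED_SEVERITIES:
        return "out_of_scope"
    deadline = patch["released"] + PATCH_WINDOW
    installed = patch.get("installed")
    if installed is not None:
        return "compliant" if installed <= deadline else "late"
    return "pending" if today <= deadline else "overdue"

def assess_estate(inventory, today):
    """Map each device to its overdue patch ids; an empty list passes today."""
    return {
        device: [p["id"] for p in patches if patch_status(p, today) == "overdue"]
        for device, patches in inventory.items()
    }

# Constructed sample inventory: hypothetical device names, patch ids and dates.
SAMPLE_TODAY = date(2026, 6, 11)
SAMPLE_INVENTORY = {
    "laptop-01": [
        {"id": "P-1", "severity": "critical", "released": date(2026, 5, 20),
         "installed": date(2026, 5, 28)},  # within window -> compliant
        {"id": "P-2", "severity": "high", "released": date(2026, 5, 1),
         "installed": None},  # window closed 15 May -> overdue
    ],
    "laptop-02": [
        {"id": "P-3", "severity": "high", "released": date(2026, 6, 5),
         "installed": None},  # window open until 19 June -> pending
        {"id": "P-4", "severity": "low", "released": date(2026, 4, 1),
         "installed": None},  # not a high/critical patch -> out_of_scope
    ],
}

if __name__ == "__main__":
    for device, overdue in assess_estate(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(device, "FAIL" if overdue else "PASS", overdue)
```

The "late" status records a patch that is installed now but was applied outside the window, which is the kind of gap between the questionnaire answer and the state of the device that the expert quote above describes.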

Who Needs Cyber Essentials

Mandatory: Government Contracts

Since April 2014, UK government departments have required Cyber Essentials certification from suppliers bidding for contracts that involve handling personal information or providing certain technical products and services. This requirement is enforced through the Cabinet Office procurement framework and applies to contracts let by central government departments.

Mandatory: MoD Supply Chain

Ministry of Defence suppliers are subject to the Defence Cyber Protection Partnership (DCPP) requirements, which include Cyber Essentials as a baseline. Suppliers handling more sensitive MoD information or working on contracts with a higher cyber risk profile may be required to hold Cyber Essentials Plus. Specific requirements are set out in DEFSTAN 05-138 and in individual contract terms.

Strongly Recommended: All Other Organisations

Beyond mandatory requirements, Cyber Essentials is the standard approach for any UK organisation that wants to demonstrate a credible baseline of cyber security to customers, partners, and insurers. Many large private sector organisations require Cyber Essentials from their supply chains as part of third-party risk management.

Cyber insurers increasingly reference CE as part of underwriting. Some offer premium reductions for certified organisations or require it as a condition of certain policy types. NCSC data shows 80% of certified organisations believe the scheme reduces their exposure to the financial cost of an unsophisticated cyber attack.

How Long Does Certification Take

Standard Cyber Essentials certification takes two to four weeks from starting the questionnaire process to receiving the certificate, assuming no significant remediation is required. The timeline depends on the size and complexity of your in-scope IT estate, whether your current configuration already meets the control requirements, and the turnaround time of your chosen Assured Service Provider.

Organisations that need to remediate gaps first, for example applying overdue patches, reconfiguring firewalls, or removing end-of-life software, should allow additional time. Submitting before remediation is complete results in a failed assessment, which adds time through the correction and resubmission process.

Cyber Essentials Plus adds further time: the technical audit itself, plus any remediation and retest if the first audit reveals failures. Allow at least four to six weeks for the full CE+ process from starting standard CE.

What You Get When You Certify

On successful certification, your organisation receives a Cyber Essentials certificate valid for 12 months from the date of issue. You're permitted to use the Cyber Essentials certification mark on your website, marketing materials, and tender documentation. Your organisation is listed on the IASME register of certified organisations, which customers and procurement teams can search to verify your certification status.

For qualifying organisations with turnover under £20 million, certification covering the whole organisation also includes a £25,000 cyber liability insurance benefit at no additional cost, arranged through IASME. Coverage includes data breach, ransomware, business interruption, and regulatory investigation costs.

Cyber Essentials vs ISO 27001

Cyber Essentials and ISO 27001:2022 are frequently discussed together but address different things. Cyber Essentials covers five specific technical controls. ISO 27001 requires an organisation to build and maintain a full information security management system, covering governance, risk management, policies, and a much broader set of controls, verified by an accredited third-party auditor.

| | Cyber Essentials | ISO 27001:2022 |
|---|---|---|
| Scope | Five specific technical controls | Full information security management system |
| Approach | Self-assessment or technical audit | Third-party audit and certification |
| Time to achieve | Weeks | Months to years |
| Cost | Low (hundreds of pounds) | Higher (thousands to tens of thousands) |
| UK government contracts | Required for many contracts | Not directly required, but recognised |
| Suitable for | All organisations as a baseline | Organisations needing a full ISMS with governance and audit |

Cyber Essentials is the starting point for most UK organisations. ISO 27001 is the right standard for organisations that need to demonstrate full information security governance, handle sensitive data at scale, or operate in sectors where ISO 27001 is explicitly required.

Get Certified with SureCloud

SureCloud is a licensed Cyber Essentials Assured Service Provider. Gracie AI Agents with Personas and Skills reduce audit prep time by 75%, cutting the administration that keeps your team from doing the actual work.

FAQs

Is Cyber Essentials the same as ISO 27001?

No. Cyber Essentials is a technical baseline: five controls, verified by questionnaire or audit, renewable annually. ISO 27001 is a management system standard covering governance, risk treatment, policy, and continuous improvement across your whole organisation, verified by an accredited third-party auditor. They serve different purposes and can be held at the same time.

How much does Cyber Essentials cost?

The cost varies by Assured Service Provider. Standard Cyber Essentials certification starts at a few hundred pounds for smaller organisations. Cyber Essentials Plus, which involves a technical audit, costs more and varies based on the size of your IT estate and the scope of audit work required. See our Cyber Essentials cost guide for a full breakdown.

Does Cyber Essentials protect against all cyber attacks?

No, and it's important to understand what it does and doesn't cover. Cyber Essentials addresses the techniques that exploit basic security weaknesses: unpatched systems, default credentials, misconfigured network boundaries, and absence of malware filtering. It doesn't cover advanced persistent threats, social engineering, physical security, or insider threats. It's a baseline, not a complete security strategy.

Who certifies Cyber Essentials?

Certification is issued by licensed Assured Service Providers (ASPs) for standard Cyber Essentials, and by IASME-accredited certification bodies for CE+ technical audits. Neither NCSC nor the Cabinet Office issues certificates directly. IASME, which administers the scheme, maintains a public register of both ASPs and certification bodies.

How long is a Cyber Essentials certificate valid for?

12 months from the date of issue. Annual renewal is required to maintain active certification. A lapsed certificate doesn't satisfy government contract requirements, which specify a current valid certificate. Renewal is a fresh application and can be completed with any licensed Assured Service Provider, not necessarily the same one used previously.