Whitepaper Contents
Cyber Essentials: The Complete UK Guide
Highlights
- Cyber Essentials is a UK government-backed certification scheme covering five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management.
- Two levels exist: Cyber Essentials (verified self-assessment) and Cyber Essentials Plus (independent technical verification). CE+ requires a current CE certificate as a prerequisite.
- Certification is mandatory for UK government suppliers whose contracts involve handling personal data or providing technical products and services.
- Certification lasts 12 months. Annual renewal requires a new self-assessment, not a restatement of the previous year's submission.
- 49,248 Cyber Essentials certificates were issued in the 12 months to March 2026. Organisations with Cyber Essentials are 92% less likely to make a cyber insurance claim than those without.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about CE assurance in practice
"Cyber Essentials certifies that five controls were in place at the point of assessment, not that they remain in place. For organisations that treat the annual questionnaire as a paperwork exercise without addressing underlying technical debt, the certificate provides limited real assurance. The remediation work is where the security value actually sits."
Key Facts
- Cyber Essentials was launched by the NCSC in 2014. The CE v3 (Montpellier) update in 2021 expanded scope to cover cloud services, home working devices, and multi-factor authentication.
- UK government suppliers whose contracts involve handling personal data or providing technical services must hold Cyber Essentials certification.
- The five controls are: firewalls, secure configuration, user access control, malware protection, and security update management.
- High and critical severity patches must be applied within 14 days of release under the security update management control.
Why Cyber Essentials Exists
The NCSC launched Cyber Essentials in 2014 in response to evidence that the majority of successful cyber attacks exploit a small number of well-understood technical weaknesses: misconfigured systems, unpatched software, weak access controls, and the absence of basic network boundary defences. The scheme was designed to make a defined set of defensive controls accessible and verifiable for organisations of all sizes, without requiring the resource investment of a management system standard such as ISO 27001:2022.
In 2021, the scheme underwent a significant update (CE v3, the Montpellier revision) which expanded scope to include cloud services, home working devices, and multi-factor authentication requirements. These changes reflected the shift in how organisations operate: a definition of in-scope devices that excluded cloud infrastructure or remote worker endpoints was no longer credible.
The Cabinet Office mandates Cyber Essentials certification for all suppliers bidding for central government contracts that involve handling personal data or providing certain technical services. In the 12 months to March 2026, 49,248 Cyber Essentials certificates were issued across businesses, charities, schools, universities, and local authorities.
The Two Certification Levels
Cyber Essentials
The baseline certification involves a Verified Self-Assessment (VSA). An organisation completes a detailed questionnaire, administered through an Assured Service Provider (a body licensed by IASME to deliver the scheme), confirming that the five technical controls are in place across its in-scope systems.
The assessment is reviewed by the Assured Service Provider. If the evidence provided satisfies the scheme's requirements, certification is granted. Cyber Essentials certification is valid for 12 months and must be renewed annually.
Cyber Essentials Plus
Cyber Essentials Plus covers the same five technical controls but adds independent technical verification. An assessor from an Assured Service Provider conducts hands-on testing: internal and external vulnerability scanning, configuration checks, and end-user device testing, to verify that the controls described in the self-assessment are operating as claimed.
CE+ requires a current Cyber Essentials certificate as a prerequisite. CE+ is required by some government frameworks and strongly preferred by cyber insurers assessing coverage for higher-risk organisations. The independent verification element makes it substantially more credible as third-party evidence of control effectiveness.
The Five Technical Controls
The Cyber Essentials scheme defines five control areas, each of which must be satisfied across all in-scope devices and systems to achieve certification.
1. Firewalls
You need a boundary firewall or, for cloud environments, equivalent network-level controls, configured to block all inbound connections that aren't explicitly permitted. Personal firewalls must be active on any device connecting outside the protected network perimeter. Default-open configurations don't pass.
2. Secure Configuration
Devices and software must be configured securely before deployment and kept that way. Change default passwords. Remove or disable unnecessary software, accounts, and services. This control exists because a surprising number of breaches trace back to systems that were deployed in vendor default states and never hardened.
3. User Access Control
User accounts must be provisioned with the minimum access necessary for the role. Administrative or privileged access must be limited and used only for administrative tasks. Standard user accounts must not have elevated privileges by default.
This control maps directly to the principle of least privilege and is one of the areas most frequently failed in CE assessments. See SureCloud's industries guidance for sector-specific access control considerations.
4. Malware Protection
In-scope devices must be protected against malware. The scheme accepts either traditional anti-malware software with up-to-date definitions, or application allowlisting, which only permits explicitly approved software to run. Allowlisting gives you a stronger posture, but it takes more active management to maintain.
5. Security Update Management
Software must be kept up to date. High and critical severity patches must be applied within 14 days of release. Software that's no longer supported by its vendor must be removed from in-scope systems or isolated from the network. For organisations with legacy estates, this is often the hardest control to satisfy.
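The security update management control above is the one with a hard numeric rule, so it lends itself to an automated pre-assessment check. The following is an added example, not part of the original whitepaper or any SureCloud or IASME tooling: it walks a constructed software inventory (hypothetical hosts and product names) and flags every item that is unsupported by its vendor or has a high/critical patch older than 14 days.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Cyber Essentials security update management: high/critical patches within
# 14 days of release; unsupported software removed or isolated from the network.
PATCH_WINDOW_DAYS = 14
ENFORCED_SEVERITIES = {"high", "critical"}


@dataclass(frozen=True)
class InstalledSoftware:
    host: str
    name: str
    installed_version: str
    latest_version: str
    patch_severity: str             # severity of the newest available patch, "" if none
    patch_released: Optional[date]  # release date of that patch, None if fully patched
    vendor_supported: bool          # False once the vendor has ended support


def check_update_management(inventory: List[InstalledSoftware], today: date) -> List[Tuple[str, str, str]]:
    """Return (host, software, reason) for every item that would fail the control."""
    findings = []
    for item in inventory:
        if not item.vendor_supported:
            findings.append((item.host, item.name, "unsupported by vendor: remove or isolate"))
            continue
        if item.installed_version == item.latest_version or item.patch_released is None:
            continue  # nothing outstanding
        if item.patch_severity.lower() not in ENFORCED_SEVERITIES:
            continue  # the scheme sets no fixed deadline for lower severities
        age = (today - item.patch_released).days
        if age > PATCH_WINDOW_DAYS:  # day 14 itself is still within the window
            findings.append((item.host, item.name,
                             f"{item.patch_severity} patch overdue: {age} days since release "
                             f"(limit {PATCH_WINDOW_DAYS})"))
    return findings


# Constructed sample inventory: hypothetical hosts and products, not real data
SAMPLE_INVENTORY = [
    InstalledSoftware("laptop-01", "Web Browser", "121.0", "122.0", "high", date(2026, 3, 10), True),
    InstalledSoftware("laptop-01", "PDF Reader", "11.2", "11.3", "critical", date(2026, 3, 25), True),
    InstalledSoftware("server-02", "Database", "9.6", "9.6", "", None, False),
    InstalledSoftware("server-02", "Monitoring Agent", "2.0", "2.1", "low", date(2026, 1, 1), True),
]


def run_sample(today: date = date(2026, 3, 31)) -> List[Tuple[str, str, str]]:
    return check_update_management(SAMPLE_INVENTORY, today)
```

Running `run_sample()` against the constructed inventory reports the browser (21 days overdue) and the unsupported database, while the critical PDF patch still inside its window and the low-severity agent are not flagged.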
Who Needs Cyber Essentials
Cyber Essentials certification is mandatory for UK government suppliers whose contracts involve handling personal data or providing technical products or services to central government. Beyond that mandatory requirement, certification is increasingly expected or incentivised in the following contexts.
- Cyber insurance: Many UK insurers now treat CE or CE+ as a condition of coverage, or offer reduced premiums to certified organisations. Organisations with Cyber Essentials are 92% less likely to make a cyber insurance claim than those without certification.
- Regulated sectors: Financial services firms, legal practices, and healthcare organisations operating under sector-specific frameworks (FCA, Solicitors Regulation Authority, CQC) increasingly treat CE as a baseline hygiene expectation.
- Supply chain requirements: Larger organisations in the private sector are beginning to require CE certification from their suppliers as a condition of contract, mirroring the government model downstream.
- Frameworks alignment: CE aligns with and partially satisfies control requirements across ISO 27001:2022, NIS2, and DORA for organisations subject to those frameworks, though it does not substitute for compliance with any of them.
How Certification Works: The Assured Service Provider Process
Cyber Essentials certification is delivered through the IASME Consortium, the body that manages the scheme under licence from the NCSC, and its network of Assured Service Providers. Certification is not applied for directly with the NCSC.
To certify, an organisation must work through the following steps.
- Step 1: Select an Assured Service Provider from the IASME-maintained register.
- Step 2: Define the scope of certification: which systems, devices, and users are in scope. Scope decisions significantly affect both the cost and time required.
- Step 3: Complete the Verified Self-Assessment questionnaire via the IASME portal, answering questions across each of the five control areas.
- Step 4: Submit the completed questionnaire to the ASP, who reviews it for accuracy and completeness.
- Step 5: If the submission meets requirements, the ASP issues a Cyber Essentials certificate, valid for 12 months.
For Cyber Essentials Plus, you complete steps 1 to 5 first. The ASP then conducts independent technical testing against the five control areas using a defined test specification.
How Cyber Essentials Relates to ISO 27001 and DORA
Cyber Essentials and ISO 27001:2022 address different things. CE certifies that five specific technical controls are in place. ISO 27001:2022 certifies that an organisation has established and maintains an information security management system (ISMS): a management framework governing how security risks are identified, assessed, treated, and continuously improved. The standards are complementary: CE provides a technical baseline that supports ISO 27001 implementation, and ISO 27001 goes substantially further in scope and depth.
For organisations subject to DORA (which came into force on 17 January 2025), CE doesn't substitute for DORA compliance. That said, the five CE controls, particularly secure configuration, patch management, and access control, are directly relevant to DORA Article 5 ICT risk management requirements and the technical resilience obligations in DORA Article 9. CE-certified organisations aren't starting from scratch when they turn to DORA.
Which Article Should I Read?
| If you need to understand... | Read this article |
| --- | --- |
| What Cyber Essentials costs | Cyber Essentials Cost: What UK Organisations Pay in 2026 |
| How to complete the self-assessment questionnaire | How to Complete the Cyber Essentials Questionnaire |
| Cyber Essentials vs ISO 27001 | Cyber Essentials vs ISO 27001: Which Is Right for You? |
| The technical requirements in detail | Cyber Essentials Requirements: What You Actually Need |
| The five controls in depth | The Five Cyber Essentials Controls Explained |
| Preparing for CE+ assessment | Preparing for Your Cyber Essentials Plus Audit |
| Certification for specific sectors (CNI) | Cyber Essentials for Critical National Infrastructure |
FAQs
What is Cyber Essentials and who runs it?
Cyber Essentials is a UK government-backed certification scheme requiring five foundational technical security controls: firewalls, secure configuration, user access control, malware protection, and security update management. It's run by the NCSC and administered through the IASME Consortium, which licences Assured Service Providers to deliver assessments and issue certificates.
Is Cyber Essentials mandatory?
Cyber Essentials is mandatory for all UK central government suppliers whose contracts involve handling personal data or providing technical products and services. Outside the government supply chain, it's not legally mandatory for most organisations, but it's a condition of some cyber insurance policies, increasingly expected in private sector supply chains, and a baseline expectation in several regulated sectors.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a verified self-assessment: the organisation declares that the five controls are in place and an Assured Service Provider reviews that declaration. Cyber Essentials Plus adds independent technical verification. An assessor physically tests the controls through scanning, configuration review, and device testing.
CE+ is more credible as third-party assurance and is required or preferred in higher-risk supply chain and insurance contexts. A current Cyber Essentials certificate is a prerequisite for CE+.
How long does Cyber Essentials certification last?
Cyber Essentials certification lasts 12 months from the date of issue. Annual renewal is required to maintain certified status. The renewal involves completing a new self-assessment questionnaire: it's not simply a restatement of the previous year's submission. Organisations whose certificate has lapsed must recertify from the beginning.
Does Cyber Essentials cover cloud services?
Yes, following the CE v3 (Montpellier) update in 2021. Cloud services used by the organisation, and devices connecting to them, are in scope for the assessment. The scheme defines how the five controls apply in cloud environments, for example configuring cloud-based firewall and access control settings, rather than applying only to on-premises infrastructure.
© SureCloud 2026. All rights reserved.
