Cyber Essentials Explained: A Plain-English Guide for UK Businesses (2026)
If you run a business in the UK, you have probably seen "Cyber Essentials" appear on a tender, an insurance form, or a supplier questionnaire. It sounds technical and official, and it is easy to put off. The good news is that Cyber Essentials is far simpler than it looks. This guide explains what it is, what it covers, and how to get certified, all in plain English.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme, created by the National Cyber Security Centre (NCSC) and delivered through the IASME Consortium. It sets out a baseline of five technical controls that protect your business against the most common internet-based cyber attacks.
The idea is deliberately practical. Most attacks on small and medium businesses are not sophisticated. They rely on unpatched software, weak passwords, and misconfigured devices. Cyber Essentials makes sure those basics are covered, which stops the overwhelming majority of opportunistic attacks before they start.
The NCSC estimates that the controls in Cyber Essentials can prevent around 80 percent of common cyber attacks. For most businesses, it is the single highest-impact security step you can take.
Cyber Essentials vs Cyber Essentials Plus
There are two levels of certification, and the difference matters.
- Cyber Essentials is a verified self-assessment. You complete a questionnaire about your IT setup, a qualified assessor reviews your answers, and you are certified if you meet the requirements. It is the right starting point for almost every business.
- Cyber Essentials Plus covers the exact same five controls, but adds a hands-on technical audit. An assessor independently tests your systems, scans your devices, and verifies that the controls are genuinely in place. It carries more weight with clients and is often required for public-sector or higher-value contracts.
A common route is to achieve Cyber Essentials first, then upgrade to Plus within three months while the assessment is still current.
The five controls, explained
Everything in Cyber Essentials comes down to five areas. Here is what each one actually means for your business.
1. Firewalls
Firewalls sit between your network and the internet and block unwanted traffic. The certification expects every device that connects to the internet to be protected by a properly configured firewall, whether that is your office router or the built-in firewall on a laptop used from home. Default passwords on routers must be changed, and remote administrative access should be locked down.
2. Secure configuration
Devices and software often ship with settings designed for convenience, not security. Secure configuration means removing or disabling anything you do not need: default accounts, unnecessary software, auto-run features, and guest access. The fewer doors there are, the fewer an attacker can try.
3. User access control
Not everyone needs access to everything. This control is about giving each person only the access their role requires, using unique accounts, and protecting administrator accounts carefully. Admin rights should be the exception, not the default, and multi-factor authentication is strongly expected, especially for cloud services and email.
4. Malware protection
Every device needs a defence against malicious software. That usually means up-to-date anti-malware software, but it can also mean allowing only approved applications to run (application allow-listing). The aim is simple: if something malicious lands on a device, it is detected and stopped before it spreads.
5. Security update management
Software vendors release updates to fix security holes, and attackers actively hunt for businesses that have not applied them. This control requires that all your operating systems and applications are still supported by the vendor, and that high-risk security updates are installed within 14 days of release. Unsupported software, such as an old version of Windows that no longer receives updates, will cause a certification to fail.
Why Cyber Essentials matters for your business
Beyond the obvious security benefit, certification brings real commercial value.
- It wins work. A growing number of contracts and tenders, especially in the public sector and larger supply chains, now require Cyber Essentials as a minimum. No certificate, no bid.
- It reassures clients. Displaying the Cyber Essentials badge tells customers and partners that you take the security of their data seriously.
- It can include cyber insurance. Certifying through some routes includes limited cyber liability insurance for smaller UK businesses, and it can reduce premiums elsewhere.
- It genuinely reduces risk. The controls block the common attacks that cause most real-world breaches, downtime, and ransom demands.
How much does it cost, and how long does it take?
Cyber Essentials certification fees are tiered by company size, starting from around 320 pounds plus VAT for a micro business. Cyber Essentials Plus costs more because of the technical audit, and the price depends on the size and complexity of your IT.
The bigger cost is usually the preparation. If your IT is already well managed, certification can take a couple of weeks. If there are gaps, such as missing updates, shared admin accounts, or unsupported software, those need to be fixed first. That remediation work is exactly where most of the value lies, because you are closing the gaps an attacker would target.
Why businesses fail, and how to avoid it
Most failed assessments come down to a handful of avoidable issues:
- Running software or operating systems that are no longer supported by the vendor.
- Security updates not applied within the 14-day window.
- Staff using accounts with administrator rights for everyday work.
- No multi-factor authentication on cloud services and email.
- Default passwords still in place on routers or devices.
None of these are hard to fix, but they are easy to miss if no one is actively managing your IT. A short readiness review before you apply saves time, money, and the frustration of a failed assessment.
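The readiness review described above can be partly automated. The Python below is an added example, not part of this article or of the IASME scheme materials: it runs the five common failure points (unsupported software, security updates older than the 14-day window, everyday use of administrator accounts, no multi-factor authentication on cloud services, default passwords) over a constructed device inventory. The record layout, device names, update identifiers and assessment date are all assumptions made up for the illustration; in practice the inventory would come from your patch-management or device-management tooling.

```python
"""Added example: a Cyber Essentials readiness check over a constructed
device inventory. Field names, device names, update ids and the assessment
date are assumptions for illustration, not part of the official scheme."""
from datetime import date

PATCH_WINDOW_DAYS = 14            # high-risk updates must be applied within 14 days of release
ASSESSMENT_DATE = date(2026, 2, 1)  # constructed "today" so the example is repeatable

# Constructed inventory: one record per device or cloud service.
# "mfa" is None where MFA does not apply to the record (e.g. a laptop OS login
# handled elsewhere), True/False where it does.
INVENTORY = [
    {"name": "LAPTOP-01", "os": "Windows 11", "vendor_supported": True,
     "pending_high_risk_updates": [],  # list of (update id, release date)
     "daily_users_are_admins": False, "default_password": False, "mfa": None},
    {"name": "LAPTOP-02", "os": "Windows 10", "vendor_supported": False,
     "pending_high_risk_updates": [("UPDATE-EXAMPLE-1", date(2026, 1, 2))],
     "daily_users_are_admins": True, "default_password": False, "mfa": None},
    {"name": "OFFICE-ROUTER", "os": "vendor firmware", "vendor_supported": True,
     "pending_high_risk_updates": [], "daily_users_are_admins": False,
     "default_password": True, "mfa": None},
    {"name": "Microsoft 365", "os": "cloud", "vendor_supported": True,
     "pending_high_risk_updates": [], "daily_users_are_admins": False,
     "default_password": False, "mfa": False},
]


def check_device(dev, today):
    """Return a list of (control, finding) pairs for one inventory record."""
    findings = []
    if not dev["vendor_supported"]:
        findings.append(("Security update management",
                         f"{dev['os']} is no longer supported by the vendor"))
    for update_id, released in dev["pending_high_risk_updates"]:
        age = (today - released).days
        if age > PATCH_WINDOW_DAYS:  # exactly 14 days old is still inside the window
            findings.append(("Security update management",
                             f"{update_id} released {age} days ago, outside the "
                             f"{PATCH_WINDOW_DAYS}-day window"))
    if dev["daily_users_are_admins"]:
        findings.append(("User access control",
                         "everyday work is done with administrator rights"))
    if dev["mfa"] is False:
        findings.append(("User access control",
                         "multi-factor authentication not enabled"))
    if dev["default_password"]:
        findings.append(("Secure configuration", "default password still in place"))
    return findings


def readiness_report(inventory, today):
    """Map record name -> findings; an empty dict means no gaps were found."""
    report = {}
    for dev in inventory:
        findings = check_device(dev, today)
        if findings:
            report[dev["name"]] = findings
    return report


if __name__ == "__main__":
    report = readiness_report(INVENTORY, ASSESSMENT_DATE)
    for name, findings in report.items():
        for control, finding in findings:
            print(f"{name}: [{control}] {finding}")
    print("READY" if not report else f"{len(report)} record(s) need remediation first")
```

Each finding is tagged with the control it falls under, so the output doubles as a to-do list ordered the same way the assessment questionnaire is. The 14-day comparison is deliberately strict-greater-than, so an update released exactly 14 days ago is still inside the window.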
How to get certified, step by step
- Scope it. Decide which parts of your business are covered. Most businesses certify the whole organisation, including home workers and cloud services.
- Review and fix. Check your setup against the five controls and close any gaps, from patching to access control.
- Complete the assessment. Answer the self-assessment questionnaire honestly and accurately.
- Get reviewed. A qualified assessor checks your answers and confirms certification.
- Maintain it. Certification lasts 12 months. The real goal is to keep the controls in place all year, not just on assessment day, then renew.
How IT-MSP helps you get certified and stay certified
We help London businesses achieve Cyber Essentials without the jargon and the headache. We run a readiness review against the five controls, fix the gaps for you, guide you through the assessment, and then keep the controls in place all year with managed updates, access control, and monitoring, so renewal is straightforward.
If Cyber Essentials is on a tender you want to win, or you simply want the basics done properly, we can get you there quickly.
Find out how ready your business is with a free 15-minute IT health check. Call 0207 112 4812 or visit it-msp.net.
Frequently asked questions
Is Cyber Essentials a legal requirement?
No, it is not a law. But it is increasingly required to win contracts, and many cyber insurance policies expect it. For most businesses it is effectively a commercial necessity.
How long does certification last?
Twelve months. You then renew, ideally having kept the controls in place throughout the year rather than scrambling before the deadline.
Does it cover cloud services like Microsoft 365?
Yes. The cloud services your business uses are in scope, and controls such as multi-factor authentication and user access apply to them.
We are a small team. Is it really worth it?
Yes. Smaller businesses are frequently targeted precisely because attackers expect weaker defences. Cyber Essentials closes the most common gaps at a modest cost.