Understanding the Cyber Essentials certification scheme

uk cyber essentials certification

As a business, it is better late than never to move ahead with a cybersecurity-focused business strategy. To help businesses, the UK Government has formulated a range of standards and guidelines. The most crucial of these is the Cyber Essentials certification, which is of particular benefit for small and medium businesses.

Despite this increase in awareness, most SMEs remain at risk of experiencing a data breach either through a lack of knowledge or the lack of action. Such risks remain a grave concern for small and medium businesses due to the fines and costs associated with cyberattacks, and the severe impact on their reputation, custom and even business viability.

What is Cyber Essentials?

Launched in June 2014, the Cyber Essentials is the UK Government’s Cyber Security Scheme, currently operated by the National Cyber Security Centre (NCSC).

Cyber Essentials is not a silver bullet to cybersecurity.  Instead, it allows SMEs to take the first step towards defending themselves in this age of cyber warfare.

Initially developed in collaboration with several industry partners, before the United Kingdom’s Government endorsed the Cyber Essentials framework.  It was then launched by the Department for Business, Innovation, & Skills.

The bodies which contributed to the development of the Cyber Essentials Scheme were:

  • The Information Assurance for Small & Medium Enterprises, Consortium (IASME)
  • The Information Security Forum (ISF)
  • The British Standards Institution (BSI)

The primary aim of Cyber Essentials is to encourage and guide small and medium businesses, and non-profits, to adopt information security best practices and implement effective controls. Once fully implemented within an organisation, Cyber Essentials enables fundamental protection against the most prevailing types of cyber threats.

The framework of Cyber Essentials involves a self-assessment questionnaire which demonstrates that an entity’s cybersecurity is trustworthy and secure.

The five Cyber Essentials technical controls

Simply put, Cyber Essentials provides the foundation on which to build your cyber security strategy.  It achieves this through five technical controls, which lie at the core of the Cyber Essentials, which identify the critical areas in your computing infrastructure that require focus to reduce the cyber threat.

For businesses and non-profits considering Cyber Essentials certification, it is worth knowing what these five Cyber Essentials technical controls are:

cyber essentials 5 controls

Cyber Essentials Vs. Cyber Essentials Plus

Most organisations are aware that the Cyber Essentials scheme offers two methods of certification – Cyber Essentials and Cyber Essentials Plus.  These methods provide the option of choosing either self-certification or an independent audit.

For most organisation, embarking towards Cyber Essentials certification is often a crucial step towards implementing cyber resilience.  However, the perceptions offered by each of the two certification paths differ.

A Cyber Essentials certification will show that your business values cyber security.  The Cyber Essentials Plus certification presents a higher level of assurance for your stakeholders, demonstrating that you are have taken proactive steps to protect their data.


To understand more about the difference between the two paths to Cyber Essentials certification also read Cyber Essentials vs Cyber Essentials Plus.

Why do businesses need Cyber Essentials?

Small and medium businesses face the same level of risk of a cyberattack, if not more, as large enterprises. To improve cybersecurity, an essential first step for SMEs is to become Cyber Essentials certified

While having an effective cybersecurity strategy in place may be the primary driver, the motivation behind pursuing this certificate varies from organisation to organisation.

Generally, firms seek Cyber Essentials certification for several different reasons, including improved protection against prevailing cyberattacks, increasing partner confidence, and a competitive advantage for bidding on government contracts.


Business benefits of Cyber Essentials

Businesses adopting the Cyber Essentials framework will gain several benefits once certified.  To further learn about the benefits provided by Cyber Essentials certification, you can read 10 Benefits of being Cyber Essentials certified.

Presented below are the top four reasons why Cyber Essentials certification is crucial for organisations.

1. Supports protection against common cyber attacks

Businesses have become more aware of cyber attacks and the danger they pose. An ever-increasing threat, cybersecurity has now become a crucial component of corporate responsibility.

All companies, whether small or big, with an online presence, are targets for possible cyber-attacks. A significant number of these cyber-attacks aim to exploit simple weaknesses in organisations.  These vulnerabilities can be as basic as the lack of updated software or optimally-configured firewalls. In most cases, such attacks are straightforward to defend against with simple strategies which Cyber Essentials provides.

No security strategy will prevent a hundred per cent of cyber attacks.  However, Cyber Essentials helps organisations mitigate the risks of the most common attacks ones by providing a robust foundation upon which SMEs can build their cybersecurity strategy.

2. Prepares your organisation for GDPR compliance

The GDPR (General Data Protection Regulation) requires any organisation processing personal information belonging to EU citizens to protect this data from unauthorised access and theft. Organisations found to be negligent in this regard could face a fine of up to 4% of their global turnover.

Becoming Cyber Essentials certified can help prevent these hefty fines and contribute to an organisation’s effort in achieving GDPR compliance. Whilst GDPR covers a lot more than the five Cyber Essentials controls, the Cyber Essentials scheme allows small and medium businesses to audit their internal security and address any basic security threats.

As such, for most organisations, Cyber Essentials certification is often the first step towards the preparation of GDPR compliance.

3. Enables your business to bid for government contracts

To be eligible to bid on government contracts, the UK Government has made it mandatory for potential suppliers to hold a valid Cyber Essentials certification.

Where a contract involves certain technical services or handling of sensitive information, then suppliers must be Cyber Essentials compliant. Consequently, for small and medium businesses seeking a government contract, Cyber Essentials is the only way forward.

Further information regarding mandatory can be found here.

4. Shows customers and suppliers that you take cybersecurity seriously

If your organisation is unable to demonstrate cyber resiliency, your customers and even suppliers can be sceptical when dealing with you. By attaining Cyber Essentials certification, organisations can establish a stronger relationship, based on trust, with both clients and partners.

The government generally recommends that all social care establishments and health institutions provide evidence that they take cybersecurity seriously, and this includes having the Cyber Essentials certification.

Ideally, the scheme should be widely tested in Trusts, Social Care, and GP practices. Government reports indicate a considerable increase in the number of organisations that are applying for this certification.

The path to Cyber Essentials certification

Cyber Essentials and Cyber Essentials Plus certification require organisations to prove that appropriate security controls are in place.  Most organisations may struggle with the time and resources needed to gather up the essential audit information. The process can be lengthy and difficult to achieve manually or with incorrect tools.

To apply for the basic Cyber Essentials certificate, you only need to fill the correct information in the portal. The assessors don’t require any tests, vulnerability scans, or any form of 3rd-party verification.

The verification process will only involve the declaration sign by a board member. Primarily, to prove that all the provided answers regarding the cybersecurity of your organisation are accurate.

Owning to the need for independent assessment, the Cyber Essentials Plus certification is more arduous.  Depending on the state of your current computing infrastructure, in terms of cyber security, you may need for a more robust assessment to be conducted to ensure you meet the Cyber Essentials criteria.


After submission of the relevant information, it only takes a couple of days before you receive the certificate. However, this depends if the information you have given is correct or if there is still the need for more clarification.

Additionally, some organisations take weeks before they submit their data. So, the time varies from one organisation to the next.

To reduce the waiting time, make sure that you complete the scope required as soon as you get the login details. Furthermore, handle any changes as soon as you are requested to do so.

See also: How to become Cyber Essentials certified and Checklist for passing Cyber Essentials Plus

How much does the Cyber Essentials certification cost?

Each assessment costs £300 + VAT, regardless of your company size. However, this fee only covers the evaluation. It does not cover any costs associated with any remediation work required to meet the Cyber Essentials controls.

Once you pay, you will get the login details to the member’s area where you will complete your assessment.

It is advisable you do this within three months before your account is archived. In case you delay, and your account is archived, then you will need to reapply and will not get a refund.

You might also like