CyberBITS
Cybersecurity 16 May 2026 · 4 min read

Cyber Essentials Explained: What It Is, What It Costs and Whether You Need It

Cyber Essentials is a UK government-backed certification covering five core security controls. Here's what it covers, how it differs from Cyber Essentials Plus, what it costs, and whether your business actually needs it.

Robert Shaw, Founder


Short answer: Cyber Essentials is a UK government-backed certification, overseen by the National Cyber Security Centre (NCSC) and delivered through IASME, that covers five core technical security controls. Self-assessed certification typically costs between roughly £320 and £600 plus VAT depending on your company size, and lasts 12 months. Many businesses now need it to bid for public-sector contracts, satisfy enterprise supply chains, or meet cyber insurance requirements.

Here's what it actually involves, and how to decide whether it's worth doing.

What Cyber Essentials covers

Cyber Essentials is built around five technical controls. Get these right and you close the door on the large majority of common, opportunistic cyber attacks:

  1. Firewalls — properly configured boundary firewalls between your network and the internet.
  2. Secure configuration — devices and software set up to reduce vulnerabilities, with default passwords and unnecessary features removed.
  3. Security update management — operating systems and applications kept patched and within support.
  4. User access control — accounts limited to what each person actually needs, with administrator access tightly controlled.
  5. Malware protection — anti-malware or equivalent protection active on devices.

It's deliberately a baseline, not a gold standard. But it's a meaningful one — the NCSC designed it around the threats that hit ordinary businesses every day.

Cyber Essentials vs Cyber Essentials Plus

There are two levels, and the difference is how the controls are verified.

Cyber Essentials is a self-assessment. You complete a questionnaire about your systems, and a certification body reviews and verifies your answers. It demonstrates that you've put the five controls in place.

Cyber Essentials Plus covers the same five controls, but adds a hands-on technical audit. An assessor independently tests a sample of your devices and systems to confirm the controls genuinely work as described. It carries more weight — and it's increasingly what larger contracts and tenders ask for specifically.

A common, sensible path is to achieve Cyber Essentials first, then move to Plus once the controls are bedded in.

What Cyber Essentials costs

For self-assessed Cyber Essentials, the certification fee is tiered by company size — typically between roughly £320 and £600 plus VAT. Most small businesses sit at the lower end of that range.

Cyber Essentials Plus costs more because of the audit. The total — certification fee plus assessor time — usually runs from around £1,400 upwards, varying with your company size, the number of devices and the assessor.

Two things to budget for beyond the fee: the certification lasts 12 months, so it's a recurring cost; and you may need to invest in fixing gaps — patching, MFA, access tidy-ups — before you can certify. That remediation work is often where the real value is.

Does your business actually need it?

For many UK SMEs, the honest answer is now "yes, in practice." You're likely to need Cyber Essentials if:

  • You bid for public-sector work — many government contracts mandate it.
  • You're in an enterprise supply chain — larger customers increasingly require it of their suppliers.
  • Your cyber insurance asks for it, or rewards it with better terms.
  • You simply want a credible, recognised baseline to point clients and your board at.

Even where it isn't formally required, the five controls are exactly what a small business should have in place anyway. Certification just proves it.

How managed IT support makes it easier

Most of the Cyber Essentials controls — patching, secure configuration, access control, malware protection — are things a good managed IT provider is already doing for you day to day. That makes certification far less painful: the gaps are smaller, the evidence already exists, and renewal each year becomes routine rather than a scramble.

Our cybersecurity service covers Cyber Essentials and Cyber Essentials Plus readiness end to end — we assess your environment against the controls, fix the gaps, walk you through the certification, and handle the annual renewal.

Frequently asked questions

How long does Cyber Essentials take to achieve? For a business with reasonably well-managed IT, self-assessed certification can often be completed within a few weeks. The timeline depends mostly on how much remediation is needed first.

Does Cyber Essentials expire? Yes — certification is valid for 12 months and must be renewed annually to remain current.

Is Cyber Essentials enough on its own? It's a strong baseline, not a complete security strategy. It pairs well with layered measures like managed detection and response, security awareness training and tested backups.

Get Cyber Essentials sorted properly

If Cyber Essentials is on your to-do list — or a customer has just asked for it — book a free discovery call. We'll tell you honestly how far off you are and what it'll take to get certified.

This article is general guidance for UK SMEs and not formal compliance advice. Certification requirements and fees are set by IASME and the NCSC and can change — check current details before you budget.
