10 June 2026

Cyber Essentials Certification: The Complete Step-by-Step Guide for Small Businesses (2026)


What is Cyber Essentials and how do you get certified?

Cyber Essentials is a UK government-backed certification scheme that protects organisations from the most common cyber threats. To get certified, a business must meet five technical controls — secure configuration, access control, malware protection, network firewalls, and patch management — then pass a self-assessment questionnaire verified by an accredited certifying body. Certification typically takes two to six weeks. Cyber Essentials Plus involves independent hands-on testing and costs more but provides stronger assurance. Government contracts handling sensitive data now require the certification, and many insurers offer reduced premiums to certified businesses.

A local accountancy firm received an email that appeared to come from one of its long-standing clients. The message asked for an urgent bank transfer. The firm complied. Within 48 hours, £18,000 had gone — and the client had never sent that email.

This is not an extreme example. Across the UK, small and medium-sized businesses lose millions every year to phishing, ransomware, and credential theft. The most alarming fact? The majority of these attacks exploit simple, preventable weaknesses.

Cyber Essentials certification exists precisely to close those gaps. Developed by the National Cyber Security Centre (NCSC) and backed by the UK government, it gives businesses a structured, affordable way to demonstrate that their digital foundations are secure.

This guide walks you through everything you need to know — what the five controls are, how the certification process works, how much it costs, and how to pass the first time. Whether your business operates in professional services, construction, retail, or any other sector, the steps are the same.

What is Cyber Essentials — and why does it matter for your business?

Cyber Essentials is a government-endorsed certification scheme that sets out a baseline of cybersecurity hygiene. It launched in 2014 and is managed by the NCSC. When a business achieves certification, it demonstrates that it has implemented five specific technical controls designed to defend against the most prevalent forms of cyber attack.

For many small businesses, the immediate trigger for pursuing certification is a procurement requirement. Since 2014, all UK central government contracts involving the handling of personal data or sensitive information have required Cyber Essentials. That requirement has increasingly filtered down to supply chains, meaning suppliers to larger organisations — councils, NHS trusts, defence contractors, large retailers — face the same expectation.

Beyond procurement, certification delivers tangible business benefits:

  • Insurance advantages. Several major insurers now offer reduced premiums or enhanced cyber cover to certified businesses.
  • Customer trust. Displaying the Cyber Essentials badge signals to clients that their data is handled responsibly.
  • Risk reduction. The NCSC estimates that meeting the five controls protects against approximately 80% of the most common cyber attack types.

What does Cyber Essentials actually protect against?

The scheme focuses on the most prevalent threats facing small organisations:

  • Phishing attacks — fraudulent emails designed to steal credentials or deliver malware
  • Ransomware — malicious software that encrypts files and demands payment
  • Malware infections — viruses and spyware delivered via websites, email attachments, or removable media
  • Password attacks — brute-force attempts to access accounts using stolen or guessed credentials
  • Exploitation of unpatched software — attacks targeting known security vulnerabilities in outdated software

It is important to understand what Cyber Essentials does not cover. It does not prevent sophisticated, targeted attacks from nation-state actors or advanced persistent threats. For businesses handling highly sensitive data or operating in critical national infrastructure, additional frameworks such as ISO 27001 may be appropriate.

Is Cyber Essentials a legal requirement?

Cyber Essentials is not a legal requirement for most businesses in the general sense. However, it is effectively mandatory if you supply goods or services to UK central government under contracts involving personal data or sensitive information. Many large private-sector organisations are now applying similar requirements to their suppliers. Businesses in sectors regulated by the Financial Conduct Authority (FCA) or operating under contracts with NHS bodies are frequently required to demonstrate compliance.

Even without a contractual obligation, certification represents sound due diligence. Given that cyber incidents can trigger obligations under the UK General Data Protection Regulation (UK GDPR) — including mandatory reporting to the Information Commissioner’s Office (ICO) within 72 hours of a data breach — maintaining robust cybersecurity controls is not optional for any responsible business.

What are the five Cyber Essentials controls?

The entire scheme builds around five technical controls. Each one addresses a specific category of vulnerability. Understanding them in detail helps you prepare efficiently and avoid the most common failure points.

1. Firewalls — Is your network boundary protected?

A firewall acts as a barrier between your internal network and the outside world. Cyber Essentials requires that a properly configured firewall protects every device connecting to the internet — either a boundary firewall covering the whole network, or a software firewall on each individual device (or both).

The key requirements include:

  • You must change the default administrator password on all routers and firewalls.
  • Only necessary network services and ports should remain open and accessible from the internet.
  • The firewall must block all unsolicited incoming connections.

Many small businesses use consumer-grade routers their broadband provider supplied. These often carry weak default configurations and may not meet the requirements without adjustment. A qualified IT provider can audit and reconfigure these settings during the preparation phase.

2. Secure configuration — Are your devices set up safely?

Every device your business uses — desktop computers, laptops, smartphones, and tablets — needs configuration that minimises its attack surface. Manufacturers design the default settings on most devices and software applications for ease of use, not security.

Secure configuration requirements include:

  • Remove or disable software, services, and user accounts you no longer need.
  • Change default passwords on all devices and applications.
  • Disable auto-run features that allow software to execute automatically from removable media.
  • Ensure that only approved software can be installed (where technically feasible).

The underlying principle is simple: every unnecessary feature you leave enabled is a potential entry point for an attacker.

3. User access control — Who really needs admin rights?

Cyber Essentials requires that you set up user accounts on the principle of least privilege — meaning each user gets access only to what they need to do their job, and no more. You must strictly limit administrator accounts, which carry elevated privileges, and use them only for system management tasks.

The specific requirements include:

  • Use standard user accounts for all day-to-day work, including browsing the internet and accessing email.
  • Never use administrator accounts for routine tasks such as reading email or browsing.
  • Document a clear process for creating, modifying, and disabling user accounts.
  • Enable multi-factor authentication (MFA) on all accounts that can access sensitive data — a requirement the April 2023 Cyber Essentials update strengthened.

MFA is one of the most common reasons small businesses fail their assessment. Implementing it across Microsoft 365, Google Workspace, or cloud-based accounting and CRM platforms is now a prerequisite, not an optional extra.

4. Malware protection — Are you defended against malicious software?

Malware — software that attackers design to disrupt, damage, or gain unauthorised access to systems — remains one of the most persistent threats to small businesses. Cyber Essentials requires that you protect devices against malware in one of two ways:

  • Anti-malware software that actively updates and performs real-time scanning. This remains the most common approach for Windows devices.
  • Application allow-listing (also known as whitelisting), which prevents any software from running unless you explicitly approve it. This approach is more robust but demands more management overhead.

On mobile devices, you can typically meet the requirement by ensuring that staff only install applications from official app stores (such as the Apple App Store or Google Play Store) and that developer mode stays disabled.

5. Patch management — Are your systems up to date?

New vulnerabilities in software are discovered constantly. When vendors release security patches, attackers study those updates to understand the vulnerability they fix — and then target organisations that have not yet applied the patch. The window between a patch release and active exploitation is often just days.

Cyber Essentials requires that:

  • You keep operating systems, applications, and firmware up to date with security patches.
  • You apply patches rated “critical” or “high” within 14 days of release.
  • You remove or isolate from internet-facing systems any software the vendor no longer supports — and therefore no longer patches.

The 14-day patching window is specific and demanding. Businesses without automated patch management in place will likely struggle to meet this requirement consistently.

Cyber Essentials vs Cyber Essentials Plus — which one do you need?

There are two tiers of certification.

Cyber Essentials is the foundational level. You complete a self-assessment questionnaire (SAQ) describing how your organisation meets the five controls. An accredited certifying body reviews the questionnaire and verifies it. If your answers demonstrate compliance, certification is awarded. The assessment is based on your own declarations.

Cyber Essentials Plus builds on the foundational level. After passing the initial SAQ, a qualified assessor visits — or connects remotely to — your systems to verify that the controls are actually in place and working as described. This involves vulnerability scanning, configuration checks, and simulated phishing tests. It provides a much higher level of assurance, because it replaces self-declaration with independent technical verification.

Which level is right for your business?

Consideration                                        Cyber Essentials     Cyber Essentials Plus
Government contracts (personal data)                 Required             Sometimes required
Defence sector contracts                             Sometimes required   Often required
Higher-value supply chains                           Usually sufficient   Increasingly preferred
Businesses handling sensitive financial/health data  Consider             Recommended
Time to achieve                                      2–6 weeks            6–12 weeks
Credibility with larger clients                      Good                 Excellent

For most small businesses with fewer than 50 employees, Cyber Essentials at the foundational level is both sufficient and appropriate. Cyber Essentials Plus is worth considering if you supply to the Ministry of Defence, larger NHS trusts, or enterprise clients who specify it in their tender requirements.

How long does Cyber Essentials take?

The timeline depends primarily on how prepared your current systems are and how quickly you can implement any required changes.

  • Well-prepared businesses (modern hardware, up-to-date software, MFA already in place) can complete the process in two to four weeks.
  • Businesses requiring remediation — particularly around MFA implementation, firewall reconfiguration, or software patching — should allow four to eight weeks.
  • Businesses working toward Cyber Essentials Plus should add a further two to six weeks for the technical assessment phase.

The most common cause of delay is discovering that existing systems do not meet the MFA or patch management requirements, then needing time to implement changes across all devices and user accounts before the assessment can proceed.

How do you apply for Cyber Essentials — step by step?

Step 1 — Choose an accredited certifying body

All Cyber Essentials assessments must be conducted by a certifying body accredited by the IASME Consortium. The IASME website maintains a searchable directory of accredited bodies. When choosing, consider:

  • Whether the body has experience working with businesses in your sector.
  • Whether a local certifying body or IT partner can support you through the process face to face.
  • The level of support offered alongside the assessment (some certifying bodies provide guidance on gap remediation; others do not).

Several IT companies operating in the West Midlands and across the Marches region are accredited to conduct or assist with Cyber Essentials assessments. Working with a local provider has the practical advantage of on-site support if your systems require hands-on remediation.

Step 2 — Complete the self-assessment questionnaire

You complete the SAQ in the IASME online portal. It asks detailed questions about how your organisation meets each of the five controls — covering your specific devices, operating systems, user account management, firewall configuration, and patch management processes.

Practical tips for completing the SAQ:

  • Compile a device inventory before you start — you will need to account for every device in scope.
  • Clarify your scope with your certifying body. Devices that are genuinely isolated from your main network (such as manufacturing equipment on a separate air-gapped network) may be excluded.
  • Be precise rather than aspirational. Answer what you currently do, not what you intend to do. Incorrect answers can lead to certification revocation if discovered later.

Step 3 — Submit and await verification

Once the SAQ is submitted, your certifying body reviews your answers. This review typically takes two to five business days. The reviewer may request clarification on specific points before making a decision.

Step 4 — Remediate any gaps

If your assessment reveals areas where your current setup does not meet the requirements, you will need to remediate those gaps before certification can be awarded. Common areas requiring remediation include:

  • Enabling MFA on cloud services and email accounts.
  • Applying outstanding software patches.
  • Reconfiguring firewall rules to block unnecessary inbound connections.
  • Removing or disabling unsupported software.

Your IT provider can implement most of these changes quickly. MFA rollout is usually the most time-consuming element, particularly in organisations where staff have not previously used it.

Step 5 — Receive your certificate

Once your certifying body confirms that your SAQ demonstrates compliance, your Cyber Essentials certificate is issued. The certificate is valid for 12 months, after which you must recertify. The NCSC badge can then be displayed on your website, marketing materials, and tender documentation.

Mark a recertification date in your calendar when you receive the certificate. Lapsed certification can disqualify you from contracts at the point of renewal, which is an entirely avoidable problem.

What are the most common reasons businesses fail Cyber Essentials?

Based on patterns observed across our experience working with Shropshire small businesses, the most frequent failure points are:

1. Multi-factor authentication not fully deployed. MFA must be in place on all accounts that can access sensitive or personal data from outside the office network. Many businesses have MFA enabled on email but not on their cloud storage, accounting software, or CRM.

2. Unsupported software still in use. Windows 10 reached end of support in October 2025. Any device running Windows 10 without an active Extended Security Update agreement is now considered unsupported. Legacy versions of Office, Adobe products, or bespoke line-of-business applications that no longer receive patches also trigger a failure.

3. Default credentials not changed. Routers, network switches, printers, and IoT devices often ship with default admin usernames and passwords. These are publicly known and must be changed before an assessment.

4. Scope confusion. Businesses sometimes omit devices from their assessment scope — tablets used by field staff, personal devices that access company email, cloud services used for business purposes — then discover these devices are in scope and do not meet requirements.

5. Patch management gaps. Critical patches not applied within the 14-day window are a direct failure point. Automated patch management tools — available in most modern endpoint management platforms — resolve this reliably.
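The five controls and the failure points above can be turned into a pre-assessment gap check. The script below is an added illustration, not code from the article, from IASME or from any certifying body; the device inventory and cloud accounts are constructed, and the checks encode the thresholds the article quotes (critical/high patches within 14 days, no unsupported OS without ESU, default credentials changed, unsolicited inbound traffic blocked, no admin account for daily work, MFA on every cloud account, no in-use device left out of scope).

```python
"""Pre-assessment gap check against the five Cyber Essentials controls.
Added illustration with a constructed inventory; thresholds follow the
article (14-day patch window, Windows 10 unsupported from October 2025)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 14  # critical/high patches must be applied within 14 days

@dataclass
class Device:
    name: str
    support_ends: Optional[date] = None             # OS vendor support end; None = supported
    esu_covered: bool = False                       # Extended Security Update agreement in place
    oldest_pending_critical: Optional[date] = None  # release date of oldest unapplied critical/high patch
    defaults_changed: bool = True                   # vendor admin credentials replaced
    inbound_blocked: bool = True                    # firewall drops unsolicited inbound connections
    anti_malware_active: bool = True                # updating, real-time anti-malware running
    admin_daily_use: bool = False                   # staff work day-to-day from an admin account
    in_scope: bool = True
    touches_company_data: bool = True

@dataclass
class CloudAccount:
    service: str
    user: str
    mfa_enabled: bool

Finding = Tuple[str, str, str]  # (control, asset, description)

def gap_analysis(devices: List[Device], accounts: List[CloudAccount], today: date) -> List[Finding]:
    """Return every control gap found; an empty list means nothing blocks the SAQ."""
    findings: List[Finding] = []
    for d in devices:
        if d.touches_company_data and not d.in_scope:
            findings.append(("scope", d.name, "accesses company data but is excluded from scope"))
        if d.support_ends and d.support_ends < today and not d.esu_covered:
            findings.append(("patch management", d.name, "operating system unsupported and no ESU"))
        if d.oldest_pending_critical and (today - d.oldest_pending_critical).days > PATCH_WINDOW_DAYS:
            findings.append(("patch management", d.name, "critical/high patch outstanding beyond 14 days"))
        if not d.defaults_changed:
            findings.append(("secure configuration", d.name, "default admin credentials still in use"))
        if not d.inbound_blocked:
            findings.append(("firewalls", d.name, "unsolicited inbound connections not blocked"))
        if not d.anti_malware_active:
            findings.append(("malware protection", d.name, "no active, updating anti-malware"))
        if d.admin_daily_use:
            findings.append(("user access control", d.name, "administrator account used for daily work"))
    for a in accounts:
        if not a.mfa_enabled:
            findings.append(("user access control", f"{a.service}/{a.user}", "MFA not enabled"))
    return findings

def run_sample() -> List[Finding]:
    """Constructed small-office inventory, assessed on the article's date (10 June 2026)."""
    devices = [
        # Windows 10 PC: support ended 14 October 2025, a 21-day-old patch outstanding, no AV
        Device("reception-pc", support_ends=date(2025, 10, 14),
               oldest_pending_critical=date(2026, 5, 20), anti_malware_active=False),
        Device("office-router", defaults_changed=False, inbound_blocked=False),
        Device("field-tablet", in_scope=False),                      # used for work but omitted
        Device("md-laptop", oldest_pending_critical=date(2026, 6, 3), admin_daily_use=True),
    ]
    accounts = [CloudAccount("Microsoft 365", "alice", True),
                CloudAccount("cloud accounting", "alice", False)]
    return gap_analysis(devices, accounts, date(2026, 6, 10))

if __name__ == "__main__":
    for control, asset, text in run_sample():
        print(f"[{control}] {asset}: {text}")
```

The laptop's 7-day-old patch produces no finding, while the reception PC's 21-day-old one does, which is the 14-day boundary the assessor will ask about.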

How can a local IT provider help you prepare?

Many small and medium-sized businesses across Shropshire find that working with a local IT support partner like Shropshire Computers is the most efficient path to certification. An experienced provider can:

  • Conduct a pre-assessment gap analysis to identify exactly what needs to change before the formal assessment begins.
  • Implement technical changes (firewall reconfiguration, MFA rollout, patch management automation) on your behalf.
  • Help you complete the SAQ accurately, avoiding the ambiguity that leads to clarification requests and delays.
  • In some cases, act as your accredited certifying body, delivering the assessment and the preparation support in a single engagement.

The benefit of local expertise goes beyond technical knowledge. A provider familiar with your sector, your business model, and the specific regulatory environment you operate in can advise on scope, prioritise remediation effort effectively, and help you build the processes needed to maintain compliance through recertification.

Cyber Essentials certification is one of the most cost-effective risk management investments available to a small business. It closes the vulnerabilities exploited in the vast majority of cyber attacks, satisfies an increasingly common procurement requirement, and demonstrates to clients and partners that you take data security seriously.

The process is straightforward when approached methodically: understand the five controls, identify your gaps, remediate them, and complete the self-assessment with the support of an accredited certifying body. Most businesses achieve certification within four to six weeks of starting the process.

If you are looking to get certified, contact Shropshire Computers to arrange a pre-assessment gap analysis. The sooner you begin, the sooner you can display that badge — and the sooner your business is protected.

Frequently Asked Questions

Q: What is Cyber Essentials certification?

Cyber Essentials is a UK government-backed certification scheme managed by the NCSC and IASME Consortium. It confirms that a business has implemented five foundational cybersecurity controls: firewalls, secure configuration, access control, malware protection, and patch management.

Q: How long does Cyber Essentials take to complete?

Most businesses complete the process in two to six weeks. The timeline depends on how much remediation is needed before the assessment — particularly around multi-factor authentication and software patching.

Q: Is Cyber Essentials mandatory?

It is mandatory for UK central government contracts that involve handling personal data or sensitive information. Many private-sector organisations, particularly in healthcare, finance, and defence supply chains, also require it from their suppliers.

Q: What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials involves a self-assessment questionnaire reviewed by a certifying body. Cyber Essentials Plus involves independent technical testing of your actual systems by a qualified assessor, providing stronger assurance. The Plus level costs more and takes longer to achieve.

Q: Do I need Cyber Essentials to bid for government contracts?

Yes, if the contract involves handling personal data or sensitive government information. This requirement has applied to UK central government contracts since 2014 and is increasingly common in broader public sector procurement.

Q: What happens if I fail the Cyber Essentials assessment?

Certification is not awarded, but you receive feedback on the areas where your systems do not meet the requirements. You can remediate those issues and resubmit. There is no limit on resubmissions, though additional fees may apply depending on your certifying body.

Q: How long is Cyber Essentials certification valid?

Certification is valid for 12 months. You must recertify annually to maintain your certified status and continue displaying the NCSC badge.

Q: Can cloud services be included in the Cyber Essentials scope?

Yes. Cloud services that your organisation uses for business purposes — including Microsoft 365, Google Workspace, cloud accounting platforms, and CRM systems — fall within scope for the controls around access management, MFA, and patch management.

Q: Do I need an IT company to help me get Cyber Essentials?

No, technically a business can complete the self-assessment independently. However, most small businesses benefit from IT support for gap analysis, technical remediation, and SAQ completion. A local IT provider familiar with Cyber Essentials can significantly reduce the risk of failure and the time to certification.
