How much does Cyber Essentials certification cost?

Cyber Essentials certification costs from £300 for small organisations (up to 9 employees). Cyber Essentials Plus, which includes a technical audit, costs significantly more — typically £1,500–£5,000+ depending on organisation size and complexity.

How long does Cyber Essentials certification take?

For organisations that are already broadly compliant, the self-assessment questionnaire can be completed in a few days. If remediation work is needed, the full process typically takes 4–8 weeks. Cyber Essentials Plus takes longer, usually 6–12 weeks in total.

Is Cyber Essentials mandatory for UK businesses?

Cyber Essentials is mandatory for organisations bidding for UK government contracts involving the handling of sensitive information or personal data. It is strongly recommended for all UK businesses as a baseline security standard.

Cyber Essentials Certification: A Practical Guide for UK Businesses

If you've received a supplier questionnaire recently, been asked to bid for a government contract, or had a client ask about your cyber security posture, there's a good chance you've encountered the words "Cyber Essentials" — and wondered what you actually need to do about them.

Cyber Essentials is a UK government-backed certification scheme, developed by the National Cyber Security Centre (NCSC), that helps businesses of all sizes protect themselves against the most common cyber threats. It's not as complex or costly as many businesses assume. But it does require genuine technical controls to be in place — and this guide explains exactly what those are, how the process works, and how to approach it without wasting time or money.

80% Of cyber attacks prevented by basic controls covered in Cyber Essentials

£1,100 Average cost of a cyber incident for a small UK business

39% Of UK businesses reported a cyber attack or breach in 2025

What is Cyber Essentials?

Cyber Essentials is a certification framework developed by the UK government, administered through accredited certification bodies and overseen by the National Cyber Security Centre (NCSC). It was launched in 2014 and has become the baseline standard for UK business cyber security.

The scheme exists because the majority of successful cyber attacks exploit a relatively small number of well-understood vulnerabilities — misconfigured systems, unpatched software, weak passwords, and inadequate access controls. Cyber Essentials doesn't try to address every possible threat. It focuses on the foundational controls that, when properly implemented, eliminate or significantly reduce the risk of the most common attack types.

"Cyber Essentials isn't about achieving perfect security. It's about closing the doors that attackers walk through most often."

Two levels of certification

Cyber Essentials

From £300 + assessment fee

Self-assessment questionnaire completed online
Answers verified and reviewed by a certification body
Suitable for organisations of any size
Certificate valid for 12 months
Meets basic government contract requirements
Includes 12 months of free cyber liability insurance (for eligible SMEs)

Cyber Essentials Plus

From £1,500–£5,000+ (size dependent)

Includes everything in Cyber Essentials
Plus independent technical verification by assessors
Assessors test your systems hands-on
Higher assurance level for clients and partners
Required for some higher-value government contracts
Demonstrates security to a higher standard of evidence

For most UK SMEs pursuing Cyber Essentials for the first time, starting with the standard self-assessment certification makes sense. Cyber Essentials Plus is typically pursued once the standard level is achieved and where clients or procurement processes specifically require it.

The five technical controls

Cyber Essentials is built around five core technical control categories. Your organisation must demonstrate compliance with all five. Here's what each one actually means in practice:

Control 01

Firewalls

A properly configured boundary firewall must protect all devices connected to the internet. Cloud-based services must be assessed to confirm firewall protections are in place at the network perimeter.

Control 02

Secure Configuration

All devices and software must be configured securely before use — unnecessary features disabled, default passwords changed, and only software that is needed for the role installed and active.

Control 03

Access Control

User accounts must be managed carefully. Standard users should not have administrator-level privileges. Multi-factor authentication (MFA) is required for cloud services, administrative accounts and remote access.

Control 04

Malware Protection

Appropriate anti-malware software must be running and up to date on all devices. For modern Windows environments, Microsoft Defender is explicitly recognised as meeting this requirement when properly configured.

Control 05

Patch Management (Software & Security Updates)

All software in use — operating systems, applications, firmware — must be kept up to date with the latest security patches. Software that is end-of-life (no longer receiving patches) must be removed from scope or isolated. High-risk patches must be applied within 14 days of release.

How the certification process works

The process for Cyber Essentials (self-assessment level) is more straightforward than many businesses expect. Here's how it unfolds step by step:

Pre-assessment gap review

Before you formally begin, review your current IT environment against the five control requirements. This gap analysis tells you what's already in place and what needs to change before you submit. Most businesses find a handful of gaps — typically around MFA, patch management processes or device configuration.

Remediation

Address the gaps identified. Common remediation tasks include enabling MFA on Microsoft 365 or Google Workspace, removing end-of-life software, updating device configurations, reviewing firewall rules, and documenting patch processes. This stage takes most of the calendar time — typically 2–6 weeks depending on how much needs to change.

Register and complete the self-assessment questionnaire

Register with a CREST or IASME-accredited certification body. Complete the online questionnaire, which asks you to confirm and evidence your compliance with the five control areas. A typical questionnaire takes 2–4 hours to complete if you're well-prepared.

Assessor review

Your certification body reviews your submission. They may come back with clarifying questions. If your answers are satisfactory, they issue your Cyber Essentials certificate.

Certificate issued and published

Your certificate is valid for 12 months. You'll appear on the NCSC's public register of Cyber Essentials-certified organisations, which clients and partners can verify. Set a reminder to renew before it lapses — maintaining an unbroken certification record is valued by many clients.

Why bother? The real business benefits

Many businesses approach Cyber Essentials as a compliance checkbox — something they need to get done to win a contract or satisfy a client. That's a valid reason to certify. But the benefits go beyond the certificate itself.

Win more business. Cyber Essentials is increasingly requested by procurement teams across both public and private sector clients. Having it in place removes a common barrier to winning contracts.
Reduce real risk. The five controls genuinely reduce your attack surface. The vast majority of successful cyber attacks exploit the exact vulnerabilities these controls address.
Free cyber liability insurance. Eligible SMEs (UK turnover under £20m) receive 12 months of free basic cyber liability insurance as part of the IASME-administered Cyber Essentials scheme — which alone can cover the cost of certification several times over.
Staff and stakeholder confidence. Certification demonstrates to your team, your board and your clients that cyber security is taken seriously. That has genuine reputational and commercial value.
A platform for growth. Once certified, your organisation has a documented security baseline to build from. It's much easier to implement additional security improvements when you have a clear record of what's in place.

Common questions answered

Is Cyber Essentials mandatory?

Cyber Essentials is mandatory for UK government contracts that involve handling personal data or sensitive government information. For all other businesses, it's not a legal requirement — but it is strongly recommended and increasingly expected by clients across many sectors.

What if we use cloud services — does that change what's in scope?

Yes. Cloud services are in scope for Cyber Essentials. If you use Microsoft 365, Google Workspace, or other SaaS tools, you need to confirm that they are configured securely (particularly around MFA and access controls) and that your organisation is using them in a compliant way. The good news is that major cloud platforms like Microsoft 365 make it straightforward to meet these requirements when properly configured.

Do we need to include all our devices?

Yes, in principle — all devices that can access your business systems or internet resources are in scope. However, you can define a specific assessment scope that excludes certain segments (such as operational technology or manufacturing systems) if they are properly separated from your business network.

What happens if we fail the assessment?

You won't "fail" in the way an exam works. If your submission has gaps, the certification body will identify them and you'll need to remediate before resubmitting. Working with an IT partner who knows the requirements makes this much smoother — we help businesses address issues before submission, not after.

How often do we need to renew?

Cyber Essentials certificates are valid for 12 months. Annual renewal is required. The renewal process is the same as the initial certification — though it's typically faster for organisations that have maintained their controls throughout the year.

How Techfident supports your Cyber Essentials journey

We've helped businesses across a range of sectors achieve Cyber Essentials certification — from professional services firms to manufacturers, charities and legal practices. Our approach is practical and direct: we assess where you are now, identify exactly what needs to change, fix it for you where that's appropriate, and support you through the questionnaire process.

We don't make Cyber Essentials more complicated than it needs to be. For most SMEs with a relatively modern IT environment, it's achievable within 4–8 weeks and at a cost that's proportionate to the benefits. If you're starting from a position where significant remediation is needed, we'll tell you that upfront — with a clear plan and timeline.

We can also support ongoing compliance: monitoring patch status, managing access controls, reviewing firewall configurations and helping you prepare for annual renewal — so maintaining your certification doesn't become a distraction from running your business.

Cyber Security

Ready to start your Cyber Essentials journey?

Get a free gap assessment against the five Cyber Essentials controls. We'll tell you exactly where you stand, what needs to change, and how long it will take — with no obligation.

Get your free gap assessment View all services

Akbar Ali

Founder & Principal, Techfident Limited

Akbar has nearly two decades of experience in B2B IT and infrastructure. He founded Techfident to give UK businesses access to genuinely expert, vendor-neutral technology advice — without the jargon or the mark-up. When you work with Techfident, you work with Akbar directly.