The five Cyber Essentials controls
Every certified organisation must demonstrate these controls across every in-scope device — including laptops, servers, cloud services and BYOD.
- Firewalls — perimeter and host-based, with default deny inbound
- Secure configuration — hardened builds, no default passwords, unused services disabled
- User access control — least privilege, MFA on admin and cloud accounts
- Malware protection — EDR / AV with automatic updates and quarantine
- Security update management — critical patches within 14 days
Cyber Essentials vs Cyber Essentials Plus
Standard Cyber Essentials is a self-assessment questionnaire verified by an IASME assessor. Cyber Essentials Plus adds a hands-on technical audit — vulnerability scans of a sample of devices, verified patch levels, MFA checks and a simulated malware test. Plus is what most enterprise buyers and MoD supply chains actually want.
Typical UK cost and timeline
Certification body fees start at £320+VAT for micro companies and scale by headcount. Cyber Essentials Plus adds an assessor day rate on top. Most SMEs go from kickoff to a passed Plus audit in four to eight weeks; enterprises with legacy Windows estates or unmanaged BYOD usually need twelve.
Where teams fail the assessment
The most common fail reasons in the last IASME reporting cycle are unpatched browsers on user laptops, missing MFA on cloud admin accounts, local admin rights left on user devices, and firewalls with any-any inbound rules on cloud VPCs.