Guide

Cyber Essentials certification in the UK: the practical guide

Cyber Essentials is the UK government-backed baseline that most public sector contracts and enterprise procurement teams now expect. This guide walks through scope, the five technical controls, how to prep for Cyber Essentials Plus, and where teams usually fail the assessment.

The five Cyber Essentials controls

Every certified organisation must demonstrate these controls across every in-scope device — including laptops, servers, cloud services and BYOD.

  • Firewalls — perimeter and host-based, with default deny inbound
  • Secure configuration — hardened builds, no default passwords, unused services disabled
  • User access control — least privilege, MFA on admin and cloud accounts
  • Malware protection — EDR / AV with automatic updates and quarantine
  • Security update management — critical patches within 14 days

Cyber Essentials vs Cyber Essentials Plus

Standard Cyber Essentials is a self-assessment questionnaire verified by an IASME assessor. Cyber Essentials Plus adds a hands-on technical audit — vulnerability scans of a sample of devices, verified patch levels, MFA checks and a simulated malware test. Plus is what most enterprise buyers and MoD supply chains actually want.

Typical UK cost and timeline

Certification body fees start at £320+VAT for micro companies and scale by headcount. Cyber Essentials Plus adds an assessor day rate on top. Most SMEs go from kickoff to a passed Plus audit in four to eight weeks; enterprises with legacy Windows estates or unmanaged BYOD usually need twelve.

Where teams fail the assessment

The most common fail reasons in the last IASME reporting cycle are unpatched browsers on user laptops, missing MFA on cloud admin accounts, local admin rights left on user devices, and firewalls with any-any inbound rules on cloud VPCs.

Frequently asked questions

Is Cyber Essentials mandatory in the UK?
It is mandatory for suppliers bidding on most central government contracts that handle personal or sensitive information, and increasingly required by NHS trusts, universities and MoD supply chains. It's optional but strongly recommended for private-sector procurement.
How long does Cyber Essentials Plus take?
Once your environment is in scope and evidence is prepared, the audit itself is typically 1-2 assessor days. Prep work is where the time goes — plan four to eight weeks for a first-time Plus certification.
Does Cyber Essentials cover cloud services like Microsoft 365?
Yes. Cloud services are in scope wherever your company data is stored or accessed. MFA on all cloud admin and user accounts is mandatory, not optional.

Get a Cyber Essentials gap assessment

Talk to the GoaTech team. We'll map your current position and show what a tailored UK-focused programme looks like.

Get started