What is Cyber Essentials certification and how do you get it?
Cyber Essentials certification is a UK government-backed scheme that verifies your business has basic security controls in place — here is what it involves and how to apply.
Here's a scenario that plays out often enough to be a pattern, not a one-off: a business wins a tender with a public sector client, only to be told before contracts are signed that Cyber Essentials certification is a condition of the engagement. They've heard of it but assumed it was something large organisations did. Now they have six weeks to get certified or lose the contract. A process that could have taken a few focused weeks becomes an emergency.
Cyber Essentials certification is increasingly a baseline requirement in UK public sector procurement and supply chains. Understanding what it involves, and getting ahead of it before a client asks, is worth the investment regardless of whether certification is currently required.
What Cyber Essentials certification actually is
Cyber Essentials is a UK government-backed cybersecurity certification scheme, developed by the National Cyber Security Centre and delivered through accredited certification bodies. It verifies that an organisation has a defined set of basic security controls in place covering five technical areas: firewalls, secure configuration, user access control, malware protection, and patch management.
The scheme has two tiers. Standard Cyber Essentials is a self-assessed questionnaire verified by a certification body assessor. Cyber Essentials Plus adds an independent technical verification step where an assessor tests your systems directly rather than relying on self-declaration. Most contract requirements specify standard Cyber Essentials unless they explicitly require Plus.
Who needs it and why
Cyber Essentials is mandatory for UK central government contracts involving the handling of personal information or the provision of certain technical products and services. Beyond that direct requirement, it's increasingly specified by NHS suppliers, local government contractors, and private sector enterprise clients who use it as a baseline screening criterion.
Even without a specific contractual requirement, certification carries three practical benefits: it provides a structured framework for addressing the most common security gaps, it's recognised by UK cyber insurance providers as evidence of baseline hygiene, and it signals to clients that security has been taken seriously rather than assumed to be fine.
The certification process step by step
The process starts with selecting an accredited certification body. IASME, Alcumus, and several others are authorised to deliver Cyber Essentials assessments. Costs vary but typically range from a few hundred pounds for a small business through a standard assessment.
You then complete the self-assessment questionnaire, which asks a specific set of yes/no questions about each of the five control areas. The questions cover whether your devices have firewalls enabled, whether default passwords have been changed, whether MFA is in place on internet-facing services, whether anti-malware is installed and up to date, and whether software is patched within 14 days of release.
The assessor reviews your answers and may ask for clarification or evidence on specific points. If your answers demonstrate the required controls are in place, certification is issued. If there are gaps, most certification bodies allow you to remediate and resubmit within a defined window rather than starting the process again from scratch.
How to prepare before you apply
The most common reasons businesses fail their first Cyber Essentials assessment are fixable in advance: missing MFA on cloud services, end-of-life software still in use, missing security headers on the company website, and weak or missing email authentication records. These are all things an external scan identifies before an assessor does.
Olimpio's CE Readiness checklist combines the automated external findings from a domain scan with the self-assessment questions in a single view, so you can see where the gaps are and fix them before submitting your assessment rather than discovering them during it.
Frequently asked questions
How long does Cyber Essentials certification take to get? For a business that's reasonably well prepared, the assessment itself can be completed in a day or two. The preparation work to close gaps typically takes a few weeks, depending on what needs addressing.
How much does Cyber Essentials certification cost? Standard certification typically costs between £300 and £600 for a small business, varying by certification body and organisation size. Cyber Essentials Plus costs more due to the additional technical assessment involved.
Does Cyber Essentials certification expire? Yes, certification is valid for twelve months and must be renewed annually to remain current.
Can a sole trader or very small business get Cyber Essentials certified? Yes, there's no minimum size requirement. The controls are designed to be achievable by organisations of any size, and many sole traders and micro-businesses hold certification as a requirement for their client work.
Is Cyber Essentials the same as ISO 27001? No, they're different in scope and rigour. Cyber Essentials covers a defined set of basic technical controls. ISO 27001 is a comprehensive information security management standard that covers processes, policies, and risk management at a much greater depth. For most UK SMBs, Cyber Essentials is the appropriate starting point.
Run a free scan of your domain and your CE Readiness checklist will show exactly what needs addressing before you apply for certification: olimpio.io/free-scan