What Is Cyber Essentials? A Plain-English Guide for UK Small Businesses

Cyber Essentials is a UK government-backed cybersecurity certification that helps small businesses protect themselves from the most common online threats — here is everything you need to know about what it covers, who needs it, and how to prepare.

What is Cyber Essentials?

Cyber Essentials is a cybersecurity certification scheme backed by the UK government. It is owned by the National Cyber Security Centre (NCSC) and delivered on its behalf by IASME, which licenses the certification bodies that assess applicants. It was introduced in 2014 to help UK organisations — from sole traders to large companies — protect themselves against the most common and preventable cyber attacks.

The core idea is straightforward: most successful cyber attacks exploit basic, well-known weaknesses. Cyber Essentials defines five technical controls that, if properly implemented, protect against the vast majority of them.

Getting certified means a licensed certification body has reviewed your self-assessment and, for Cyber Essentials Plus, tested your systems. It tells customers, partners, and suppliers that your business takes security seriously — and it is increasingly required for businesses that want to work with the UK government or handle sensitive data.

Who needs Cyber Essentials?

Cyber Essentials is relevant to any UK business that:

  • Has a website, email address, or any internet-connected systems
  • Handles personal data belonging to customers or employees
  • Wants to bid for UK central government contracts (required for many since October 2014)
  • Works with clients in regulated industries like finance, legal, or healthcare
  • Processes payments online or stores customer information

In practice, that covers almost every small business operating in the UK today. You do not need to be a technology company — a florist with an online shop, an accountant with a client portal, or a 10-person agency all have the same basic exposure.

The five Cyber Essentials controls

Cyber Essentials covers five areas. Here is what each one means in plain English.

CE1 — Firewalls

Your internet-connected devices and networks should have a firewall in place that blocks unauthorised incoming connections. This includes your office router, any cloud servers you run, and the devices your staff use.

What assessors check: whether unnecessary ports and services are exposed to the internet, and whether your firewall rules are configured to deny by default.

CE2 — Secure configuration

Devices and software should be set up securely from the start. This means changing default passwords, disabling features and services you do not use, and removing software that is no longer needed.

What assessors check: whether devices have been hardened from their factory defaults, and whether unnecessary applications or services are running.

CE3 — Access control

Only the people who need access to your systems should have it — and they should only have the level of access they actually need. Everyone gets their own account; administrator accounts are kept separate from day-to-day accounts and used only for administrative tasks.

What assessors check: whether there is a process for creating and removing accounts (leavers get disabled promptly), whether admin privileges are restricted to the people who need them, whether multi-factor authentication is switched on for the cloud services you use, whether passwords meet the scheme's minimum length requirements, and whether there are controls around remote access.

CE4 — Malware protection

Your systems should have protection against malicious software. This means either anti-malware software on every in-scope device, kept up to date and set to scan files on access and block known-bad websites, or an application allow list so that only approved software can run.

What assessors check: whether endpoint protection is active and current on every device in scope, and whether users are prevented from installing software from untrusted sources.

CE5 — Patch management

Software vulnerabilities are discovered constantly. Keeping your operating systems, applications, and firmware up to date closes the gaps that attackers exploit.

What assessors check: whether updates that fix vulnerabilities rated critical or high (CVSS 7.0 and above) are applied within 14 days of release, whether automatic updates are turned on where the software supports them, whether everything in scope is licensed and still supported by its vendor, and whether software that no longer receives patches has been removed.


Cyber Essentials vs Cyber Essentials Plus

There are two levels of certification.

Cyber Essentials is a self-assessment. You complete an online questionnaire, a senior person in the business signs a declaration that the answers are true, and an assessor at a licensed certification body reviews them. If you pass, you receive the certificate. The fee is tiered by organisation size and is typically £300–£500 plus VAT.

Cyber Essentials Plus includes everything above, plus a hands-on technical audit in which the assessor tests a sample of your devices and your internet-facing systems: an external vulnerability scan, checks that patching and malware protection actually work on the sampled machines, and a check that multi-factor authentication is in place on cloud services. You need a current Cyber Essentials certificate first, and the Plus audit must be completed within three months of it. It is more thorough and carries more weight, but costs significantly more — typically £1,500–£3,000 for a small business.

For most small businesses, the basic Cyber Essentials certification is the right starting point. Cyber Essentials Plus is worth pursuing if you are working towards contracts that specifically require it, or if you want a higher level of assurance.

How long does Cyber Essentials last?

Certification lasts for 12 months. You need to renew annually to stay certified. The NCSC recommends treating it as an ongoing process rather than a one-time exercise — your technology changes, new vulnerabilities are discovered, and your security posture needs to keep up.

What does Cyber Essentials not cover?

It is worth being clear about what Cyber Essentials is not. It does not cover:

  • Physical security — protecting devices from theft or physical tampering
  • People and processes — staff training, phishing awareness, incident response procedures
  • Application security — the security of bespoke software or web applications you have built
  • Cloud configuration — the cloud services you use (Microsoft 365, Google Workspace, SaaS tools) are in scope and the scheme requires multi-factor authentication on them, but it does not assess the detailed security settings inside those platforms

Cyber Essentials is a technical baseline, not a comprehensive security programme. Passing it does not mean you are immune to attack. It means you have closed the most common doors.

How to check your current Cyber Essentials readiness

Before paying for an assessment, it is worth understanding where you currently stand against each of the five controls. The most common gaps we see on UK small business domains are:

  • Unnecessary open ports — services exposed to the internet that should not be, such as remote desktop, database or admin interfaces with no business reason to be reachable (CE1)
  • Missing or misconfigured DMARC records — leaving your email domain open to spoofing (not one of the five controls, but a cheap fix that stops attackers sending mail as your domain)
  • Expired or expiring SSL/TLS certificates — a sign the web server is not being looked after (CE2 covers secure configuration of in-scope servers, though the questionnaire does not ask about certificates specifically)
  • Missing HTTP security headers — easily fixed but frequently overlooked (same caveat: good hardening practice rather than a CE2 question)
  • Leaked API keys in GitHub repositories — an unauthorised-access route that Cyber Essentials does not assess (its access control requirements concern user accounts and admin privileges), but one worth closing before anything else

An external vulnerability scan will surface most of these automatically. Bear in mind what it cannot see: the five controls are mostly about your devices, accounts and patching, which only the questionnaire (or a Plus audit) covers. Run a free scan on your domain to see how your internet-facing infrastructure looks before you start your formal assessment.
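As an added example, not part of the original post and not the Olimpio scanner's own code, here are the checks behind the list above, run over constructed sample data standing in for one scan result. The allowed-port set, the required-header list and the 14-day certificate warning window are assumptions for a plain web shop; replace the sample inputs with real output from dig, nmap, openssl s_client and curl -I to check a live domain.

```python
"""Readiness checks for the gaps listed above, over constructed inputs.

Every input is embedded so this runs offline; the sample values at the
bottom are made up and stand in for a scan of a fictional shop domain.
"""
from datetime import datetime, timedelta, timezone

# CE1 (firewalls): ports with a business reason to be reachable from the
# internet. Assumption: a web shop with no self-hosted mail server.
ALLOWED_PUBLIC_PORTS = {80, 443}


def check_open_ports(open_ports, allowed=ALLOWED_PUBLIC_PORTS):
    """Return the exposed ports that have no justification (the CE1 finding)."""
    return sorted(p for p in open_ports if p not in allowed)


# DMARC: not one of the five controls, but an email-spoofing gap a scan sees.
def parse_dmarc(txt_record):
    """Split a _dmarc TXT record into tag=value pairs; {} if it is not DMARC."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def dmarc_status(txt_record):
    """'missing' if no DMARC record, 'monitor-only' for p=none, else the policy."""
    tags = parse_dmarc(txt_record) if txt_record else {}
    if not tags:
        return "missing"
    policy = tags.get("p", "none").lower()
    return "monitor-only" if policy == "none" else policy


# TLS certificate expiry on the web server.
def cert_status(not_after, now, warn_days=14):
    """'expired', 'expiring' (within warn_days) or 'ok' for a notAfter date."""
    days_remaining = (not_after - now).days
    if days_remaining < 0:
        return "expired"
    if days_remaining <= warn_days:
        return "expiring"
    return "ok"


# HTTP security headers a hardened web server should send (assumed minimum).
REQUIRED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}


def missing_security_headers(headers):
    """Case-insensitive check of a response's headers; returns the missing names."""
    present = {name.lower() for name in headers}
    return sorted(REQUIRED_HEADERS - present)


def readiness_report(open_ports, dmarc_txt, cert_not_after, now, headers):
    """Combine the four checks into one dictionary of findings."""
    return {
        "ce1_unjustified_ports": check_open_ports(open_ports),
        "dmarc": dmarc_status(dmarc_txt),
        "certificate": cert_status(cert_not_after, now),
        "missing_headers": missing_security_headers(headers),
    }


# Constructed sample inputs: SSH and RDP exposed, DMARC in monitor mode,
# a certificate with ten days left, and only HSTS among the headers.
SAMPLE_OPEN_PORTS = [22, 80, 443, 3389]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERT_NOT_AFTER = SAMPLE_NOW + timedelta(days=10)
SAMPLE_EXPIRED_CERT = SAMPLE_NOW - timedelta(days=1)
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
}

if __name__ == "__main__":
    report = readiness_report(
        SAMPLE_OPEN_PORTS, SAMPLE_DMARC, SAMPLE_CERT_NOT_AFTER, SAMPLE_NOW, SAMPLE_HEADERS
    )
    for finding, value in report.items():
        print(f"{finding}: {value}")
```

On the sample data the report flags ports 22 and 3389, a monitor-only DMARC policy, an expiring certificate and three missing headers. Only the first of those is something the Cyber Essentials questionnaire asks about; the rest are the kind of exposure an outside scan finds that the self-assessment never will.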


The business case for getting certified

Beyond the technical benefits, Cyber Essentials has practical commercial value:

Government contracts. Since October 2014, Cyber Essentials has been required for central government contracts that involve handling personal information or providing certain ICT products and services (Procurement Policy Note 09/14). If public sector work is on your radar, certification is a prerequisite for many bids.

Cyber insurance. Many insurers now factor Cyber Essentials certification into their underwriting. Some offer reduced premiums for certified businesses; others require it before they will offer cover at all.

Customer trust. Displaying the Cyber Essentials badge on your website and proposals signals to clients that you take their data seriously. In competitive tender situations, it can be a differentiator.

ICO and GDPR. The UK GDPR requires organisations to implement "appropriate technical and organisational measures" to protect personal data. Cyber Essentials is a recognised baseline for the technical half of that: certification gives you dated, independent evidence that the basics were in place, which matters if you are ever subject to an ICO investigation. It does not by itself demonstrate the organisational measures (policies, training, incident response), and it is not a GDPR compliance certificate.

Next steps

If you have never assessed your domain from the outside, that is the right place to start. Knowing what an attacker or assessor would find gives you a clear picture of what needs fixing before you go through a formal Cyber Essentials assessment.

Scan your domain free with Olimpio — it checks your open ports, DNS configuration, SSL status, HTTP security headers, and more, and maps findings against the relevant Cyber Essentials controls. No setup required, results in around 15 minutes.
