Cyber Essentials and Cyber Essentials Plus are UK government-backed certifications open to organisations of any size. The scheme requires an organisation to have a baseline set of technical controls in place and to understand the risks those controls address. Which risks? Something as common as commodity malware can disrupt your business if the basic controls are missing.
The UK government launched the Cyber Essentials scheme in June 2014; today it is operated by the National Cyber Security Centre (NCSC). It applies only to organisations in the UK. Its initial target was small companies with little awareness of security issues.
Cyber Essentials is the government's information assurance scheme, operated by the NCSC. Developed in collaboration with industry partners, it encourages organisations to adopt good information security practice. IASME now administers and manages the scheme as the NCSC's delivery partner, and the certification bodies that assess applicants must be licensed by IASME.
What is the Cyber Essentials Scheme?
Cyber Essentials (CE) certification is based on a self-assessment questionnaire submitted to a certification body and assessed against five vital technical controls. Think of them as a checkpoint: your business is at risk if any one of them is missing. If gaps in security hygiene are found, you receive recommendations to close them and protect your organisation.
It is an excellent starting point for businesses on the first rung of the security maturity ladder, establishing the cyber security hygiene that defends against the most common attacks. Whether you are in the public or private sector, an SME or a large corporation, there is one standard benchmark against which any organisation can be gauged.
A licensed certification body assesses each company's submission and says what must be put right. Certification is valid for 12 months, so annual recertification guards against the complacency that lets gaps creep back in.
The main advantages of this scheme for your business are:
- Demonstrate cyber security commitment to your customers and supply chain.
- You and your team clearly understand your organisation’s security maturity level.
- Validation of security controls against the most common cyber attacks.
- Use it to your business advantage to attract new business. It’s a requirement for public sector and government contracts. Many private organisations may also seek this as an assurance factor.
How does it work?
Most cybercriminals are opportunistic, looking for any sensitive data with a resale value on underground markets. Stolen data is valuable in more forms than you might imagine.
Depending on its nature, the same data can be sold to multiple buyers for different kinds of misuse: identity fraud, social engineering attacks, credit card fraud, or logging in to the victim's other accounts.
The argument that only big companies are targets doesn't hold up. Threat actors look for insecure installations, misconfigured applications, exposed endpoints, open databases, and any stepping stone that could lead to a higher privilege level.
The Cyber Essentials scheme helps organisations avoid such pitfalls by ensuring essential homework is in place. If an organisation is willing to take on a proactive approach, there is Cyber Essentials Plus certification – a step up from basic Cyber Essentials.
- The first step to securing your systems is often the hardest.
- Cyber Essentials is a self-assessment that lets you demonstrate that appropriate cyber security measures are in place for your systems, data and network.
- Many businesses gain their Cyber Essentials certification first: CE is the stepping stone to the more advanced Cyber Essentials Plus (CE+) certification.
Cyber Essentials Controls
The critical control areas assessed for Cyber Essentials certification are:
- Firewalls
- Secure Configuration
- Access Control
- Malware Protection
- Patch Management
Determining what needs to be done will move your business forward in terms of keeping data secure and safe from common cyber attacks. If you are looking for extensive technical assessments in each of these areas, check out our main offerings page on technical risk.
The basic certification involves no on-site auditors or hands-on testing; it is assessed from the questionnaire alone, though you can engage an accredited assessor to support you through the CE journey if you wish.
Cyber Essentials Certification Process
Whether it is for a tender, a public sector bid or a procurement prerequisite, you have decided to go for this certification. Beyond the certificate itself, it prompts your team to act on security controls that might otherwise never improve.
- The initial scoping and objectives are agreed upon during the initial call. Some customers are comfortable with self-assessment questionnaires, and some require support (which attracts extra charges).
- Our assessors review the customer-submitted questionnaire. Should you fall short in certain areas, we advise you on how to correct them and agree timelines for resubmission.
- Once the assessment is passed, a CE certificate is issued to the customer.
What is Cyber Essentials Plus certification?
Cyber Essentials Plus certification is the next step after achieving Cyber Essentials. It begins with hands-on assessment tests that identify security gaps and produce a list of actionable items that must be fixed before a certificate can be issued.
It is a more rigorous assessment than the basic certification: security experts from the certification body carry out a hands-on technical assessment, so that the controls claimed in the questionnaire are verified against good security practice rather than taken on trust.
The difference between CE and CE+ is the involvement of external assessors, who examine the issues affecting the organisation and advise which identified risks must be remediated before a pass can be awarded.
CE+ covers a broader scope than CE, including checks of secure communication controls and the secure configuration of operating systems, and it confirms in practice that the business takes a proactive approach to the threats the scheme targets.
Suggested Read: Cyber Essentials Plus Checklist
Upcoming Changes in the Cyber Essentials: Download a free guide covering key Cyber Essentials changes from April 2026
CE+ Certification Process
- An assessor agrees with the customer a sample of in-scope devices to test (the sample size depends on the scale of your network and systems). Device hardening and configuration checks are performed on that sample as a technical audit.
- A vulnerability scan is run on the sampled systems to confirm that patching and configuration controls are actually in place.
- An external network penetration test is performed on the Internet-facing infrastructure.
- A malware protection assessment is conducted with harmless fake malicious content to observe how the endpoint controls in place behave when it is delivered.
Customers are given a few weeks (up to 30 days) to remediate any vulnerability findings. On successful certification, your organisation is awarded a certificate valid for 12 months. You can also choose whether to appear on the online register of Cyber Essentials-certified companies.
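The malware protection step above can be rehearsed before the assessor arrives. The following is an added example, not code from the page or from the scheme's own tooling. It assumes the assessor uses the industry-standard EICAR test file as the "fake malicious content" (the page does not name it), and the file name, wait time and verdict labels are my own choices. The EICAR string is assembled from two halves at run time so that the script's own source is not quarantined by an on-access scanner.

```python
"""Spot-check an endpoint's malware protection with the EICAR test file.

Drops the harmless 68-byte EICAR test string to disk and reports whether
the endpoint control blocked the write, quarantined the file, or missed it.
"""
import tempfile
import time
from pathlib import Path
from typing import Optional

# The EICAR test string, split in two so that this source file is not
# itself flagged by an on-access scanner; it is only joined at run time.
_EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
_EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_string() -> str:
    """Return the standard EICAR anti-malware test string (68 characters)."""
    return _EICAR_HEAD + _EICAR_TAIL


def classify(write_error: Optional[str], still_present: bool) -> str:
    """Map what happened to the dropped file onto a verdict.

    blocked-on-write: the scanner refused the write (pass)
    quarantined:      the file was written but removed afterwards (pass)
    not-detected:     the file survived on disk (fail)
    """
    if write_error is not None:
        return "blocked-on-write"
    if not still_present:
        return "quarantined"
    return "not-detected"


def drop_test_file(directory: str, wait_seconds: float = 5.0) -> dict:
    """Write the EICAR file into `directory` and watch what the endpoint does.

    The file name and the wait time are arbitrary choices for this example.
    """
    target = Path(directory) / "ce-plus-eicar-check.com"
    write_error: Optional[str] = None
    try:
        target.write_bytes(eicar_string().encode("ascii"))
    except OSError as exc:  # on-access scanning typically fails the write itself
        write_error = str(exc)

    # Give a delayed or scheduled scanner a chance to react before judging.
    deadline = time.monotonic() + wait_seconds
    present = target.exists()
    while present and time.monotonic() < deadline:
        time.sleep(0.25)
        present = target.exists()

    verdict = classify(write_error, present)
    if present:
        target.unlink()  # nothing caught it, so tidy up ourselves
    return {
        "path": str(target),
        "verdict": verdict,
        "passed": verdict != "not-detected",
    }


if __name__ == "__main__":
    # Example run into a temporary directory; on a machine with no endpoint
    # protection this reports the verdict "not-detected".
    with tempfile.TemporaryDirectory() as tmp:
        print(drop_test_file(tmp))
```

Run it on each sampled device, ideally into a user-writable location such as the Downloads folder rather than a temp directory, since that is where delivered content lands. A "not-detected" verdict on any device is a finding to fix before the assessment.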
Cost of Cyber Essentials
Basic Cyber Essentials costs between £400 and £700. We offer Cyber Essentials free of charge to customers who opt for an Internet security health check.
Cyber Essentials Plus certification is typically priced anywhere between £1,399 and £3,000.
Which one is right for you – Cyber Essentials or Cyber Essentials Plus?
Cyber Essentials Plus is right for your organisation if it wants to go beyond the bare basics and take a proactive approach to security. It helps your organisation make tangible improvements to defensive controls.
Cyber Essentials is the basic framework for the first step in cyber hygiene. It is suitable if your organisation is small and wants to demonstrate basic controls. If you need to discuss your options or require guidance, we offer specific security compliance services.
Contact us for guidance or initial information, or visit our security compliance services. Also read about the key Cyber Essentials scheme changes from April 2026.