
Cyber Essentials is a UK Government backed cyber security certification scheme that helps organisations defend against the most common online threats. It is administered by IASME on behalf of the National Cyber Security Centre (NCSC) and requires you to implement five technical controls covering firewalls, secure configuration, user access, malware protection and security updates. Achieving certification signals to customers, regulators and supply chain partners that your business takes the basics of cyber hygiene seriously.

This guide explains everything a UK business needs to know about Cyber Essentials in 2026: what the scheme actually covers, who needs it, what it costs, how long it takes, how the basic certification differs from Cyber Essentials Plus, and how it compares to broader standards like ISO 27001. We finish with the most common mistakes organisations make and show how ISMS.online shortens the path from gap to certificate.

What is Cyber Essentials?

Cyber Essentials is a UK Government backed certification scheme that defines a baseline set of cyber security controls every organisation should have in place. The scheme was launched in 2014; it is overseen by the NCSC and delivered by IASME, the sole accreditation body, working through a network of certification bodies across the UK. It is deliberately designed to be practical and proportionate, focused on the technical controls that block the majority of opportunistic internet attacks.

Cyber Essentials at a glance: 5 control areas, 12 month validity, 2 to 8 week timeline, 14 day patch window (source: IASME Cyber Essentials scheme)

The scheme comes in two tiers. The basic Cyber Essentials certification is achieved through a self assessment questionnaire (the SAQ question set, which IASME refreshes with each scheme update), which a senior officer in the business signs off and which is then reviewed by an external assessor. Cyber Essentials Plus adds an independent technical audit on top, where the assessor performs hands on testing of a sample of your devices, scans for missing patches and verifies that the controls genuinely work in practice.

According to the NCSC, organisations with Cyber Essentials in place are significantly less likely to fall victim to common cyber attacks such as phishing led credential theft, ransomware delivered through unpatched software, and malware spread through default configurations. The certificate is valid for 12 months from the date of issue and must be renewed annually under whichever question set is current at the time.

It is worth being clear about what Cyber Essentials is not. It is not a deep technical penetration test, it is not an information security management system (that is ISO 27001), and it is not a GDPR compliance certification (that is a regulatory obligation handled separately). It is a focused, repeatable check that the cyber security basics are in place across the organisation. The value of the scheme comes from the fact that the controls it tests are exactly the controls that block the overwhelming majority of opportunistic attacks UK businesses actually face.

Who needs Cyber Essentials? (and why)

Cyber Essentials is mandatory or strongly recommended for a growing list of UK organisations. The most common reasons businesses pursue certification are:

  • Central UK Government contracts — Since 2014, suppliers bidding for contracts that involve handling personal information or providing certain ICT products and services must hold Cyber Essentials. The requirement is written into the standard procurement framework and applies to direct suppliers and many subcontractors.
  • Ministry of Defence (MOD) suppliers — The MOD requires Cyber Essentials for all suppliers handling MOD identifiable information, with Cyber Essentials Plus required where the supplier processes more sensitive data under DEFCON 658.
  • NHS suppliers and Data Security and Protection Toolkit — Suppliers to NHS organisations frequently need Cyber Essentials as part of the Data Security and Protection Toolkit assessment.
  • Local authority and public sector tenders — Many councils, blue light services and arms length bodies now include Cyber Essentials as a pass or fail tender requirement.
  • Private sector supply chains — Larger UK enterprises increasingly ask SME suppliers to evidence Cyber Essentials before signing contracts, particularly for data processors, IT vendors and managed service providers.
  • Cyber insurance — Holding Cyber Essentials often unlocks better cyber insurance premiums or, in some cases, is a precondition of cover. The IASME backed certificate also includes free liability cover for UK based small businesses with turnover under £20 million.
  • Trust signalling to customers — The certification badge is a recognised marker that you have implemented the cyber security basics, which matters for B2B sales, marketing and procurement reviews.

If your organisation is none of the above and has no immediate contractual pressure, Cyber Essentials is still a sensible baseline. The cost is low, the controls are universally good practice, and the certification process forces you to document things you should already have in place.

What does Cyber Essentials cover? The 5 control areas

Cyber Essentials defines five technical control areas. Every device, user account and cloud service in scope must meet the requirements across all five. The table below summarises what each control area is for and what evidence assessors look for. For the full requirement detail, see our Cyber Essentials requirements guide.

| Control area | What it covers | What assessors check |
|---|---|---|
| 1. Firewalls and routers | The network boundary between your business and the internet, including ISP supplied routers, dedicated firewalls and host based firewalls on roaming laptops. | Default admin passwords have been changed; inbound rules are documented and justified; host based firewalls are enabled on devices used outside the office. |
| 2. Secure configuration | Removing the weaknesses that come baked into devices and cloud services out of the box: default accounts, sample passwords, auto run settings, unnecessary services. | Default passwords removed; unnecessary user accounts and software disabled; multi factor authentication (MFA) on all admin accounts; minimum password length of 12 characters (8 characters where MFA is in place). |
| 3. User access control | How user accounts are created, authenticated, given privileges and removed when people leave. | Documented joiner mover leaver process; admin accounts separated from day to day accounts; MFA on cloud users where supported; annual review of admin privileges. |
| 4. Malware protection | Defending devices against malicious code using anti malware software, application allow listing or sandboxing. | One approved mechanism is in place on every in scope device; signatures are kept current; mobile apps come from official stores only; on access scanning enabled. |
| 5. Security update management | Keeping all software supported, licensed and patched so attackers cannot exploit known vulnerabilities. | Only vendor supported software in use; high and critical patches applied within 14 days; end of life operating systems and browsers removed; firmware on routers and firewalls kept current. |

The same five controls apply to laptops, desktops, servers, mobiles, network equipment and cloud services that are in scope. The scheme treats cloud services (Microsoft 365, Google Workspace, AWS, Azure and similar) as an extension of your environment rather than an exception, and you are always responsible for the user access, MFA and tenant configuration of every cloud service you use.
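As an added example (not code from ISMS.online, IASME or the NCSC), the Python script below turns the five control areas above into a gap analysis check of the kind step 2 of the certification process calls for: the 14 day patch window, the 12 character (8 with MFA) password minimum, MFA on admin accounts, end of life software, anti malware and host firewalls all come from the table, while the account and device inventory it runs over is constructed and every name and date in it is hypothetical.

```python
"""Cyber Essentials gap-analysis checker (added example, not IASME/NCSC tooling): checks a
constructed inventory against the thresholds the scheme's five control areas state."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14          # high/critical patch deadline
MIN_PASSWORD_LEN = 12           # without MFA
MIN_PASSWORD_LEN_WITH_MFA = 8   # with MFA
TODAY = date(2026, 3, 1)        # assessment date for the constructed sample

@dataclass
class Account:
    name: str
    is_admin: bool
    mfa: bool
    password_len: int
    default_password: bool = False

@dataclass
class Patch:
    severity: str            # critical / high / medium / low
    released: date
    applied: Optional[date]  # None = still missing

@dataclass
class Device:
    name: str
    os_supported: bool
    anti_malware: bool
    host_firewall: bool
    roaming: bool            # used outside the office network
    patches: list = field(default_factory=list)

def run_gap_analysis(accounts, devices, today):
    """Return {control_area: [finding, ...]} for everything that would fail assessment."""
    findings = {}

    def add(area, text):
        findings.setdefault(area, []).append(text)

    for a in accounts:
        if a.default_password:
            add("2. Secure configuration", f"{a.name}: default password still in use")
        if a.is_admin and not a.mfa:
            add("3. User access control", f"{a.name}: admin account without MFA")
        minimum = MIN_PASSWORD_LEN_WITH_MFA if a.mfa else MIN_PASSWORD_LEN
        if a.password_len < minimum:
            add("2. Secure configuration", f"{a.name}: password shorter than {minimum} characters")
    for d in devices:
        if not d.os_supported:
            add("5. Security update management", f"{d.name}: end-of-life operating system")
        if not d.anti_malware:
            add("4. Malware protection", f"{d.name}: no anti-malware mechanism")
        if d.roaming and not d.host_firewall:
            add("1. Firewalls and routers", f"{d.name}: roaming device without host firewall")
        for p in d.patches:
            if p.severity not in ("critical", "high"):
                continue  # the 14 day window applies to high/critical only
            deadline = p.released + timedelta(days=PATCH_WINDOW_DAYS)
            if p.applied is None and today > deadline:
                add("5. Security update management", f"{d.name}: {p.severity} patch overdue since {deadline}")
            elif p.applied is not None and p.applied > deadline:
                add("5. Security update management", f"{d.name}: {p.severity} patch applied {(p.applied - deadline).days} days late")
    return findings

# Constructed sample inventory (hypothetical names and dates).
SAMPLE_ACCOUNTS = [
    Account("finance-admin", is_admin=True, mfa=False, password_len=10),
    Account("ceo", is_admin=True, mfa=True, password_len=9),
    Account("router-admin", is_admin=False, mfa=False, password_len=5, default_password=True),
    Account("alice", is_admin=False, mfa=True, password_len=8),
]
SAMPLE_DEVICES = [
    Device("LAPTOP-01", True, True, host_firewall=False, roaming=True,
           patches=[Patch("critical", date(2026, 2, 1), date(2026, 2, 10))]),
    Device("SRV-DB-01", True, True, host_firewall=True, roaming=False,
           patches=[Patch("high", date(2026, 1, 20), None), Patch("low", date(2026, 1, 1), None)]),
    Device("WKS-LEGACY", False, False, host_firewall=True, roaming=False,
           patches=[Patch("critical", date(2026, 2, 1), date(2026, 2, 20))]),
]
```

Running `run_gap_analysis(SAMPLE_ACCOUNTS, SAMPLE_DEVICES, TODAY)` on the sample returns nine findings across all five control areas; an empty result is the state you want before submitting the SAQ.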








Cyber Essentials vs Cyber Essentials Plus

The single most common question on Cyber Essentials is: do I need the basic certification or do I need Plus? The honest answer is that the two are not really alternatives. Plus is the basic certification with independent technical verification on top. You cannot hold Plus without first achieving the basic Cyber Essentials.

The table below sets out the practical differences. For the full technical detail on the Plus audit, see our Cyber Essentials Plus requirements guide.

| Feature | Cyber Essentials (basic) | Cyber Essentials Plus |
|---|---|---|
| Assessment method | Self assessment questionnaire (SAQ) signed off by a senior officer and reviewed by an assessor | Self assessment followed by an independent technical audit, including hands on testing of a sample of devices |
| Vulnerability scanning | Not required | Internal and external authenticated vulnerability scans of sample devices |
| Test for default configurations, MFA and patching | Confirmed by attestation | Physically verified by the assessor |
| Typical cost | From £330+VAT for micro businesses, up to £500+VAT for larger orgs | Typically £1,500 to £3,000+ depending on environment size |
| Typical timeline | 2 to 4 weeks once preparation is complete | Adds a further 4 to 6 weeks for the technical audit phase |
| Validity | 12 months | 12 months |
| Best for | Smaller suppliers, lower risk contracts, businesses building a baseline | Regulated suppliers, MOD and NHS work, larger procurement deals, organisations wanting verified assurance |

If your contract specifies which tier is required, follow that. If you have a choice, start with basic Cyber Essentials to find and close gaps quickly, then plan for Plus once you are confident the controls hold up under real testing. Many organisations aim to complete Plus within three months of achieving the basic certificate, while the evidence is fresh and the environment has not drifted.

The other important nuance: Plus is the only tier that gives a procuring buyer genuine independent assurance that your controls work. Self attested Cyber Essentials is enough for many supplier categories, but where contracts involve sensitive data or critical services, expect the customer to ask for Plus. Building toward Plus from day one, even if you only certify at the basic tier initially, keeps your evidence in a state that will pass an external audit later.

How much does Cyber Essentials cost?

Basic Cyber Essentials uses a flat IASME pricing structure that scales with the size of the organisation. For 2026 the tiers are:

  • Micro (0 to 9 employees) — £330+VAT
  • Small (10 to 49 employees) — £400+VAT
  • Medium (50 to 249 employees) — £450+VAT
  • Large (250+ employees) — £500+VAT

That fee includes one submission, with the option to resubmit if minor gaps are flagged, and the IASME certificate itself. For UK based businesses with turnover under £20 million, it also includes the IASME backed cyber liability insurance up to £25,000.

Cyber Essentials Plus is priced separately by your chosen certification body and depends on the size of the in scope environment and the number of sample devices the auditor needs to test. Typical UK pricing is in the £1,500 to £3,000+ range for SMEs, rising for larger and more complex estates. Add the basic Cyber Essentials fee on top, and factor in internal time for preparation and remediation.

For the full breakdown, including hidden costs and three year totals, see our Cyber Essentials cost guide.

The headline IASME fee is rarely the whole story. Most UK businesses also spend on the preparation side: licence costs to bring legacy software up to a supported version, MFA tooling for accounts that did not have it, MDM enrolment for BYOD devices, and sometimes a few days of consultancy to validate the answers before submission. As a planning rule of thumb, double the IASME fee for the basic tier and budget two to three times the Plus fee on top to capture the all in cost of becoming Cyber Essentials Plus ready for the first time. Subsequent annual renewals are significantly cheaper once the controls and evidence are embedded.

How long does Cyber Essentials take?

The honest answer is: anywhere from 3 working days to 8 weeks, depending on how prepared you already are. The questionnaire itself can be completed and assessed in under a week if your controls are in place and your evidence is to hand. The slow part is closing gaps. Most UK businesses take 2 to 4 weeks for the basic certification end to end, and a further 4 to 6 weeks if they progress straight to Plus.

The biggest delays usually come from three sources:

  • Discovering legacy admin accounts without MFA or end of life software that needs replacing
  • Waiting for evidence from third parties such as IT support, cloud admins or BYOD users
  • Re submission cycles where the assessor flags clarifications on the questionnaire

For the full phase by phase timeline and the fast track route, see our How long does Cyber Essentials take? guide.








How to get Cyber Essentials certified: the step-by-step process

The certification journey has six distinct phases. None of them are technically complicated, but each one rewards preparation.

  1. Define your scope — Pick either whole organisation scope (recommended) or a clearly bounded sub set. Map every in scope user, device, network and cloud service.
  2. Run a gap analysis — Walk through each of the five control areas against your current environment and identify what is missing. The Willow question set is published openly, so you can use it as your gap analysis checklist.
  3. Close the gaps — Change default passwords, enable MFA on cloud accounts, replace end of life software, document your joiner mover leaver process, enable host firewalls on roaming laptops.
  4. Choose a certification body — IASME publishes a list of approved certification bodies on its website. Most are price competitive within a small range; choose one that responds quickly and offers helpful pre submission advice.
  5. Complete the SAQ — A senior officer signs off the answers and the certification body assesses the submission. If anything is unclear, expect questions back.
  6. Receive your certificate (and optional Plus audit) — The basic certificate is typically issued within a few working days of a clean submission. If you are going for Plus, the technical audit follows.

For a deeper look at the questionnaire itself, the evidence assessors want and the most common pitfalls, see our Cyber Essentials self assessment guide.

Cyber Essentials renewal: what happens after 12 months

Cyber Essentials is not a one time exercise. The certificate is valid for 12 months from the date of issue, and the renewal must be completed against whichever question set is current at the renewal date. Because the scheme tightens its requirements on an annual cycle, the renewal often introduces controls that were not in place when you first certified.

Common renewal sticking points include stronger MFA expectations on cloud accounts, explicit asset inventory requirements, and applying the 14 day patch window to firmware on routers and access points. Plan to start your renewal preparation at least 60 days before your certificate expires so you can close any new gaps without rushing.

For the full 12 month cycle and how to prepare in stages, see our Cyber Essentials renewal guide.

Cyber Essentials vs ISO 27001 and SOC 2

Cyber Essentials is a UK only baseline. ISO 27001 is the international standard for an information security management system (ISMS) and SOC 2 is the US originated reporting framework most often seen with North American buyers. Each one serves a different audience and the certifications are complementary rather than competing.

| | Cyber Essentials | ISO 27001 | SOC 2 |
|---|---|---|---|
| Scope | 5 technical control areas | Full ISMS plus 93 Annex A controls | 5 Trust Services Criteria, scoped to a service |
| Geographic recognition | UK | International | Mainly North America |
| Typical cost | From £330+VAT | £3,000 to £15,000+ for certification plus internal effort | £15,000 to £50,000+ for a Type 2 report |
| Typical timeline | 2 to 8 weeks | 6 to 18 months | 6 to 12 months plus a 3 to 12 month observation period |
| Renewal | Annual | 3 year cycle with annual surveillance | Annual report cycle |
| Best for | UK Government contracts, supply chain baseline, cyber insurance | Enterprise sales, international customers, regulated industries | SaaS vendors selling to North American enterprises |

The pragmatic path for most UK businesses is to achieve Cyber Essentials first to unlock contracts and insurance, then build the management system foundations for ISO 27001 (and SOC 2 if relevant) on top. The five Cyber Essentials controls map directly into ISO 27001 Annex A, so the work compounds rather than duplicating. For a head to head comparison, see our Cyber Essentials versus ISO 27001 guide.

If you are a small business with a 12 month roadmap, a sensible sequencing is: Cyber Essentials in the first three months to satisfy immediate procurement and insurance needs, Cyber Essentials Plus by month six to demonstrate verified assurance, and an ISO 27001 implementation project running in parallel from month three onwards. SOC 2 typically only enters the picture if you start selling SaaS into North American enterprises. For a small business focused walkthrough of the decision, see our Cyber Essentials for small businesses guide.

Common Cyber Essentials mistakes (and how to avoid them)

Most failed or delayed Cyber Essentials applications come down to the same small list of avoidable mistakes:

  • Scoping too narrowly — Certifying a single team or environment then being unable to use the certificate for a wider contract. Default to whole organisation scope unless you have a clear technical reason not to.
  • Forgetting BYOD and home routers — Personal phones used for work email and home workers on default ISP routers are in scope. Map them up front, not after the assessor asks.
  • Running end of life software — Windows versions out of support, unpatched browsers, legacy line of business apps. The scheme treats these as automatic fails. Inventory before you start.
  • Inconsistent MFA — MFA enabled on the CEO’s account but not on the legacy domain admin or the service account. Assessors look for full coverage on every admin account on every cloud platform.
  • Missing the 14 day patch window — Servers that get patched monthly often miss the high or critical severity deadline. Move to a more frequent cadence for security updates.
  • Stale joiner mover leaver records — Long serving employees with accumulated admin rights, leavers whose accounts were never disabled. Run a clean up before you submit.
  • Leaving evidence to the last minute — Trying to assemble screenshots, configuration exports and policy documents in the final week is how projects slip. Capture evidence as you close each gap.


Why choose ISMS.online for Cyber Essentials?

  • Pre mapped controls — Every Cyber Essentials control area is already mapped inside ISMS.online, so you assess against the full scheme without building your own checklist or spreadsheet from scratch.
  • Guided gap analysis — Step through each control with built in prompts, mark current state and turn every gap into an assigned action with an owner and a due date.
  • Single evidence library — Attach firewall configuration exports, MFA screenshots, joiner mover leaver records and patch logs once, then reuse them across renewals, Plus audits and other frameworks.
  • Multi framework leverage — Cyber Essentials evidence in ISMS.online also feeds ISO 27001, SOC 2 and NIS 2 work, which is why customers who outgrow Cyber Essentials stay on the platform.
  • Renewal ready by default — The platform keeps your evidence current between annual cycles, with reminders 60 days before your certificate expires, so you are never starting over.
  • Always up to date with the scheme — The platform tracks the current Willow question set and flags new requirements as IASME tightens the controls each year.
  • Trusted by thousands of organisations — ISMS.online supports UK businesses of every size on their compliance journey, from first time Cyber Essentials applicants through to global ISO certified groups.

Frequently asked questions

What is Cyber Essentials in plain English?

Cyber Essentials is a UK Government backed certification that confirms your business has five basic technical controls in place to defend against common cyber attacks: firewalls, secure configuration, user access control, malware protection and security update management. It is administered by IASME on behalf of the NCSC and is the recognised entry level UK cyber security standard. The certificate is valid for 12 months.


How much does Cyber Essentials cost in 2026?

Basic Cyber Essentials uses IASME flat pricing: £330+VAT for micro businesses (0 to 9 employees), £400+VAT for small (10 to 49), £450+VAT for medium (50 to 249) and £500+VAT for large (250+). Cyber Essentials Plus is priced separately by your certification body and typically ranges from £1,500 to £3,000+ depending on the size of your environment. Add internal preparation time on top.


How long does Cyber Essentials take to get?

Most UK businesses complete the basic certification in 2 to 4 weeks, with a fast track minimum of around 3 to 5 working days if controls are already in place. Cyber Essentials Plus adds a further 4 to 6 weeks for the independent technical audit. The biggest delays come from closing legacy gaps such as missing MFA, end of life software and undocumented admin accounts.


What is the difference between Cyber Essentials and Cyber Essentials Plus?

Basic Cyber Essentials is a self assessment questionnaire signed off internally and reviewed by an external assessor. Cyber Essentials Plus is the same scope with an added independent technical audit, including vulnerability scans and hands on testing of a sample of your devices. Plus provides verified assurance and is increasingly required for MOD, NHS and regulated supplier contracts. You cannot hold Plus without first achieving the basic certification.


Who needs Cyber Essentials?

Cyber Essentials is mandatory for suppliers to UK central Government on contracts involving personal information or certain ICT services, and for MOD suppliers under DEFCON 658. NHS suppliers, local authority contractors and a growing number of private sector enterprises also require it. Many cyber insurers offer better premiums or make it a precondition of cover. Even without contractual pressure, it is a recognised baseline of good cyber hygiene.


What does Cyber Essentials cover?

Cyber Essentials covers five technical control areas: firewalls and routers, secure configuration, user access control, malware protection and security update management. Every device, user account and cloud service in scope must meet the requirements across all five. Cloud services including Microsoft 365, Google Workspace, AWS and Azure are explicitly in scope, with MFA on all admin accounts a baseline expectation in 2026.


Is Cyber Essentials worth it?

For most UK businesses, yes. The certification unlocks public sector contracts, supports cyber insurance applications, and forces a clean up of the basic controls that prevent the majority of opportunistic attacks. The cost (£330+VAT minimum) and time (a few weeks) are low relative to the contractual and insurance benefits. For a fuller honest assessment, see our Is Cyber Essentials worth it? guide.


How is Cyber Essentials different from ISO 27001?

Cyber Essentials is a UK only baseline focused on five technical control areas. ISO 27001 is the international standard for a full information security management system (ISMS) covering 93 Annex A controls, leadership, risk management and continual improvement. Cyber Essentials takes weeks and costs from £330+VAT; ISO 27001 takes months and costs from around £3,000+. The two are complementary, with Cyber Essentials typically a stepping stone toward ISO 27001.



Mike Jennings

Mike is the Integrated Management System (IMS) Manager here at ISMS.online. Alongside his day to day responsibilities for ensuring that IMS security incident management, threat intelligence, corrective actions, risk assessments and audits are managed effectively and kept up to date, Mike is a certified ISO 27001 lead auditor and continues to develop his other skills in information security and privacy management standards and frameworks, including Cyber Essentials, ISO 27001 and many more.
