UK Business · Certification · 10 min read · June 2026

Cyber Essentials: What It Is, the Five Controls, and How to Apply

Cyber Essentials is the UK government's baseline cybersecurity certification scheme. It was created by the National Cyber Security Centre (NCSC) to help organisations of all sizes protect themselves against the most common cyber threats. This guide explains what it is, what the five technical controls require, how to apply, and whether your business needs it.

Government-backed scheme

Cyber Essentials is backed by the UK government and endorsed by the NCSC. The NCSC estimates that the five Cyber Essentials controls can prevent around 80% of commodity cyber attacks. Certification is renewed annually.

The Five Cyber Essentials Controls

Cyber Essentials requires organisations to have controls in five technical areas. All five must be met for certification.

1. Firewalls

A boundary firewall must protect every internet-connected device. Home and office routers can satisfy this control, but only when they are properly configured, with unnecessary ports closed.

2. Secure Configuration

Devices and software must be configured securely: remove unnecessary software, disable unused features, and change the default passwords on all devices.

3. User Access Control

User accounts should have only the minimum access their holder needs to do their job. Administrator accounts must be separate from the standard accounts used for day-to-day work, and only authorised users may access systems.

4. Malware Protection

Anti-malware software must be installed and actively used on all devices, or application allow-listing must prevent unauthorised software from running.

5. Patch Management (Software Updates)

All software (operating systems, applications, and firmware) must be kept up to date. High-risk vulnerabilities must be patched within 14 days of a patch becoming available.
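
The five controls read as policy, but each one reduces to a check you can run against an asset inventory. The script below is an added example (not NCSC tooling and not the page's own code) that evaluates a constructed two-device, two-user inventory against all five controls, including the 14-day patching window measured from each patch's release date. The asset fields, patch identifiers (`KB-HYPO-*`), the allowed-port set and the dates are all hypothetical.

```python
"""Hypothetical Cyber Essentials readiness check over a constructed inventory."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14  # Patch Management: high-risk fixes applied within 14 days of release


@dataclass
class Asset:
    name: str
    firewall_enabled: bool
    open_ports: set[int]            # inbound ports reachable from the internet
    default_password_changed: bool
    unneeded_software: list[str]
    anti_malware_active: bool
    allow_listing: bool
    high_risk_patches: dict[str, tuple[date, date | None]]  # id -> (released, applied)


@dataclass
class User:
    name: str
    is_admin: bool
    has_separate_standard_account: bool


# Constructed: the only inbound port this hypothetical business needs exposed.
ALLOWED_PORTS = {443}


def check_asset(asset: Asset, today: date) -> list[tuple[str, str, str]]:
    """Return (asset, control, issue) findings for one device."""
    findings = []
    # 1. Firewalls: a boundary firewall, with only the ports the business needs open
    if not asset.firewall_enabled:
        findings.append((asset.name, "Firewalls", "no boundary firewall"))
    for port in sorted(asset.open_ports - ALLOWED_PORTS):
        findings.append((asset.name, "Firewalls", f"unnecessary inbound port {port} open"))
    # 2. Secure Configuration: default passwords changed, unnecessary software removed
    if not asset.default_password_changed:
        findings.append((asset.name, "Secure Configuration", "default password unchanged"))
    for pkg in asset.unneeded_software:
        findings.append((asset.name, "Secure Configuration", f"unnecessary software installed: {pkg}"))
    # 4. Malware Protection: either anti-malware or allow-listing satisfies the control
    if not (asset.anti_malware_active or asset.allow_listing):
        findings.append((asset.name, "Malware Protection", "no anti-malware and no allow-listing"))
    # 5. Patch Management: the 14-day window runs from the patch release date
    for patch_id, (released, applied) in asset.high_risk_patches.items():
        deadline = released + timedelta(days=PATCH_WINDOW_DAYS)
        if applied is None and today > deadline:
            overdue = (today - deadline).days
            findings.append((asset.name, "Patch Management",
                             f"{patch_id} unpatched, {overdue} days past the 14-day deadline"))
        elif applied is not None and applied > deadline:
            late = (applied - deadline).days
            findings.append((asset.name, "Patch Management", f"{patch_id} applied {late} days late"))
    return findings


def check_users(users: list[User]) -> list[tuple[str, str, str]]:
    """3. User Access Control: every admin needs a separate standard account for daily work."""
    return [(u.name, "User Access Control", "admin without separate standard account")
            for u in users if u.is_admin and not u.has_separate_standard_account]


# Constructed inventory: one compliant laptop, one desktop with gaps under four controls.
ASSETS = [
    Asset("laptop-01", True, {443}, True, [], True, False,
          {"KB-HYPO-1": (date(2026, 5, 1), date(2026, 5, 10))}),
    Asset("desktop-02", True, {443, 3389}, False, ["legacy-ftp-client"], False, False,
          {"KB-HYPO-2": (date(2026, 5, 1), None),    # released 1 May, still unpatched
           "KB-HYPO-3": (date(2026, 5, 20), None)}),  # released 20 May, still inside the window
]
USERS = [User("alice", True, True), User("bob", True, False)]


def run_check(assets=ASSETS, users=USERS, today=date(2026, 6, 1)):
    """Evaluate the whole inventory as of `today` and return every finding."""
    findings = []
    for asset in assets:
        findings.extend(check_asset(asset, today))
    findings.extend(check_users(users))
    return findings


if __name__ == "__main__":
    for asset_name, control, issue in run_check():
        print(f"[{control}] {asset_name}: {issue}")
```

Run as-is it reports five findings against `desktop-02` and one against `bob`; `laptop-01` and `KB-HYPO-3` (released 20 May, checked on 1 June) produce nothing, because a patch is only overdue once the 14 days have elapsed. Feeding the same functions your real inventory and today's date gives a first cut at the self-assessment answers before you pay for the questionnaire.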

Cyber Essentials vs Cyber Essentials Plus

| | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment method | Self-assessment questionnaire | Hands-on technical audit |
| Cost (up to 99 staff) | £300+VAT | £300+VAT + audit fee (£1,500–£5,000+) |
| Time to complete | 1–3 hours questionnaire | 1–3 days for the audit |
| Who it suits | Most small businesses | Government supply chain, NHS, MoD |
| Certificate validity | 12 months | 12 months |

Who Needs Cyber Essentials?

Cyber Essentials is mandatory if your business:

Bids for UK central government contracts that involve handling personal data or sensitive information
Operates in the MoD or NHS supply chain
Holds a contract with certain regulated sectors (some utilities, legal, financial)

Cyber Essentials is strongly recommended if your business:

Handles client or employee personal data (UK GDPR obligation to secure data)
Works with business clients who increasingly expect it as a condition of supply
Wants to demonstrate basic security hygiene to insurers (may reduce cyber insurance premiums)
Wants the discipline of a structured security review at least once a year

How to Apply for Cyber Essentials

  1. Choose a Cyber Essentials certification body: IASME, CREST, or a body listed on the NCSC website.
  2. Complete the self-assessment questionnaire: typically takes 1–3 hours for a small business.
  3. Submit for verification: the certification body reviews your answers.
  4. Address any gaps: if you do not meet a control, you have a limited time to fix it and resubmit.
  5. Receive your certificate: valid for 12 months. Your organisation is listed in the NCSC certification database.

Check your Cyber Essentials readiness, free

Cyber Nova AI maps your security tasks to all five Cyber Essentials controls and shows you exactly where you stand. Start your free security check today.

Frequently asked questions

Is Cyber Essentials mandatory in the UK?

Cyber Essentials is mandatory for UK government contracts that involve handling sensitive information or personal data. It is also required for certain MoD and NHS supply chain contracts. For private sector businesses, it is voluntary, but increasingly expected by larger clients as a condition of supply.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessed questionnaire verified by a certification body. Cyber Essentials Plus adds a technical hands-on audit: a qualified assessor tests your systems against the same five controls. Cyber Essentials Plus costs more (typically £1,500–£5,000+) but carries greater weight with clients and government departments.

How much does Cyber Essentials cost?

Cyber Essentials self-assessment costs £300+VAT for organisations with up to 99 staff. Larger organisations pay more. Cyber Essentials Plus adds a technical audit on top, typically £1,500–£5,000 depending on the size and complexity of your infrastructure.

How long does Cyber Essentials take?

The self-assessment questionnaire takes 1–3 hours to complete. Implementing the required controls takes most small businesses 1–4 weeks, depending on how mature their security already is. Once submitted, certification is typically granted within a few working days if you pass.