Cyber Essentials Explained: What It Is, What It Covers, and Whether You Need It
You've probably seen Cyber Essentials mentioned in a contract, an email from a prospect, or a government tender. Here's the version that actually makes sense — no jargon, no fluff.
The short version
- Government-backed basics: Cyber Essentials is a UK certification that checks whether your business has five fundamental security controls in place — firewalls, secure configuration, user access control, malware protection, and keeping software up to date.
- Mandatory for government contracts: If you want to bid for UK central government contracts, Cyber Essentials is a requirement, not a nice-to-have.
- Expect 2–6 weeks to prepare: For most unprepared SMEs, getting the controls in place takes two to six weeks of genuine work; certification itself typically costs between £300 and £600 depending on your assessor.
- Not a catch-all: Cyber Essentials does not cover GDPR, ISO 27001, or AI governance — those are separate obligations that sit alongside it, not inside it.
If you’ve been sent a supplier questionnaire, applied for a government contract, or simply Googled “what is Cyber Essentials” after a client mentioned it in passing, you’re in the right place. This is the plain-English explanation. No specification sheets, no acronym soup.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme that tests whether your business has five essential security controls in place to defend against the most common cyber threats.
The NCSC created it in partnership with industry. (NCSC stands for the National Cyber Security Centre, the UK government’s technical authority on cyber security.) The idea was straightforward. Most cyber attacks succeed not because they’re sophisticated, but because businesses have left basic doors unlocked. Cyber Essentials defines what “locked” looks like, and gives you a credible way to prove it.
It isn’t a test of perfection. It’s a test of fundamentals.
What does Cyber Essentials actually cover?
Cyber Essentials checks five control areas: firewalls, secure configuration, user access control, malware protection, and patch management. Together, they close the majority of common attack routes.
Here’s what each one means in practice:
Firewalls
A firewall (either software or hardware) sits between your network and the internet and decides what traffic to let through. Cyber Essentials checks that you have one, that it’s switched on, and that it’s configured to block traffic it shouldn’t allow. Think of it as a front door with a lock, not just a door.
Secure configuration
Devices and software come out of the box with default settings that aren’t always secure: default passwords, unnecessary features turned on, open ports. Secure configuration means you’ve gone through your devices and closed what doesn’t need to be open. Tidying the settings is often closer to a 10-minute job than a month-long project, once you know what to check.
User access control
This is about making sure people only have access to what they need to do their job, and that old accounts (former staff, lapsed contractors) are removed promptly. It also covers administrator privileges. Not everyone needs them, and handing them out loosely is a common and unnecessary risk.
Malware protection
Malware, short for malicious software, is the umbrella term for viruses, ransomware, spyware and similar threats. Cyber Essentials checks that you have active protection in place on your devices (antivirus or equivalent) and that it’s kept up to date.
Patch management (keeping software up to date)
Software vendors regularly release updates that fix security vulnerabilities. “Patching” means applying those updates. Cyber Essentials looks for evidence that your devices and software are kept reasonably current — typically within 14 days for high-risk patches. This one catches a lot of businesses off guard: it sounds simple, but keeping every device and application up to date across a whole team takes a named owner.
The honest reality
For most SMEs, the five controls aren't completely absent. They're partially in place, inconsistently applied, or not documented. Getting certified means closing those gaps, not starting from zero.
Cyber Essentials vs Cyber Essentials Plus: what’s the difference?
Cyber Essentials is a self-assessment reviewed by an assessor; Cyber Essentials Plus involves an independent technical verification that your controls actually work as described.
Both certifications cover the same five controls. The difference is who checks your work. With the standard certification, you answer a structured questionnaire honestly and an approved assessor reviews it. With Plus, an independent body carries out hands-on technical checks to verify that what you said is true. Plus carries more weight, especially with enterprise clients who’ve seen enough tick-box compliance to be sceptical.
Who actually needs Cyber Essentials certification?
Cyber Essentials is mandatory for UK central government contracts, and increasingly expected by larger enterprise clients, insurers, and supply-chain partners across both the public and private sectors.
You should take it seriously if:
- You are bidding, or planning to bid, for UK central government contracts. It is a requirement, not optional.
- Enterprise clients or procurement teams have started asking whether you’re certified (this is becoming routine in sectors like professional services, healthcare, and technology).
- Your business handles personal or sensitive client data and you want a credible, affordable way to show you take security seriously.
- You’re approaching cyber insurance renewal and want to demonstrate a baseline of security hygiene.
“Cyber Essentials is the baseline. It won’t guarantee you won’t have an incident, but it does mean you’ve closed the doors that most attackers try first.”
Who probably doesn’t need it urgently
If you’re a sole trader with no client data, no plans to tender for contracts, and no enterprise clients asking questions, Cyber Essentials may not be your most pressing priority right now. Be honest with yourself about where your business actually sits. Compliance is worth doing properly, not just ticking.
How long does Cyber Essentials take, and what does it cost?
Most unprepared SMEs need two to six weeks to get their controls in place; the certification itself typically costs between £300 and £600, depending on which assessor you use.
The cost varies because assessors are independent organisations, not a single government body. Shop around, but don’t choose solely on price. What you’re paying for is the assessment and the certificate. The real investment is the staff time to implement the controls properly.
Some businesses sail through in a few days because most controls were already in place. Others discover they have genuine gaps, particularly around patching and access control, that take real time and a named owner to close. Build in buffer.
What Cyber Essentials doesn’t cover
Cyber Essentials does not cover GDPR, ISO 27001 or AI governance; these are separate obligations that sit alongside it, so meeting one does not mean meeting the others.
It’s a great starting point, but it isn’t the whole picture:
- GDPR and UK data protection law are separate obligations governed by the ICO, the UK’s data protection regulator.
- ISO 27001, the international information security management standard, goes much deeper and is a separate certification journey.
- AI governance, including how your team uses AI tools and what data they share with them, is not addressed by Cyber Essentials at all.
Think of them as sitting alongside each other, not inside each other.
SecurSentry is launching soon to help UK SMEs work through Cyber Essentials — and carry that effort forward to every certification and questionnaire that follows. Join the waitlist to be among the first to know when we open.
This article is for general information only and does not constitute legal or compliance advice. Requirements vary by organisation and context; where in doubt, consult a qualified professional.