SecurSentry
← All notes
Cyber Essentials

Cyber Essentials Explained: What It Is, What It Covers, and Whether You Need It

You've probably seen Cyber Essentials mentioned in a contract, an email from a prospect, or a government tender. Here's the version that actually makes sense — no jargon, no fluff.

The short version

If you’ve been sent a supplier questionnaire, applied for a government contract, or simply Googled “what is Cyber Essentials” after a client mentioned it in passing, you’re in the right place. This is the plain-English explanation. No specification sheets, no acronym soup.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme that tests whether your business has five essential security controls in place to defend against the most common cyber threats.

The NCSC created it in partnership with industry. (NCSC stands for the National Cyber Security Centre, the UK government’s technical authority on cyber security.) The idea was straightforward. Most cyber attacks succeed not because they’re sophisticated, but because businesses have left basic doors unlocked. Cyber Essentials defines what “locked” looks like, and gives you a credible way to prove it.

It isn’t a test of perfection. It’s a test of fundamentals.

What does Cyber Essentials actually cover?

Cyber Essentials checks five control areas: firewalls, secure configuration, user access control, malware protection, and patch management. Together, they close the majority of common attack routes.

Here’s what each one means in practice:

Firewalls

A firewall (either software or hardware) sits between your network and the internet and decides what traffic to let through. Cyber Essentials checks that you have one, that it’s switched on, and that it’s configured to block traffic it shouldn’t allow. Think of it as a front door with a lock, not just a door.

Secure configuration

Devices and software come out of the box with default settings that aren’t always secure: default passwords, unnecessary features turned on, open ports. Secure configuration means you’ve gone through your devices and closed what doesn’t need to be open. Tidying the settings is often closer to a 10-minute job than a month-long project, once you know what to check.

User access control

This is about making sure people only have access to what they need to do their job, and that old accounts (former staff, lapsed contractors) are removed promptly. It also covers administrator privileges. Not everyone needs them, and handing them out loosely is a common and unnecessary risk.

Malware protection

Malware, short for malicious software, is the umbrella term for viruses, ransomware, spyware and similar threats. Cyber Essentials checks that you have active protection in place on your devices (antivirus or equivalent) and that it’s kept up to date.

Patch management (keeping software up to date)

Software vendors regularly release updates that fix security vulnerabilities. “Patching” means applying those updates. Cyber Essentials looks for evidence that your devices and software are kept reasonably current — typically within 14 days for high-risk patches. This one catches a lot of businesses off guard: it sounds simple, but keeping every device and application up to date across a whole team takes a named owner.

The honest reality

For most SMEs, the five controls aren't completely absent. They're partially in place, inconsistently applied, or not documented. Getting certified means closing those gaps, not starting from zero.

Cyber Essentials vs Cyber Essentials Plus: what’s the difference?

Cyber Essentials is a self-assessment reviewed by an assessor; Cyber Essentials Plus involves an independent technical verification that your controls actually work as described.

Both certifications cover the same five controls. The difference is who checks your work. With the standard certification, you answer a structured questionnaire honestly and an approved assessor reviews it. With Plus, an independent body carries out hands-on technical checks to verify that what you said is true. Plus carries more weight, especially with enterprise clients who’ve seen enough tick-box compliance to be sceptical.

Who actually needs Cyber Essentials certification?

Cyber Essentials is mandatory for UK central government contracts, and increasingly expected by larger enterprise clients, insurers, and supply-chain partners across both the public and private sectors.

You should take it seriously if:

“Cyber Essentials is the baseline. It won’t guarantee you won’t have an incident, but it does mean you’ve closed the doors that most attackers try first.”

Who probably doesn’t need it urgently

If you’re a sole trader with no client data, no plans to tender for contracts, and no enterprise clients asking questions, Cyber Essentials may not be your most pressing priority right now. Be honest with yourself about where your business actually sits. Compliance is worth doing properly, not just ticking.

How long does Cyber Essentials take, and what does it cost?

Most unprepared SMEs need two to six weeks to get their controls in place; the certification itself typically costs between £300 and £600, depending on which assessor you use.

The cost varies because assessors are independent organisations, not a single government body. Shop around, but don’t choose solely on price. What you’re paying for is the assessment and the certificate. The real investment is the staff time to implement the controls properly.

Some businesses sail through in a few days because most controls were already in place. Others discover they have genuine gaps, particularly around patching and access control, that take real time and a named owner to close. Build in buffer.

What Cyber Essentials doesn’t cover

Cyber Essentials does not cover GDPR, ISO 27001 or AI governance; these are separate obligations that sit alongside it, so meeting one does not mean meeting the others.

It’s a great starting point, but it isn’t the whole picture:

Think of them as sitting alongside each other, not inside each other.


SecurSentry is launching soon to help UK SMEs work through Cyber Essentials — and carry that effort forward to every certification and questionnaire that follows. Join the waitlist to be among the first to know when we open.

This article is for general information only and does not constitute legal or compliance advice. Requirements vary by organisation and context; where in doubt, consult a qualified professional.

Frequently asked questions

What is Cyber Essentials and do I need it?

Cyber Essentials is a UK government-backed certification scheme that verifies your business has five core security controls in place. It is mandatory for UK central government contracts, and increasingly expected by enterprise clients and insurers. If you handle client data or have ambitions to work with larger organisations, it is worth serious consideration.

How much does Cyber Essentials certification cost in the UK?

The cost varies by assessor but typically falls in the range of £300–£600 for the basic Cyber Essentials self-assessment. Cyber Essentials Plus, which involves independent verification, costs more. Budget for the certification fee and the internal time needed to implement any controls you don't already have.

How long does it take to get Cyber Essentials certified?

For an SME that hasn't prepared before, most of the time goes into getting the five controls properly in place — that typically takes two to six weeks. The assessment itself, once you're ready, is relatively quick. Some businesses find they're closer than they expected; others discover gaps that take real time to close.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment: you answer questions about your controls and an assessor reviews your answers. Cyber Essentials Plus involves an independent technical verification of those same controls — someone actually checks that what you said is true. Plus carries more credibility, especially with enterprise clients.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.