Cyber Essentials comes up in most conversations I have with Yorkshire small businesses. Either they have been told they need it and are not sure what it involves, they have been quoted a price that seems disproportionate to the size of their business, or they applied for it and failed and are not sure why.
This is a plain-English guide to what Cyber Essentials actually covers, who genuinely needs it, what it costs, and how to prepare for it without wasting money on a failed first attempt.
What is Cyber Essentials?
Cyber Essentials is a UK Government-backed certification scheme developed by the National Cyber Security Centre (NCSC) and now administered by IASME. It defines a set of five technical controls that, if correctly implemented, protect against the majority of common cyber attacks.
The scheme comes in two levels:
- Cyber Essentials (basic): A self-assessment questionnaire that you complete and submit to a certifying body, which independently verifies your responses. You certify that you meet the controls.
- Cyber Essentials Plus: Includes everything in the basic level plus hands-on technical testing by an approved assessor who independently verifies that the controls are actually in place. More rigorous and more valued.
The key word in the name is "Essentials." It is not a comprehensive security standard. It does not cover everything. It covers the essentials — the technical controls that address the most prevalent attack types and that all businesses of all sizes should be able to meet.
The five controls
Firewalls
All devices connected to the internet must have a properly configured firewall. For most small businesses this means the broadband router/firewall at the network boundary plus software firewalls on individual computers. Default configurations must be hardened — unnecessary ports closed, inbound connections blocked unless specifically permitted.
Secure configuration
Devices must not be in their factory default state. Default passwords must be changed, unnecessary accounts and services removed, and software and operating systems configured to minimise the attack surface. This control is one of the most frequently failed: a router or NAS device still using its default admin credentials will cause a failure.
Access control
User accounts must be managed properly. Standard user accounts for day-to-day work, admin accounts only used when admin rights are genuinely needed. Accounts for ex-employees removed promptly. Multi-factor authentication required for cloud services. The 2024 Cyber Essentials update tightened the MFA requirements significantly.
Malware protection
Devices must be protected against malicious software. The acceptable approaches differ by device type: anti-malware software, application allow-listing, or sandboxing. For Windows workstations, Microsoft Defender meets the requirement if properly configured. For other devices, you need to check whether your current protection meets the Cyber Essentials requirements specifically.
Patch management
Operating systems and software must be kept up to date. High-risk and critical patches must be applied within 14 days of release. Software that no longer receives security updates (end-of-life software) must be removed from scope or isolated. This is often where businesses discover they have a Windows version on a server or specialist machine that they did not realise was out of support.
Who needs Cyber Essentials?
You must have Cyber Essentials (at minimum basic level) to bid for central government contracts that involve handling sensitive personal information or providing certain technical products and services. The Crown Commercial Service publishes a list of contract types that require it.
Beyond the contractual requirement, there are strong practical reasons to pursue it:
- Cyber insurance: Many underwriters now require Cyber Essentials or offer significant premium discounts for holders. Some policies require it as a condition of cover for certain types of incident.
- Client and supply chain requirements: Larger clients in regulated industries — NHS, financial services, large corporates — are increasingly requiring Cyber Essentials from their supply chain. This is likely to increase, not decrease.
- GDPR compliance evidence: Certification demonstrates active, documented steps to protect personal data — relevant in the event of an ICO investigation following a breach.
- NHS work: Organisations that access NHS patient data must complete the Data Security and Protection Toolkit (DSPT), and Cyber Essentials is embedded within DSPT requirements.
If you are a solicitor, accountant, healthcare provider, recruitment agency, or any business in a supply chain to a regulated industry, Cyber Essentials is likely to become a practical requirement even if it is not currently mandatory for your specific situation.
What Cyber Essentials does not cover
Cyber Essentials is not a comprehensive security assessment. It does not cover:
- Physical security
- People and process (staff training, incident response procedures)
- Application security (the security of your websites or web applications)
- Internal network segregation beyond what is required for the five controls
- Specific industry compliance (PCI DSS, NHS DSP, SRA requirements)
Achieving Cyber Essentials is a meaningful baseline. It is not a guarantee of security. Businesses that treat certification as the end point rather than a starting point are missing the point.
What it costs
| Certification type | Typical cost | Notes |
|---|---|---|
| Cyber Essentials (basic) | £300–£500 | Varies by certifying body. IASME-accredited bodies only. |
| Cyber Essentials Plus | £1,500–£3,000 | Includes basic assessment plus hands-on technical testing. Scope affects price. |
| Pre-assessment gap audit | £750 (Wolds Cyber) | Independent audit before you apply. Identifies gaps so you pass first time. |
The cost of a failed assessment is the assessment fee plus the cost of fixing the identified gaps plus the cost of a re-assessment. For basic certification, a failed attempt typically costs £300–£500 plus remediation work plus another £300–£500 to resubmit. A pre-assessment audit that costs £750 and prevents a failed attempt pays for itself.
How to prepare
The most common reason businesses fail Cyber Essentials is that they did not know where their gaps were before they submitted. The five controls sound straightforward but the specifics matter — a router with a default password, an end-of-life Windows machine in scope, MFA not enabled on a cloud service — any single one of these causes a failure.
The sensible preparation sequence is:
- Get an independent assessment of your current posture against the five controls
- Fix identified gaps with your IT provider or in-house resource
- Submit for certification knowing you meet the requirements
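As an added example (not part of the original article, and not Wolds Cyber's own audit tooling), the readiness check below scores a constructed asset inventory against the five controls and lists the gaps that would fail an assessment: a disabled host firewall, default credentials, admin accounts used for daily work, missing MFA, missing anti-malware, an out-of-support operating system in scope, and critical patches still unapplied more than 14 days after release. The inventory fields, device names and patch identifiers are all made up for the example; the two end-of-support dates are taken from Microsoft's published lifecycle dates but should be verified against the vendor before you rely on them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials patch rule: high-risk/critical patches applied within 14 days of release.
PATCH_WINDOW_DAYS = 14

# Assumed end-of-support dates (Microsoft lifecycle); verify against the vendor before use.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}


@dataclass
class Patch:
    patch_id: str          # constructed identifier, not a real KB number
    released: date
    applied: Optional[date] = None


@dataclass
class Device:
    name: str
    os: str
    in_scope: bool = True
    firewall_enabled: bool = True
    default_credentials: bool = False
    daily_use_is_admin: bool = False
    mfa_on_cloud_accounts: bool = True
    anti_malware_active: bool = True
    patches: list = field(default_factory=list)


@dataclass
class Finding:
    device: str
    control: str
    detail: str


def assess_device(d: Device, today: date) -> list:
    """Map one device's recorded state onto the five control areas."""
    f = []
    if not d.firewall_enabled:
        f.append(Finding(d.name, "Firewalls", "host firewall disabled"))
    if d.default_credentials:
        f.append(Finding(d.name, "Secure configuration", "default credentials still in use"))
    if d.daily_use_is_admin:
        f.append(Finding(d.name, "Access control", "admin account used for day-to-day work"))
    if not d.mfa_on_cloud_accounts:
        f.append(Finding(d.name, "Access control", "MFA not enabled on cloud accounts"))
    if not d.anti_malware_active:
        f.append(Finding(d.name, "Malware protection", "no anti-malware, allow-listing or sandboxing"))
    eol = END_OF_SUPPORT.get(d.os)
    if eol is not None and eol <= today:
        f.append(Finding(d.name, "Patch management",
                         f"{d.os} out of support since {eol}; remove from scope or isolate"))
    for p in d.patches:
        due = p.released + timedelta(days=PATCH_WINDOW_DAYS)
        if p.applied is None and today > due:
            age = (today - p.released).days
            f.append(Finding(d.name, "Patch management",
                             f"{p.patch_id} unapplied {age} days after release (limit {PATCH_WINDOW_DAYS})"))
    return f


def assess(devices: list, today: date) -> list:
    """Out-of-scope devices are skipped, as they are for the certification itself."""
    findings = []
    for d in devices:
        if d.in_scope:
            findings.extend(assess_device(d, today))
    return findings


def by_control(findings: list) -> dict:
    grouped = {}
    for f in findings:
        grouped.setdefault(f.control, []).append(f)
    return grouped


# Constructed inventory for a small office; every value here is illustrative.
ASSESSMENT_DATE = date(2025, 3, 1)
SAMPLE_INVENTORY = [
    Device("reception-pc", "Windows 11",
           patches=[Patch("KB-EXAMPLE-0", date(2025, 2, 1), applied=date(2025, 2, 3))]),
    Device("office-router", "Vendor firmware", default_credentials=True),
    Device("label-printer-pc", "Windows 7"),
    Device("finance-laptop", "Windows 11", mfa_on_cloud_accounts=False,
           patches=[Patch("KB-EXAMPLE-1", date(2025, 2, 5)),      # 24 days old, unapplied
                    Patch("KB-EXAMPLE-2", date(2025, 2, 25))]),   # 4 days old, still inside window
    Device("old-nas", "Windows Server 2012 R2", in_scope=False),  # excluded, so not assessed
]

if __name__ == "__main__":
    for control, items in by_control(assess(SAMPLE_INVENTORY, ASSESSMENT_DATE)).items():
        print(control)
        for f in items:
            print(f"  {f.device}: {f.detail}")
```

Run against the sample inventory, the check reports four findings across three control areas: the router's default credentials, the Windows 7 machine in scope, and the finance laptop's missing MFA and overdue patch. The NAS produces nothing because it is out of scope, which is exactly the decision (isolate or exclude) the patch management control asks you to make for end-of-life kit.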
The Wolds Cyber Audit covers all five Cyber Essentials control areas as part of a broader network security assessment. We tell you what is in place, what is not, and what needs to change. You then go to a certifying body and pass the assessment.
Preparing for Cyber Essentials in York or Yorkshire?
A pre-assessment gap audit is £750. It covers all five control areas and more — so you know exactly where you stand before you submit.
The honest summary
Cyber Essentials is worth pursuing for most Yorkshire businesses that handle client data, operate in a regulated sector, or supply to larger organisations. It is a meaningful baseline, not a guarantee. The five controls address real attack vectors and meeting them demonstrably reduces your risk.
The mistake is submitting without knowing whether you will pass. The pre-assessment is not an optional extra. It is the step that makes the investment worthwhile.
Charles Cassam is the founder of Wolds Cyber Ltd, based in Pocklington, East Yorkshire. He provides independent network security audits and Cyber Essentials preparation for businesses in York and Yorkshire.