Plain-English guide

Cyber Essentials, explained

A plain-English reference to the UK Government-backed Cyber Essentials scheme. It answers what Cyber Essentials is, the five controls it covers, the difference between basic and Plus, what it costs, who needs it, and how to get certified, including what changed in the April 2026 Danzell update.

The basics

What is Cyber Essentials?

Cyber Essentials is a UK Government-backed certification scheme that shows your organisation has five basic technical security controls in place. It is designed to protect against the most common internet-based cyber attacks, the kind that target any organisation regardless of size or sector.

It comes in two levels. Basic Cyber Essentials is a self-assessment questionnaire, verified by a certification body. Cyber Essentials Plus covers the same five controls but adds a hands-on technical audit by an assessor. Certification lasts 12 months.

Who runs Cyber Essentials? Is it the NCSC or IASME?

Both, in different roles. Cyber Essentials was created by the National Cyber Security Centre (NCSC), part of GCHQ, which owns the scheme and sets the technical requirements. IASME is the sole Cyber Essentials Partner, the body the NCSC appointed to run the scheme day to day.

IASME accredits and oversees the network of certification bodies that actually carry out assessments and issue certificates. So the standard is the NCSC's, and the delivery sits with IASME and its accredited certification bodies.

What does Cyber Essentials actually protect against?

It protects against common, untargeted internet attacks: the automated scanning, phishing, and off-the-shelf malware that hit organisations at random rather than the sophisticated, targeted attacks aimed at a specific victim.

The five controls block the routes those attacks rely on, such as unpatched software, weak or default passwords, exposed services, and missing malware protection. Cyber Essentials is a strong baseline, not a complete security programme, and it does not claim to stop a determined, well-resourced attacker.

Is Cyber Essentials a legal requirement?

No. Cyber Essentials is voluntary and is not a law in itself. There is no general legal duty on UK businesses to hold it.

It is, however, often a contractual requirement. Many UK central government contracts mandate it under Procurement Policy Note 014, and a growing number of private buyers, insurers, and supply chains ask for it before they will work with you. So while you are not breaking the law without it, you may be locked out of certain contracts.

CE vs CE Plus

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both certify against the same five controls. The difference is how your compliance is checked. Basic Cyber Essentials is a self-assessment questionnaire that you complete and a certification body verifies. Cyber Essentials Plus keeps that questionnaire and adds an independent technical audit, where an assessor tests a sample of your devices, internet gateways, and internet-facing servers to confirm the controls really work.

In short, Cyber Essentials is your declaration; Cyber Essentials Plus is that declaration verified by hands-on testing. CE Plus gives buyers and insurers a higher level of assurance.

Do I need Cyber Essentials or Cyber Essentials Plus?

It depends on what your customers and contracts ask for. If no one is specifying a level, basic Cyber Essentials is the right starting point: it covers the same controls and gets you the certified status most buyers want. Choose Cyber Essentials Plus when a contract, framework, or insurer explicitly requires it, or when you want the stronger, independently tested assurance it provides.

A common route is to certify to basic Cyber Essentials first, then move to Plus once the controls are bedded in. You usually need a valid basic certificate before you can take the Plus audit. See how we handle both levels.

The five controls

What are the five Cyber Essentials controls?

The five controls are firewalls, secure configuration, security update management (patching), user access control, and malware protection. Together they cover the basics that block the bulk of common internet attacks. Both Cyber Essentials and Cyber Essentials Plus assess all five.

In short: keep a boundary between your network and the internet, set devices up safely, patch them, give people only the access they need, and stop malicious software running.

What does each of the five controls mean?

Firewalls: control the traffic between your devices and the internet, so only what you intend can get through.

Secure configuration: remove or disable unnecessary accounts, software, and default settings that create avoidable weaknesses.

Security update management: keep supported software up to date and apply high-risk fixes promptly.

User access control: give each person only the access they need and protect accounts with strong authentication.

Malware protection: use anti-malware, allow-listing, or sandboxing to stop malicious code running.

Cost and time

How much does Cyber Essentials cost?

There are two parts: the certification fee paid to the certification body, which is tiered by organisation size, and the cost of any preparation and support, such as getting your systems ready and being guided through the process. Cyber Essentials Plus costs more than basic because of the technical audit.

Wolds Cyber works to fixed, published prices (ex VAT): a standalone CE Gap Analysis at £750; CE Starter, for one to four users, at £795; standard CE at £1,250; CE Plus Micro, for one to nine users, at £2,495; and CE Plus Small, for ten to forty-nine users, at £2,995. See what each package includes.

How long does Cyber Essentials certification take?

If your controls are already in good shape, basic Cyber Essentials can be completed in a few days to a couple of weeks: most of the time goes on filling in the self-assessment accurately and the certification body's verification. Cyber Essentials Plus takes longer because it adds the technical audit and any remediation it uncovers.

The biggest variable is readiness. Organisations that need to fix gaps first, such as enabling MFA or sorting out patching, should allow more time. A gap assessment up front tells you realistically how far away you are.

Do I need it?

Who needs Cyber Essentials?

Any UK organisation that wants a recognised baseline of cyber security can benefit, and the scheme is designed with small and medium businesses particularly in mind. It is most relevant if you bid for public sector work, sit in a supply chain that asks for it, want to reassure customers, or are tidying up your own security posture.

Because the scheme covers fundamentals every organisation should have, the controls are worth implementing even if no one is formally requiring the certificate.

Does Cyber Essentials help with cyber insurance?

Yes, in two ways. Many insurers view Cyber Essentials favourably when assessing or pricing a cyber policy, because it evidences a basic security baseline. Some make it a condition of cover.

Separately, basic Cyber Essentials certification includes the option of free cyber liability insurance for UK-based organisations with annual turnover under £20 million, provided the whole organisation is certified. Cover levels are limited, so treat it as a useful extra rather than a substitute for a full cyber insurance policy. Always check the current terms with your certification body.

Does Cyber Essentials help with GDPR?

It helps, but it is not the same thing. UK GDPR requires you to have appropriate technical and organisational security measures for the personal data you hold. The five Cyber Essentials controls are a recognised way to demonstrate part of that technical baseline.

It does not, on its own, make you GDPR compliant. GDPR covers far more than technical controls: lawful basis, data subject rights, records, breach reporting, and more. Cyber Essentials is good supporting evidence for the security element, not a complete answer. See how we approach compliance.

Is Cyber Essentials needed for government contracts?

Often, yes. Under Procurement Policy Note 014, suppliers bidding for many UK central government contracts must hold Cyber Essentials, and Cyber Essentials Plus is required for higher-risk contracts, typically those involving sensitive or large volumes of personal data.

The requirement applies to central government departments, their agencies, and NHS bodies, and increasingly cascades down supply chains. If you are unsure whether a specific tender needs it, the contract notice or buyer will state the level required. Routine email correspondence alone does not trigger the Plus requirement.

The 2026 changes

What changed in the April 2026 (Danzell v3.3) update?

The Danzell update introduced version 3.3 of the NCSC Requirements for IT Infrastructure, mandatory for assessments purchased from 27 April 2026. The headline change is that multi-factor authentication (MFA) is now required for all cloud services, not just remote access. Auto-fail marking is stricter, and device and asset management requirements were tightened.

The five controls themselves did not change. Danzell raises the bar on how they are implemented and assessed, with cloud services explicitly in scope and unable to be excluded. Purchases made on or before 26 April 2026 still ran against the previous Willow question set.

Does Cyber Essentials require MFA now?

Yes. Under the Danzell v3.3 update, multi-factor authentication is mandatory for all cloud services your organisation uses where MFA is available, whether it is free, bundled, or a paid add-on. This is wider than the previous rules, which focused on remote access and administrative accounts.

If a cloud service you use offers MFA and you have not enabled it, that now causes an automatic fail. The practical first step before certifying is to inventory your cloud services and switch MFA on everywhere it is offered. Passwordless methods that meet the standard are accepted as a valid form of strong authentication.

Getting certified

How do I get Cyber Essentials certified?

You apply through an IASME-accredited certification body, complete the self-assessment questionnaire honestly, and submit it for verification. For Cyber Essentials Plus you then book the technical audit. Once you pass, you receive your certificate, valid for 12 months.

Most organisations do a gap assessment first to find and fix any shortfalls before submitting, which avoids a failed assessment. Wolds Cyber certifies against the current requirements via an IASME-accredited certification body, and the process is independent of who provides your IT. Start your certification.

What is assessed in Cyber Essentials?

The assessment checks your organisation against the five controls across everything in scope: end-user devices, servers, internet gateways, and cloud services that store or process your data. Cloud services cannot be left out of scope.

For basic Cyber Essentials this is done through the verified self-assessment questionnaire. For Cyber Essentials Plus, an assessor additionally tests a representative sample of devices and internet-facing systems, checking patch levels, configuration, account controls, and malware protection in practice rather than on paper.

What are the most common reasons businesses fail Cyber Essentials?

The usual culprits are missing or incomplete MFA on cloud services, unpatched or unsupported software, and devices still running default or insecure settings. Misjudging scope, for example leaving out home workers, cloud platforms, or BYOD devices, is another frequent cause.

Other common gaps are weak account controls, such as shared logins or unused admin accounts, and inaccurate questionnaire answers that do not match the real environment. Most failures come down to readiness, which is why a gap assessment before submission is worth doing.

How should I prepare for Cyber Essentials?

Start by listing everything in scope: all devices, servers, internet gateways, and cloud services, including home working and BYOD. Then work through the five controls and close the gaps: enable MFA on every cloud service, get patching under control, remove default and unnecessary settings, tighten user accounts, and confirm malware protection is active.

A structured gap assessment gives you an honest picture before you commit to the formal submission, so you are fixing issues in advance rather than failing the assessment and having to resubmit.

Does Cyber Essentials cover home working, cloud services, and BYOD?

Yes, all three are in scope and cannot simply be excluded. Home workers' devices that access organisational data, the cloud services you use to store or process data, and any bring-your-own-device equipment used for work all fall within the assessment.

Under the Danzell v3.3 update, cloud services are explicitly defined and must be in scope, and MFA applies to them. The practical implication is that you need a clear inventory of who works where, on what devices, and which cloud platforms hold your data before you certify.

How long does Cyber Essentials last and how does renewal work?

A Cyber Essentials certificate is valid for 12 months. When it expires the certified status ends, with no grace period, so you must recertify each year to keep displaying the badge and meeting contract or insurer requirements.

Renewal follows the same process as a first application: you complete the questionnaire again, against whatever version of the requirements is current, and submit it for verification; for Cyber Essentials Plus you also sit the technical audit again. Because your IT environment and the requirements both change over a year, renewal is a genuine reassessment, not a rubber stamp.

Ready to get Cyber Essentials certified?

The first step is a free 15-minute call. We confirm your organisation size, the right price band, and what the process involves, before any work starts. No commitment, no obligation.

Not sure where you stand? Take our free Cyber Essentials self-check first.

Or call us: 01759 686 660  ·  Email: [email protected]