What is Cyber Essentials?

What is Cyber Essentials

You’ve heard that it’s something your business needs, but what is Cyber Essentials? Get your answers here as we explain what it is, how to get certified, and whether it’s worth it.

The Cyber Essentials scheme is a government-created scheme designed to help SMEs stay protected and productive in a world of increasing cyber threats.

The certification gives you a solid cybersecurity foundation to build upon. And it’s highly recommended for SMEs because it protects you against 98.5% of the most common cyber threats.

In a nutshell, Cyber Essentials includes two things:

  1. Five controls every business needs to mitigate the risk from common cybersecurity threats
  2. A mechanism for SMEs to show customers, investors, and insurers that they’re serious about cybersecurity

Who runs Cyber Essentials?

Cyber Essentials was created by the National Security Centre (NCSC). The NCSC was assembled in 2016 and combines expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure. They’ve pooled their collective knowledge into a cybersecurity certification that any business can access.

Want to protect your business from 98.5% of cyber threats? Get Cyber Essentials certified today.

What areas does Cyber Essentials cover?

Cyber Essentials covers five key areas of cybersecurity across your IT infrastructure. It even covers common outliers, like thin clients, BYOD, and home working devices. The certification is updated as new technology becomes commonplace to keep pace with today’s working world.

The five Cyber Essentials controls

  1. Firewalls. The boundary defences of your networks
  2. Secure configuration. Security measures for building or installing devices
  3. User access control. Managing user access and admin rights
  4. Malware protection. Protection from malicious software
  5. Patch management. Making sure all systems are updated correctly

How it works

The Cyber Essentials Certification is a self-serve activity. All you have to do is complete a self-assessment questionnaire and submit it via an online portal. The assessment questionnaire is about 30 pages long and is broken up into 8 sections. It includes questions like:

A4.7. Have you configured your boundary firewalls so that they block all other services from being advertised to the internet? By default, most firewalls block all services from inside the network from being accessed from the internet, but you need to check your firewall settings.

On average, we’ve found that it takes small businesses around 2 weeks to complete an assessment. When you submit your assessment, the certification body reviews and grades your application. They have a ‘pass/fail’ system, so once you’ve passed, you’re good to go.

What happens if you fail?

If you fail your certification the first time around, don’t panic. You’ll get feedback from the assessor, so you know what you need to address. They give you two working days to resolve any issues and resubmit for further review without any further cost. If you don’t get the fixes done in time, you may be charged again.

You can avoid this scenario with the support of a Cyber Essentials certification provider. With this support, you can be certified in as little as 24 hours.

How long does the certification last for?

Cyber Essentials certification lasts for 12 months. During that time, your business can be listed on the NCSC’s Cyber Essentials Certification search, so potential customers or investors can confirm your due diligence to cybersecurity. After 12 months, you must reapply to renew your certification.

Is it worth having?


The sad truth is that every business, no matter how small, could be connected to the target of a cyberattack. Suppliers, third-party vendors, and large organisations exist in an interconnected ecosystem. An attack on one part of that ecosystem could affect anyone in the supply chain.

That’s why we believe that Cyber Essential is worth having. It’s a low-effort way for any SME to go from 0% protection to 98.5% protection from the most common cyber threats. In as little as 24 hours, you can transform your IT security.

It’s mandatory for some businesses to have Cyber Essentials. If your business wants to secure government or MOD contracts, Cyber Essentials is… well, essential.

PwC revealed that 85% of consumers “wish there were more companies they could trust with their data”. And in the B2B space, more than 25% of businesses expect double-digit growth in cyber budgets in 2022. So you can bet that they’ll look hard at their potential vendors and suppliers, too.

And while Cyber Essentials isn’t a panacea for all cyber threats, it provides a valuable set of controls that deliver cost-effective cybersecurity for any business. With this foundation and protection from over 98% of common cyber threats, you can start to grow your business with confidence.

So, is Cyber Essentials right for your business? That depends on what your business goals are. But, if you want to…

  • …protect your business from the most common cyberattacks
  • …be certified and visible on a public register 
  • …win new business by displaying your cybersecurity credentials
  • …have a clear picture of your business’s cybersecurity

…then Cyber Essentials is for you.

CTA button