You’ve probably come across Cyber Essentials at some point — maybe a client asked whether you hold it, or it came up when you were applying for a government contract. But what is it actually, what does getting certified involve, and is it worth your time and money? Let me break it down without the jargon.
What Cyber Essentials is
Cyber Essentials is a UK government-backed cybersecurity certification scheme, administered by the NCSC and assessed by certifying bodies accredited by IASME. It sets a baseline of five technical security controls that organisations should have in place:
Firewalls (including making sure your internet-connected devices aren’t unnecessarily exposed), secure configuration (changing default passwords, disabling services you don’t need), access control (people only having the access they actually need), malware protection, and patch management (keeping software and operating systems up to date).
These aren’t exotic security controls. They’re the basics. But the uncomfortable reality is that a significant proportion of UK businesses — including many small ones — don’t have them consistently in place. NCSC data consistently shows that the majority of successful cyberattacks exploit failures in exactly these areas: default credentials, unpatched software, employees with more access than they need.
Cyber Essentials also comes in a Plus variant, which includes an independent technical assessment by a qualified auditor. Cyber Essentials Plus costs more (typically £1,500–£2,500 for a small business) and carries more credibility, particularly in supply chains that require it.
What certification actually involves
For standard Cyber Essentials (the self-assessed version), you complete an online questionnaire about your IT setup and answer questions about each of the five control areas. A certifying body reviews your answers and either awards certification or tells you what needs to change. The whole process, if your IT is reasonably well-maintained, can be done in a day or two.
If you discover gaps during the process — and some organisations do — it’s actually a useful prompt to fix them. That’s part of the point.
The costs in 2026 are £330+VAT for micro organisations (1–9 employees), £400+VAT for small organisations (10–49), and £450+VAT for medium (50–249). These fees go to the certifying body. Certification is valid for one year, after which you renew.
The April 2026 changes worth knowing about
The Cyber Essentials scheme updated its requirements (to version 3.3) in April 2026, and there are a couple of changes that could catch businesses out.
MFA is now mandatory on all cloud services that offer it. If you’re using Microsoft 365, Google Workspace, or any other cloud platform without multi-factor authentication enabled, you’ll fail the assessment. There’s no exception for “we don’t think MFA is necessary for this service.” If the cloud service offers MFA — and most do — you have to use it. This is a reasonable requirement, not a burdensome one, but if you haven’t sorted your MFA situation yet, get that done before you attempt certification.
Cloud services are also more formally defined now and can’t be excluded from your certification scope just because they’re cloud-based. Previously, some organisations got away with a narrow scoping that excluded SaaS tools from the assessment. That loophole is closed.
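To make the five control areas and the April 2026 MFA and cloud-scope rules concrete, here is an added example (not the NCSC's or IASME's questionnaire, and not code from this article) that runs a gap check over a small constructed inventory of devices, user accounts and cloud services. The inventory layout, the 14-day patch window and the device and service names are assumptions made for illustration; the check simply reports, per control area, where the baseline is not met.

```python
"""Cyber Essentials-style self-assessment gap check over a constructed inventory.

Added example only: this is not the official assessment questionnaire. The
inventory shape, the 14-day patch window and all sample names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

PATCH_WINDOW_DAYS = 14  # assumed window for applying security updates


@dataclass
class Device:
    name: str
    firewall_enabled: bool
    default_password_changed: bool
    unused_services: list[str] = field(default_factory=list)
    malware_protection: bool = True
    last_patched: date = date(2026, 1, 1)
    os_supported: bool = True


@dataclass
class Account:
    user: str
    is_admin: bool
    used_for_daily_work: bool


@dataclass
class CloudService:
    name: str
    mfa_available: bool
    mfa_enforced: bool
    in_scope: bool


def assess(devices, accounts, cloud_services, today):
    """Return (control_area, asset, reason) findings for every unmet control."""
    findings = []
    for d in devices:
        if not d.firewall_enabled:
            findings.append(("firewalls", d.name, "host firewall disabled"))
        if not d.default_password_changed:
            findings.append(("secure configuration", d.name, "default password still in use"))
        if d.unused_services:
            findings.append(("secure configuration", d.name,
                             "unneeded services enabled: " + ", ".join(d.unused_services)))
        if not d.malware_protection:
            findings.append(("malware protection", d.name, "no malware protection"))
        # An unsupported OS cannot be patched at all, so it is reported instead of patch age.
        if not d.os_supported:
            findings.append(("patch management", d.name, "operating system no longer receives updates"))
        elif (today - d.last_patched).days > PATCH_WINDOW_DAYS:
            findings.append(("patch management", d.name,
                             f"last patched {(today - d.last_patched).days} days ago"))
    for a in accounts:
        # Least privilege: admin accounts should not double as everyday user accounts.
        if a.is_admin and a.used_for_daily_work:
            findings.append(("access control", a.user, "administrative account used for everyday work"))
    for c in cloud_services:
        # v3.3: cloud services cannot be scoped out, and MFA must be used wherever offered.
        if not c.in_scope:
            findings.append(("scope", c.name, "cloud service excluded from scope"))
        if c.mfa_available and not c.mfa_enforced:
            findings.append(("access control", c.name, "MFA available but not enforced"))
    return findings


def summarise(findings):
    """Count findings per control area."""
    by_control: dict[str, int] = {}
    for control, _, _ in findings:
        by_control[control] = by_control.get(control, 0) + 1
    return by_control


def sample_inventory():
    """Constructed inventory for a fictional small office (assumed values)."""
    devices = [
        Device("laptop-01", True, True, [], True, date(2026, 4, 27), True),
        Device("office-router", True, False, ["telnet"], True, date(2026, 3, 21), True),
        Device("reception-pc", False, True, [], False, date(2026, 4, 28), False),
    ]
    accounts = [
        Account("alice", is_admin=True, used_for_daily_work=False),
        Account("bob", is_admin=True, used_for_daily_work=True),
        Account("carol", is_admin=False, used_for_daily_work=True),
    ]
    cloud = [
        CloudService("Microsoft 365", mfa_available=True, mfa_enforced=True, in_scope=True),
        CloudService("payroll-saas (assumed)", mfa_available=True, mfa_enforced=False, in_scope=False),
    ]
    return devices, accounts, cloud


def run_example(today=date(2026, 4, 30)):
    devices, accounts, cloud = sample_inventory()
    return assess(devices, accounts, cloud, today)


if __name__ == "__main__":
    results = run_example()
    for control, asset, reason in results:
        print(f"[{control}] {asset}: {reason}")
    print(summarise(results))
```

Every finding maps back to one of the five control areas (or to the scoping rule), which is how the self-assessment questions are grouped; running a check like this against your own asset list before you pay the certifying body tells you what to fix first.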
The free cyber insurance
This is genuinely useful and often undersold. When you achieve Cyber Essentials certification, IASME automatically provides cyber liability insurance worth up to £25,000 at no additional cost. For a small business, that covers a meaningful chunk of the costs associated with a typical cyber incident — forensic investigation, notification of affected individuals, regulatory advice, data recovery.
You wouldn’t pay for a certificate if you were just getting a PDF to hang on the wall. But combined with insurance you’d otherwise need to buy separately, the value proposition changes significantly.
When you actually need it
Government contracts: since October 2023, Cyber Essentials certification has been mandatory for many UK public sector contracts, particularly those involving sensitive data or ICT services. If you supply to the NHS, local councils, or central government, you may already need it. Check the specific procurement requirements for any contracts you’re pursuing.
Enterprise supply chains: large private sector companies are increasingly requiring their suppliers to hold Cyber Essentials as a condition of their procurement process. It’s become a common entry requirement in sectors like financial services, legal, and professional services. If you’re trying to win business with a larger company and they ask whether you’re Cyber Essentials certified, not having it puts you at a disadvantage.
Insurance: some cyber insurers are beginning to use Cyber Essentials certification as a factor in risk assessment. Being certified may help with premiums or eligibility, though the market is still developing here.
Should you bother?
If you want to supply to government or are in a supply chain that requires it: yes, you need it. That’s not really a choice.
If you’re a micro business with no ambitions in that direction: the honest answer is that the certification process is a useful prompt to review your security controls, and the free insurance might be worth more than the assessment fee. Many small businesses that go through the process discover something worth fixing. Whether you display the badge or not is almost secondary.
What Cyber Essentials won’t do is make you immune to cyberattacks. It covers the basics, not everything — but the basics, consistently applied, prevent most of the attacks that hit small businesses. That’s a reasonable return on a few days of effort and a few hundred pounds.
Check the NCSC’s website for the list of accredited certifying bodies and find one that offers support for organisations going through the process for the first time — some do, and it makes the self-assessment questionnaire considerably less stressful.