
Cyber Essentials certification for UK SMEs
A government-backed security baseline, and a practical first step we can help you take properly.
Most businesses don't come to Cyber Essentials because they want to. An insurer asks for it at renewal, a customer writes it into a contract, or a public-sector tender makes it a condition of bidding. Then the questions start. Is it necessary? What does it involve? What will it cost, and will we pass? This page answers those questions plainly, and explains how we help SMEs get certified without turning it into a project that swallows the year.
What Cyber Essentials is
Cyber Essentials is a UK government-backed certification scheme. It is run by IASME, the body the National Cyber Security Centre appointed to deliver it. The scheme sets a baseline of five technical controls that, between them, stop most common internet-borne attacks. These are the opportunistic, automated attacks that make up the bulk of what an SME will ever face.
Certification gives you a verifiable badge that says you meet that baseline, and that badge has become the main reason companies pursue it. Cyber insurers increasingly expect it before they will quote competitively. Central government requires it for contracts that handle certain types of data, and that requirement flows down through supply chains to companies that have never sold to government directly. If a customer or an insurer has asked you for evidence of basic security controls, Cyber Essentials is almost always what they mean.
The five controls
Certification is assessed against five control areas. None of this is exotic. The controls are deliberately basic. Where SMEs come unstuck is rarely the concept. It is the detail and the evidence the assessment asks for.
Firewalls
Keep your internal networks separated from the internet, with sensible boundary rules between them.
Secure configuration
Devices and software set up deliberately, rather than left on the defaults the vendor shipped them with.
Security update management
Everything patched, on time. Unpatched software remains one of the most common ways attackers get in.
User access control
Who can do what, scoped tightly. Administrator rights kept with the people who genuinely need them.
Malware protection
Anti-malware and application controls on every device that touches your data.
The assessment asks specific questions about each. A vague answer fails.
What changed in April 2026
The scheme is updated each year. If your assessment account was created before 27 April 2026 you have a six-month window to certify against the older version; accounts created after that date are assessed against version 3.3. If you certified a year or two ago and assumed recertification would be a formality, check the three changes below before you renew.
MFA is mandatory
Where a cloud service offers multi-factor authentication and you have not switched it on, that is an automatic fail rather than a point to argue.
Cloud services in scope
Any service that holds your company or customer data has to be included, not quietly left out of the assessment.
Passwords tightened
Minimum length of twelve characters where a password is used on its own without a second factor.
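The three rules above are simple enough to turn into a sense-check you can run over your own inventory before you pay the assessment fee. The script below is an added illustration, not IASME's question set or any official assessment logic: it encodes the three changes exactly as stated here (MFA offered but off is a fail, data-holding cloud services must be in scope, twelve-character minimum where no second factor is used) and runs them against a constructed inventory. The field names, rule codes and sample services are all assumptions.

```python
"""Readiness sense-check for the three 2026 Cyber Essentials changes.

Added example, not IASME's assessment logic. Every name below (the
CloudService fields, the rule codes, the sample inventory) is constructed.
"""
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 12  # 2026 rule: twelve characters where no second factor is used


@dataclass(frozen=True)
class CloudService:
    """One cloud service as you would record it for the assessment (assumed fields)."""
    name: str
    holds_data: bool           # holds company or customer data
    in_scope: bool             # declared in the assessment
    offers_mfa: bool           # the provider can enforce MFA
    mfa_enabled: bool          # MFA actually switched on for users
    password_min_length: int   # minimum length the service enforces, in characters


def check_service(svc: CloudService) -> list[tuple[str, str]]:
    """Return (service name, rule code) findings for one service.

    Rule codes are constructed labels:
      SCOPE    - holds company/customer data but left out of the assessment
      MFA      - MFA is offered but not switched on (automatic fail)
      PASSWORD - password used on its own and shorter than twelve characters
    """
    findings = []
    if svc.holds_data and not svc.in_scope:
        findings.append((svc.name, "SCOPE"))
    if svc.offers_mfa and not svc.mfa_enabled:
        findings.append((svc.name, "MFA"))
    # The length rule only applies where the password stands alone. A service
    # with MFA on can keep a shorter policy; one with no MFA at all cannot.
    if not svc.mfa_enabled and svc.password_min_length < MIN_PASSWORD_LENGTH:
        findings.append((svc.name, "PASSWORD"))
    return findings


def readiness_report(services: list[CloudService]) -> dict:
    """Aggregate findings across the inventory; 'ready' is True only with none."""
    findings = [f for svc in services for f in check_service(svc)]
    return {"ready": not findings, "findings": findings}


# Constructed sample inventory covering the edge cases of each rule.
SAMPLE_SERVICES = [
    # MFA on, so the eight-character policy is acceptable under the rule as stated.
    CloudService("Mail", holds_data=True, in_scope=True,
                 offers_mfa=True, mfa_enabled=True, password_min_length=8),
    # No MFA available: not an MFA fail, but the password now stands alone and is too short.
    CloudService("Legacy portal", holds_data=True, in_scope=True,
                 offers_mfa=False, mfa_enabled=False, password_min_length=10),
    # Holds data but omitted from scope, and MFA offered but off: two findings.
    CloudService("File share", holds_data=True, in_scope=False,
                 offers_mfa=True, mfa_enabled=False, password_min_length=14),
    # Public status page with no company data: nothing to report.
    CloudService("Status page", holds_data=False, in_scope=False,
                 offers_mfa=True, mfa_enabled=True, password_min_length=16),
]


if __name__ == "__main__":
    report = readiness_report(SAMPLE_SERVICES)
    print("ready:", report["ready"])
    for name, rule in report["findings"]:
        print(f"  {name}: {rule}")
```

Run it against your real inventory by replacing SAMPLE_SERVICES; a single finding means there is something to fix before the assessor sees it. The PASSWORD check deliberately keys off whether MFA is enabled rather than offered, because a service that cannot do MFA still has to meet the twelve-character rule.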
We have a fuller write-up of what changed in the 2026 update in our insights section.
Cyber Essentials and Cyber Essentials Plus
Cyber Essentials comes in two levels. The standard certification is a verified self-assessment: you answer the question set, a qualified assessor reviews it, and you are certified if it meets the mark. Cyber Essentials Plus covers the same five controls, but an assessor independently tests a sample of your systems rather than taking your word for it. It is the stronger credential, and some insurers and customers ask for it by name.
The IASME certification fee is set by organisation size. In 2026 it runs from around £330 plus VAT for the smallest organisations to £500 plus VAT for the largest at the standard level, with Cyber Essentials Plus testing charged separately. The fee is only part of the picture, though. For most businesses the real cost is the preparation: finding the gaps, fixing them, and gathering the evidence. That is the part we help with.
How we help
We begin by assessing whether you need this, and at which level. If standard Cyber Essentials is enough for your situation, we will not talk you into Plus. If your customers are heading towards ISO 27001 and Cyber Essentials is a stepping stone, we will say so, so you spend once rather than twice.
From there we work the way that suits you. Some clients want a readiness review and a clear list of what to fix, then handle the remediation with their own IT team or MSP. Others want us to do the hands-on work: configuring MFA and conditional access, sorting out patching, tightening admin rights, and getting the evidence in order. We are happy doing either. We provide practical, hands-on support, not just advisory reports.
If Cyber Essentials turns out to be the start of something larger, it connects naturally to our security assessment work and, for businesses that need ongoing security leadership, to a vCISO retainer.
Ready for Certification?
The quickest way to find out where you stand is a conversation. Book a free 60-minute call and we will talk through your situation, what certification would involve, and whether it is the right move now.