The NCSC Cyber Essentials Scheme: Everything You Need to Know

Cyber Essentials is the UK Government's baseline standard for cyber security. Developed by the National Cyber Security Centre (NCSC), it sets out five practical technical controls designed to protect organisations against the most common internet-based threats. Since launching in 2014, the scheme has become central to supply-chain assurance across public and private sectors alike.

This guide covers the scheme's structure, the five controls, how certification works, and where it fits alongside Cyber Essentials Plus and penetration testing. Whether you're a security manager reviewing your own posture or a procurement lead vetting suppliers, it should give you a solid grounding.

What Is the Cyber Essentials Scheme?

Cyber Essentials is a government-backed certification scheme that defines a minimum standard of cyber security for UK organisations of any size, from sole traders to large enterprises.

It focuses on preventing common, low-sophistication attacks: the kind that exploit known vulnerabilities, weak configurations, or poor access controls rather than anything particularly advanced. The NCSC's position is that implementing the five controls can significantly reduce an organisation's exposure to these threats.

Holding a valid certificate signals to customers, partners, and regulators that you've addressed the fundamentals. For many public sector contracts, it's not optional. Procurement Policy Note 09/23 (PPN 09/23) requires suppliers bidding for certain government contracts to hold a current Cyber Essentials certificate.

Who Runs the Scheme?

Three bodies share responsibility:

The NCSC defines the technical requirements and maintains the standards. It sets the rules but doesn't directly assess or certify anyone.

The IASME Consortium is the NCSC's appointed delivery partner. IASME manages the certification ecosystem, licenses Certification Bodies, and handles quality assurance.

Certification Bodies are independent organisations licensed by IASME to assess applicants. At the basic level they verify self-assessment questionnaires. For Plus, they conduct hands-on technical audits.

So the NCSC sets the standard, IASME ensures consistency, and Certification Bodies do the day-to-day work of assessment.

The Five Technical Controls

The entire scheme is built around five areas. Each one addresses a common attack vector in plain, practical terms.

Firewalls and Internet Gateways

Every internet-connected device needs a boundary between itself and potential attackers. Firewalls, whether hardware appliances at the network edge or software firewalls on individual machines, control what traffic is allowed in and out. The scheme requires that only necessary network services are accessible from the internet and that default rules block unauthorised access.

Secure Configuration

Out-of-the-box settings for computers, servers, and software are typically designed for convenience, not security. Secure configuration means changing default passwords, removing unnecessary software and user accounts, and disabling features you don't need. The goal is to reduce the attack surface so each system exposes only what's required for its function.

Access Control

Not every user needs access to every system. The scheme requires organisations to follow the principle of least privilege: users get only the permissions their role demands. This includes unique accounts per user, separation of admin accounts from everyday accounts, and controls over who can install software or change system settings.

Malware Protection

Malicious software, including ransomware, trojans, and spyware, remains one of the most common threats to UK organisations. The scheme requires at least one of: anti-malware software kept up to date, application whitelisting (only approved software can run), or sandboxing (isolating untrusted applications). Most organisations rely on anti-malware as their primary defence.

Security Update Management (Patching)

Software vendors regularly release patches for known vulnerabilities. Unpatched systems let attackers exploit publicly documented weaknesses. The scheme requires organisations to keep operating systems, applications, and firmware current, with critical and high-severity patches applied within 14 days of release.
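The 14-day window above is the one number in the scheme that an organisation can mechanically check itself. The script below is an added example, not part of the original article or of any NCSC or IASME tooling: it takes an inventory of pending updates (the layout of the records, the host and package names and the release dates are all constructed for this example) and reports which critical or high-severity patches have passed the 14-day deadline, so the list can be compared against what a Plus assessor would sample.

```python
from datetime import date

# The 14-day figure is the scheme's own requirement for critical and
# high-severity patches; the severity labels and record layout below are
# assumptions made for this example.
DEADLINE_DAYS = 14
IN_SCOPE_SEVERITIES = {"critical", "high"}

# Constructed sample inventory: one record per (host, pending package).
# Hosts, packages and dates are invented for illustration.
SAMPLE_PENDING = [
    {"host": "ws-01", "package": "browser", "severity": "critical", "released": date(2024, 3, 1)},
    {"host": "ws-01", "package": "office-suite", "severity": "high", "released": date(2024, 3, 20)},
    {"host": "srv-02", "package": "kernel", "severity": "high", "released": date(2024, 3, 10)},
    {"host": "srv-02", "package": "fonts", "severity": "low", "released": date(2024, 1, 1)},
]
TODAY = date(2024, 3, 30)  # fixed "assessment date" so the run is repeatable


def overdue_patches(pending, today):
    """Return the in-scope pending updates that breach the 14-day window.

    Each record needs the keys host, package, severity and released (a date).
    Lower-severity updates are ignored here: the scheme's deadline applies
    to critical and high only, although vendors still expect them applied.
    The result is sorted with the most overdue item first.
    """
    overdue = []
    for p in pending:
        if p["severity"].lower() not in IN_SCOPE_SEVERITIES:
            continue
        age = (today - p["released"]).days
        if age > DEADLINE_DAYS:
            overdue.append({**p, "age_days": age, "days_over": age - DEADLINE_DAYS})
    return sorted(overdue, key=lambda p: p["days_over"], reverse=True)


def is_compliant(pending, today):
    """True when no critical/high update is older than the deadline."""
    return not overdue_patches(pending, today)


def summary(pending, today):
    """Per-host count of overdue patches, useful for a quick status table."""
    counts = {}
    for p in overdue_patches(pending, today):
        counts[p["host"]] = counts.get(p["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for p in overdue_patches(SAMPLE_PENDING, TODAY):
        print(f'{p["host"]:8} {p["package"]:14} {p["severity"]:9} '
              f'{p["age_days"]:3}d old, {p["days_over"]:2}d past deadline')
    print("compliant:", is_compliant(SAMPLE_PENDING, TODAY))
```

In practice the `pending` list would be fed from the patch-management or vulnerability-scanning tool already in use; the value of a check like this is that it turns the scheme's deadline into a daily pass/fail figure rather than a statement made once a year on the questionnaire.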

How Certification Works

There are two levels, each renewed annually.

Cyber Essentials (Basic)

This is a verified self-assessment:

  1. The organisation completes an online questionnaire covering its implementation of the five controls.
  2. A board-level representative signs off the submission, confirming its accuracy.
  3. A licensed Certification Body reviews the responses.
  4. If the answers demonstrate compliance, the organisation receives its certificate.

This confirms that an organisation claims to have the controls in place and that an assessor has reviewed those claims. It does not involve any technical testing of live systems.

Cyber Essentials Plus

Plus builds on the basic certificate with a hands-on technical audit. You must hold a valid basic certificate before applying.

The Plus assessment typically involves remote vulnerability scanning of internet-facing systems, sampled testing of devices and servers to verify controls are actually working (checking anti-malware is active, accounts are properly configured, patches applied), and verification against the Cyber Essentials Plus Test Specification (currently v3.2).

Because it tests live systems, Plus provides stronger evidence that controls are genuinely in place rather than just documented. For a fuller comparison, see our guide on Cyber Essentials vs Cyber Essentials Plus.

What the Scheme Covers and What It Doesn't

Understanding the scope and limitations matters as much as understanding the controls.

The scheme covers the five technical controls within a defined scope (a legal entity or a specific part of an organisation), gives a snapshot of security posture at the time of assessment, and provides a standardised, repeatable baseline comparable across organisations and sectors. It's useful for basic supply-chain assurance in procurement.

But there's plenty it doesn't touch. It includes no web application penetration testing for vulnerabilities like SQL injection or cross-site scripting. There's no internal network penetration testing simulating an attacker who's already inside. Operational processes like incident response, security monitoring, staff training, and business continuity sit outside the scope entirely. It's not a substitute for comprehensive standards like ISO 27001. And third-party cloud services aren't automatically included unless explicitly brought into scope.

Put simply, Cyber Essentials confirms that basic hygiene controls are in place. It doesn't assess whether an organisation can detect, respond to, or recover from a sophisticated attack.

How Cyber Essentials Compares with Penetration Testing

These serve different purposes, and one doesn't replace the other.

Cyber Essentials establishes a technical baseline. It asks: "Are the five fundamental controls in place?" The assessment checks for known weaknesses across a broad surface area: patching, configuration, access controls.

Penetration testing is a targeted exercise that simulates real adversary behaviour. A tester probes specific systems, applications, or networks to find complex vulnerabilities and exploit chains that a baseline assessment wouldn't uncover. The scope might include web applications, APIs, internal networks, cloud infrastructure, or other assets.

For UK buyers, the practical distinction is straightforward. Cyber Essentials confirms a supplier has addressed the basics and is a reasonable minimum for low-to-medium risk engagements. Penetration testing is appropriate when you need assurance about specific higher-risk systems, say a customer-facing web application handling sensitive data or a newly deployed cloud environment.

Many organisations hold certification and commission regular penetration tests. Certification covers the broad baseline; penetration testing provides depth on targeted assets. If you want to understand the investment involved, our guide on penetration testing costs breaks that down.

Practical Tips for UK Buyers

If you're using Cyber Essentials in supplier assurance or procurement, a few things are worth paying attention to.

Check the Scope

A certificate applies to a defined scope. Some organisations certify their entire business; others certify only a department or subsidiary. Ask what's covered and confirm it includes the systems and services relevant to your contract.

Verify Currency

Certificates are valid for 12 months. An expired certificate tells you nothing. You can check a supplier's current status through the NCSC's online directory.

Match the Level to the Risk

For lower-risk contracts where the supplier doesn't handle sensitive data, basic Cyber Essentials may be enough. If suppliers handle personal data, access your internal systems, or provide critical services, Plus gives you stronger assurance through its technical audit. For high-risk or bespoke systems, consider requiring penetration testing evidence alongside certification.

Treat It as a Starting Point

Cyber Essentials works best as part of a broader approach that includes vulnerability management, incident response planning, and ongoing monitoring. Organisations that treat certification as a box-ticking exercise may meet the standard on paper while still carrying significant risk.

Frequently Asked Questions

Is Cyber Essentials mandatory?

For suppliers bidding on certain UK government contracts involving sensitive or personal information, yes, as set out in PPN 09/23. Outside government procurement it's voluntary, though private sector buyers increasingly expect it as a minimum.

How long does certification take?

For basic Cyber Essentials, most organisations can complete the questionnaire and get a decision within a few days to a couple of weeks, depending on the Certification Body's capacity and how ready the organisation is. Plus typically takes two to four weeks from initial engagement to certification because of the technical audit.

How much does it cost?

Basic Cyber Essentials typically costs a few hundred pounds. Plus is more expensive because of the hands-on testing, generally ranging from around £1,000 to several thousand pounds depending on scope and complexity. Costs vary by Certification Body and organisation size.

Does Cyber Essentials cover cloud services?

Cloud services (IaaS, PaaS, SaaS) can be included, but it depends on how the assessment is scoped. Your responsibilities under the shared responsibility model, like configuring access controls and patching virtual machines, are assessed. The cloud provider's underlying infrastructure typically isn't.

Can Cyber Essentials replace a penetration test?

No. They assess different things at different depths. Certification confirms baseline controls are in place. Penetration testing identifies specific vulnerabilities through active exploitation. For most organisations, both have a role within a mature security programme.