Cyber Essentials is a United Kingdom government-backed cyber security certification scheme for organisations. It is intended as a minimum baseline standard of protection against common internet-based cyber threats and is organised around five technical controls: firewalls, secure configuration, security update management, user access control, and malware protection.[1][2]
The scheme was launched by the UK government in 2014 and is overseen by the National Cyber Security Centre (NCSC). Since 2020, IASME has acted as the NCSC's Cyber Essentials delivery partner, managing the scheme's network of certification bodies and assessors.[3]
Certification is annual. Organisations can certify by completing a verified self-assessment, by using paid support from a Cyber Advisor or Certification Body, or by completing the higher-assurance Cyber Essentials Plus route. Cyber Essentials Plus uses the same technical requirements but adds independent technical testing of the organisation's systems.[4]
Purpose
The NCSC describes Cyber Essentials as the minimum cyber security standard recommended by the UK government for organisations of all sizes.[1] The scheme is designed to reduce exposure to common internet-based attacks by requiring a defined set of baseline controls rather than a full information security management system.
The scheme is also used for assurance. GOV.UK states that holding an up-to-date Cyber Essentials certificate enables businesses to bid for government contracts where handling financial or personal data is involved, and that the scheme is increasingly used by businesses, including UK banks, as part of supply-chain security.[5]
Administration
The scheme is overseen by the NCSC. IASME is the official Cyber Essentials delivery partner and manages a network of licensed cyber security organisations across the United Kingdom that provide certification, advice, and assessment services.[1][4]
Cyber Advisors are assured by the NCSC to provide practical support to small and medium-sized organisations implementing the five controls. Certification Bodies deliver assessment and certification; some are also qualified to conduct Cyber Essentials Plus audits.[4]
Certification levels
Cyber Essentials
Cyber Essentials is based on a verified self-assessment questionnaire. An applicant prepares its answers, pays for the assessment, and submits the questionnaire through the assessment platform. A senior person in the organisation must confirm that the answers are accurate. A qualified assessor then reviews the submission and may request clarification or changes before a certificate is issued.[4]
As of May 2026, Cyber Essentials pricing is tiered by organisation size and starts at £320 plus VAT for organisations with 0-9 employees.[4]
Cyber Essentials Plus
Cyber Essentials Plus is based on the same technical requirements as Cyber Essentials, but includes an independent technical audit to verify that the controls are in place. IASME states that the audit covers a representative set of user devices, all internet gateways, and all servers with services accessible from the internet. The verified Cyber Essentials self-assessment is a prerequisite for Cyber Essentials Plus.[4]
Scope
Cyber Essentials can cover an organisation's whole IT infrastructure or a well-defined and separately managed subset. The scope must define the business unit, network boundary, and physical location, and must be agreed with the Certification Body before assessment begins.[2]
The v3.3 requirements, applying to assessment accounts created after 26 April 2026, state that a scope excluding end-user devices is not acceptable. Corporate and bring-your-own-device (BYOD) home or remote working devices used for the organisation's business are in scope. Cloud services that host the organisation's data or services must also be in scope and cannot be excluded.[2][6]
For cloud services, the applicant remains responsible for ensuring that the Cyber Essentials controls are implemented, although some controls may be implemented by the cloud provider under a shared responsibility model. The NCSC's v3.3 requirements identify IaaS, PaaS, and SaaS as different cloud-service models; examples listed in the requirements include Amazon EC2, Azure Web Apps, Microsoft 365, Dropbox, and Gmail.[2]
Technical controls
The scheme is structured around five technical control themes:[2]
- Firewalls - controlling traffic between devices and the internet.
- Secure configuration - reducing avoidable vulnerabilities by disabling or removing unnecessary accounts, services, and insecure settings.
- Security update management - ensuring that supported software is kept up to date and that high-risk or critical vulnerability fixes are applied promptly.
- User access control - limiting access to accounts, services, and data according to user need, including the use of strong authentication.
- Malware protection - protecting devices from malicious software through anti-malware tools, application allow-listing, or other approved approaches.
Backing up data is not one of the five Cyber Essentials technical controls, but the v3.3 requirements strongly recommend that organisations implement an appropriate backup solution.[2]
Requirement changes
Cyber Essentials requirements are reviewed over time. In January 2022, the scheme introduced substantial changes affecting cloud services, home working, BYOD, multi-factor authentication (MFA), and password requirements.[7]
The April 2026 scheme update introduced stricter marking criteria for some requirements. IASME stated that MFA is mandatory for all cloud services where it is available, and that failure to implement MFA for those services results in automatic assessment failure. Two security update management questions also became automatic-fail questions where high-risk or critical updates for operating systems, router and firewall firmware, or applications are not installed within 14 days of release.[6]
The 2026 update also changed scope transparency. Organisations are no longer limited to a short scope description on certificates, and they must describe excluded parts of their infrastructure to their assessor, although those out-of-scope descriptions are not made public.[6]
History
Cyber Essentials was introduced by the UK government in April 2014 and went live on 5 June 2014. The government stated at launch that it was intended to provide a single recognised cyber security assurance certification suitable for organisations of all sizes.[8]
From 1 October 2014, the UK government required suppliers bidding for certain contracts involving personal and sensitive information to hold Cyber Essentials certification. At launch, the government described the scheme as part of the National Cyber Security Strategy and said it was delivered through the National Cyber Security Programme.[8]
In April 2020, IASME became the NCSC's sole Cyber Essentials partner. IASME said the change replaced a previous delivery model involving five organisations and was intended to make certification clearer and more consistent across the UK.[3]
The scheme marked its tenth anniversary in 2024. In a retrospective published by the NCSC, the organisation said Cyber Essentials was created after CESG, a predecessor of the NCSC, found that one or more of five basic technical controls would have stopped several attacks from progressing.[9]
GOV.UK reported in March 2026 that more than 215,000 Cyber Essentials certificates had been awarded to businesses, charities, schools, universities, and local authorities, including 49,248 in the preceding 12 months.[5]
Evaluation and impact
A 2024 impact evaluation published by the Department for Science, Innovation and Technology found that Cyber Essentials was providing protection to organisations of different sizes, improving awareness of cyber risk, stimulating wider security actions among participating organisations, and being used for supply-chain assurance.[10]
The NCSC reported in 2024 that data from the provider of the cyber liability insurance included with eligible certifications indicated that organisations with Cyber Essentials certification were 92% less likely to make a cyber insurance claim than those without it. The same NCSC retrospective stated that 85% of certified organisations in the 10-year review reported a better understanding of cyber risks.[9]
Relationship to other standards
Cyber Essentials is focused on a defined set of technical controls. It is therefore different in purpose and scope from broader information security management and assurance frameworks such as ISO/IEC 27001, the Cyber Assessment Framework, and GovAssure. Organisations may use Cyber Essentials alongside these schemes, but Cyber Essentials certification alone does not provide a full information security management system.
See also
References
1. "Cyber Essentials". National Cyber Security Centre. Retrieved 10 May 2026.
2. "Cyber Essentials: Requirements for IT Infrastructure v3.3" (PDF). National Cyber Security Centre. April 2026. Retrieved 10 May 2026.
3. "Cyber Essentials and the launch of a new partnership between IASME and the National Cyber Security Centre". IASME. 31 March 2020. Retrieved 10 May 2026.
4. "Cyber Essentials". IASME. Retrieved 10 May 2026.
5. "Cyber Essentials scheme: overview". GOV.UK. 13 March 2026. Retrieved 10 May 2026.
6. "Important Update: Changes to Cyber Essentials for April 2026". IASME. Retrieved 10 May 2026.
7. "Cyber Essentials: Requirements for IT Infrastructure Version 3.0" (PDF). National Cyber Security Centre. January 2022. Retrieved 10 May 2026.
8. "New scheme to help businesses defend against cyber threats goes live". GOV.UK. 5 June 2014. Retrieved 10 May 2026.
9. "A decade of Cyber Essentials: the journey towards a safer digital future" (PDF). National Cyber Security Centre. 15 November 2024. Retrieved 10 May 2026.
10. "Cyber Essentials scheme: impact evaluation". GOV.UK. 23 October 2024. Retrieved 10 May 2026.