
How to Get Cyber Essentials Certified UK 2026: Step-by-Step

How to get Cyber Essentials certified in the UK: 6-step process, full checklist, remediation tips and timeline. Pass first time. Updated 2026 guide.


Last updated: April 2026  |  Reviewed by: Connection Technologies team



Getting Cyber Essentials certified in 2026 is a six-step process: scope your IT, fix the gaps against the five technical controls, register with IASME, complete the questionnaire, respond to assessor queries, and (optionally) book the Plus audit. Most UK SMEs go from “we should look at this” to a certificate on the wall in 4-12 weeks, depending on how much remediation is needed.

This guide is the practical checklist version of the journey. Follow it in order and you’ll certify first time. If you’d rather skip the project, our managed Cyber Essentials service handles every step end-to-end at £103/month — including the IASME fee, tooling, training and renewal. For background, see what Cyber Essentials is and the full requirements.

How to get Cyber Essentials — the 6-step process

Step           | What you do                                        | Typical time
---------------|----------------------------------------------------|-------------
1              | Scope & asset register                             | 1-3 days
2              | Gap analysis against the five controls             | 2-5 days
3              | Remediation (MFA, patching, AV, MDM)               | 2-8 weeks
4              | Register with IASME & complete the questionnaire   | 4-8 hours
5              | Address assessor queries & certify                 | 1-2 weeks
6 (optional)   | Book and pass the Cyber Essentials Plus audit      | 2-3 weeks

Step 1 — Scope your IT and build an asset register

Before you do anything else, list every device, server, cloud service and application that processes organisational data and connects to the internet. This is your in-scope estate.

For each device record: make/model, OS version, owner/user, primary use, in-scope yes/no, MFA enforced yes/no. A spreadsheet works fine for under 100 devices. Larger estates need a proper asset management tool (Intune, Jamf, an MDM, or an RMM).

Don’t forget:

  • BYOD phones and tablets that get email or M365
  • Remote workers on home routers (the router itself is not the boundary; the laptop behind it is in scope and its host firewall stands in for the boundary firewall)
  • Cloud services holding org data — list each SaaS
  • Printers, NAS, CCTV, IoT — anything with a network interface


Step 2 — Gap analysis against the five controls

Run through each of the five control families and grade yourself honestly. The fastest way to do this is to download the official IASME requirements PDF and tick off each requirement as compliant / not-compliant / unknown.

Common gaps you’ll find:

  • MFA not enforced on every M365 account (especially admin)
  • Legacy authentication still enabled in M365
  • No formal joiner/mover/leaver process
  • No patching policy for third-party apps (Adobe, Java, Zoom)
  • Personal phones receiving email with no MDM
  • Default passwords still on printers / NAS / firewalls
  • End-of-life software still in use (old Windows, old macOS)

Document each gap with an owner and a target date. This becomes your remediation plan.
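The asset register from Step 1 and the gap list from Step 2 are easy to keep in one place if the register is machine-readable. The script below is an added example written for this guide, not tooling from IASME or from Connection Technologies: it reads a constructed CSV register with the fields suggested above (plus BYOD, MDM-enrolment and default-password columns), flags the common gaps listed in Step 2, and turns them into a remediation plan with an owner and target date per gap. The end-of-life table, the control names used as labels and the sample devices are all assumptions made for the example; replace the EOL entries with the vendors' current lifecycle pages before relying on them.

```python
"""Asset register gap check (added example; not the page's or IASME's tooling).

Reads a CSV asset register, skips out-of-scope devices, and flags the common
Cyber Essentials gaps a first gap analysis usually finds.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample register. The column set follows the Step 1 advice:
# make/model, OS version, owner, primary use, in-scope, MFA enforced, with
# BYOD, MDM and default-password columns added for the Step 2 checks.
REGISTER_CSV = """\
asset,make_model,os,os_version,owner,primary_use,in_scope,byod,mdm_enrolled,mfa_enforced,default_password_changed
LT-001,Dell Latitude 5540,Windows,11 23H2,alice,laptop,yes,no,yes,yes,yes
LT-002,Lenovo T480,Windows,10 22H2,bob,laptop,yes,no,no,yes,yes
PH-003,Apple iPhone 12,iOS,17.4,carol,phone,yes,yes,no,yes,yes
MB-004,Apple MacBook Air,macOS,12.7,dave,laptop,yes,no,yes,no,yes
PR-005,HP LaserJet,Printer firmware,2.1,office,printer,yes,no,no,n/a,no
NAS-006,Synology DS220,DSM,7.2,it,storage,no,no,no,no,no
"""

# Illustrative end-of-life table keyed by (OS name, major version). This is an
# assumption for the example; maintain it from the vendors' lifecycle pages.
EOL_OS = {
    ("Windows", "10"),
    ("macOS", "12"),
}


@dataclass
class Gap:
    asset: str
    owner: str
    control: str   # which of the five control families the gap falls under
    detail: str


def _needs_action(value: str) -> bool:
    """A yes/no/n-a field needs action unless it is 'yes' or 'n/a'."""
    return value.strip().lower() not in ("yes", "n/a")


def os_is_eol(os_name: str, os_version: str) -> bool:
    """Match on the major version, e.g. 'Windows' + '10 22H2' -> ('Windows', '10')."""
    major = os_version.strip().split()[0].split(".")[0]
    return (os_name.strip(), major) in EOL_OS


def analyse(register_csv: str) -> list[Gap]:
    """Return one Gap per failed check for every in-scope device."""
    gaps: list[Gap] = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        if _needs_action(row["in_scope"]):
            continue  # out of scope: record it, but do not assess it
        asset, owner = row["asset"], row["owner"]
        if os_is_eol(row["os"], row["os_version"]):
            gaps.append(Gap(asset, owner, "Security update management",
                            f"{row['os']} {row['os_version']} is end-of-life"))
        if _needs_action(row["mfa_enforced"]):
            gaps.append(Gap(asset, owner, "User access control", "MFA not enforced"))
        if row["byod"].strip().lower() == "yes" and _needs_action(row["mdm_enrolled"]):
            gaps.append(Gap(asset, owner, "Secure configuration",
                            "personal device holding org data without MDM"))
        if _needs_action(row["default_password_changed"]):
            gaps.append(Gap(asset, owner, "Secure configuration",
                            "default password still in place"))
    return gaps


def remediation_plan(gaps: list[Gap], start_iso: str, weeks: int = 4) -> list[dict]:
    """Give every gap an owner and a target date (start + N weeks), as Step 2 asks."""
    target = (date.fromisoformat(start_iso) + timedelta(weeks=weeks)).isoformat()
    return [{"asset": g.asset, "owner": g.owner, "control": g.control,
             "gap": g.detail, "target_date": target}
            for g in sorted(gaps, key=lambda g: (g.owner, g.asset))]


if __name__ == "__main__":
    for item in remediation_plan(analyse(REGISTER_CSV), "2026-04-06"):
        print(f"{item['owner']:<7} {item['asset']:<7} {item['control']:<27} "
              f"{item['gap']:<45} due {item['target_date']}")
```

On the constructed register this reports five gaps across four devices (the out-of-scope NAS is ignored); the printed plan is the "owner plus target date" list the guide asks you to keep, and the same CSV doubles as the asset register you hand the assessor.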

Step 3 — Remediate the gaps

Most remediation falls into five buckets:

  1. Enforce MFA on every cloud service — start with M365 / Google Workspace, then expand. Use Conditional Access in M365 to make this granular.
  2. Deploy or verify EDR / anti-malware on every device. Microsoft Defender for Business is a cheap, capable choice if you’re M365 Business Premium.
  3. Enrol all devices in MDM — corporate and BYOD that touches org data. Intune for Windows/iOS/Android, Jamf for Mac.
  4. Set up centralised patching — Windows Update for Business, Intune patch profiles, or your RMM. Auto-update third-party apps.
  5. Document the policies — joiner/mover/leaver, password, acceptable use, mobile device, incident response. IASME doesn’t require ISO-grade documents but they want to see something written down.

Most SMEs need 2-8 weeks of focused work here. If you have an existing IT provider this is the moment to lean on them. Or use our managed service, which deploys the agent and remediates the gaps for you.

Step 4 — Register with IASME and complete the questionnaire

Register at iasme.co.uk/cyberessentials. Pay the IASME fee (£300-£500 + VAT depending on size). You’ll get access to the portal and a 6-month window to submit.

Work through the 70-question self-assessment in order. Save as you go. Get the IT lead, the office manager and an exec to review before you submit — different parts of the questionnaire need different knowledge. Allow 4-8 hours total.

Step 5 — Respond to assessor queries

An IASME-licensed assessor will review within 5 working days. Roughly 60% of submissions get queries on the first round; expect to send a couple of screenshots and clarifications. Common queries:

  • “Please provide evidence MFA is enforced on M365 admin accounts.”
  • “Please clarify how leaver accounts are removed within 7 days.”
  • “Please confirm the patch management process for third-party apps.”
  • “Please clarify how BYOD is kept compliant with the controls.”

Reply within 5 working days to keep the application live. After certification you’ll receive: the certificate PDF, official badge artwork, listing on the IASME register and £25k cyber-liability insurance documentation.

Step 6 — (Optional) Book the Cyber Essentials Plus audit

If you need the Plus level, book it within 3 months of your standard CE certificate. The audit is a remote engagement — typically 2-3 weeks elapsed time, 4-8 hours of your team’s involvement:

  1. Scoping call with the assessor — confirm device sample (10% of devices, minimum 1, maximum 30)
  2. External vulnerability scan of your internet-facing IPs
  3. Authenticated vulnerability scan of the device sample
  4. MFA enforcement test on M365 / cloud services
  5. EICAR and real-world malware sample test on the device sample
  6. Patch verification on the device sample
  7. Findings call — pass, conditional pass with quick fixes, or fail

Pass rate on first attempt for prepared businesses is around 75%. Most failures come from missing patches on a sample device or MFA not actually enforced. Our Plus audit guide walks through the test methodology in detail.

Cyber Essentials checklist — the 12 things to have ready

  1. Asset register (every in-scope device, OS, owner, MFA status)
  2. List of cloud services holding org data with MFA evidence
  3. Network diagram showing firewalls / boundary / VPN
  4. Joiner/mover/leaver process (1-page document is fine)
  5. Password policy (one of the three accepted approaches)
  6. MDM enrolment evidence for mobile devices
  7. Patching policy and screenshot of compliance dashboard
  8. Anti-malware deployment evidence
  9. Acceptable use policy
  10. Incident response procedure (1-page is fine)
  11. Confirmation of EOL software removal (or formal acceptance)
  12. Director / responsible person ready to sign the IASME declaration

Tips for first-time certification

  • Start with scope — get this wrong and everything else wobbles
  • Be honest — assessors prefer “we use X but haven’t formally documented it” to a confidently inaccurate yes
  • Don’t certify on a Friday — assessor queries hit Monday and you need bandwidth to respond
  • Take screenshots before you certify — MFA enforcement, patch dashboards, device compliance — having these to hand cuts assessor query rounds in half
  • Plan the renewal at month 9, not month 12 — certificates lapse, and a lapsed certificate means no insurance cover and problems in procurement

If you’d rather not run the project yourself, our managed Cyber Essentials service takes care of every step from scoping through to renewal — RRP from £103/month, with the IASME fee, tooling and £25k insurance bundled in.


Frequently asked questions

Six steps: scope your IT, gap-analyse against the five controls, remediate the gaps, register with IASME and complete the 70-question self-assessment, respond to any assessor queries, and (optionally) book the Plus audit. Total elapsed time: 4-12 weeks for most SMEs.

2-4 weeks if your IT is already mature (MFA, patching, EDR all in place); 6-12 weeks if you need significant remediation. The questionnaire itself takes 4-8 hours; the rest is fixing the gaps it surfaces.

Yes — many micro-businesses certify themselves with the IASME guidance and an evening or two of work. Or you can use a managed service like ours that runs the entire process for you, including the IASME fee, the agent that automates the controls, and the renewal.

Yes. You must hold a current standard Cyber Essentials certificate before you can book a Cyber Essentials Plus audit. Most businesses do them within 3 months of each other.

Asset register, list of cloud services with MFA evidence, joiner/mover/leaver process, password policy, MDM enrolment, patching policy, anti-malware, acceptable use, incident response procedure, and confirmation of EOL software removal. Have these ready and you’ll certify first time.

You won’t fail outright on the first round — the assessor will return up to two rounds of clarifying questions. If those don’t resolve the issues, the application is rejected and you pay the IASME fee again to resubmit. Our managed service picks up failed applications and resubmits within 4 weeks.
