Quick answer: What is Cyber Essentials? UK government-backed cyber security certification explained: the five controls, cost, validity and whether you need it. 2026 guide.
Last updated: April 2026 | Reviewed by: Connection Technologies team

What Is Cyber Essentials? UK Beginner’s Guide for 2026
Cyber Essentials is a UK government-backed cyber security certification scheme that helps businesses protect themselves against the most common online attacks. Run by IASME on behalf of the National Cyber Security Centre (NCSC), it’s structured around five technical controls that — when properly implemented — block around 80% of basic cyber attacks. There are two levels: standard Cyber Essentials (a self-assessment) and Cyber Essentials Plus (the same controls, independently audited).
This is the plain-English beginner’s guide to what Cyber Essentials is, who needs it, what it costs and how to get certified. If you’ve been told you need it for a contract or tender — or you’ve seen the badge on a supplier’s website and want to know whether to bother — start here. For deeper detail see our guides on requirements, cost and how to get certified.
What is Cyber Essentials in plain English?
Think of Cyber Essentials as a basic-cyber-hygiene MOT for your business IT. It checks five fundamentals that, between them, prevent the vast majority of opportunistic attacks. If your business can demonstrate these five things, you certify. If not, you fix the gaps and try again.
The five controls are:
- Firewalls — keep the internet at arm’s length
- Secure configuration — change default passwords, turn off what you don’t need
- User access control — separate admin accounts, MFA on everything important
- Malware protection — anti-virus, allowlisting or sandboxing on every device
- Security update management — apply patches within 14 days
None of this is exotic. It’s the security baseline most IT professionals would tell you to do anyway. The certification simply gives you a recognised badge that you’ve actually done it.
Cyber Essentials vs Cyber Essentials Plus — what’s the difference?
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment type | Self-assessment questionnaire | Independent assessor audit |
| IASME fee | £300-£500 + VAT | £1,500-£8,000 + VAT |
| Time to certify | 2-4 weeks (no remediation) | 4-8 weeks |
| Validity | 12 months | 12 months |
| Insurance included | £25k | £25k |
| Best for | Most SMEs, marketing & trust | Government contracts, regulated sectors |
Standard Cyber Essentials is what most businesses start with. Cyber Essentials Plus is the upgrade — same controls, but proven by an external auditor — and is increasingly required for central government, MOD and NHS work.
Who needs Cyber Essentials?
You probably need Cyber Essentials if:
- You bid for UK central government contracts (mandatory since 2014 for many contracts handling personal data)
- You’re a supplier to a customer who’s asked for it (very common in 2024-2026)
- You hold customer data that you’d be embarrassed (or fined) to lose
- You want a low-cost way to demonstrate cyber maturity to insurers, customers or investors
- You want the bundled £25k cyber-liability insurance
You probably don’t urgently need it if you’re a sole trader with no customer data, no contracts requiring it, and no interest in cyber insurance. But increasingly even very small businesses are being asked for it as part of supplier onboarding.
Why does Cyber Essentials matter?
Three concrete reasons:
- Procurement gate — you simply can’t bid for many UK government and enterprise contracts without it. The badge is a procurement-form box-tick that opens the door.
- Insurance discount — most cyber-liability insurers offer a 10-30% premium discount for certified businesses. The £25k bundled cover is also genuinely useful.
- Real risk reduction — NCSC’s own data shows that the five controls prevent around 80% of basic cyber attacks. It is the cheapest, highest-impact security spend most SMEs can make.
The badge itself also has marketing value. Putting “Cyber Essentials Certified” on your website, email signature and proposals is a low-friction trust signal that costs nothing once you have the certification.
How much does Cyber Essentials cost?
The IASME fee is a sliding scale by company size:
- Micro (1-9 staff): £300 + VAT
- Small (10-49 staff): £400 + VAT
- Medium (50-249 staff): £450 + VAT
- Large (250+ staff): £500 + VAT
Cyber Essentials Plus runs £1,500-£8,000 + VAT depending on environment complexity. On top of the IASME fee you’ll typically spend £500-£3,000 on tooling (MFA, EDR, MDM) and remediation, especially if certifying for the first time. Our full cost breakdown covers this in detail.
Or skip the project entirely with our managed Cyber Essentials service — RRP from £103/month all-in, including the IASME fee, tooling, training and renewal.
How long does Cyber Essentials last?
Both certifications are valid for 12 months. You re-certify annually. The renewal isn’t a fresh start: most of your evidence carries forward, and the questionnaire largely confirms what’s changed. Most businesses budget around 50% of first-year effort for the annual renewal.
The £25k insurance ends with the certificate. If you let it lapse, you lose the cover. If you re-certify within the renewal window, cover continues seamlessly.
What does the assessment actually look like?
For standard Cyber Essentials:
- Register with IASME, pay the fee, get access to the portal
- Complete a 70-question online self-assessment questionnaire
- Submit; an IASME-licensed assessor reviews within 5 working days
- Either certify, or address up to two rounds of clarifying questions before certifying
- Receive your certificate, badge artwork and £25k insurance documentation
For Cyber Essentials Plus, you must already hold standard CE. Then you book the audit: a remote scoping call, a vulnerability scan of a sample of your devices, MFA enforcement testing, malware sample testing, and a follow-up call to confirm the findings. The whole thing typically takes 2-3 weeks elapsed time and 4-8 hours of your team’s involvement.
Common misconceptions
“Cyber Essentials is the same as ISO 27001.” No. ISO 27001 is a comprehensive information security management system; Cyber Essentials is a focused technical control set. ISO is months of work and £15k+; CE is weeks and £300-£500.
“It only covers IT, not us.” Wrong. Anything that processes organisational data and connects to the internet is in scope — including BYOD phones if they get email.
“Once we certify, we’re safe for the year.” No — the controls have to be maintained continuously. The certificate is a snapshot; ongoing compliance is what actually keeps you safe (and what keeps the bundled insurance valid).
“It costs thousands.” The certification fee is hundreds, not thousands, for standard CE. The total cost depends on how much remediation your IT needs.
Is Cyber Essentials worth it?
For most UK SMEs in 2026: yes. The £300-£500 fee is small, the bundled £25k insurance often pays for it, the procurement value is real and growing, and the underlying controls genuinely improve your security posture. The only businesses who should actively skip it are sole traders with no customer data and no contracts requiring it — and even then, many find the insurance alone worth the certification.
Get Cyber Essentials & Cyber Essentials Plus — fully managed
Connection Technologies runs Cyber Essentials and Cyber Essentials Plus for UK businesses end-to-end. Our compliance agent automates the five technical controls across every Windows, macOS, iOS and Android device — we submit, audit and renew so you stay certified without the paperwork. RRP from £103/month with free £25,000 cyber-liability insurance for eligible UK businesses.
Skip the Cyber Essentials paperwork
We handle the five controls, the questionnaire, the audit and the renewal — RRP from £103/month.
Frequently asked questions
What is Cyber Essentials?
A UK government-backed certification that proves your business has the five technical security controls that block most basic cyber attacks: firewalls, secure configuration, user access control, malware protection and patching.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Same five controls, different verification. Cyber Essentials is a self-assessment questionnaire; Cyber Essentials Plus adds an independent IASME-licensed assessor audit (vulnerability scan, MFA test, patch verification) of a sample of your devices.
Is Cyber Essentials a legal requirement?
Not a general legal requirement, but it’s mandatory for many UK central government contracts handling personal data, and increasingly demanded by enterprise customers as part of supplier onboarding.
How much does Cyber Essentials cost?
The IASME fee is £300 (micro) to £500 (large) + VAT for standard CE. Cyber Essentials Plus is £1,500-£8,000 + VAT. Add £500-£3,000 for tooling and remediation if certifying for the first time. Our managed bundle is £103/month all-in.
How long does Cyber Essentials last?
Both Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months and need annual re-certification.
Is Cyber Essentials worth it?
For most UK SMEs, yes. The certification fee is small, the bundled £25k cyber-liability insurance often covers it, the procurement value is real, and the underlying controls block ~80% of basic attacks.
