What Is Cyber Essentials? The UK Government Cybersecurity Scheme Explained
A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.
Overview
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.
What Is Cyber Essentials?
Cyber Essentials is a UK Government-backed certification scheme that helps organisations of any size defend against the most common, largely untargeted cyber attacks. It was launched by the UK Government in 2014 and is now owned by the NCSC (National Cyber Security Centre), with certification delivered through the NCSC's partner IASME and its network of certification bodies. It is the recognised baseline standard for cybersecurity in the UK. Certification shows that your business has implemented five technical controls which, between them, stop the bulk of commodity attacks.
The NCSC's position is that an organisation which properly implements the five controls is protected against around 80% of common cyber attacks. The figure refers to opportunistic, commodity attacks: Cyber Essentials is a baseline, not a defence against a determined, targeted adversary. 88% of certified organisations report a better understanding of the steps needed to reduce their security risk after completing the process.
The 5 Cyber Essentials Controls
1. Boundary Firewalls and Internet Gateways
Every device that connects to the internet must sit behind a properly configured firewall. For office networks that means a boundary firewall (typically the router or a dedicated appliance) between the internal network and the internet; laptops and phones used on untrusted networks, such as home or public Wi-Fi, must also run a software firewall on the device itself. Default administrative passwords on all firewalls and routers must be changed, inbound rules that expose services to the internet must be approved, documented and removed as soon as they are no longer needed, and the firewall's administrative interface must not be reachable from the internet unless there is a documented business need and it is protected by a second authentication factor or restricted to a small allow-list of trusted source addresses. For office networks, a business-grade firewall appliance with active management is recommended.
2. Secure Configuration
Every device and piece of software should be configured so that it exposes as little as possible. This means removing software and user accounts that are not needed, disabling unused features (such as auto-run, or macro execution in Office documents where it is not needed), and requiring authentication before anyone can reach business data. Default accounts and credentials must be changed or removed before devices are deployed. Password rules must meet current guidance: the scheme accepts multi-factor authentication, or a minimum 12-character password, or a minimum 8-character password combined with a deny list that blocks common passwords. Logins must also be protected against brute-force guessing, either by throttling to no more than 10 attempts in 5 minutes or by locking the account after no more than 10 failed attempts. Devices that hold business data must have a device lock (PIN, password or biometric) enabled.
3. User Access Control
Access to systems and data should be restricted to what each user needs to do their job, and every account should be traceable to a named individual. Standard users must not have administrator privileges; administrator accounts must be separate from day-to-day accounts and used only for administrative tasks, never for email or web browsing. Accounts must be created through a documented approval process, and access rights must be reviewed and removed or adjusted promptly when staff leave or change role. Since the 2022 update to the scheme, multi-factor authentication (MFA) is required on all cloud services: always for administrator accounts, and for all users wherever the service supports it.
4. Malware Protection
Every device must have active protection against malware. The scheme accepts either anti-malware software (including modern endpoint detection and response, or EDR, tools), which must update itself automatically in line with the vendor's recommendations, scan files on access, and block connections to known-malicious websites, or application allow-listing, where only approved code is permitted to run. Cyber Essentials Plus verifies this on a sample of devices, checking that protection is installed, running and current, and that test malware delivered by email attachment and web download is blocked.
5. Patch Management
Operating systems, firmware, browsers and applications must be licensed, still supported by their vendor, and kept up to date. Security patches that fix vulnerabilities rated 'critical' or 'high' (a CVSS v3 base score of 7.0 or above, or described as such by the vendor) must be applied within 14 days of release, and software that no longer receives security updates must be removed from use. Enable automatic updates wherever possible; where they cannot be used, a documented process must achieve the same 14-day window, and you should expect an assessor to check update history against it.
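As an added example (not code from AMVIA, the NCSC or the scheme itself), the Python script below applies the patch-management rule above to a constructed software inventory: it flags high/critical fixes (CVSS v3 7.0 or above, or vendor-rated) that are still unapplied past their deadline or were applied late, and lists products that are past their vendor end-of-support date. All product names, patch identifiers and dates are invented for illustration; in practice the inventory would be exported from your endpoint management or vulnerability scanning tool.

```python
"""Cyber Essentials patch-window check over a constructed software inventory.

Added example, not AMVIA's tooling or an NCSC artefact. It applies the
two patch-management rules the guide describes: a fix for a vulnerability
rated high/critical (CVSS v3 score of 7.0 or above, or labelled as such by
the vendor) must be installed within 14 days of release, and software that
no longer receives security updates must be removed. The inventory records,
product names, patch IDs and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)   # Cyber Essentials: 14 days from release
HIGH_RISK_CVSS = 7.0                # CVSS v3 "high" starts at 7.0


@dataclass(frozen=True)
class Patch:
    product: str
    patch_id: str               # vendor's own identifier (constructed here)
    cvss: Optional[float]       # None when the vendor gave no score
    vendor_rated_high: bool     # vendor labelled it high/critical
    released: date
    installed: Optional[date]   # None if not yet applied


@dataclass(frozen=True)
class Product:
    name: str
    version: str
    end_of_support: Optional[date]  # None if still supported


def in_scope(p: Patch) -> bool:
    """A patch falls under the 14-day rule if scored >= 7.0 or vendor-rated high/critical."""
    return p.vendor_rated_high or (p.cvss is not None and p.cvss >= HIGH_RISK_CVSS)


def deadline(p: Patch) -> date:
    """Last day on which the patch can be installed and still meet the control."""
    return p.released + PATCH_WINDOW


def patch_findings(patches, today: date):
    """Return (patch_id, reason) for every in-scope patch outside the 14-day window.

    A patch installed after its deadline is still a finding: the control was
    breached during the gap, which an assessor can see in the update history.
    """
    findings = []
    for p in patches:
        if not in_scope(p):
            continue
        due = deadline(p)
        if p.installed is None and today > due:
            findings.append((p.patch_id, f"not installed; due {due.isoformat()}"))
        elif p.installed is not None and p.installed > due:
            findings.append((p.patch_id, f"installed late on {p.installed.isoformat()}; due {due.isoformat()}"))
    return findings


def unsupported_products(products, today: date):
    """Names of products whose vendor support has ended: these must be removed, not patched."""
    return [pr.name for pr in products if pr.end_of_support is not None and pr.end_of_support <= today]


def check_inventory(patches, products, today: date) -> dict:
    """Both checks together, as a dict that a report or CI gate can consume."""
    return {
        "overdue_patches": patch_findings(patches, today),
        "unsupported_products": unsupported_products(products, today),
    }


# Constructed sample data (names, IDs and dates are illustrative only).
TODAY = date(2025, 6, 30)
SAMPLE_PATCHES = [
    Patch("Example Office Suite", "EX-2025-001", 9.8, True, date(2025, 6, 1), None),            # due 15 June, never applied
    Patch("Example Browser", "EX-2025-002", 8.1, False, date(2025, 6, 20), date(2025, 6, 22)),   # applied inside the window
    Patch("Example Browser", "EX-2025-003", 4.3, False, date(2025, 5, 1), None),                 # medium severity: out of scope
    Patch("Example VPN Client", "EX-2025-004", None, True, date(2025, 5, 10), date(2025, 6, 5)),  # due 24 May, applied 12 days late
    Patch("Example PDF Reader", "EX-2025-005", 7.5, False, date(2025, 6, 25), None),             # due 9 July, still within window
]
SAMPLE_PRODUCTS = [
    Product("Example Office Suite", "2021", None),
    Product("Legacy Example OS", "7", date(2020, 1, 14)),   # out of support: remove from use
    Product("Example Browser", "124", None),
]

if __name__ == "__main__":
    for key, items in check_inventory(SAMPLE_PATCHES, SAMPLE_PRODUCTS, TODAY).items():
        print(key)
        for item in items:
            print("  ", item)
```

The check deliberately reports late-but-installed patches as well as missing ones, because the control is about the window, not the current state; a report that only lists missing patches hides a 30-day gap that closed yesterday. A vendor-rated patch with no CVSS score (EX-2025-004) is treated as in scope, since the scheme counts either signal.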
Cyber Essentials vs Cyber Essentials Plus
There are two levels of Cyber Essentials certification. Standard Cyber Essentials is a self-assessment: your organisation answers an online questionnaire, a board member or equivalent signs a declaration that the answers are accurate, and an assessor at a certification body reviews the answers and awards the certificate. Fees are set by organisation size and run from around £300 plus VAT for micro-organisations to £500 plus VAT for large ones. Cyber Essentials Plus gives a higher level of assurance: the same five controls are independently verified by an accredited assessor through technical testing, including an external vulnerability scan of internet-facing services, authenticated vulnerability scans of a sample of devices, tests that malware delivered by email and web download is blocked, and checks that MFA is enforced on cloud services. Plus must be completed within three months of passing the self-assessment. Ministry of Defence supply chain contracts specify Cyber Essentials or Cyber Essentials Plus according to the contract's assessed cyber-risk level, and Plus is increasingly required by larger private-sector customers.
Who Needs Cyber Essentials?
Cyber Essentials has been a requirement for central government contracts that involve handling personal information or providing certain ICT products and services since Procurement Policy Note 09/14 in 2014. It is increasingly required in NHS, local authority, and defence supply chains. Beyond government, many large private sector organisations require Cyber Essentials from their suppliers as a supply chain risk management measure. For any business that handles client data, holds cyber insurance, or bids for enterprise contracts, Cyber Essentials is a valuable credential; UK organisations with turnover under £20 million that certify their whole organisation also receive cyber liability insurance included with the certificate.
How Long Does Cyber Essentials Take?
Most businesses can achieve Cyber Essentials in four to six weeks. The timeline depends on the current state of your IT environment and how many remediation actions are needed before the assessment. A certificate is valid for 12 months, so the cycle repeats annually. AMVIA conducts a gap assessment before beginning the formal process, identifies the actions required, implements the technical changes, and then manages the certification submission, typically achieving certification in under six weeks for SMEs.
How AMVIA Helps Businesses Achieve Cyber Essentials
AMVIA manages the full Cyber Essentials process for UK SMEs — from initial gap assessment through to certification and annual renewal. We implement the required technical controls, prepare the assessment submission, and liaise with the certifying body on your behalf. Our managed service ensures the five controls remain in place and up to date throughout the year, so your certification is always current and your business remains protected.
Key Considerations
Assess your current position against the five controls and identify gaps
Understand which of your contracts, customers and regulators require Cyber Essentials or Cyber Essentials Plus
Implement the technical controls and record the evidence you will need for the self-assessment
Train staff on security awareness
Review the controls throughout the year, not only at the annual renewal
Consider managed service options for specialist areas
Frequently Asked Questions
Yes. UK small businesses face the same threats as larger organisations but often with fewer resources to address them. This guide is specifically written for SMEs.
AMVIA provides managed services that handle the technical complexity for you. We assess your current position, implement the right solutions, and manage them ongoing — so you can focus on your business.
Costs depend on your business size and requirements. AMVIA provides fixed monthly pricing with no hidden fees. Contact us for a tailored quote.
Need Help With This?
AMVIA can assess your current position and recommend practical next steps.