What Is Cyber Essentials?
Cyber Essentials is the UK Government's cybersecurity certification scheme, administered by the NCSC and IASME. It requires organisations to demonstrate that five technical controls are in place, and it is required for any business applying for government contracts that involve handling sensitive or personal data.
Direct Answer
Cyber Essentials is a UK Government-backed certification scheme launched by the National Cyber Security Centre (NCSC). It specifies five technical controls that organisations must implement: boundary firewalls, secure configuration, user access control, malware protection, and patch management. There are two tiers: Cyber Essentials (self-assessed via questionnaire) and Cyber Essentials Plus (independently audited). Certification is required for certain government contracts and is increasingly requested in private-sector supply chain due diligence. IASME is the lead certification body. 55,995 Cyber Essentials certificates were awarded in 2025; 42,288 at CE level and 13,707 at CE Plus. Only 3% of all UK businesses are Cyber Essentials certified — rising to 21% among large businesses.
What Cyber Essentials Covers
The five controls required for Cyber Essentials certification, and why each one matters.
Boundary Firewalls
A correctly configured firewall must protect all internet-facing services. Unused ports must be closed and access restricted to what is necessary.
Secure Configuration
All in-scope devices must have default passwords changed, unnecessary software removed, and auto-run disabled. A documented build standard is required.
User Access Control
Least privilege must be applied: users receive only the permissions they need. Admin accounts are separate and not used for day-to-day activities.
Malware Protection
Anti-malware or application allowlisting must be active on all in-scope devices. Signatures must be kept up to date with real-time scanning enabled.
Patch Management
High and critical patches must be applied within 14 days of release. Software that cannot be updated must be removed from scope.
Cyber Essentials vs Cyber Essentials Plus
The two tiers of the scheme and what distinguishes them.
| Feature | Cyber Essentials (self-assessed) | CE Plus (independently audited, recommended) |
|---|---|---|
| Five technical controls required | ||
| Self-assessment questionnaire | ||
| Independent technical audit | ||
| External vulnerability scan | ||
| Required for MoD/NHS supply chain | ||
| NCSC certificate issued | ||
| Typical cost (small organisation) | £300–£800 | £1,200–£2,500 |
Both tiers require annual renewal. AMVIA offers fixed-price guided and managed certification services for both levels.
Frequently Asked Questions
Organisations with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance. Certification is mandatory for UK government contracts involving sensitive data. Only 3% of UK businesses are currently certified, giving certified businesses a competitive advantage.
The first hour after detection is considered the golden hour that determines outcome severity. Organisations that detect breaches internally save an average of $900,000 in costs. Only 22% of UK businesses have a formal cybersecurity incident management plan in place.
Phishing is the most common attack type, identified by 85% of businesses that experienced a breach (DSIT 2025). Phishing accounts for 93% of cyber crimes against businesses. AI-powered phishing has driven a 204% increase in phishing emails delivering malware in 2025.
Only 14% of UK businesses formally review cyber risks from their immediate suppliers. 35.5% of all global data breaches in 2024 originated from third-party compromises. Supply chain attacks add an average of £241,620 to the total cost of a breach and take 267 days to detect and contain.
MFA requires two or more verification methods to access an account. Microsoft reports that over 99.9% of compromised accounts did not have MFA enabled. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025). MFA can prevent more than 99.9% of account compromise attempts.