Cyber Essentials is the UK government-backed cybersecurity certification scheme, designed to help organisations protect themselves against the most common cyber threats. For many UK businesses, it's becoming less optional: it's required for government contracts, increasingly expected by enterprise clients, and demanded by insurers as a condition of cyber liability cover.
This guide explains what the scheme covers, how to achieve it, and why it matters beyond the certificate itself.
What Cyber Essentials Covers
The scheme is built around five technical controls, chosen because they address the most common attack vectors used against UK organisations:
1. Firewalls
A firewall controls what network traffic is allowed in and out of your organisation. Cyber Essentials requires that firewalls are configured to block inbound traffic that isn't explicitly permitted, that they're changed from default settings, and that unused ports and services are closed.
2. Secure Configuration
Devices and software often ship with default settings that prioritise convenience over security: open ports, enabled services, default admin passwords. Secure configuration means stripping this back to what's necessary, disabling unused features, and ensuring administrative accounts are properly protected.
3. User Access Control
Access to systems and data should be limited to what each user needs to do their job. Standard user accounts should not have administrative privileges. Administrative accounts should be used only for administrative tasks, and there should be a clear process for removing access when someone leaves.
4. Malware Protection
This covers protection against malicious software: antivirus/antimalware tools on all devices, application allowlisting or sandboxing in higher-risk environments, and controls to prevent malicious code from running.
5. Patch Management
Software vulnerabilities are the entry point for many cyber attacks. Patch management requires that operating systems, applications, and firmware are updated within 14 days of a critical or high-severity patch being released, and that software which is no longer supported by its vendor is removed or replaced.
The Two Levels of Certification
The scheme has two tiers:
- Cyber Essentials: a self-assessment questionnaire verified by an accredited assessor. Faster and lower cost, typically completed within a few days once controls are in place. Appropriate for most SMEs.
- Cyber Essentials Plus: includes everything in Cyber Essentials, plus independent technical testing: a vulnerability scan and hands-on verification of controls by the assessor. More rigorous and more credible with enterprise clients and government bodies.
For businesses bidding on government contracts involving the handling of personal data, Cyber Essentials Plus is often the required level.
Why It's Becoming a Commercial Requirement
Cyber Essentials began as a government initiative but has grown into a de facto baseline across UK industry:
- Government contracts: any contract involving the handling of sensitive government data requires Cyber Essentials as a minimum
- Procurement requirements: a growing number of larger private sector organisations require suppliers to hold Cyber Essentials before sharing systems access or sensitive data
- Cyber insurance: insurers increasingly require evidence of security controls; some specifically ask for Cyber Essentials certification, and those without it face higher premiums or reduced cover
- Client due diligence: in regulated sectors such as financial services and legal, clients are increasingly conducting security due diligence on their suppliers and expecting documented evidence of controls
What Typically Needs to Change to Pass
For most organisations that haven't previously focused on cybersecurity, the gap analysis typically reveals issues in a few common areas:
- Administrative accounts being used for day-to-day work
- Devices running end-of-support operating systems or applications
- Firewalls on default settings with unnecessary ports open
- No structured patch management process, with updates applied when noticed rather than systematically
- Shared accounts or accounts that remain active after staff leave
None of these are difficult to fix, but they need someone to own the work. An IT partner who understands the Cyber Essentials requirements can typically prepare an organisation for assessment within a few weeks.
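The checks from the gap analysis above, as an added example that is not part of the original guide or of any official Cyber Essentials tooling: it applies the 14-day rule for critical and high-severity patches and flags end-of-support systems, leaver accounts, and admin accounts used for daily work. The inventory, field names, hosts, users and dates are all constructed for illustration.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)            # the 14-day window stated in the guide
IN_SCOPE_SEVERITIES = {"critical", "high"}   # severities the window applies to

# Constructed sample inventory (hypothetical hosts, patches and dates).
DEVICES = [
    {"host": "laptop-01", "os_supported": True,
     "pending": [{"id": "patch-A", "severity": "critical", "released": date(2024, 5, 1)}]},
    {"host": "laptop-02", "os_supported": True,
     "pending": [{"id": "patch-B", "severity": "high", "released": date(2024, 5, 10)},
                 {"id": "patch-C", "severity": "low", "released": date(2024, 3, 1)}]},
    {"host": "till-03", "os_supported": False, "pending": []},
]
# Constructed list of accounts that are currently enabled.
ACCOUNTS = [
    {"user": "asmith", "admin": True, "daily_use": True, "left_on": None},
    {"user": "asmith-adm", "admin": True, "daily_use": False, "left_on": None},
    {"user": "bjones", "admin": False, "daily_use": True, "left_on": date(2024, 4, 30)},
]

def device_gaps(devices, today):
    """Flag unsupported systems and in-scope patches pending for more than 14 days."""
    gaps = []
    for d in devices:
        if not d["os_supported"]:
            gaps.append((d["host"], "end-of-support operating system"))
        for p in d["pending"]:
            overdue = today - p["released"] > PATCH_WINDOW
            if p["severity"] in IN_SCOPE_SEVERITIES and overdue:
                gaps.append((d["host"], f"{p['id']} overdue ({p['severity']})"))
    return gaps

def account_gaps(accounts, today):
    """Flag enabled accounts of leavers and admin accounts used for daily work."""
    gaps = []
    for a in accounts:
        if a["left_on"] is not None and a["left_on"] <= today:
            gaps.append((a["user"], "account still active after leaving"))
        elif a["admin"] and a["daily_use"]:
            gaps.append((a["user"], "admin account used for day-to-day work"))
    return gaps

if __name__ == "__main__":
    today = date(2024, 5, 20)  # fixed date so the sample run is reproducible
    for subject, issue in device_gaps(DEVICES, today) + account_gaps(ACCOUNTS, today):
        print(f"{subject}: {issue}")
```

A patch released exactly 14 days ago is still treated as inside the window; it is flagged from day 15.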
Cyber Essentials Is a Floor, Not a Ceiling
It's worth being clear about what Cyber Essentials is and isn't. It addresses the most common, opportunistic attack vectors: credential stuffing, unpatched vulnerabilities, exposed services. It won't protect you against sophisticated, targeted attacks.
For most SMEs, however, opportunistic attacks are the real and present threat. Passing Cyber Essentials significantly reduces the probability of the most common types of cyber incident. It's not the end of a security programme; it's a solid, structured starting point.
How Often Do You Need to Renew?
Cyber Essentials certification is valid for 12 months. Annual renewal is required to maintain the certificate. This is actually a feature rather than a limitation: it creates a regular audit cycle that encourages organisations to stay on top of their controls rather than ticking a box once and forgetting about it.
Preparing for Cyber Essentials certification? future® Office helps UK businesses get their IT environment audit-ready, from gap analysis through to post-certification support. Talk to the team about Cyber Essentials readiness.


