Cyber Essentials is a UK government-backed certification scheme that certifies a business against five basic cybersecurity controls. It costs a few hundred pounds for the basic self-assessment version, a few thousand for the independently verified Cyber Essentials Plus.
The certification gets mentioned a lot — as a tender requirement, as a baseline for cyber insurance, as evidence of good practice. But whether it's genuinely useful depends on what you're trying to achieve.
What Cyber Essentials Actually Covers
The five controls are:
Firewalls — ensuring that internet-connected devices have properly configured firewalls that block unnecessary inbound connections.
Secure configuration — ensuring devices aren't deployed with default passwords or unnecessary features enabled.
Access control — ensuring users only have the permissions they need, and that administrative accounts are properly protected.
Malware protection — ensuring devices have up-to-date malware protection, whether traditional antivirus or newer endpoint detection tools.
Patch management — ensuring operating systems and applications are kept up to date, with high-risk vulnerabilities patched within 14 days.
These are not cutting-edge security practices. They're the basics. A business that passes Cyber Essentials has demonstrably implemented the controls that prevent the majority of common cyberattacks.
Who Should Get It
If you supply to central government or the NHS, Cyber Essentials is increasingly a contract requirement. You may simply need it to bid for work.
If you're applying for cyber insurance, most insurers now require or strongly prefer Cyber Essentials. Some won't insure businesses without it; others will but at higher premiums. The certification cost often pays back in insurance savings.
If you genuinely don't know what state your IT security is in, the Cyber Essentials assessment process is useful as a structured way to find out. The questions force you to look at things that might otherwise get ignored.
If you want to reassure clients or prospects, the certification badge on your website is a credible signal of basic diligence. For professional services firms, it's increasingly expected.
Who Might Not Need to Prioritise It
Very small businesses (under 5 staff) with simple IT — cloud applications, no on-premises servers, sensible password practices — often already meet most of the criteria without realising it. For them, the formal certification cost may not be the best use of a limited IT budget compared to, say, actually backing up properly.
Cyber Essentials Plus vs Basic
Cyber Essentials (basic) is a self-assessment questionnaire. You answer questions about your controls, an assessor reviews your answers, and if they're satisfied, you're certified. There's no external verification that your answers are accurate.
Cyber Essentials Plus involves an independent technical assessment of your actual systems. It's more expensive (typically £1,500 to £4,000 for an SME, depending on scope) and more meaningful. If your motivation is client assurance or competitive differentiation, Plus is worth the additional cost.
If your motivation is primarily meeting a contractual requirement, basic certification is usually sufficient.
The Honest Limitation
Cyber Essentials doesn't cover everything. Social engineering, phishing, insider threats, physical security, business continuity — none of these are assessed. A business can hold Cyber Essentials certification and still be highly vulnerable to a well-targeted phishing attack.
Think of it as a floor, not a ceiling. It's a good place to start. It's not a complete cybersecurity programme.