What Is Cyber Essentials? The UK Government Cybersecurity Scheme Explained

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

What Is Cyber Essentials?

Cyber Essentials is a UK Government-backed cybersecurity certification scheme designed to help organisations of all sizes protect themselves against common cyber threats. Launched in 2014 and overseen by the NCSC (National Cyber Security Centre), it is the recognised baseline standard for cybersecurity in the United Kingdom. The scheme requires organisations to implement five fundamental technical controls that, when properly applied, protect against the vast majority of common internet-based attacks.

The need for a baseline standard is clear. According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cybersecurity breach or attack in the past twelve months. Despite this, only approximately 3% of UK businesses are Cyber Essentials certified (DSIT/NCSC), leaving the overwhelming majority without even the most basic verified security controls. The NCSC estimates that Cyber Essentials-certified organisations are protected against approximately 80% of common cyberattacks — a significant reduction in risk from a relatively straightforward set of controls.

Who Runs the Cyber Essentials Scheme?

The Cyber Essentials scheme is owned by the UK Government and managed by the NCSC, which is part of GCHQ. The NCSC sets the technical requirements and maintains the question set used in assessments. Day-to-day delivery of the scheme is managed by IASME (the Information Assurance for Small and Medium Enterprises Consortium), which acts as the scheme's accreditation body. IASME licenses certification bodies — the organisations that actually assess and certify businesses. There are currently several hundred licensed certification bodies across the UK.

The scheme is updated periodically to reflect changes in technology and the threat landscape. The most recent significant update (known as the Montpellier update) expanded the scope to include cloud services, home workers' devices, and multi-factor authentication requirements — reflecting the shift to hybrid working that has occurred since the scheme was originally launched. For businesses preparing for certification, our Cyber Essentials service page explains how AMVIA manages the full process.

The Five Cyber Essentials Controls

The scheme is built around five technical controls. Each addresses a specific category of common attack and together they provide a solid baseline against the most prevalent threats facing UK businesses.

1. Firewalls and Internet Gateways

Every device that connects to the internet must be protected by a properly configured firewall. This includes not only traditional network firewalls at the office boundary but also the software firewalls built into individual devices — laptops, desktops, and servers. The requirement applies to all devices in scope, including those used by remote and hybrid workers at home. Key requirements include ensuring the firewall is enabled and active, closing all inbound ports that are not explicitly required for business purposes, changing default administrator passwords on all network equipment, and documenting which ports and services are open and why.

2. Secure Configuration

All devices and software must be configured to reduce the attack surface — the number of ways an attacker could potentially gain access. This means removing or disabling software, services, and features that are not needed for business purposes. Default user accounts must be removed or disabled, and default passwords must be changed before devices are deployed. Specific requirements include disabling auto-run features for removable media, applying password policies that meet current NCSC guidance (a minimum of eight characters, with twelve or more recommended), and ensuring that screen lock is configured on all devices after a period of inactivity.

3. User Access Control

Access to systems and data must be restricted to the minimum necessary for each user to perform their role — the principle of least privilege. Standard users should not have administrator privileges. Administrator accounts must only be used for administrative tasks, not for day-to-day work such as email and web browsing. When staff leave the organisation or change roles, their access rights must be reviewed and updated promptly. The scheme also requires that all user accounts are protected by passwords or other authentication mechanisms, and that multi-factor authentication is enabled where available — particularly for cloud services and remote access.

4. Malware Protection

All devices in scope must have active protection against malware. This control can be satisfied through reputable antivirus software with real-time scanning enabled, modern endpoint detection and response (EDR) tools, or application allowlisting that prevents unauthorised software from running. Malware definitions must be kept up to date — for Cyber Essentials Plus, definitions must be updated within 24 hours of release. The scheme recognises that modern EDR tools provide significantly stronger protection than traditional signature-based antivirus, though both are acceptable for certification purposes.

5. Patch Management (Security Update Management)

Operating systems, web browsers, and applications must be kept up to date with security patches. The Cyber Essentials standard requires that high-risk or critical patches are applied within 14 days of release. Software that is no longer receiving security updates from the vendor (end-of-life software) must be removed from use or isolated from the network. Automatic updates should be enabled wherever possible. This control addresses one of the most common attack vectors — exploiting known vulnerabilities in software that has not been patched.

Cyber Essentials vs Cyber Essentials Plus

There are two levels of certification, and understanding the difference is important for deciding which is appropriate for your business.

Cyber Essentials (Basic) is a self-assessment. The organisation completes an online questionnaire describing how the five controls are implemented. This questionnaire is reviewed by a licensed certification body, which may ask clarification questions. If the answers demonstrate that the controls are in place, certification is granted. The cost is typically £300 to £500 for most small and medium businesses. The process can usually be completed within a few weeks, depending on how many remediation actions are needed before the questionnaire is submitted.

Cyber Essentials Plus provides a higher level of assurance. An accredited assessor visits (physically or remotely) and independently verifies that the five controls are implemented through technical testing. This includes vulnerability scanning of internet-facing systems, testing of malware protection against simulated threats, and verification of patching levels across a sample of devices. CE Plus costs more — typically £1,500 to £3,500 depending on the size and complexity of the organisation — and requires the organisation to pass the technical tests, not just describe its controls in a questionnaire.

55,995 Cyber Essentials certifications were issued in 2025 (NCSC), covering both Basic and Plus levels. CE Plus is required for Ministry of Defence supply chain contracts and is increasingly specified by larger private sector customers as a procurement requirement.

Who Needs Cyber Essentials?

Cyber Essentials is mandatory for all UK Government contracts involving the handling of sensitive or personal information, or the delivery of certain ICT products and services. This requirement has cascaded through government supply chains — NHS trusts, local authorities, and defence contractors increasingly require their own suppliers to hold certification. Beyond the public sector, many large private organisations are requiring Cyber Essentials from suppliers as a supply chain risk management measure.

Even for businesses that are not contractually required to hold certification, Cyber Essentials provides tangible benefits. Many cyber insurance providers offer reduced premiums or simplified underwriting for certified businesses. The certification demonstrates to clients and partners that the business takes security seriously and has implemented verified baseline controls. For any business that handles client data, processes payments, or stores sensitive information, Cyber Essentials is a valuable and increasingly expected credential.

How to Get Certified: The Process

The certification process follows a structured path. First, the business needs to understand its current security posture against the five controls — identifying what is already in place and what gaps need to be addressed. AMVIA's Cyber Essentials readiness assessment provides this gap analysis, documenting exactly what needs to change before certification can proceed.

Second, the identified gaps are remediated — this might involve enabling firewalls on remote worker devices, removing end-of-life software, implementing MFA on cloud services, or establishing a patching policy. For businesses with a managed IT provider like AMVIA, many of these controls will already be in place as part of the standard managed service.

Third, the self-assessment questionnaire is completed and submitted to a licensed certification body. AMVIA prepares this submission on behalf of clients, ensuring the answers accurately reflect the implemented controls. If the assessor raises queries, AMVIA manages the response process.

Fourth, upon successful assessment, the certification is granted. Certification is valid for twelve months and must be renewed annually. AMVIA manages the renewal process proactively, ensuring that controls remain current and that certification does not lapse.

Common Reasons Businesses Fail Cyber Essentials

Understanding common failure points helps businesses prepare more effectively:

  • End-of-life software — Running Windows versions or applications that no longer receive security updates is an automatic failure. All software in scope must be within its supported lifecycle
  • Missing patches — Devices with outstanding critical patches older than 14 days will fail. This is particularly common on devices that are not centrally managed
  • Admin rights on standard accounts — Staff using administrator privileges for day-to-day work is one of the most common non-compliance findings
  • Default passwords unchanged — Routers, firewalls, and other network equipment still using factory-default credentials
  • No MFA on cloud services — The updated scheme requires MFA where it is available, which includes Microsoft 365, Google Workspace, and most SaaS applications
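As an added illustration, not AMVIA's tooling or any part of the scheme's official question set, the Python pre-check below evaluates a constructed asset inventory against the five controls and the failure points listed above, using the page's own thresholds (the 14-day patch window, end-of-life software, default credentials, admin rights used for daily work, missing MFA on cloud services). The asset fields, the end-of-life list and the default-credential list are assumptions for the demo; a real gap analysis would take them from vendor lifecycle pages and the organisation's own records.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

PATCH_WINDOW_DAYS = 14  # critical/high-risk patches must be applied within 14 days of release
# Constructed example sets; real EOL and default-credential lists come from vendor lifecycle pages
EOL_SOFTWARE = {"Windows 7", "Windows 8.1"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}

@dataclass
class Asset:
    name: str
    software: list[str]                                # OS and applications installed
    firewall_on: bool = True
    malware_protection: bool = True                    # AV/EDR active with current definitions
    unpatched_critical_since: date | None = None       # release date of oldest unapplied critical patch
    admins_used_daily: list[str] = field(default_factory=list)
    cloud_accounts_without_mfa: list[str] = field(default_factory=list)
    credentials: list[tuple[str, str]] = field(default_factory=list)  # (user, password) on network gear

def assess(assets: list[Asset], today: date) -> list[tuple[str, str, str]]:
    """Return (asset, control, finding) triples; an empty list means no failure points were found."""
    findings: list[tuple[str, str, str]] = []
    for a in assets:
        if not a.firewall_on:
            findings.append((a.name, "Firewalls", "host firewall disabled"))
        for user, _ in (c for c in a.credentials if c in DEFAULT_CREDENTIALS):
            findings.append((a.name, "Secure configuration", f"factory-default credential for '{user}'"))
        for user in a.admins_used_daily:
            findings.append((a.name, "User access control", f"'{user}' uses admin rights for daily work"))
        for acct in a.cloud_accounts_without_mfa:
            findings.append((a.name, "User access control", f"no MFA on cloud account {acct}"))
        if not a.malware_protection:
            findings.append((a.name, "Malware protection", "no active anti-malware/EDR"))
        for sw in (s for s in a.software if s in EOL_SOFTWARE):
            findings.append((a.name, "Patch management", f"end-of-life software: {sw}"))
        if a.unpatched_critical_since and (today - a.unpatched_critical_since).days > PATCH_WINDOW_DAYS:
            age = (today - a.unpatched_critical_since).days
            findings.append((a.name, "Patch management", f"critical patch outstanding for {age} days"))
    return findings

TODAY = date(2025, 6, 30)  # constructed assessment date
INVENTORY = [  # constructed inventory: one compliant laptop, one with several failures, a router, a tenant
    Asset("laptop-01", ["Windows 11", "Office 365"], unpatched_critical_since=date(2025, 6, 20)),
    Asset("laptop-02", ["Windows 7"], firewall_on=False, admins_used_daily=["jsmith"],
          unpatched_critical_since=date(2025, 6, 1)),
    Asset("router-01", ["RouterOS"], credentials=[("admin", "admin")]),
    Asset("m365-tenant", [], cloud_accounts_without_mfa=["finance@example.com"]),
]
```

Running `assess(INVENTORY, TODAY)` on this inventory returns six findings, all against laptop-02, router-01 and the tenant; laptop-01's outstanding patch is ten days old and so still inside the 14-day window.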

How AMVIA Helps Businesses Achieve Cyber Essentials

AMVIA manages the full Cyber Essentials process for UK SMEs — from initial readiness assessment through to certification and annual renewal. We conduct the gap analysis, implement the required technical controls across all managed devices, prepare the assessment submission, and liaise with the certification body on your behalf. Our managed service ensures the five controls remain in place and up to date throughout the year, so your certification is always current and your business remains protected against the threats it is designed to address. Contact AMVIA on 0333 733 8050 to discuss Cyber Essentials certification for your business.
