Cyber Essentials Certification: what is it, do I need it, and how do I get certified?

Cyber Essentials Certification

To sum it up in a sentence: the Cyber Essentials Scheme was created in 2015 and follows a self-assessment process that helps businesses like yours to protect themselves against 80% of the most common cyber attacks.

Created by the National Cyber Security Centre (NCSC) in partnership with the UK government, Cyber Essentials certification can open a lot of doors to your business, and close them to cybersecurity threats. The process itself is pretty simple, especially if you have a helping hand on board.

This guide is here to take you through that process and help you understand a bit more about the scheme, the benefits, the costs, the different levels, and what the point of it all really is.

We’re going to help you get your head around:

  • What the Cyber Essentials Certification is
  • Why you need it
  • The benefits of the basic and plus certifications
  • The key differences between Cyber Essentials and ISO 27001
  • A checklist to help you get ready
  • The five controls of Cyber Essentials
  • How much does it cost?
  • Plenty of other resources along the way

Cybersecurity priorities for small to medium businesses

According to a 2022 survey from, as many as 51% of small businesses don’t have appropriate security for client and customer data. Why? Because many small and medium-sized businesses believe that they simply don’t have systems or data worth hacking.

This leaves them open to cyber security attacks, data phishing, and potentially in breech of a number of data protection laws, especially in the UK and Europe.

Why are SMBs so much more likely to lack the cyber security they need? Often it comes down to budget and internal headcount. This is also why SMBs will often upgrade their current cybersecurity protocols, or bring them in for the first time in partnership with an outsourced IT support provider.

As well as the more well-known ISO certifications many SMBs need simple to run their businesses safely and securely, it’s well worth looking into Cyber Essentials Certification.

So let’s get into it.

What is Cyber Essentials Certification?

There are two versions of the Cyber Essentials Certification: Basic and Plus. In its simplest form, Cyber Essentials Certification is a self-assessment cybersecurity check that focuses on five main areas of your systems, devices, and networks.

These five areas are also referred to as controls, and they are:

  • Firewalls to protect your internet connection
  • Secure settings on software and devices
  • Access to data and services
  • Antivirus and anti-malware protections
  • Maintaining device and software updates

We go into that in more detail a bit further down.

Before we dive into the benefits, how it works, and how we can help you get certified, it’s worth taking a look at the two different types of certification.

The Cyber Essentials basic accreditation

The basic Cyber Essentials accreditation is a self-assessment process that enables you to understand, recognise, and protect both your business and your data. Cyber attacks are becoming more and more common, with an increase of 50% in 2021 and according to this same research, Europe is the most targeted area globally.

And this certification gives you clear guidance on how basic cybersecurity can be implemented at a low cost.

As well as demonstrating to your employees and clients that your systems are up to scratch and your services are sufficiently secure, it’s a great opportunity for you to learn and implement the defences you need to protect you against the vast majority of common cyber threats.

Plus, if your business is vulnerable to simple cyber threats, it can make you more liable to be a target for more sophisticated and unwanted attention from cyber criminals.

All in all, having Cyber Essentials certification in place is a win-win.

Cyber Essentials Plus

So while the basic Cyber Essentials certification runs solely as a self-assessment and focuses on improving your knowledge and practices, Cyber Essentials Plus takes it one step further.

Cyber Essentials Plus adds a hands-on technical verification to give you reassurance. This is a more rigorous test of your organisation’s cyber security systems and protocols. Our security experts carry out vulnerability tests to make sure your small to medium-sized business is protected against hacking and phishing attacks.

Whichever one you are looking to implement, our team is here to make this process as smooth as possible. In fact, we can handle the whole thing for you.

Cyber Essentials Certificates

Cyber Essentials Basic vs Cyber Essentials Plus

For the sake of ease and clarity, here is a visual representation so you can understand what the key differences are between the Cyber Essentials Basic and Cyber Essentials Plus.

Description Cyber Essentials Basic Cyber Essentials Plus
Assessment type(s) Self-assessment questionnaire Self-assessment questionnaire
Hands-on technical verification
Vulnerability testing
What are your systems being assessed for? Firewalls
Secure settings
Access to data and services
Antivirus and anti-malware
Device and software updates
Everything in the Basic certification plus vulnerability testing for:

Phishing attacks
Password guessing
Network attacks

Expected outcomes Understanding of basic cyber security threats
Enable you to improve your own systems and protocols
Improve internal understanding of what’s needed to keep data safe
The Cyber Essentials Basic Certification
Understanding of more advanced cyber security threats
Hands-on technical verification and vulnerability testing from our team
Practical advice and implementation guidance
Consultation and (optional) ongoing support to improve your cyber security

Why should I get Cyber Essentials?

Many SMBs believe they don’t have enough of or the right sort of data to warrant an attack. And this leaves them vulnerable. But, according to Accenture’s Cybersecurity Index, 43% of cyber attacks happen against small businesses.

The Cyber Essentials Certification is a great way to learn more about your current systems and protocols as well as how to defend yourself against 80% of the most common cyber threats.

But there’s so much more than that. Here are 7 key benefits to getting your Cyber Essentials certification.

1. Improve customer retention
You can improve customer retention by improving your cyber security. If you are handling a lot of customer data, it’s more important than ever that it is protected as fully as possible. And safe in the knowledge that their data is protected, you prove yourself to be a trusted supplier and protector of that private information.

2. Attract new clients
Attracting new clients is easier when they can see you can be trusted. Trust is critical to building these relationships, especially if you’re going to have access to plenty of their data. Whether you’re providing technology, services, or products to your customers, tightly secure protocols are a must.

Much like the ISO accreditations and Microsoft Partner status we often talk about, Cyber Essentials adds a level of legitimacy to your business.

3. Open doors to government and public sector contracts
More than just attracting more, higher quality clients, there are many organisations that require their suppliers and partners to have a Cyber Essentials certification.

These include many government organisations, the NHS, and the Ministry of Defence (MOD). Some will require the basis and others will need the full Cyber Essentials Plus certification.

4. Have a better view of your organisation’s cyber security
Having a clearer view of (and external IT support team dedicated to) your cybersecurity needs and practices are only going to benefit your business. It’s one of those things that is so easy to fall by the wayside.

As we saw earlier, 51% of SMBs don’t have the appropriate security in place. Add that to the fact that 43% of cyber attacks happen to small businesses and that’s not a situation you want to be caught in the middle of.

There is never a downside to having more access to information about your business. It’s important to understand (at least at a high level) how all of this works and the ways in which your and your customers’ data is protected.

5. A practical way to get all of this done
Following the self-assessment questionnaire and, even better, the Plus certification vulnerability testing, is a great way to get through your cybersecurity to-do list. To gain certification, you need to pass five Cyber Essentials controls and going through this process is a great way to get all of this organised in one go.

It’s too easy to let it slide when it doesn’t feel like a business-critical function. But like we said, getting this certification can open the doors to more business and close the doors to 80% of common cybersecurity threats. Seems like a win-win really.

Plus, we can handle the entire process for you. So you don’t need to worry about the admin at all.

6. Decrease risk of financial and data loss
Did you know that in 2022, there was a 13% increase in ransomware attacks? More than the previous 5 years combined.

What is ransomware? It’s when people hack into your systems and lock away information, sensitive data, or network access until you give them money to get your stuff back. It’s a popular form of cyberattack and as you can imagine, can be incredibly costly. The Cyber Essentials certification helps to protect you against this (and many other common threats) in order to keep your data and finances safe.

7. Protect yourself against 80% of common cybersecurity threats
Certification can help to give everyone you work with peace of mind, reassuring your colleagues, customers and business partners that your IT is secure against cyberattacks.

Ultimately, it’s going to help you mitigate business risk and protect you against malware, ransomware, and a whole host of other common cybersecurity threats. Aside from the security benefits and peace of mind, having this certification can in turn drive down costs in other areas, so it’s a small financial investment to make for the return you’ll get.

Plus, it is such a simple process to keep you protected from so many potential risks.

You may be interested in: IT Support Best Practices (including security) To Help Your Business Succeed

Do you really need Cyber Essentials?

Building a strong cybersecurity framework for your organisation can require a big investment of your time, money, and technical resources. But recovering from a harmful cyber attack can be incredibly costly. And this time, it includes your reputation and customer retention.

The Cyber Essentials scheme helps you to achieve a sound cybersecurity structure quickly, simply, and in a much more cost-effective way than going it alone.

Do you absolutely have to have it? No.

But not having it puts your business at significant risk.

Infographic Cyber Essentials Certification

Not convinced?

Here are four more reasons you need a Cyber Essentials certification:

  • It is mandatory if you want to work with larger organisations in regulated industries or with central government and the Ministry of Defence (MOD)
  • Cyber Essentials is the ideal alternative to broader and more stringent certifications like the ISO 27001. And it’s less time and cost-intensive.
  • Cyber Essentials helps you to stay in line with international regulations such as GDPR. And by breaching GDPR you can be fined up to €20 million or 4% of your company’s global annual turnover. Ouch.
  • The scheme is backed by the UK government, so it’s not set by a random influential person in the industry. This is legitimate. You, your customers, and your business partners can all keep peace of mind.

The difference between Cyber Essentials and ISO 27001

Although Cyber Essentials accreditation and ISO 27001 accreditation complement each other, the certifications serve different purposes.

Introduced in 2005, ISO 27001 is for businesses that want to maintain the international standard for information security. So the certification defines what is required for a business to establish, implement, maintain and improve an information security system.

One key difference between the two certifications is that ISO 27001 considers all information – whether the medium is paper, systems or digital media. Cyber Essentials protects data and programs only on your IT infrastructure, including your network, server, workstations and devices.

How much does Cyber Essentials cost?

The cost of Cyber Essentials certification depends on a few things. Firstly, whether you are opting for the Basic or Plus certification.

However, it also depends on the scope of the work. For example, it will cost less for a very small business that rents its servers and has no more than 20 employees. But for an organisation of 10,000 people across multiple locations, the assessment is more extensive and there are a lot more opportunities for issues to arise.

Ultimately, the cost of your Cyber Essentials certification will be based on the following:

  • Which level of Cyber Essentials certification you wish to work towards
  • The size of your business
  • The location of your workforce (multiple offices, countries, mixture of remote and in-person)
  • Which IT and security tools you already have in place (and what you need to meet the five controls)
  • How robust your current tools and measures are
  • The results of penetration testing
  • The type and amount of changes you need to make to get your certification
  • How much time it takes to implement those changes

However, to make things easier for you, we are happy to wrap that cost up into a monthly subscription. This way we can take you from total Cyber Essentials novice to fully certified and on top of the latest updates.

How to get ready for your Cyber Essentials Certification

Well, you don’t want to go in blind otherwise it’s going to be a waste of time. So we’ve pulled together a checklist for you to make sure you have everything in place. There’s a lot more to think about than you may expect.

But it’s ok. We’re here to make your life that bit easier so you can get one step ahead.

These are the key areas and equipment that will be assessed for the Cyber Essentials certification self-assessment.

  • Hardware or devices used by your organisation
  • Software and firmware used by your organisation
  • Boundary devices
  • Firewalls and protecting your internet gateway
  • Cloud services
  • Secure configurations
  • Use of passwords
  • Protection against malware
  • User accounts

Recommended reading: Cyber Essentials Checklist: Get ready for your Cyber Essentials self assessment

The five controls tested for in the Cyber Essentials certification

The entire assessment process for Cyber Essentials Basic and Cyber Essentials Plus is based around five key controls. These are the base-level requirements you need to have in place to gain certification.

The five controls needed for the Cyber Essentials certification are:

1. Firewalls
Make sure all the devices you have connected to the internet are protected with a firewall.

2. Secure settings
This means changing settings like passwords, unnecessary software, and sharing settings away from the default settings. The defaults make it too easy for cyber attackers to get in and guess passwords.

3. Control admin permissions
Your team’s user accounts should only give them access to the devices, software and settings they need to do their job. Admin permissions should only be given to those who need them.

4. Virus and malware protection
All devices including laptops, PCs, phones and tablets, should be protected against attacks by virus or malware. Once these threats are in your network, they can infect other connected devices and software so getting antivirus and antimalware protection from day one is really important.

5. Patching requirements
All of your technical resources need to be up to date at all times. This covers operating systems, software, apps, mainframes, laptops, tablets, and phones. The update process is also known as ‘patching’.

Now, keeping all of these updates in check can be a bit tiresome. But the updates themselves are usually simple, fast, and free. Manufacturers and software developers regularly release updates and patches to add new features and improve security.

Cyber Essentials and Cyber Essentials Plus patching requirements mean you have to keep all your software up to date (and patched within 14 days of a fix being released), licensed and removed from devices when it’s no longer supported.

Working with a trusted Cyber Essentials team can make your life ten times easier

We’ve helped hundreds of businesses through this process since the scheme was launched in 2015 and we’d love to help you too.

Keeping on top of your cybersecurity is incredibly important and something that should be handled by experts. Plus, working with us can take a whole lot of admin off of your hands.

For example, when we take you through the process, we’re able to recommend any suppliers for things like antivirus software as well as help you to implement the changes you need to get your accreditation.

What does working with totality services on your Cyber Essentials certification look like?

It’s pretty simple really. You get in touch with our team for a quote. We’ll assess your current cybersecurity situation against the five controls and requirements of the self-assessment.

Even better, we then do the self-assessment for you, fixing anything we need to as we go through, and you pass your certification.

So you pay us a monthly fee, think of it like a Cyber Essentials subscription, and we’ll take care of the whole process for you. And then we will manage your updates, patches, and ongoing cyber security support.

That way you keep your admin time and costs down, and massively reduce the risk of cyber threats to your business.

Ready to get started?

Get in touch with our Cyber Essentials experts and let’s get you certified.