Cyber Essentials Certification: A Step-by-Step Guide for SMEs

Everything an SME needs to get Cyber Essentials certified: what the five controls actually require, whether to choose self-assessment or Plus, realistic costs and timelines, and why the badge increasingly decides who wins contracts.

Why buyers keep asking for Cyber Essentials

Cyber Essentials is the UK government-backed certification, overseen by the National Cyber Security Centre and delivered through IASME, that shows your business has baseline protections against the most common internet-borne attacks. It is deliberately not an exhaustive security standard; it is a floor, and that is exactly why procurement teams like it. A supplier with the badge has answered the basic due-diligence questions before being asked.

Certification is required for many central government contracts that involve handling personal data, and the Ministry of Defence mandates it through its supply chain. Beyond the public sector, larger firms increasingly push the requirement down onto their suppliers, and insurers ask about it on cyber policy applications. For a small firm bidding against similar-sized rivals, the certificate is often the cheapest credibility you can buy. It is worth being clear about what it is not, too: it does not make you GDPR-compliant and it will not stop a determined targeted attacker, but it removes the easy openings that most opportunistic attacks rely on.

The five technical controls, in plain English

Everything in the scheme hangs off five controls, applied to all the devices and services in scope:

  • Firewalls: every device and internet connection sits behind a properly configured firewall, with no unnecessary services exposed to the internet and default router passwords changed.
  • Secure configuration: default passwords removed, unused software and accounts deleted, auto-run disabled, and device locking (PIN, password or biometrics) enforced.
  • User access control: people get the minimum access their role needs, admin accounts are separate from day-to-day accounts, and access is removed promptly when someone leaves.
  • Malware protection: anti-malware software kept current on in-scope devices, or application allow-listing where that fits better.
  • Security update management: all software licensed and vendor-supported, updates applied within 14 days when the vendor rates them high or critical, and unsupported software removed or isolated.

Multi-factor authentication runs through the requirements as well: the current question set expects MFA to be enabled for users of cloud services wherever the service offers it, starting with email and file storage.

Need a hand with this?

Our team delivers IT & Cyber Security for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →

Self-assessment or Plus: which do you need?

Basic Cyber Essentials is a self-assessment. You answer an online questionnaire about your setup, a board member or equivalent signs a declaration that the answers are true, and a licensed assessor reviews the responses. There is no site visit, so preparation is mostly about knowing your own estate honestly, including the laptop in the sales director's spare room.

Cyber Essentials Plus covers the same five controls but adds independent technical verification: an assessor tests a sample of your devices, runs vulnerability scans, and checks in practice that malware protection, patching and account separation work as claimed. Plus must be completed within three months of passing the basic assessment. Choose Plus when a contract explicitly demands it or when you sell into security-conscious enterprise or defence buyers; for most SMEs, basic certification is the sensible first year, with Plus as a follow-up once the controls have bedded in.

Realistic costs and timelines

  • Self-assessment fees are tiered by organisation size: from £320 plus VAT for micro businesses (0 to 9 staff), rising through £440 and £500 to £600 plus VAT for the largest organisations, correct at the time of writing.
  • Cyber Essentials Plus is priced by certification bodies based on your size and complexity; small firms should budget somewhere in the low thousands of pounds, plus the cost of any remediation work the audit surfaces.
  • A tidy SME can complete self-assessment in two to four weeks; allow longer if you need to replace unsupported machines or restructure accounts.
  • Certification lasts 12 months, so treat renewal as an annual fixture in the calendar, not a one-off project.

There is a useful extra baked in: UK organisations with under £20 million turnover that certify their whole organisation get cyber liability insurance with a £25,000 indemnity limit included with certification, subject to the insurer's terms. It is not a substitute for a proper cyber policy, but it is not nothing either.

A preparation checklist that avoids resubmission

  • 1. Define your scope, ideally the whole organisation, including home workers and any bring-your-own devices that access company data or email.
  • 2. Inventory everything: laptops, desktops, phones, tablets, servers and cloud services, with operating system versions recorded.
  • 3. Remove or upgrade unsupported software, including old Windows versions, out-of-date routers and abandoned plugins.
  • 4. Turn on automatic updates wherever possible, and get into the habit of applying high and critical patches within 14 days.
  • 5. Switch on MFA for every cloud service, starting with email and file storage.
  • 6. Create separate admin accounts and stop doing day-to-day work in them.
  • 7. Set password rules that match the question set, for example a minimum of 12 characters, or 8 with a deny-list of common passwords, plus protection against brute-force attempts such as lockouts or throttling.
  • 8. Download the current question set free from IASME's website and run a dry-run answer session before paying anything.

Answer honestly. Assessors allow limited clarification rounds if something is unclear, but fictional answers on a signed board declaration are a governance problem, not a shortcut, and Plus audits expose them anyway.

Key Takeaway

Start with the self-assessment level: fees begin at £320 plus VAT for the smallest firms, and a tidy SME can pass within a month. Fix the usual blockers first: unsupported software, missing MFA on cloud services, shared admin logins and patches older than 14 days. Move to Cyber Essentials Plus only when a contract demands it, remembering the audit must happen within three months of the basic pass. Renew annually, because buyers check expiry dates on the public register.

Where SMEs usually slip up, and what happens next

  • Forgotten devices: personal phones reading company email are in scope and are the single most commonly missed item.
  • End-of-life software: one unsupported operating system on one machine can sink the whole assessment.
  • Routers and firewalls still running default administrator passwords.
  • Shared logins, which make user access control impossible to evidence.
  • Cloud services nobody told IT about, discovered awkwardly in mid-assessment.

Passing is the start rather than the finish. Keep the inventory alive, review leavers' access monthly, and rebook a few weeks before expiry, because buyers do check certificate dates on the public register. Treated as annual hygiene rather than a scramble, Cyber Essentials gets cheaper and quicker every year while quietly qualifying you for work you would otherwise be screened out of. If you would like help preparing, remediating or maintaining the controls year-round, our team at Thind Global Services supports SMEs through exactly this process.

Work With Us

Need Help With Your Digital Strategy?

Our team of experts is ready to help. Get a free consultation and tailored proposal.