
Ultimate Guide to Cyber Essentials (2025)

15 January 2025

Businesses in the UK are facing growing challenges to protect themselves from cyber threats such as phishing, malware, or ransomware. The risks of not having the correct controls to avoid these threats are too large to ignore; according to UK Government statistics, the average annual cost of cyber crime for businesses is estimated at roughly £1,120 per victim, excluding crime where the only activity was phishing. 

So, to avoid adding to this statistic, what can you do to strengthen your business’s online security? To help businesses address this exact issue, the UK Government introduced the Cyber Essentials and Cyber Essentials Plus Schemes. 

In this guide, we’ll assess the important aspects of Cyber Essentials, including different certification levels, benefits, mistakes to avoid, and how to conduct a self-assessment. 


What Is the Cyber Essentials Scheme?

Created by the National Cyber Security Centre (NCSC) back in 2014, Cyber Essentials is a certification scheme designed to help businesses protect themselves against common online threats, using a set of basic security controls to safeguard key business information. Backed by the government, the scheme has two certification levels, Cyber Essentials and Cyber Essentials Plus, each with a different depth of assessment.

The Cyber Essentials scheme is seen as a cost-effective solution for many businesses across the UK, particularly those classed as small to medium-sized enterprises (SMEs), which may find more advanced cyber security harder to afford. Additionally, since its creation, Cyber Essentials certification has been required for suppliers to the central government who handle certain kinds of sensitive and personal information.

Why Cyber Essentials Certification is Important for Your Business

There are several benefits associated with Cyber Essentials, such as:

  • Improved protection against common cyber threats, such as malware.
  • Reassurance to customers and clients that you take cyber security seriously. 
  • Affordable, straightforward framework for improving cyber security. 
  • Protecting business operations and reputation, creating better client relationships. 
  • Potential for insurance benefits or preferential terms for certified businesses.
  • Increased awareness of cyber security risks within the business and outside world. 

The Five Key Controls of Cyber Essentials

The five key technical controls of Cyber Essentials are designed to cover a range of the most common internet-based threats, giving businesses a suitable level of protection for their most important data. These five controls are:

  1. User Access Control: Restricting access to data and services to authorised users only.
  2. Secure Configuration: Ensuring that systems are configured in the most secure way for the needs of the business.
  3. Security Update Management: Applying security updates and patches promptly to protect against known vulnerabilities.
  4. Firewalls and Internet Gateways: Implementing measures to prevent unauthorised access to or from private networks.
  5. Malware Protection: Deploying appropriate measures to detect and prevent malware infections.

Cyber Essentials vs Cyber Essentials Plus


As mentioned earlier, there are two levels of this scheme:

  1. Cyber Essentials: This is a self-assessment option where businesses evaluate their own systems against the prescribed security controls, through an online assessment which is then reviewed by a Cyber Essentials Assessor who provides feedback on areas for improvement. There is no independent validation at this level. 
  2. Cyber Essentials Plus: This higher-level approach requires an independent evaluation, completed by an accredited third party. In addition to the self-assessment questionnaire, it involves a technical audit of your IT systems to verify the implementation of security controls, giving greater assurance that you’re complying with the scheme. 

For more in-depth information on the key differences, check out our dedicated Cyber Essentials Vs. Cyber Essentials Plus article.

Cyber Essentials vs ISO 27001

People often compare Cyber Essentials and ISO 27001, but they are very different standards; Cyber Essentials is an accessible starting point for many businesses but is considered to be basic, whereas ISO 27001 is an international standard for comprehensive Information Security Management Systems (ISMS), requiring businesses to assess, manage, and continuously improve their overall security processes and risks.

While Cyber Essentials is simpler and quicker to achieve, ISO 27001 provides a more rigorous and detailed framework for long-term security management, specifying 93 security controls grouped into four categories (organisational, people, physical, and technological). Although this is a reduction from the previous version, ISO/IEC 27001:2013 (which included 114 controls), it is still significantly more than Cyber Essentials’ five controls!

Steps to Achieve Cyber Essentials Certification

Although designed to be a simple process, you should still familiarise yourself with how the application and assessment stages typically unfold. Here’s a basic overview of the process:

  1. Choose Your Certification Level: Consider whether you require Cyber Essentials or Cyber Essentials Plus, and familiarise yourself with the framework. 
  2. Prepare Your Systems: Align your IT systems with Cyber Essentials standards by implementing the required technical controls and promptly updating your systems where needed. For example, you should enforce strict access control, conduct a regular security review, and implement multi-factor authentication (MFA) appropriately. 
  3. Complete the Self-Assessment: For Cyber Essentials, complete a self-assessment questionnaire, detailing how your business has met the required standards. 
  4. Submit to an Accredited Body: Submit your self-assessment to a certification body approved by the National Cyber Security Centre for review, such as ReformIT.
  5. Certification Review: The certification body evaluates your submission, verifies compliance, and provides feedback or approval.
  6. Independent Assessment (Cyber Essentials Plus Only): An additional independent on-site or remote assessment is conducted by an accredited third-party assessor. Contact us if you need assistance or advice with this aspect.
  7. Achieve Certification: Once approved, your business receives either the Cyber Essentials or Cyber Essentials Plus certification, demonstrating your adherence to cyber security practices.

How to Align Your “Bring Your Own Device” (BYOD) Policy with Cyber Essentials


Managing BYOD (Bring Your Own Device) policies is crucial for Cyber Essentials compliance, as personal devices can introduce significant security risks. To meet the certification standards while allowing employees to use their own devices, consider the following:

  • Policy Guidelines: Create a clear BYOD policy outlining security requirements and compliance expectations.
  • Device Security: Enforce security measures like firewalls, secure configurations, and software updates on all personal devices.
  • Access Control: Use strong access controls and multi-factor authentication (MFA) to restrict access to sensitive data.
  • Encryption: Ensure personal devices are encrypted to protect data at rest and in transit.
  • Remote Wipe: Enable remote wiping of data from lost or compromised devices.

Common Mistakes to Avoid Before Your Assessment

Some of the more common mistakes people make before certification include:

  • Outdated Software: Regularly update all systems with the latest patches.
  • Weak Passwords: Enforce strong password policies and use multi-factor authentication (MFA).
  • Incomplete Documentation: Provide accurate, well-supported responses with evidence like policies and configurations.
  • Excessive Access Privileges: Apply the principle of “least privilege” and review access regularly.
  • Unsecured Devices: Ensure all endpoints, including personal devices, meet security standards. 
  • Firewall Issues: Properly configure and document all network firewalls. 
  • Inadequate Malware Protection: Use updated, robust malware protection tools. 
  • Third-Party Oversight: Include all third-party systems in security reviews.
  • Lack of Ongoing Compliance: Regularly review systems to maintain certification standards.

Get Cyber Essentials Certified With Help From Gloucestershire’s Leading Cyber Essentials Consultants 

At ReformIT, we are Gloucestershire’s leading certified Cyber Essentials experts, offering expert support and assessment services to help local businesses meet cyber security best practices and achieve certification with confidence.

For help with obtaining your certification or if you have any questions, please don’t hesitate to get in touch with our friendly team, and we will be more than happy to help.


FAQs About Cyber Essentials

  • What are the costs involved?

    The cost of Cyber Essentials certification can vary depending on the size of your business and whether you opt for the basic or Cyber Essentials Plus certification. For 2025, basic certification starts from £320 + VAT for 0-9 employees, whereas Cyber Essentials Plus requires a bespoke quote based on the size and complexity of your network.

  • How long does Cyber Essentials certification last?

    Cyber Essentials certification is valid for 12 months; after this period, businesses must reapply and pass the assessment again to maintain their certification.

  • How can I conduct a Cyber Essentials self-assessment?

    To begin the self-assessment process, you’ll need to register for certification and make a payment determined by the size of your business. You’ll then be sent portal login details to access your online assessment, which an external body will assess once all the questions have been completed. 

    You may receive some feedback from the assessor, which will need to be addressed and resubmitted within two working days. If you’re successful, your business will receive an official Cyber Essentials certificate that demonstrates your compliance with the key controls; this will need to be renewed annually. 

    To help you prepare for your assessment, the NCSC has produced a preparation booklet which features typical questions asked during the assessment. These are based on the current assessment standard (Montpellier), which expires on April 25th 2025, and the next assessment standard (Willow), which begins after April 28th 2025.

    Free Download of Question Set (Montpellier)

    Free Download of Question set (Willow)

  • Does my business need Cyber Essentials for a government contract?

    Yes, Cyber Essentials is required for all businesses bidding for certain government/public sector contracts, particularly those that handle sensitive or personal data.

  • How to Find a Cyber Essentials Assessor

    To achieve Cyber Essentials certification, you'll need to work with an accredited Cyber Essentials assessor; these assessors are certified bodies (CBs) authorised to review your self-assessment and validate your compliance with the Cyber Essentials standards. To find a certified assessor, IASME has a “search by location” tool to connect you with local certification bodies. 

  • What is a Cyber Essentials advisor?

    A Cyber Essentials advisor is an experienced and qualified assessor who can guide your business through the Cyber Essentials certification process. They help identify security gaps, offer advice on implementing required controls, and ensure your business meets the necessary standards.

  • What are the password requirements for Cyber Essentials compliance?

    Cyber Essentials requires businesses to enforce strong password policies. For example, passwords must be at least 8 characters long, include a mix of letters, numbers, and symbols, and be combined with multi-factor authentication (MFA) to further secure access.

  • What are the patching requirements?

    Cyber Essentials mandates that all software, operating systems, and applications are regularly patched and updated to address known vulnerabilities. Businesses must have a patch management process in place to ensure critical security updates are applied promptly.

  • What is a managed Cyber Essentials service?

    A managed Cyber Essentials service is a comprehensive solution provided by a third-party cyber security company that takes care of the entire certification process for you. This service includes regular monitoring, security assessments, and implementation of necessary controls to ensure ongoing compliance with Cyber Essentials standards.