Certification

Cyber Essentials: The UK Baseline Your Customers Now Expect

Cyber Essentials is the UK government-backed certification that proves your business has the five fundamental security controls in place. It's increasingly demanded in procurement, required for certain government contracts, and favoured by insurers. AMVIA holds Cyber Essentials Plus ourselves — and we prepare businesses to pass.

Quick answer: what is Cyber Essentials?

Cyber Essentials is the National Cyber Security Centre's baseline certification scheme, operated by IASME. It verifies five technical controls — firewalls, secure configuration, access control, malware protection and security update management — via a self-assessment questionnaire (basic) or an independent technical audit (Plus). Certification costs from around £300–£500+VAT depending on organisation size, is required for certain UK government contracts, and increasingly appears in supplier questionnaires and cyber insurance conditions.

Compare Cyber Essentials vs Plus

What is Cyber Essentials, exactly?

Cyber Essentials is the UK's government-backed cyber security certification, designed by the National Cyber Security Centre and delivered through IASME as the scheme's certification body partner. It exists to prove one specific thing: that your organisation has implemented five fundamental technical controls that stop the majority of commodity cyber attacks — the untargeted, automated attacks that make up most of what UK SMEs actually face.

The five controls

  • Firewalls — every device protected by a correctly configured boundary or software firewall.
  • Secure configuration — default passwords changed, unused software and accounts removed, security settings actively chosen rather than left as shipped.
  • User access control — accounts run with the minimum privileges needed; admin rights restricted and controlled.
  • Malware protection — anti-malware or application allow-listing on every in-scope device.
  • Security update management — supported software only, with high and critical patches applied promptly.

None of this is exotic — which is the point. The scheme certifies disciplined execution of the basics, and the basics are what stop most real-world attacks. With 43% of UK businesses reporting a breach or attack in the past 12 months (DSIT, Cyber Security Breaches Survey 2025), the baseline matters.

Why UK businesses get certified

Three commercial drivers, in practice. Procurement: Cyber Essentials is required for certain UK government contracts and appears in a growing share of private-sector supplier questionnaires — for many SMEs, the certificate is the difference between bidding and not bidding. Insurance: basic Cyber Essentials certification through IASME includes cyber liability insurance for eligible UK organisations with under £20 million turnover, and insurers increasingly ask about certification at renewal. Discipline: the annual recertification cycle forces the security hygiene that drifts when nobody is checking.

Basic or Plus?

Basic Cyber Essentials is a verified self-assessment; Cyber Essentials Plus adds an independent technical audit of your actual systems. Plus carries more weight with enterprise buyers and regulated supply chains — it's the tier AMVIA holds ourselves. The full trade-off (cost, effort, what each proves) is covered in our Cyber Essentials vs Plus comparison, and pricing in detail in the certification cost guide.

How AMVIA gets businesses through it

We hold Cyber Essentials Plus ourselves, so we've done this the hard way — and our managed security services map directly onto the five controls: managed firewalls, endpoint protection, patch management and access control are what our plans run day to day. For certification, that means gap analysis against the current question set, remediation of what falls short, and evidence preparation — then keeping you compliant between renewals rather than scrambling annually. See managed cybersecurity for the ongoing service, or the vulnerability management page for the patching discipline the scheme demands.

What Certification Gets You

Bid Eligibility

Required for certain UK government contracts and increasingly demanded in private-sector supplier questionnaires — the certificate keeps you in the tender.

Insurance Included

Basic certification through IASME includes cyber liability insurance for eligible UK organisations under £20m turnover — and insurers look for certification at renewal.

Real Attack Resistance

The five controls are designed by the NCSC to stop the commodity attacks that make up most of what UK SMEs face.

Annual Discipline

Recertification every 12 months keeps the basics maintained rather than decaying — the audit cycle is a feature, not a chore.

Before You Apply

Five things to have in order before starting the questionnaire — most failures trace to one of these.

Know your scope

Every device that touches organisational data is in scope — including BYOD phones and home-working kit. Undeclared devices are the classic failure.

Retire unsupported software

Anything past end-of-support fails the update-management control. Audit operating systems and key applications first.

Separate admin accounts

Day-to-day work on standard accounts, admin rights used only when needed — have this working before you attest to it.

Fix authentication

MFA where the question set requires it, default passwords gone, and a password policy you actually enforce.

Evidence for Plus

If you're going for Plus, the auditor tests real devices — a gap analysis before the audit day is far cheaper than a failed assessment.

Frequently Asked Questions

Get Certification-Ready with AMVIA

Gap analysis against the current question set, remediation, and evidence preparation — from a provider that holds Cyber Essentials Plus itself. No obligation.