Cyber Essentials: The UK Baseline Your Customers Now Expect
Cyber Essentials is the UK government-backed certification that proves your business has the five fundamental security controls in place. It's increasingly demanded in procurement, required for certain government contracts, and favoured by insurers. AMVIA holds Cyber Essentials Plus ourselves — and we prepare businesses to pass.
Quick answer: what is Cyber Essentials?
Cyber Essentials is the National Cyber Security Centre's baseline certification scheme, operated by IASME. It verifies five technical controls — firewalls, secure configuration, access control, malware protection and security update management — via a self-assessment questionnaire (basic) or an independent technical audit (Plus). Certification costs from around £300–£500+VAT depending on organisation size, is required for certain UK government contracts, and increasingly appears in supplier questionnaires and cyber insurance conditions.
Compare Cyber Essentials vs PlusWhat is Cyber Essentials, exactly?
Cyber Essentials is the UK's government-backed cyber security certification, designed by the National Cyber Security Centre and delivered through IASME as the scheme's certification body partner. It exists to prove one specific thing: that your organisation has implemented five fundamental technical controls that stop the majority of commodity cyber attacks — the untargeted, automated attacks that make up most of what UK SMEs actually face.
The five controls
- Firewalls — every device protected by a correctly configured boundary or software firewall.
- Secure configuration — default passwords changed, unused software and accounts removed, security settings actively chosen rather than left as shipped.
- User access control — accounts run with the minimum privileges needed; admin rights restricted and controlled.
- Malware protection — anti-malware or application allow-listing on every in-scope device.
- Security update management — supported software only, with high and critical patches applied promptly.
None of this is exotic — which is the point. The scheme certifies disciplined execution of the basics, and the basics are what stop most real-world attacks. With 43% of UK businesses reporting a breach or attack in the past 12 months (DSIT, Cyber Security Breaches Survey 2025), the baseline matters.
Why UK businesses get certified
Three commercial drivers, in practice. Procurement: Cyber Essentials is required for certain UK government contracts and appears in a growing share of private-sector supplier questionnaires — for many SMEs, the certificate is the difference between bidding and not bidding. Insurance: basic Cyber Essentials certification through IASME includes cyber liability insurance for eligible UK organisations with under £20 million turnover, and insurers increasingly ask about certification at renewal. Discipline: the annual recertification cycle forces the security hygiene that drifts when nobody is checking.
Basic or Plus?
Basic Cyber Essentials is a verified self-assessment; Cyber Essentials Plus adds an independent technical audit of your actual systems. Plus carries more weight with enterprise buyers and regulated supply chains — it's the tier AMVIA holds ourselves. The full trade-off (cost, effort, what each proves) is covered in our Cyber Essentials vs Plus comparison, and pricing in detail in the certification cost guide.
How AMVIA gets businesses through it
We hold Cyber Essentials Plus ourselves, so we've done this the hard way — and our managed security services map directly onto the five controls: managed firewalls, endpoint protection, patch management and access control are what our plans run day to day. For certification, that means gap analysis against the current question set, remediation of what falls short, and evidence preparation — then keeping you compliant between renewals rather than scrambling annually. See managed cybersecurity for the ongoing service, or the vulnerability management page for the patching discipline the scheme demands.
What Certification Gets You
Bid Eligibility
Required for certain UK government contracts and increasingly demanded in private-sector supplier questionnaires — the certificate keeps you in the tender.
Insurance Included
Basic certification through IASME includes cyber liability insurance for eligible UK organisations under £20m turnover — and insurers look for certification at renewal.
Real Attack Resistance
The five controls are designed by the NCSC to stop the commodity attacks that make up most of what UK SMEs face.
Annual Discipline
Recertification every 12 months keeps the basics maintained rather than decaying — the audit cycle is a feature, not a chore.
Before You Apply
Five things to have in order before starting the questionnaire — most failures trace to one of these.
Know your scope
Every device that touches organisational data is in scope — including BYOD phones and home-working kit. Undeclared devices are the classic failure.
Retire unsupported software
Anything past end-of-support fails the update-management control. Audit operating systems and key applications first.
Separate admin accounts
Day-to-day work on standard accounts, admin rights used only when needed — have this working before you attest to it.
Fix authentication
MFA where the question set requires it, default passwords gone, and a password policy you actually enforce.
Evidence for Plus
If you're going for Plus, the auditor tests real devices — a gap analysis before the audit day is far cheaper than a failed assessment.
Frequently Asked Questions
Cyber Essentials is the UK government-backed certification scheme, designed by the NCSC and operated through IASME, that verifies your business has five fundamental security controls in place: firewalls, secure configuration, user access control, malware protection and security update management. Basic certification is a verified self-assessment; Cyber Essentials Plus adds an independent technical audit.
Not universally — but it is required for certain UK government contracts, particularly those involving sensitive information, and it appears in a growing share of private-sector procurement questionnaires. For many SMEs the practical answer is yes: without it, tenders and supply-chain relationships close off.
The IASME assessment fee for basic Cyber Essentials is tiered by organisation size — from around £300+VAT for micro organisations to around £500+VAT for large ones (2026 fees). Cyber Essentials Plus is priced by the certification body performing the audit, typically from around £1,500+VAT depending on size and scope. Budget for remediation work too — see our full cost guide.
Basic certification can complete within days once the questionnaire is answered accurately — the real timeline is however long remediation takes beforehand. Cyber Essentials Plus adds an audit that must complete within three months of the basic pass; a typical prepared SME lands the whole process in a few weeks.
Same five controls, different level of proof. Basic is a self-assessment questionnaire verified by an assessor; Plus adds an independent technical audit of your actual systems — device sampling, vulnerability scans and configuration testing. Plus carries more weight with enterprise buyers and regulated supply chains.
Yes — AMVIA holds Cyber Essentials Plus, the audited tier. Our managed security services map directly onto the five controls, which is why certification preparation is a natural part of what we run for clients day to day rather than a bolt-on consultancy exercise.
Get Certification-Ready with AMVIA
Gap analysis against the current question set, remediation, and evidence preparation — from a provider that holds Cyber Essentials Plus itself. No obligation.
Related Resources
Cyber Essentials vs Cyber Essentials Plus
Self-assessment or audited certification — what each proves, costs and which buyers demand which.
How Much Does Cyber Essentials Cost?
IASME fees by organisation size, Plus audit pricing, and the real first-year budget including remediation.
Managed Cybersecurity
The ongoing service that keeps the five controls running between renewals.
Vulnerability Management
The patching and update discipline the scheme's fifth control demands.
IASME Cyber Assurance
The broader IASME governance standard that builds on Cyber Essentials.
Protect your business → Get Cybersecurity Assessment