Quick answer: Cyber Essentials is a UK government cybersecurity certification covering five basic security controls. It is mandatory for central government IT contracts and increasingly required across NHS, local government, and defence. Without it, you will fail the selection stage on many public sector tenders. Certification costs £300-600 and takes 1-4 weeks.
The five Cyber Essentials controls
Firewalls
Boundary firewalls and internet gateways must be configured to protect all devices that connect to the internet. This includes checking that only necessary ports and services are accessible from the internet.
Secure configuration
Computers and network devices must be configured securely. This includes removing unnecessary software, changing default passwords, and ensuring security features are enabled.
User access control
User accounts must be managed carefully. This means using the principle of least privilege, having separate admin accounts for administrative tasks, and removing accounts that are no longer needed.
Malware protection
Protection against malware must be in place on all devices. This includes anti-malware software, application whitelisting, or sandboxing to prevent malicious code from running.
Patch management
Software and operating systems must be kept up to date. High-risk vulnerabilities must be patched within 14 days of a patch being released. Out-of-support software must be removed or isolated.
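To make the five controls concrete, here is an added Python example (not code from this page, NCSC or IASME) that runs a rough readiness check of a constructed device inventory against them, flagging the kind of gap a self-assessment would surface: inbound ports exposed beyond a justified allow-list, default passwords, missing anti-malware, out-of-support operating systems, high-risk patches older than 14 days, and admin accounts with no separate standard account. The inventory shape, its field names, the HTTPS-only allow-list and the account-separation heuristic are all assumptions made for illustration.

```python
"""Added example: minimal readiness check of an asset register against the
five Cyber Essentials controls. Inventory shape, field names and thresholds
are constructed assumptions, not an official NCSC/IASME tool."""
from datetime import date, timedelta

# Constructed sample inventory (assumption: this is the shape your asset
# register exports). Each device records what the five controls ask about.
INVENTORY = [
    {
        "host": "ws-01",
        "os_supported": True,
        "open_inbound_ports": [443],
        "default_password": False,
        "anti_malware": True,
        "pending_high_risk_patches": [],  # (patch id, vendor release date)
        "accounts": [
            {"name": "alice", "admin": False},
            {"name": "alice-admin", "admin": True},  # separate admin account
        ],
    },
    {
        "host": "srv-legacy",
        "os_supported": False,
        "open_inbound_ports": [22, 3389, 445],
        "default_password": True,
        "anti_malware": False,
        # Constructed patch identifier, released well over 14 days ago
        "pending_high_risk_patches": [("KB-EXAMPLE-1", date(2024, 1, 1))],
        "accounts": [{"name": "bob", "admin": True}],  # admin used day-to-day
    },
]

ALLOWED_INBOUND = {443}        # assumption: only HTTPS is business-justified
PATCH_SLA = timedelta(days=14)  # CE: high-risk fixes applied within 14 days
AS_OF = date(2024, 3, 1)       # constructed assessment date

CONTROLS = ("firewalls", "secure_configuration", "user_access_control",
            "malware_protection", "patch_management")


def assess(inventory, today, allowed_inbound=ALLOWED_INBOUND):
    """Return {control: [finding, ...]} containing only controls that fail."""
    findings = {c: [] for c in CONTROLS}
    for dev in inventory:
        host = dev["host"]
        # Firewalls: every internet-facing port needs a business justification
        for port in dev["open_inbound_ports"]:
            if port not in allowed_inbound:
                findings["firewalls"].append(
                    f"{host}: inbound port {port} exposed without justification")
        # Secure configuration: vendor default credentials must be changed
        if dev["default_password"]:
            findings["secure_configuration"].append(
                f"{host}: default password still in place")
        # Malware protection: some protection must be present on every device
        if not dev["anti_malware"]:
            findings["malware_protection"].append(
                f"{host}: no anti-malware protection")
        # Patch management: unsupported OS and overdue high-risk patches
        if not dev["os_supported"]:
            findings["patch_management"].append(
                f"{host}: out-of-support OS must be removed or isolated")
        for patch_id, released in dev["pending_high_risk_patches"]:
            if today - released > PATCH_SLA:
                overdue = (today - released - PATCH_SLA).days
                findings["patch_management"].append(
                    f"{host}: {patch_id} is {overdue} days past the 14-day deadline")
        # User access control (heuristic assumption): a device whose only
        # accounts are admin accounts has no separate standard account in use
        admins = [a for a in dev["accounts"] if a["admin"]]
        standard = [a for a in dev["accounts"] if not a["admin"]]
        if admins and not standard:
            findings["user_access_control"].append(
                f"{host}: admin account(s) used without a separate standard account")
    return {c: f for c, f in findings.items() if f}


def print_report(inventory=INVENTORY, today=AS_OF):
    """Human-readable gap list, grouped by control."""
    result = assess(inventory, today)
    if not result:
        print("No gaps found against the five controls.")
    for control, items in result.items():
        print(f"[{control}]")
        for item in items:
            print("  -", item)
    return result


if __name__ == "__main__":
    print_report()
```

Run it as-is and the legacy server produces findings under all five controls while the workstation produces none; swap in an export of your own asset register to get a first-pass gap list before paying for the questionnaire review.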
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials
- Self-assessment questionnaire
- Reviewed by certification body
- Certificate issued on pass
- Cost: ~£300-600
- Time: 1-4 weeks
- Required for: most public sector IT contracts
Cyber Essentials Plus
- Self-assessment + independent technical test
- Assessor verifies controls are working
- Higher assurance level
- Cost: ~£1,500-3,000
- Time: 4-8 weeks
- Required for: higher-risk contracts, MOD, NHS sensitive data
Where Cyber Essentials is required
- Central government IT contracts: CE or CE Plus depending on risk
- NHS contracts handling patient data: CE Plus increasingly required
- Ministry of Defence: CE Plus for sensitive work
- Local authority IT contracts: CE as minimum, CE Plus for higher risk
- Police and blue light services: CE Plus often required
- Education (universities, MATs): CE as minimum
- Housing associations: CE as minimum
How to get Cyber Essentials certified
Choose a certification body
Select an NCSC-approved, IASME-accredited certification body. Compare prices — the certification is the same regardless of provider. Popular choices include IT Governance, Pentest People, and IASME directly.
Complete a readiness assessment
Before starting formally, assess your current posture against the five controls. Most certification bodies offer a free or low-cost pre-assessment tool. Address any gaps before submitting your questionnaire.
Complete the online questionnaire
Answer questions about your five security controls honestly. The questionnaire covers your firewall configuration, patching processes, access controls, and malware protection. It typically takes 2-4 hours to complete.
Submit for review
Your certification body reviews your answers. If you pass, your certificate is issued within a few days. If you fail, you receive feedback and can resubmit once issues are addressed.
For CE Plus — schedule technical assessment
If you need CE Plus, schedule the technical assessment with your certification body. An assessor will remotely test your systems to verify the controls are working as described.
Cyber Essentials and public sector tendering
Cyber Essentials appears in public sector procurement in two ways: as a mandatory pass/fail requirement in the Selection Questionnaire, and as an evaluation criterion in the technical assessment. In either case, not having current certification is a significant barrier to winning contracts.
The practical advice is simple: obtain Cyber Essentials before you need it. Certification takes 1-4 weeks — if you discover a tender requires it on the day of publication, you may not have time to certify before the submission deadline. Treating it as a foundational business credential rather than a tender-specific requirement removes this risk entirely.
Frequently asked questions
What is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme that helps organisations protect themselves against common cyber threats. It was developed by NCSC (National Cyber Security Centre) and covers five key technical controls: firewalls, secure configuration, user access control, malware protection, and patch management.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment certification where you complete an online questionnaire about your security controls. Cyber Essentials Plus is a higher level that includes independent technical verification of your controls by an assessor. CE Plus provides greater assurance and is required for higher-risk public sector contracts.
Is Cyber Essentials mandatory for government contracts?
Cyber Essentials is mandatory for all central government contracts that involve handling personal data or providing certain technical products and services. It is increasingly required across NHS, local government, and defence contracts. Many buyers now include it as a minimum requirement in their Selection Questionnaires.
How much does Cyber Essentials cost?
Cyber Essentials certification costs approximately £300-600 through an NCSC-approved certification body, depending on the provider and your organisation's size. Cyber Essentials Plus costs more — typically £1,500-3,000 — as it includes independent technical assessment. Prices vary by certification body.
How long does Cyber Essentials take?
Cyber Essentials self-assessment typically takes 1-4 weeks depending on your current security posture and how quickly you can implement any required changes. Cyber Essentials Plus takes longer as it requires scheduling an independent assessment — allow 4-8 weeks in total.
How long does Cyber Essentials certification last?
Cyber Essentials certification is valid for 12 months. You must renew annually to maintain certification. Many public sector contracts require current (not expired) certification throughout the contract duration.
Which certification body should I use for Cyber Essentials?
There are many NCSC-approved certification bodies. Choose one that is IASME-accredited for Cyber Essentials. Well-known providers include IASME, IT Governance, Pentest People, and QG Management Standards. Compare prices and process — the certification itself is the same regardless of which approved body you use.
Find public sector contracts that match your capabilities
Once you have Cyber Essentials, use PSIP to find relevant UK public sector IT and technology contracts. 7-day free trial, no credit card required.