What does it mean to be Cyber Essentials certified?
If you’re hearing more about Cyber Essentials from clients, insurers or public-sector tenders, you’re not alone. It’s the UK’s government‑backed baseline for cybersecurity, designed so any organisation, large or small, can stop the most common attacks and prove it with a certificate. In this guide, we explain exactly what “Cyber Essentials certified” means and the quickest way to pass without the geek speak.
Who this helps: Whether you’re an accountancy firm safeguarding financial data, a manufacturer protecting operational systems, or a professional services business securing client confidentiality, Think Cloud guides you every step of the way, quickly and confidently.
Cyber Essentials in a nutshell
Cyber Essentials is a UK government-backed certification, delivered by the National Cyber Security Centre (NCSC) in partnership with IASME, that helps you guard against the most common cyber-attacks and demonstrate that basic, effective controls are in place. It’s designed to be practical, simple, and widely applicable. (NCSC)
At its core, there are five technical control measures you implement and maintain. Passing gives you a certificate you can share with customers on your website and in procurement portals, evidence that you meet a recognised baseline.
It focuses on controls that stop the most common threats: phishing, malware, unauthorised access, and exploitation of unpatched systems.
Two levels: Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials (Self‑Assessment): You complete a structured questionnaire about your controls. An external assessor validates your responses.
Cyber Essentials Plus (Audited): Includes everything in Cyber Essentials, plus a hands‑on technical audit with vulnerability checks and sample device testing. Think of it as independent verification of what you’ve declared.
If you achieve Cyber Essentials less than three months before Cyber Essentials Plus, you won’t need to repeat the self‑assessment stage. (IASME)
Both levels give you a recognised badge that reassures clients, insurers, and procurement teams that your foundations are solid.
Who benefits and why it matters
Whether you are an accountancy firm safeguarding financial data, a manufacturer protecting operational systems, or a professional services business securing client confidentiality, Cyber Essentials helps you:
Reduce risk of common attacks with five proven controls.
Win work by meeting a common prerequisite in supply chains and public-sector bids.
Lower premiums by aligning with insurer expectations (and sometimes eligibility).
Build trust with a clear, independent signal of good practice.
Simplify compliance by aligning with other frameworks. Cyber Essentials is a strong stepping stone towards ISO 27001, the international standard for an Information Security Management System (ISMS): a framework of policies, processes and procedures that helps organisations protect sensitive data by managing risk and establishing robust security controls.
The five technical controls
The Cyber Essentials Requirements for IT Infrastructure v3.2, April 2025, categorise Cyber Essentials into five themes. At Think Cloud, we keep the language simple and the outcomes clear:
Firewalls – Control what comes in and out of your network to block bad traffic. Put proper gatekeeping at your boundaries and on devices (especially laptops on public Wi‑Fi). Change default admin passwords, restrict admin interfaces, and only allow necessary services.
Secure configuration – Make sure devices, apps, and services (including cloud services) aren’t running risky defaults, unused features, or exposed ports. Remove unnecessary accounts and software, switch off risky settings, and secure every new device or service before use.
Security update management – Keep operating systems, firmware, and applications up to date so known vulnerabilities can’t be exploited. Apply vulnerability fixes, not just patches.
User access control – Limit admin rights, use strong authentication (including two-factor authentication, 2FA) and follow the principle of least privilege: give people only the access they need. Protect admin accounts, and use passwordless options alongside 2FA where supported.
Malware protection – Keep your devices safe from malware with effective security tools and safe browsing practices. Run up-to-date antivirus software, and consider maintaining a list of trusted sites (an allow list) to help block harmful content.
These controls apply across your IT hardware, cloud platforms, remote users and third-party services: wherever your data lives, your security should live too.
What does the Cyber Essentials assessment cover?
To successfully pass Cyber Essentials, you need to outline the scope, which includes specifying the systems, locations, and devices that are part of the assessment. Additionally, you must demonstrate compliance with the five required controls:
Devices & IT hardware: Laptops, desktops, servers, mobiles, and tablets including corporate and personal, within scope.
Cloud & SaaS: Microsoft 365, Azure, Google Workspace, and line-of-business apps configured securely with MFA and conditional access.
Networks & Internet access: Routers, firewalls, Wi-Fi, and remote access (VPN, Virtual Private Network).
Accounts & Identities: Admin segregation, strong passwords and passphrases, 2FA, and a joiners, movers and leavers (JML) process, which manages an employee's lifecycle in the organisation: onboarding, internal role changes, and departures.
Update & Vulnerability Management: Patching cadence, firmware updates, and vulnerability remediation.
If you choose Cyber Essentials Plus, an accredited assessor will perform technical tests against a sample of in-scope devices to validate your controls.
How Think Cloud gets you accredited fast
We make accreditation painless by aligning our services to your business goals and the Cyber Essentials controls:
Discovery & Gap Analysis (IT Consultancy): We review your policies, device inventory, cloud tenancy, and network setup. You get a clear action plan ranked by risk and effort.
Remediation & Hardening (IT Support + Cyber Security): We implement fixes: 2FA rollouts, secure configuration, patching, EDR deployment, firewall rules, conditional access, and least privilege admin.
Cloud Security Baselines (Cloud Security): We apply secure defaults in Microsoft 365/Azure, backup critical data, and align identity controls to best practice.
Hardware & Endpoint Readiness (IT Hardware): We onboard compliant devices, replace risky legacy kit, and standardise builds with automated configuration.
Policy, Training & Evidence Pack (IT Consultancy): We provide practical policies (acceptable use, password/2FA, patching), user training, and assemble your evidence for submission.
Assessment & Plus Audit Support: We guide your self-assessment and liaise with the certification body. For Cyber Essentials Plus, we prep sample devices and support you through the technical checks.
Result: You become Cyber Essentials certified quickly and confidently, and you keep it that way.
Ready to get Cyber Essentials certified?
Become Cyber Essentials certified, fast and jargon‑free
Book a discovery call and we’ll map your path to accreditation: scope, actions, timelines, and costs, all in one focused session.
Protect Your Business Today
Cyber threats are evolving, don’t wait until it’s too late. Download “15 Ways to Protect Your Business from a Cyber Attack” and discover practical steps to safeguard your data, reputation, and bottom line.
✅ Actionable tips you can implement immediately
✅ Expert guidance from Think Cloud
✅ Peace of mind for your business
Download Now and take control of your cybersecurity.
Cyber Essentials FAQs
Not for everyone, but it’s a common requirement for public‑sector contracts and is increasingly expected by private‑sector clients and insurers.
That you’ve implemented five baseline controls that stop many common attacks and that you can evidence them to a recognised national standard.
It’s a baseline. For higher-risk environments or where customers demand more, consider adding Cyber Essentials Plus and further controls proportionate to your specific risks.
If you handle sensitive data, work in regulated supply chains, or want stronger assurance, Plus is worth it. Many start with Cyber Essentials, then move to Plus within 6–12 months. You can upgrade to Cyber Essentials Plus within 3 months of CE to avoid paying for it twice.
Yes, IaaS, PaaS and SaaS are in scope. The implementation of controls varies by model, but you remain responsible for ensuring that controls are in place and contractually committed.
Pricing depends on company size and employee count. Basic CE ranges from £600 to £900. CE Plus pricing varies based on complexity, so we recommend requesting a tailored quote.
Most SMEs complete CE in days to a few weeks depending on readiness; CE+ adds time for technical testing. If you passed CE in the last 3 months, you typically don’t repeat the questionnaire for CE+.