Cyber Essentials Certification Guide: What It Is, What It Costs, and How to Get It
Cyber Essentials is a UK government-backed cybersecurity certification built around five basic technical controls that get tested against your actual infrastructure. It won't cover everything your business does (it's not trying to). What it actually targets are the controls that stop the most common internet-based attacks from getting through.
I've certified over 800 businesses through CE and CE Plus, so this guide covers what the scheme involves in practice, what it costs, how long it takes, and where people trip up.
What Cyber Essentials tests
Five controls make up the entire scope of the assessment.
1. Firewalls
Every device connecting to the internet needs a firewall, whether that's routers, laptops, phones, or cloud services. The assessment looks at whether default firewall rules block inbound traffic unless you've gone in and explicitly allowed it. And it checks your administrative interfaces aren't sitting there exposed to the internet.
2. Secure configuration
Default settings on devices and software need changing. Get rid of default passwords, turn off services you're not using, and disable auto-run. The assessment checks you haven't just left everything in its out-of-the-box state.
3. Access control
User accounts need proper control, and everyone gets their own account. Admin privileges go only to people who genuinely need them, and only for admin tasks. MFA is required on all cloud services and any admin interface that faces the internet.
4. Malware protection
You need something in place against malware, whether that's traditional antivirus, application allowlisting, or sandboxing. Windows Defender counts (assuming it's configured properly and kept updated). The assessment checks it's active and current on every in-scope device.
5. Patch management
Software and firmware must be updated within 14 days of a patch being released, where the patch fixes a vulnerability rated high or critical. Unsupported software, meaning anything that's stopped receiving security updates, must be removed from scope or isolated behind a sub-scope boundary.
Two levels: Basic and Plus
CE Basic
Self-assessment questionnaire completed through the IASME portal. You answer questions about how your organisation handles the five controls, a qualified assessor reviews your answers, and if they're accurate and show compliance, you get certified.
The questionnaire covers your network boundary, device inventory, cloud services, user accounts, patching processes, and malware protection. You declare the scope, which is the parts of your IT infrastructure you're including.
Cost: from GBP 320 + VAT for the IASME assessment fee
Timeline: Most businesses complete the questionnaire in 2-5 days of preparation. Assessment review takes 1-5 working days.
CE Plus
Everything in Basic, plus verified technical testing. An assessor (that's my role) connects to your systems and runs tests against all five controls. We're checking whether what you declared on the questionnaire is actually true.
The Plus assessment includes five standard test cases:
- Patch verification - checking installed patch levels against known vulnerabilities
- Malware protection - testing that antivirus detects the EICAR test file
- Access control - verifying MFA is enforced and admin accounts are restricted
- External vulnerability scan - identifying internet-facing vulnerabilities rated CVSS 7.0 or above
- Configuration review - checking that devices match what was declared
If something fails, you get a 30-day remediation window to address it. Fix it, we re-test, and if it passes you're certified. Still failing after remediation means the assessment fails.
Cost: from GBP 1,200 to GBP 2,100 + VAT for most small to medium businesses
Timeline: Testing takes 1-3 days depending on how many devices are in scope. You have a 3-month window from starting Basic to completing Plus.
Who needs it
Government suppliers: PPN 09/14 requires CE for contracts involving personal data or ICT services. This is based on contract type, not a monetary threshold.
NHS suppliers: NHS trusts and NHS Supply Chain typically require CE Plus for suppliers handling patient data.
Insurance requirements: Many cyber insurance providers ask for CE as a condition of cover or offer reduced premiums for certified businesses.
Supply chain requirements: Large organisations increasingly require CE from their suppliers as part of vendor due diligence.
Any UK business: Even without a contractual driver, the five controls represent a sensible baseline. They're the same controls that prevent the majority of commodity cyber attacks.
What it doesn't cover
CE tests five technical controls and nothing beyond them. It doesn't test:
- Governance - no security policy review, no risk assessment
- Detection - no monitoring, no alerting, no log review
- Incident response - no response plan, no recovery testing
- Staff training - no phishing awareness, no security culture assessment
- Physical security - no office access, no visitor management
- Backup and recovery - no backup verification, no disaster recovery
That's not me having a go at the scheme. CE is designed so any organisation can achieve it. And the five controls it does test work. A Lancaster University study tested 200 CVEs against CE controls and found 131 were fully mitigated and another 60 partially mitigated. But it's a baseline, not a complete security programme.
Common reasons businesses fail
After 800+ assessments, these are the failures I spot most often:
Unsupported software: Windows 10 reaches end of life in October 2025. Any device still running it after that date either needs upgrading or putting behind a sub-scope boundary.
Cloud MFA gaps: MFA is required on all cloud services and internet-facing admin portals. I regularly find businesses with MFA on Microsoft 365 but nothing on their accounting software, CRM, or backup platform. It's the gaps between the obvious ones that catch people.
Admin account misuse: People using admin accounts for daily work. CE requires admin accounts to be separate from standard accounts, used only for administrative tasks.
Patching delays: The 14-day window is strict. If a critical patch came out 15 days ago and you haven't installed it, that's a fail.
Scope declaration errors: Including things that shouldn't be there or excluding things that should. Most of the actual complexity in CE sits right here, in scoping.
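The 14-day rule from the patch management control and the "critical patch came out 15 days ago" failure above, worked through as an added readiness check (example code written for this guide, not part of the scheme or any assessor tooling). The inventory, device names and dates are constructed; the severity ratings are assumed to be the vendor's own high/critical labels.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# CE patch-management rule as this guide describes it: high/critical fixes must be
# installed within 14 days of release; unsupported software leaves scope or is isolated.
PATCH_WINDOW = timedelta(days=14)
IN_SCOPE_SEVERITIES = {"high", "critical"}

@dataclass
class PatchRecord:
    device: str
    software: str
    severity: str              # vendor rating: "low", "medium", "high" or "critical"
    released: date             # date the vendor published the fix
    installed: Optional[date]  # None while the fix is still missing
    supported: bool = True     # False once the product stops receiving security updates

def evaluate_patch(record: PatchRecord, today: date) -> Optional[str]:
    """Return a failure reason for one record, or None if it is compliant on `today`."""
    if not record.supported:
        return "unsupported software: remove from scope or isolate in a sub-scope"
    if record.severity.lower() not in IN_SCOPE_SEVERITIES:
        return None  # the 14-day rule only applies to high/critical fixes
    deadline = record.released + PATCH_WINDOW  # day 14 itself still counts as on time
    if record.installed is None:
        if today > deadline:
            return f"missing fix overdue by {(today - deadline).days} day(s)"
        return None  # still inside the window
    if record.installed > deadline:
        return f"installed {(record.installed - deadline).days} day(s) after the 14-day deadline"
    return None

def patch_compliance(records, today):
    """Map (device, software) -> reason for every record that would fail the control."""
    failures = {}
    for r in records:
        reason = evaluate_patch(r, today)
        if reason:
            failures[(r.device, r.software)] = reason
    return failures

# Constructed sample inventory (hypothetical devices and dates, not real patch data).
TODAY = date(2025, 6, 30)
SAMPLE = [
    PatchRecord("LAPTOP-01", "Browser", "critical", date(2025, 6, 15), None),         # 15 days ago: fail
    PatchRecord("LAPTOP-02", "Browser", "critical", date(2025, 6, 20), None),         # 10 days ago: fine
    PatchRecord("LAPTOP-03", "Office", "high", date(2025, 6, 1), date(2025, 6, 20)),  # installed late: fail
    PatchRecord("LAPTOP-04", "Office", "medium", date(2025, 5, 1), None),             # below threshold: fine
    PatchRecord("SERVER-01", "Legacy ERP", "critical", date(2025, 6, 25), None, supported=False),
]

if __name__ == "__main__":
    for (device, software), reason in patch_compliance(SAMPLE, TODAY).items():
        print(f"{device} / {software}: {reason}")
```

Run against a real export of your device list and the check gives you the same list an assessor would compile during patch verification, before the assessment rather than during it.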
How to prepare
- Define your scope - identify every device, cloud service, and user account that handles business data
- Run the self-assessment - answer the CE Basic questionnaire honestly. Where you can't answer "yes," those are your gaps
- Fix the gaps - patch everything, enforce MFA, remove admin rights from daily-use accounts, configure firewalls, update or remove unsupported software
- Document what you've done - the questionnaire asks for evidence. Have your device list, cloud service inventory, and patching records ready
- Book Plus testing - if you need Plus, schedule it within the 3-month window after starting Basic
Preparation is where all the real work happens. If the controls are genuinely in place when we turn up, the assessment itself is pretty straightforward (and consistent with the 2026 attestation evaluation criteria).
Certification validity
CE certificates last 12 months from the date of issue. Renewal means going through the full process again, fresh assessment and all. Your IT environment shifts over a year. New devices, new cloud services, people leaving, software updates. The annual reassessment catches what's drifted since the last certification.
Certificates are listed on the NCSC's public register. Anyone can verify yours is genuine and current by searching the IASME portal.
Getting started
If you want to check where your controls stand before committing, the readiness quiz covers CE's five controls in five minutes with no commitment and no sales call.
For the full assessment process, read how to prepare for CE Plus. For Danzell-specific changes affecting current assessments, read the Danzell update guide.