Cyber Essentials for Startups: What You Actually Need

I've certified over 800 organisations across every sector. A fair number of those were startups, some pre-revenue, some with nothing more than a laptop and a broadband connection. And the thing that surprises most founders is how little stands between them and the certificate. Five controls, a questionnaire, and a couple of weeks if you're organised about it.
But there's a gap between "it's straightforward" and "I know exactly what to do." That gap is where startups either breeze through or waste weeks second-guessing themselves. So here's everything you actually need to know, from someone who's assessed businesses at every stage from sole trader to FTSE 350.
Do you actually need it?
Honest answer: it depends on who you're selling to.
There's no law that says every UK business must hold Cyber Essentials. It isn't like registering with Companies House or filing your self-assessment. Nobody from IASME is going to knock on your door demanding a certificate.
But the practical reality is different from the legal one.
Government contracts. If you're bidding for any government work involving personal data or ICT services, you need CE certification under Procurement Policy Note 09/14. No certificate, no bid. I've seen startups discover this the week a tender closes. By that point it's too late.
Enterprise clients. Bigger companies are getting stricter about their supply chain. I'm seeing more procurement questionnaires that ask specifically for Cyber Essentials, not "do you have good security" in general terms, but "do you hold CE certification, yes or no." If you're a SaaS startup selling to enterprise, expect this question to land during due diligence.
Investment rounds. Some accelerators and investors want to see evidence that you take security seriously. A CE certificate is the quickest way to show that without writing a 40-page security policy that nobody reads.
Insurance. Eligible SMEs with CE certification get up to £25,000 in free cyber insurance bundled with the certificate. For a startup watching every pound, that's worth knowing about.
If none of those apply to you today, you might not need CE right now. But if you're heading towards any of those markets, getting certified while your setup is simple costs less and takes less time than doing it when you've got 50 devices and a tangled web of cloud subscriptions.
What the assessment actually covers
The whole scheme is built on five controls.
I'll walk through each one, because the names sound more intimidating than the reality.
Firewalls. Your broadband router already has one built in. The assessment checks that you've changed the default admin password (the one printed on a sticker on the side of the router), that you're not exposing services to the internet that don't need to be exposed, and that the software firewall on your laptop is turned on. For a startup working from home or a co-working space, this is usually sorted already.
Secure configuration. This one catches people out more than you'd expect. It means removing software you don't use, changing default passwords on every device, setting a screen lock, and controlling who can install applications. That printer in the corner of your co-working space? If it's on your network, its default password matters. Most startups trip up on the "remove unused software" part because they've never thought about it.
User access control. Everyone gets their own account with no shared logins. MFA turned on for every cloud service that supports it. Admin accounts used only for admin tasks, not for day-to-day work. Passwords need to be at least eight characters with MFA, or 12 characters without.
I'll be blunt: shared accounts are the single most common issue I see in startup assessments. Two co-founders sharing a Notion login, a "team" Slack account, a shared password for the company's social media dashboard. Every person needs their own credentials, so sort this before you start the questionnaire.
Malware protection. Antivirus on every device, updated automatically, scanning files when they're accessed. If you're on Windows, Defender is built in and meets the requirement out of the box. On macOS, the built-in protections generally meet it too, though you should confirm that malware scanning is active rather than assuming it is.
Patch management. Critical and high-severity patches applied within 14 days. Automatic updates turned on. No unsupported software running anywhere in scope.
The 14-day patching deadline is reasonable for startups because you're usually running modern operating systems that update themselves. It's companies with 200 devices and three legacy applications that struggle with this control, not a four-person team on MacBooks.
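The user access control, malware protection and patch management rules above are easy to state and easy to get wrong across a dozen accounts and devices. The script below is an added example, not part of the original article, that encodes those rules (individual accounts only, password length against the with/without-MFA thresholds, admin accounts kept out of daily work, supported and auto-updating operating systems, critical patches no older than 14 days, malware protection and software firewall on) and runs them over a constructed inventory. The account and device records, names and dates are all made up for the example.

```python
"""Added example (not from the article): apply the Cyber Essentials account
and device rules described in the text to a small constructed inventory.
All names, services and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_DEADLINE_DAYS = 14      # critical/high patches applied within 14 days
MIN_LEN_WITH_MFA = 8          # eight characters when MFA is enabled
MIN_LEN_WITHOUT_MFA = 12      # twelve characters when it is not


@dataclass
class Account:
    service: str
    username: str
    holders: List[str]            # people who use the login; more than one = shared
    mfa: bool
    password_length: int
    mfa_supported: bool = True    # does the service offer MFA at all
    is_admin: bool = False
    used_for_daily_work: bool = False


@dataclass
class Device:
    name: str
    os_supported: bool                      # vendor still issues security updates
    auto_update: bool
    oldest_pending_critical: Optional[date] # release date of oldest unapplied critical patch
    malware_protection: bool
    software_firewall: bool


def check_account(acc: Account) -> List[str]:
    """Return one finding per user-access-control rule the account breaks."""
    tag = f"{acc.service}/{acc.username}"
    findings = []
    if len(acc.holders) > 1:
        findings.append(f"{tag}: shared by {len(acc.holders)} people")
    required = MIN_LEN_WITH_MFA if acc.mfa else MIN_LEN_WITHOUT_MFA
    if acc.password_length < required:
        findings.append(f"{tag}: password is {acc.password_length} chars, needs {required}")
    if acc.mfa_supported and not acc.mfa:
        findings.append(f"{tag}: MFA available but not enabled")
    if acc.is_admin and acc.used_for_daily_work:
        findings.append(f"{tag}: admin account used for day-to-day work")
    return findings


def check_device(dev: Device, today: date) -> List[str]:
    """Return one finding per patching/malware/firewall rule the device breaks."""
    findings = []
    if not dev.os_supported:
        findings.append(f"{dev.name}: unsupported operating system in scope")
    if not dev.auto_update:
        findings.append(f"{dev.name}: automatic updates turned off")
    if dev.oldest_pending_critical is not None:
        age = (today - dev.oldest_pending_critical).days
        if age > PATCH_DEADLINE_DAYS:
            findings.append(f"{dev.name}: critical patch outstanding {age} days")
    if not dev.malware_protection:
        findings.append(f"{dev.name}: no active malware protection")
    if not dev.software_firewall:
        findings.append(f"{dev.name}: software firewall off")
    return findings


def run_checks(accounts: List[Account], devices: List[Device], today: date) -> List[str]:
    findings: List[str] = []
    for acc in accounts:
        findings += check_account(acc)
    for dev in devices:
        findings += check_device(dev, today)
    return findings


# Constructed sample inventory (not real organisations, people or devices).
TODAY = date(2025, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("Slack", "team@example.invalid", ["Ana", "Ben", "Cal"], mfa=False, password_length=10),
    Account("Microsoft 365", "ana@example.invalid", ["Ana"], mfa=True, password_length=9),
    Account("Microsoft 365", "admin@example.invalid", ["Ben"], mfa=True, password_length=16,
            is_admin=True, used_for_daily_work=True),
]
SAMPLE_DEVICES = [
    Device("ana-macbook", True, True, None, True, True),
    Device("ben-thinkpad", True, True, TODAY - timedelta(days=20), True, False),
    Device("old-win8-box", False, False, None, True, True),
]

if __name__ == "__main__":
    for line in run_checks(SAMPLE_ACCOUNTS, SAMPLE_DEVICES, TODAY):
        print(line)
```

Run as-is it prints eight findings: three for the shared Slack login (shared, too short for a no-MFA account, MFA off), one for the admin account used for daily work, two for the laptop with a 20-day-old critical patch and its firewall off, and two for the unsupported machine. Swap the sample lists for your own asset register to get a pre-questionnaire punch list.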
What's in scope when you're small?
For a startup with three laptops, Microsoft 365, and a broadband router, that's your entire assessment. The scope is small because your infrastructure is small.
Everything that connects to the internet and touches your organisation's data is in scope. Under Danzell v3.3 (the current question set), cloud services can't be excluded. So your email, your project management tool, your accounting software, your CRM, all of it without exception.
Here's what catches people: it's not just the services you pay for. If someone on your team uses Trello for task management and it holds anything related to the business, it's in scope. Startups accumulate SaaS tools quickly: Notion, Slack, Xero, HubSpot, Figma, and Linear. Each one that stores your data needs MFA enabled and proper account controls.
Seriously, make a complete list of everything. Go through your team and ask everyone what tools they use for work. You'll find services you forgot you'd signed up for. Better to discover them now than during the assessment.
What does it cost?
CE basic starts from £320 plus VAT for micro organisations (zero to nine employees). Most startups fall into that lowest pricing band.
CE Plus starts from £1,200 plus VAT. That adds a hands-on technical audit where an assessor actually tests your systems, not just reviews your questionnaire answers. You need basic CE before you can do CE Plus.
With us, there are no hidden fees for "pre-assessment consultancy" or "remediation support." We support you until you pass as part of the assessment fee. That's how it should work, in my opinion. You shouldn't have to pay extra for help understanding a question.
You can see our full CE pricing and CE Plus pricing on the website.
Where startups go wrong
Most startups I certify are already in reasonable shape. Modern cloud services do a lot of the heavy lifting. Microsoft 365 and Google Workspace both have MFA built in. macOS and Windows both update automatically, and your broadband router has a firewall built in.
The problems tend to be specific and fixable.
MFA not turned on. Available on pretty much every cloud service a startup uses. Often not enabled by default. You have to go into each service and switch it on. It takes 10 minutes per service, but nobody does it until they have a reason to. This assessment is your reason to do it.
Shared accounts are everywhere. The "company Slack" account is a common example. A shared email for a service nobody remembers signing up for. A single Canva login passed around the team. Three people logging into the same Trello account with the same password and no MFA is a pattern I see regularly. "We all work on the same projects anyway" is the usual justification. It's still a fail.
Personal devices that nobody's thought about. If your co-founder checks work email on their personal phone, that phone is in scope. Under Danzell, any BYOD device used for anything beyond basic calls, texts, or MFA tokens is in scope. You don't need to buy company phones, but those personal devices need a screen lock, up-to-date software, and malware protection.
The cloud service sprawl nobody mapped. I keep seeing this pattern: a startup signs up for eight or nine different SaaS tools in its first year. Each one holds some slice of business data. Nobody's made a central list. When the questionnaire asks "what cloud services does your organisation use," the founder stares at the screen for 20 minutes trying to remember.
Default router password still on the sticker. Your ISP installed the router, you plugged it in, you connected to Wi-Fi, you never touched the admin settings again. That default password needs changing. It takes two minutes and it's one of the most common assessment failures I see, not just in startups but across all company sizes.
Remote and hybrid teams
Most startups don't have a dedicated office. Your team works from home, co-working spaces, coffee shops, wherever. That's completely fine for Cyber Essentials, because the scheme handles remote working without any special complexity.
Home routers are out of scope entirely. You don't need to audit your co-founder's BT Hub or your developer's Virgin Media router. But the devices themselves (laptops, phones used for work) must have software firewalls enabled and must meet all five controls regardless of location.
If you're using a VPN, the VPN service might be in scope depending on your setup. Most small cloud-first startups don't use one, and don't need to. Your cloud services and endpoint devices are the scope. Keep them patched, keep MFA enabled, and you're covered.
Co-working spaces are worth thinking about briefly. When your staff connect to shared Wi-Fi networks, their devices need proper firewall protection. The built-in firewalls on Windows and macOS handle this, as long as they're actually turned on. I added "as long as they're turned on" because I've assessed environments where someone turned off the Windows firewall to fix a printer issue six months ago and never turned it back on.
Contractors and freelancers
This comes up in nearly every startup assessment, because startups rely on freelancers more heavily than established businesses.
If a contractor uses your systems or accesses your data, their devices may be in scope. The test is whether those devices access organisational data or services. A freelance designer logging into your Figma account from their own laptop? That laptop is potentially in scope for the assessment.
In practice, the approach I recommend is this: require MFA on any account that gives a contractor access to your systems. Beyond that, the scope depends on the level of access. Talk to your assessor during scope definition, because every startup's contractor setup is slightly different.
The thing most founders miss is account hygiene. Track which contractor accounts exist and disable them when the engagement ends. I've seen startups with active accounts for freelancers who finished their work eight months ago. Nobody revoked access because nobody remembered the account existed. That's an assessment risk, and honestly, it's a real security risk too.
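Scoping (cloud services always in, home routers out, personal and contractor devices in once they touch organisational data beyond calls, texts and MFA tokens) and contractor account hygiene are both questions of walking a list and applying a rule. The script below is an added example, not part of the original article, that derives the in-scope asset list from a constructed asset register using those rules, and separately lists contractor accounts that are still active after the engagement end date the founder recorded. The assets, account names and dates are constructed for illustration; the exact scope of any contractor device is still something to confirm with your assessor.

```python
"""Added example (not from the article): derive the Cyber Essentials scope
from an asset register and flag contractor accounts left active after the
engagement ended. All assets, names and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

# Uses of a personal device that, on their own, keep it out of scope.
BASIC_ONLY = frozenset({"calls", "texts", "mfa"})


@dataclass
class Asset:
    name: str
    kind: str                 # "cloud", "laptop", "phone" or "router"
    owner: str                # "company", "personal" or "contractor"
    uses: FrozenSet[str]      # e.g. {"email", "tasks", "design", "calls"}
    location: str = "office"  # routers at "home" are out of scope


def in_scope(asset: Asset) -> bool:
    """Apply the scoping rules from the article to one asset."""
    if asset.kind == "cloud":
        return True                         # cloud services can't be excluded
    if asset.kind == "router":
        return asset.location != "home"     # home routers are out of scope
    if asset.owner == "company":
        return True                         # company devices are always in
    # Personal or contractor device: in scope once it is used for anything
    # beyond basic calls, texts or MFA tokens.
    return bool(asset.uses - BASIC_ONLY)


def scope_list(assets: List[Asset]) -> List[str]:
    return [a.name for a in assets if in_scope(a)]


@dataclass
class ContractorAccount:
    service: str
    username: str
    engagement_end: Optional[date]   # None means the engagement is still running
    active: bool


def stale_contractor_accounts(accounts: List[ContractorAccount], today: date) -> List[str]:
    """Accounts that should have been disabled when the engagement finished."""
    return [
        f"{a.service}/{a.username}"
        for a in accounts
        if a.active and a.engagement_end is not None and a.engagement_end < today
    ]


# Constructed sample register.
SAMPLE_ASSETS = [
    Asset("Microsoft 365", "cloud", "company", frozenset({"email"})),
    Asset("Trello", "cloud", "company", frozenset({"tasks"})),
    Asset("ben-iphone", "phone", "personal", frozenset({"calls", "mfa"})),
    Asset("ana-pixel", "phone", "personal", frozenset({"calls", "email"})),
    Asset("ana-bt-hub", "router", "personal", frozenset(), location="home"),
    Asset("designer-laptop", "laptop", "contractor", frozenset({"design"})),
]
TODAY = date(2025, 6, 30)
SAMPLE_CONTRACTORS = [
    ContractorAccount("Figma", "dana@example.invalid", date(2024, 10, 1), active=True),
    ContractorAccount("Figma", "eli@example.invalid", None, active=True),
    ContractorAccount("Notion", "fay@example.invalid", date(2025, 1, 15), active=False),
]

if __name__ == "__main__":
    print("In scope:", scope_list(SAMPLE_ASSETS))
    print("Stale contractor accounts:", stale_contractor_accounts(SAMPLE_CONTRACTORS, TODAY))
```

On the sample register the phone used only for calls and an MFA app and the home router drop out, while both cloud tools, the phone that reads work email and the freelancer's design laptop stay in; the one contractor account still active eight months after its end date is the only hygiene finding.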
The advantage you don't realise you have
Startups have a genuinely easier time with CE than established businesses. That's not a sales line, it's just the maths.
Your estate is small and manageable at this stage. Three laptops and eight cloud tools can be audited in an afternoon. A company with 200 devices and 30 cloud services needs weeks to map their scope properly.
Your infrastructure is modern by default, which helps. You set up your business recently, so you're running current operating systems and current software. You're not dealing with a legacy application from 2015 that only runs on Windows 8.
Your team is small enough to manage directly. Fewer people means fewer accounts to manage, fewer permissions to check, fewer chances for someone to install something they shouldn't have.
Use that advantage while you have it. Get certified now while your setup is straightforward. As you grow, maintaining certification is far easier when you've built the habits early rather than trying to retrofit security controls onto 50 devices and a team that's never had to think about it.
How long it takes
For a typical startup with under 10 employees and cloud-based infrastructure, here's what a realistic timeline looks like.
First week. Run through your devices and cloud services. Update everything. Turn on MFA across every service. Change default passwords on your router. Make sure everyone has their own accounts, no shared logins.
Second week. This is when you complete the self-assessment questionnaire. It asks specific questions about each of the five controls, and you answer based on what you've actually got in place. Gather any evidence you need and submit.
Assessment. The assessor reviews your submission and either certifies you or comes back with clarifying questions. For straightforward startup environments, this is usually quick.
Most startups go from "we should probably do this" to certified in about two weeks. I've seen some do it in less, particularly sole traders whose scope is a laptop and a broadband connection. And our Fast Track service can have you certified within 12 hours if you're in a rush. But two weeks is a comfortable pace for most.
Growing beyond basic CE
At some point your startup stops being a startup. More devices, more cloud services, more people with access to sensitive data, more clients asking harder questions about your security.
CE Plus is the natural next step. It adds a technical audit where an assessor tests your controls directly, rather than just reviewing your documentation. For startups selling to larger clients or handling sensitive data, CE Plus carries more weight in procurement conversations.
Beyond CE, the Cyber 365 programme bundles vulnerability scanning, patching, and ongoing CE and CE Plus certification into a managed service. It's built for growing businesses that want to maintain compliance continuously without building an internal security team. CE is the starting point, covering one of six security functions, while Cyber 365 covers all six.
But start with basic CE and get the five controls in place to build the habits. The rest follows naturally once you've got the foundation right.
Need help with your startup's Cyber Essentials assessment? Get in touch or request a quote. You can also see the full question set before committing to anything.