How to get Cyber Essentials Certification

What is Cyber Essentials Certification?

Originally launched in 2014, Cyber Essentials is a UK government-backed scheme aimed at providing basic cyber security for organisations of any size. A Cyber Essentials certification is designed to help protect against common cyber threats, such as hacking, phishing, and malware. By achieving Cyber Essentials certification, a company demonstrates that it has taken the necessary steps to protect its information and systems.

Overseen by the National Cyber Security Centre (NCSC), the certification requires organisations to complete a self-assessment questionnaire that covers five key technical controls: boundary firewalls, secure configuration, access control, malware protection, and security update management. The questionnaire is reviewed by an independent certification body, which verifies the organisation's responses and awards the certification if standards have been met.

Beyond simply providing a basic level of protection against cyber threats, Cyber Essentials certification can also help organisations to comply with industry regulations and standards. For example, companies that handle sensitive information, such as financial or personal data, may be required to demonstrate their cyber security measures as part of their regulatory obligations.

Furthermore, Cyber Essentials can also help organisations to improve their overall security posture by providing a framework for implementing and maintaining effective security measures. By undergoing the self-assessment process and achieving certification, organisations can identify any gaps in their existing security measures and take steps to address them.

How to get Cyber Essentials Certified

The process of Cyber Essentials certification can be broken down into the following steps:

1. Prepare for the certification process

Before starting the certification process, organisations should ensure that they have the necessary resources and systems in place to meet the requirements of the Cyber Essentials scheme. This may involve making changes to their existing security measures, such as updating software, patching vulnerabilities, and implementing appropriate access controls.

2. Self-assessment questionnaire

The first step towards Cyber Essentials certification is to complete the self-assessment questionnaire. The questionnaire covers five areas of technical control (boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management). Organisations are required to answer questions about their existing security measures and provide evidence to support their responses.

3. External assessment

After completing the self-assessment questionnaire, organisations must undergo an external assessment. An independent certification body will review responses and carry out a vulnerability scan to check the organisation's system. The certification body will then verify if the organisation has met the necessary standards and, depending on their evaluation, award the certification.

4. Implement recommended improvements

If the certification body identifies any weaknesses in the organisation's security measures, it will provide recommendations for improvement. Organisations must implement these recommendations within a set timeframe to maintain their Cyber Essentials certification.

5. Annual certification

Cyber Essentials certification must be renewed annually. Organisations must complete the self-assessment questionnaire and undergo a new external assessment each year to ensure that their security measures are up to date with any changes, and thus remain effective.

The Cyber Essentials certification process is designed to be straightforward and accessible, even for organisations with limited technical expertise. The self-assessment questionnaire provides a clear framework for organisations to assess their own security measures, while the external assessment provides an independent check and the assurance that the necessary standards have been met.

Cost of Cyber Essentials Certification

Becoming Cyber Essentials certified involves several costs, including the cost of preparing for the certification process, the cost of the self-assessment questionnaire and external assessment, and the cost of implementing any recommended improvements.

The cost of preparing for the certification process can vary depending on the size of the organisation and the extent of its existing security measures. For example, organisations may need to update software, patch vulnerabilities, and implement access controls, which can incur additional costs.

The cost of the self-assessment questionnaire and external assessment can range from a few hundred to several thousand pounds, depending on the certification body chosen, and the size and complexity of the organisation.

Below is a pricing guide as provided by the NCSC:

Micro organisations (0-9 employees) £300 + VAT

Small organisations (10-49 employees) £400 + VAT

Medium organisations (50-249 employees) £450 + VAT

Large organisations (250+ employees) £500 + VAT

Additionally, the cost of implementing any recommended improvements will depend on the nature of the recommendations and the resources required to implement them. For example, organisations may need to purchase additional software or hardware, hire additional staff, or engage the services of a consultant to implement the changes.

Finally, organisations must also consider the ongoing cost of maintaining their Cyber Essentials certification. This includes the cost of renewing the certification each year and making any necessary updates to security measures.

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials and Cyber Essentials Plus are both cyber security certification schemes provided by the UK government's NCSC. However, there are several key differences between the two schemes.

As we’ve seen, Cyber Essentials is a basic certification scheme that provides organisations with a framework to assess their own security measures and identify areas for improvement. The certification process involves completing a self-assessment questionnaire and undergoing an independent assessment by a government-accredited certification body.

Cyber Essentials Plus, on the other hand, is a more in-depth certification scheme that provides organisations with a higher level of assurance about their cyber security posture.

The certification process for Cyber Essentials Plus is similar to that for Cyber Essentials but includes a more detailed technical assessment. The assessment includes a vulnerability scan of the organisation's systems and infrastructure, which identifies any weaknesses or vulnerabilities that could be exploited by cyber criminals.

The certification body then provides recommendations for improvement, which the organisation must implement to maintain its certification.

Generally speaking, organisations should choose the certification scheme that best meets their needs, considering the level of assurance they require, the resources they have available, and their overall cyber security goals.

Useful Resources

NCSC Cyber Essentials -- Overview of Cyber Essentials

NCSC Cyber Essentials -- Frequently Asked Questions

What is Regulatory Compliance? Information & Cyber Security Compliance
