Cyber Essentials Requirements: Complete Guide for 2026

Security Checklist

Cyber Essentials certification requires organisations to implement five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. These controls form the backbone of the UK government’s baseline cybersecurity standard, and getting them right determines whether you pass or fail the assessment.

This guide covers exactly what each control involves, how to prepare for certification, the differences between basic and Plus levels, and the common mistakes that cause organisations to fail.

What is Cyber Essentials certification?

Cyber Essentials is a UK government-backed cybersecurity certification scheme that focuses on five core technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. The National Cyber Security Centre (NCSC) administers the scheme, and it’s designed to help organisations of all sizes protect themselves against the most common cyber attacks, things like phishing emails, ransomware, and hackers scanning the internet for easy targets.

The scheme comes in two levels. Basic Cyber Essentials involves completing a self-assessment questionnaire about your security practices, while Cyber Essentials Plus adds hands-on technical testing by a cyber advisor or certified assessor. Both certifications last for one year before requiring renewal.

What makes Cyber Essentials particularly useful is its focus. Rather than throwing hundreds of complex requirements at you, it zeroes in on the controls that actually stop most attacks. Think of it as the security equivalent of locking your doors and windows: basic, but surprisingly effective.

Who needs to be Cyber Essentials certified?

Certification isn’t legally required for most organisations, but certain situations make it essential in practice:

  • Government suppliers: If you’re bidding for central government contracts that involve handling sensitive or personal information, Cyber Essentials certification is a prerequisite.

  • Regulated industries: Many sector bodies now require certification as proof that you have baseline security measures in place.

  • Supply chain partners: Larger organisations increasingly ask their suppliers to hold certification before sharing data or granting system access.

  • Cyber insurance applications: Some insurers offer better terms or reduced premiums for certified organisations.

Even when certification isn’t strictly required, working through a Cyber Essentials checklist can uncover security gaps, and it gives businesses a recognised way to demonstrate baseline compliance to customers and partners who need to trust them.

Larger organisations may also benefit from appointing a data protection officer to keep the identification of cyber security risks and the mitigation of threats under consistent ownership.

The five Cyber Essentials controls

At the heart of Cyber Essentials are five technical controls. Each one targets a specific way that attackers commonly break into systems, and together they form a solid foundation for basic cyber hygiene and supply chain security.

Implementing these security controls can help you achieve Cyber Essentials status.

Firewalls and internet gateways

A firewall acts as a barrier between your internal network and the internet, filtering traffic and blocking unauthorised connections. The Cyber Essentials requirements specify that every device connecting to the internet must have firewall protection, either a hardware device at your network boundary or software firewalls running on individual machines.

One detail that trips up many organisations: default passwords on routers and firewall interfaces. The requirements are clear: these defaults must be changed. All unauthenticated inbound connections are blocked by default under this control, meaning nothing gets through unless you’ve explicitly allowed it.

Secure configuration

This control is about reducing your attack surface (the number of potential entry points an attacker could exploit). The principle is straightforward: if you don’t use it, remove it.

In practice, secure configuration means:

  • Removing unnecessary software: Applications you don’t use create vulnerabilities you don’t need.

  • Changing default passwords: Factory-set credentials are publicly known and easily exploited.

  • Disabling auto-run: Stopping removable media, such as USB drives, from automatically executing code prevents a common malware delivery method.

User access control

Every person using your systems gets their own unique account, no shared logins. This might sound obvious, but shared accounts remain surprisingly common, especially for administrative access.

Administrative privileges receive particular attention in the requirements. Admin accounts carry significant power, so they’re limited to people who genuinely require them. Even then, those individuals use separate standard accounts for everyday tasks like email and web browsing. The logic here is simple: if an attacker compromises an account, you want to limit the damage they can do.

Password policies and multi-factor authentication (MFA) also fall under this control. MFA adds a second verification step beyond just a password, and the requirements increasingly emphasise its importance wherever it’s available.
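The user access control principles above (one named account per person, no shared logins, admin rights only where needed, a separate standard account for admins’ everyday work, and MFA wherever the service offers it) can be checked mechanically against an account inventory. The script below is an added example written for this guide, not code from the article or from the scheme; the inventory layout, field names and sample accounts are constructed assumptions, and the logic is what an assessor would look for when reviewing a questionnaire answer about admin separation and MFA.

```python
"""Audit an account inventory against the Cyber Essentials user access control
principles. Added example; the Account fields and sample data are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Account:
    username: str
    owner: str                # responsible person, or "shared" if nobody owns it
    is_admin: bool
    mfa_available: bool       # does the service offer MFA at all?
    mfa_enabled: bool
    used_for_daily_work: bool  # email, web browsing, office documents


# Constructed sample inventory: two compliant accounts, two problem accounts,
# and one where MFA is simply not offered by the service.
INVENTORY = [
    Account("alice",     "Alice",  False, True,  True,  True),
    Account("alice-adm", "Alice",  True,  True,  True,  False),
    Account("bob",       "Bob",    True,  True,  False, True),   # admin used daily, no MFA
    Account("helpdesk",  "shared", True,  True,  False, True),   # shared admin login
    Account("carol",     "Carol",  False, False, False, True),   # MFA not available: no finding
]


def audit_accounts(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every control breach found."""
    findings = []
    # Which owners hold a non-admin account? Admins need one for daily work.
    standard_owners = {a.owner for a in accounts if not a.is_admin}

    for acc in accounts:
        shared = acc.owner.lower() == "shared"
        if shared:
            findings.append((acc.username, "shared account: each person needs a unique login"))
        if acc.is_admin and acc.used_for_daily_work:
            findings.append((acc.username, "admin account used for everyday tasks"))
        if acc.is_admin and not shared and acc.owner not in standard_owners:
            findings.append((acc.username, "admin has no separate standard account"))
        if acc.mfa_available and not acc.mfa_enabled:
            findings.append((acc.username, "MFA available but not enabled"))
    return findings


def access_control_compliant(accounts: List[Account]) -> bool:
    """True only when the inventory produces no findings."""
    return not audit_accounts(accounts)


if __name__ == "__main__":
    for user, finding in audit_accounts(INVENTORY):
        print(f"{user:12} {finding}")
    print("compliant:", access_control_compliant(INVENTORY))
```

Run against the constructed inventory, the report flags the shared helpdesk login and Bob’s admin account (used for daily work, lacking MFA, with no standard account alongside it), while Carol produces nothing because her service offers no MFA to enable.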

Malware protection

Anti-malware software is required on all devices within scope. This software detects and blocks malicious programs, such as viruses, trojans, and ransomware, before they can cause harm.

The configuration matters as much as the software itself. Signature updates (the database of known threats) must be applied automatically, and regular scans must run on schedule. Application whitelisting, where only pre-approved software can run, is recognised as a valid alternative approach for organisations that prefer it.

Security update management

Software vulnerabilities are discovered constantly, and vendors release patches to fix them. This control ensures that all software on in-scope devices is licensed, supported by the vendor, and kept up to date.

The requirements set a specific timeline: critical and high-risk security patches are applied within 14 days of release. This 14-day window is one of the most common areas where organisations struggle, particularly those with complex IT environments or stretched IT teams. Unsupported software (anything the vendor no longer provides updates for) either gets upgraded or removed entirely.
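The 14-day patch window and the unsupported-software rule are the two parts of this control that an organisation can measure for itself before an assessor does. The script below is an added example written for this guide, not code from the article; the software inventory fields, the sample entries and the dates are constructed assumptions. It reports unsupported software as an outright failure, flags critical/high patches applied late or still outstanding past the deadline, and separately warns about patches that are pending but still inside the window.

```python
"""Check a software inventory against the Cyber Essentials security update
management control. Added example; SoftwareItem fields and sample data are
assumptions made for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 14  # critical/high patches must be applied within 14 days


@dataclass
class SoftwareItem:
    name: str
    vendor_supported: bool
    patch_released: Optional[date]  # latest critical/high patch; None if none issued
    patch_applied: Optional[date]   # None if not yet installed


# Constructed sample inventory (dates are illustrative).
INVENTORY = [
    SoftwareItem("Windows 7 workstation", False, None, None),
    SoftwareItem("Office suite", True, date(2026, 2, 1), date(2026, 2, 10)),   # on time
    SoftwareItem("Web browser", True, date(2026, 2, 10), None),                # overdue
    SoftwareItem("VPN client", True, date(2026, 2, 20), None),                 # pending, in window
    SoftwareItem("Database server", True, date(2026, 1, 1), date(2026, 1, 20)),  # applied late
]


def assess_updates(items: List[SoftwareItem], today: date) -> List[Dict[str, str]]:
    """Return one record per issue: {"name", "status" ("fail"/"warn"), "detail"}."""
    findings = []
    for item in items:
        if not item.vendor_supported:
            findings.append({"name": item.name, "status": "fail",
                             "detail": "unsupported by vendor: upgrade or remove"})
            continue
        if item.patch_released is None:
            continue  # nothing critical outstanding
        deadline = item.patch_released + timedelta(days=PATCH_WINDOW_DAYS)
        if item.patch_applied is None:
            if today > deadline:
                findings.append({"name": item.name, "status": "fail",
                                 "detail": f"patch overdue by {(today - deadline).days} days"})
            else:
                findings.append({"name": item.name, "status": "warn",
                                 "detail": f"patch pending, {(deadline - today).days} days left"})
        elif item.patch_applied > deadline:
            findings.append({"name": item.name, "status": "fail",
                             "detail": f"patch applied {(item.patch_applied - deadline).days} days late"})
    return findings


def update_control_passes(items: List[SoftwareItem], today: date) -> bool:
    """The control passes only when no item is in a failing state."""
    return not any(f["status"] == "fail" for f in assess_updates(items, today))


if __name__ == "__main__":
    review_date = date(2026, 3, 1)
    for f in assess_updates(INVENTORY, review_date):
        print(f"[{f['status'].upper()}] {f['name']}: {f['detail']}")
    print("control passes:", update_control_passes(INVENTORY, review_date))
```

Reviewed on the constructed date of 1 March 2026, the unsupported Windows 7 machine, the browser patch 5 days past its deadline and the database patch applied 5 days late all fail; the VPN client is only a warning because its deadline is still 5 days away. Feeding this check from a real patch-management export gives a weekly view of exactly the gap assessors probe for under this control.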

Cyber Essentials requirements for IT infrastructure

Mapping your network involves creating a detailed IT infrastructure document. This inventory is what lets you account for cloud services and apply the controls consistently at every endpoint.

Knowing what falls within scope is often trickier than implementing the controls themselves. Get the scope wrong, and you’ll either miss critical systems or waste time on devices that didn’t need to be included.

Devices and endpoints in scope

Any device that can access organisational data or services falls within scope. This includes the obvious candidates (desktops, laptops, and servers), but also tablets, mobile phones, thin clients, and virtual desktops.

The question of personal devices catches many organisations off guard. If staff use their own phones to check work email, those devices are in scope. The same applies to personal laptops used for remote work. This “bring your own device” reality means the scope often extends further than organisations initially expect.

Cloud services and software as a service

Cloud services introduce what’s called a shared responsibility model. Your cloud provider handles the security of the underlying infrastructure, but you remain responsible for how you configure and access your accounts.

The division of responsibility shifts depending on the service type. With Infrastructure as a Service (IaaS), you manage more of the security stack. With Software as a Service (SaaS), the provider handles most of it, but you’re still accountable for user access control and configuration settings. You’re never completely off the hook, regardless of what you’re using.

Home working and remote access requirements

Remote and hybrid working arrangements bring additional considerations. Devices used for home working fall within scope, and if your organisation provides routers to home workers, those devices have to meet the firewall requirements too.

Remote access typically runs through a Virtual Private Network (VPN) or equivalent secure connection. The goal is to ensure that data travelling between home workers and company systems stays protected, even over residential internet connections.

How to get Cyber Essentials certification

The certification process follows a logical sequence, though the time required varies considerably based on your starting point. Once your submission is verified, you can display the Cyber Essentials badge.

The steps below give a clear roadmap through the scheme.

1. Define your assessment scope

First, you’ll determine which systems, devices, and users fall within scope. This involves mapping your network boundaries and documenting your decisions. Getting the scope wrong leads to either an incomplete assessment or unnecessary work on systems that didn’t need inclusion.

2. Implement the five technical controls

Next comes a gap analysis, comparing your current security practices against the five controls. Most organisations find at least a few areas requiring attention. Common gaps include outdated software, overly permissive admin access, or missing MFA on key systems.

3. Complete the self-assessment questionnaire

The assessment itself is a detailed questionnaire completed through an online portal. You’ll work with an IASME-approved certification body, answering questions about how each control is implemented in your organisation. The questions are specific, so vague answers won’t pass muster.

4. Submit for verification and certification

Once you submit the questionnaire, an assessor reviews your responses. They may come back with clarification questions on certain points. After successful verification, you receive your certificate, a digital badge for your website, and a listing on the NCSC’s public directory of certified organisations.

Cyber Essentials certification vs Cyber Essentials Plus

Aspect               | Cyber Essentials               | Cyber Essentials Plus
---------------------|--------------------------------|--------------------------------------
Assessment type      | Self-assessment questionnaire  | Technical audit by certified assessor
Verification method  | Review of written responses    | Hands-on testing of actual systems
Typical cost         | From approximately £300        | From approximately £1,500
Assurance level      | Basic                          | Enhanced
Prerequisite         | None                           | Current Cyber Essentials certificate

The Plus certification provides stronger assurance because an independent assessor actually tests your systems rather than relying solely on your answers. For organisations handling particularly sensitive data or working with security-conscious clients, the additional credibility often justifies the higher cost.

Additional requirements for Cyber Essentials Plus

Cyber Essentials Plus builds on the basic certification by adding independent technical verification. You must already hold a valid Cyber Essentials certificate before pursuing the Plus level; it’s a prerequisite, not an alternative.

External vulnerability scan

A certified assessor conducts an external vulnerability scan of your internet-facing infrastructure. This scan looks for the exploitable weaknesses an attacker scanning the internet would find first: unpatched services, misconfigured servers, or exposed administrative interfaces.

Internal vulnerability assessment

The assessor also tests a sample of internal systems, typically including workstations and servers. This internal assessment verifies that controls like patching and secure configuration are actually working as you described in your questionnaire, not just documented on paper.

The vulnerability assessment shows how exposed your organisation is to common cyber threats, and working through its results raises the whole team’s security awareness.

On-site or remote technical audit

Through direct system inspection, a cyber advisor or assessor confirms that malware protection, patching, and configuration controls function as stated.

This audit can happen remotely, which works well for organisations with distributed teams or multiple locations. The assessor connects to systems and runs checks rather than physically visiting your premises.

Common reasons organisations fail Cyber Essentials assessment

Understanding where others stumble helps you avoid the same mistakes and helps your security team implement effective cybersecurity measures.

Incomplete asset and device discovery

Organisations frequently miss devices that fall within scope. Personal devices used for work, forgotten servers running in a corner, or “shadow IT” that someone set up without telling the IT team: all of these create gaps that lead to failure.

Misconfigured administrator accounts

Using admin accounts for everyday tasks like browsing the web or checking email is a common failure point. So is sharing admin credentials among multiple staff members. The requirements are clear: admin accounts are for admin tasks only, and each person gets their own.

Outdated software and missing patches

Running unsupported operating systems or applications results in automatic failure. Windows 7, for example, no longer receives security updates from Microsoft, so it can’t meet the requirements. Inconsistent patching that allows critical vulnerabilities to remain unaddressed beyond 14 days causes similar problems.

Weak password and authentication policies

Insufficient password complexity, shared user accounts, or missing MFA where it is available all lead to failures. The requirements have evolved to place greater emphasis on MFA, so organisations relying solely on passwords increasingly find themselves falling short.

Cloud services scope misunderstandings

Assuming your cloud provider handles all security responsibilities is a common mistake. So is incorrectly excluding SaaS applications from the scope when staff use them to access organisational data. If your team uses Microsoft 365 or Google Workspace for work, those services are in scope.

When your organisation needs expert cyber security support

Large organisations and small and medium enterprises may need expert cybersecurity support in the following situations:

  • Complex IT environments

  • Tight certification deadlines

  • Limited internal expertise

  • Previous assessment failures

As an NCSC Assured Service Provider, Zensec helps organisations work through the certification process while building genuine security capabilities.

Gaining a piece of paper from an accredited certification body is just one piece of a broader security posture. The controls you implement for Cyber Essentials form the foundation for more advanced protections.

Why Cyber Essentials is just the starting point for cyber resilience

Achieving certification demonstrates that you’ve implemented baseline security controls, and those controls do stop a significant proportion of common attacks. However, determined attackers with specific targets can still breach well-defended organisations.

This reality is where incident response capabilities become critical. What happens when preventative measures fail? Having a plan, and access to experts who can execute it, makes the difference between a contained incident and a catastrophic breach.

Zensec’s 24/7 ransomware recovery and incident response services represent the next step beyond compliance. When an attack occurs, rapid expert intervention minimises damage and accelerates recovery. Contact us immediately for urgent ransomware recovery support.

Frequently asked questions about Cyber Essentials requirements

What happens if your organisation fails the Cyber Essentials assessment?

You’ll receive feedback from the assessor identifying which controls didn’t meet requirements. Most certification bodies offer a limited window (typically around 30 days) to fix the issues and resubmit without paying the full assessment fee again.

If the problems are more fundamental, you may need to restart the process. Strengthening your organisation’s security posture means you’re less likely to experience a cyber incident or can recover more swiftly from one.

How long does Cyber Essentials certification last before renewal is required?

When you achieve certification, it is valid for exactly one year from the date of issue. To maintain certified status, organisations complete a fresh assessment annually. The requirements do evolve, so each renewal involves checking up-to-date resources for the current version of the standard.

Is Cyber Essentials mandatory for UK government contracts?

Cyber Essentials is mandatory for central government contracts that involve handling sensitive or personal information. However, it’s not required for all public sector work; local government and NHS contracts may have different requirements depending on the nature of the work involved.

Can organisations achieve Cyber Essentials certification while running legacy systems?

Legacy systems that cannot meet the technical controls (unsupported operating systems that can’t be patched, for example) must either be upgraded or completely isolated from the assessment scope. Isolation means the legacy system has no connection to the network or devices being assessed. Having old systems doesn’t automatically disqualify you, but they can’t remain connected to your main environment.

How long does the Cyber Essentials assessment process typically take?

If all controls are already in place and properly configured, the self-assessment questionnaire can be completed in a few days. However, most organisations discover gaps during preparation that require remediation work. Depending on the complexity of the issues, preparation can extend to several weeks or even months for organisations starting from scratch.