The UK government's baseline cybersecurity certification, explained step by step. The five controls, the self-assessment, what trips most applicants up — and how to certify in a fortnight.
What Cyber Essentials is
Cyber Essentials is a UK government-backed certification scheme operated by IASME on behalf of the National Cyber Security Centre (NCSC). It certifies that your organisation has implemented five fundamental technical controls that, according to NCSC, protect against around 80% of common internet-borne attacks.
It is a verified self-assessment: you complete a questionnaire, an assessor reviews it, and a pass earns a one-year certificate. It is the entry-level scheme — Cyber Essentials Plus adds an independent audit.
The five technical controls
Firewalls — boundary and host-based firewalls on all in-scope devices
Secure configuration — no default passwords, unnecessary services removed
User access control — least privilege, MFA on cloud and admin accounts
Malware protection — anti-malware, application allow-listing, or sandboxing
Security update management — patches applied within 14 days of release for high-severity vulnerabilities
The two-week path to certification
Step 1. Days 1–2: Define scope
Decide whether the certificate covers the whole organisation or a defined subset (network-segregated). Inventory every laptop, desktop, server, mobile device, cloud service and BYOD device in scope.
Step 2. Days 3–5: Gap-scan against the five controls
Walk the questionnaire. Most fails are: missing MFA on Microsoft 365 / Google Workspace admin, unsupported Windows or macOS, default router passwords, no formal patch SLA, BYOD without device management.
Step 3. Days 6–10: Close the gaps
Enable MFA on every cloud service. Decommission or upgrade unsupported software. Set and document a 14-day patch SLA for high-severity updates. Configure malware protection on every in-scope device.
Step 4. Days 11–12: Complete the assessment
Submit the questionnaire through an IASME Certification Body. Be honest — assessors are experienced and will challenge implausible answers.
Step 5. Days 13–14: Pass, fix or resubmit
Most submissions get one round of clarifying questions. Answer promptly and the certificate is issued. If you fail, you have 48 hours to resubmit at no cost; after that, a full reassessment fee applies.
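The gap-scan in step 2 and the remediation list in step 3 are easier to keep honest when the inventory from step 1 is checked mechanically against the five controls rather than by eye. The script below is an added example written for this article; it is not IASME or NCSC tooling, and the device names, end-of-support dates, update identifier and MFA settings in sample_inventory() are all constructed. It encodes the common fails the article lists (unsupported OS, missing cloud MFA, default credentials, no patch SLA, unmanaged BYOD) as checks over a small inventory and reports one finding per gap, tagged with the control it falls under.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Cyber Essentials window for applying high-severity updates, in days.
PATCH_SLA_DAYS = 14

# Fixed "today" for the constructed sample so results are reproducible.
SAMPLE_TODAY = date(2024, 6, 1)


@dataclass
class Device:
    name: str
    os: str
    os_supported_until: date          # vendor end-of-support date
    byod: bool = False
    mdm_enrolled: bool = False        # under device management
    host_firewall: bool = True
    default_creds_changed: bool = True
    malware_protection: bool = True
    # Outstanding high-severity updates as (update_id, release_date) pairs
    pending_high_updates: list = field(default_factory=list)


@dataclass
class CloudService:
    name: str
    admin_mfa: bool
    all_users_mfa: bool


def scan_devices(devices, today):
    """Return one (asset, control, issue) tuple per gap found on an in-scope device."""
    findings = []
    for d in devices:
        if not d.host_firewall:
            findings.append((d.name, "Firewalls", "host-based firewall disabled"))
        if not d.default_creds_changed:
            findings.append((d.name, "Secure configuration", "default credentials still in place"))
        if d.byod and not d.mdm_enrolled:
            findings.append((d.name, "User access control", "BYOD device not under device management"))
        if not d.malware_protection:
            findings.append((d.name, "Malware protection", "no anti-malware, allow-listing or sandboxing"))
        if d.os_supported_until < today:
            findings.append((d.name, "Security update management",
                             f"{d.os} left vendor support on {d.os_supported_until}"))
        for update_id, released in d.pending_high_updates:
            age = (today - released).days
            if age > PATCH_SLA_DAYS:
                findings.append((d.name, "Security update management",
                                 f"{update_id} released {age} days ago, outside the {PATCH_SLA_DAYS}-day SLA"))
    return findings


def scan_cloud(services):
    """Return one (asset, control, issue) tuple per MFA gap on a cloud service."""
    findings = []
    for s in services:
        if not s.admin_mfa:
            findings.append((s.name, "User access control", "MFA not enforced on admin accounts"))
        if not s.all_users_mfa:
            findings.append((s.name, "User access control", "MFA not enforced for all users"))
    return findings


def summarise(findings):
    """Count gaps per control, so the remediation plan can be ordered."""
    return dict(Counter(control for _, control, _ in findings))


def certification_ready(findings):
    """A submission with any open gap on the five controls will not pass."""
    return len(findings) == 0


def sample_inventory():
    """Constructed sample inventory; every asset, date and update id is made up."""
    devices = [
        Device("laptop-01", "Windows 11", date(2030, 1, 1),
               pending_high_updates=[("KB-EXAMPLE-1", date(2024, 5, 10))]),  # 22 days outstanding
        Device("phone-02", "iOS 17", date(2027, 1, 1), byod=True, mdm_enrolled=False),
        Device("fw-edge", "vendor firewall OS", date(2027, 1, 1), default_creds_changed=False),
        Device("srv-legacy", "Windows Server 2012 R2", date(2023, 10, 10),
               host_firewall=False, malware_protection=False),
    ]
    services = [
        CloudService("Microsoft 365 tenant", admin_mfa=False, all_users_mfa=False),
        CloudService("Google Workspace", admin_mfa=True, all_users_mfa=True),
    ]
    return devices, services


def run_gap_scan(today=SAMPLE_TODAY):
    devices, services = sample_inventory()
    return scan_devices(devices, today) + scan_cloud(services)


if __name__ == "__main__":
    results = run_gap_scan()
    for asset, control, issue in results:
        print(f"[{control}] {asset}: {issue}")
    print(summarise(results))
    print("ready to submit:", certification_ready(results))
```

The per-control summary is the useful output for step 3: it shows where the days 6–10 effort goes, and the scan only returns empty once every finding is closed, which is the state you want before submitting on day 11. Replace sample_inventory() with an export from your asset register and MDM, and rerun the scan until it is clean.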
Cyber Essentials as a stepping stone to ISO 27001
Every control in Cyber Essentials maps directly to ISO 27001 Annex A. If you're aiming for ISO 27001 within the next 12 months, doing Cyber Essentials first is a low-cost way to validate the technical baseline before the bigger audit.
ISO-STANDARD.app ships a ready-to-adopt Cyber Essentials workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.
Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.
Frequently asked questions
How long does Cyber Essentials take?
Most organisations get certified in 1–3 weeks once controls are in place. The self-assessment itself takes a few hours; the lead time is fixing the gaps the questionnaire surfaces (usually unsupported software, missing MFA on cloud services, or out-of-date firmware).
Is Cyber Essentials mandatory for UK government contracts?
Yes for many. Any central government contract involving the handling of personal information or the provision of certain ICT products and services requires Cyber Essentials certification of the supplier. Many local government and NHS contracts also require it.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a verified self-assessment. Cyber Essentials Plus adds an independent hands-on technical audit, including vulnerability scans and a sample of user devices. Both cover the same five controls.
How long is the certificate valid?
12 months. You must recertify annually to keep the certificate active. Most listings (Crown Commercial Service, government suppliers' lists) require an in-date certificate.