Everything you need to know about Cyber Essentials

More than 80% of the cyber attacks on businesses in the UK could have been prevented by implementing some basic security controls and security systems. Hence the UK government introduced the Cyber Essentials certification scheme in 2014. It is run by the National Cyber Security Centre (NCSC), information security professionals who initiate certified information and assessments.

The Scottish Government has introduced a Cyber Essentials Voucher Scheme for SMEs. You can get up to £1000 towards achieving this security certification. Let's look at what it is and how you get the voucher. (Update: The voucher scheme is now on hold.)

1. What is Cyber Essentials?

The Cyber Essentials scheme is a Government-backed, industry-supported certification run by the National Cyber Security Centre (NCSC). The scheme was first launched on 05 June 2014, and from 1 October 2014 the Government required all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme.

The scheme helps businesses put basic security controls in place to fight the most common cyber security threats. By achieving the certification, your business shows its commitment to cyber security. There are two levels of Cyber Essentials (CE) certification: CE and CE Plus.

2. Why do you need Cyber Essentials?

By achieving Cyber Essentials, your business shows its commitment to cyber security. Your suppliers, partners and clients feel more confident in sharing sensitive data and personal information with you. If you are tendering for Government projects you must have Cyber Essentials. Some of the MoD projects and Local Authorities are asking for a minimum of CE Plus. More organisations are now asking suppliers, especially small and medium enterprises, to have the Cyber Essentials certification in order to tender for a project. Read our separate blog on why Cyber Essentials is important.


3. What is being tested in the process?

The Cyber Essentials certification process involves testing the following 5 technical controls of your IT infrastructure.

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

4. What type of Cyber Essentials should you go for? What's the difference?

We would recommend you apply for the Cyber Essentials Plus certification. The reason is that this certification involves an onsite audit and testing of the technical security controls by the certification body. The certification process ensures that you have the required technical controls in place. Although it costs more to achieve CE Plus certification, it is absolutely worth it.

On the other hand, CE is a straightforward exercise where you answer the self-assessment questionnaire from the certification body and they evaluate your answers. If all goes well you will pass and the certificate will be issued.

In layman's terms, Cyber Essentials is you saying you have the security controls in place, and Cyber Essentials Plus is the certification body auditing the technical controls.


5. How much does the certification cost?

    • The certificate cost for Cyber Essentials Level 1 is around £300 + VAT.
    • The certificate cost for Cyber Essentials Plus is around £1,900 + VAT.

    The costs are for certificates only. There will be an extra cost depending on your infrastructure and whether you have security controls in place. If you are hiring an expert to help with this then costs will increase. In most cases, Cyber Essentials certification will cost you more than the standard costs from the certification body.

    Get certified today

    Pick a Cyber Essentials package:

    • Cyber Essentials Basic (CEB001): £300 + VAT. 2 days for remediation, 1 day turnaround, £25k cyber insurance*.
    • Guided Cyber Essentials (CEB002): £500 + VAT. Everything in CEB001 plus online/phone support.
    • Cyber Essentials Plus (CEP001): £1500 + VAT. Everything in CEB002 plus 30 day remediation and a systems audit (remote).
    • Guided CE Plus (CEP002): £2500 + VAT. Everything in CEP001 plus a pre-systems audit and a gap analysis report.

    *Insurance details are on the IASME website.

    6. Do I need Cyber Essentials Level 1 to get Cyber Essentials Plus?

    The short answer is no. You can apply for either Cyber Essentials or the Plus, not both. CE Plus involves going through level 1, where you complete the self-assessment questionnaire, followed by the external scan and the onsite visit by the certification body. You don't need to pay for the certification twice.

    UPDATE July 2020: Yes. Before April 2020 you could apply for either CE or the Plus, but with the latest changes the IASME consortium process is to achieve CE before you apply for CE Plus.

    7. What is the Voucher Scheme and how do you get it?

    The Scottish Government has introduced the Cyber Essentials Voucher Scheme to help SMEs achieve the certification. You can claim up to £1,000 towards your certification. How do you do that? Register your interest and Scottish Enterprise will send you the application form. Choose a provider that can help you with CE or CE Plus, complete the form and send it back. You will then be notified of the outcome. Achieve the certification, pay the invoice and send the evidence to the voucher scheme admins at Scottish Enterprise. You will be paid in one instalment. It's that simple.

    UPDATE 07 July 2020: The scheme is now on hold.

    8. What are the criteria for the Voucher Scheme?

    The criteria to claim under the Cyber Essentials Voucher Scheme are simple. Here they are:

    1. Your business must employ fewer than 250 people
    2. Business must be registered in Scotland
    3. You access the internet to perform business activities

    UPDATE 07 July 2020: The scheme is now on hold.

    9. How long is the Cyber Essentials certification valid for?

    Certification is only valid for a year, and the organisation needs to be re-certified every year to keep the status. The certification process will be the same again, but not as tedious as the first time as long as you keep up with the technical controls that were put in place.

    10. Does it work for Macs/Linux? How is the testing carried out?

    The way the testing works is that the certification body will pick a few devices per build (in layman's terms, a sample) to audit. For example, if you use Mac, Linux, Windows 7 or 10, etc., you will need to pick one per build and they will be tested.

    Update July 2020: If you have legacy systems on your network, such as Windows 7 or older and Windows Server 2008 R2 or older, then it's a straight fail unless you can isolate these from the network.

    11. How about if we have multiple offices or remote workers?

    Any system or user that accesses the company's data comes under the scope of Cyber Essentials. If you are going for Cyber Essentials Plus then the assessor might need to visit a few locations. There might be extra charges for expenses and extra days of work.

    12. If we fail, can we try again and how much does it cost?

    If you fail the Cyber Essentials certification you will have 3 days to fix the issues and re-submit the application. For Cyber Essentials Plus certification, you will have 15 days to rectify the issues and re-submit. However, we recommend you work with a CE consultant who makes sure you have the required controls in place, so that you achieve the certification without any hiccups. TechForce is an Approved Cyber Essentials Practitioner and we can help with that [shameless plug]. We can perform a pre-assessment and make sure you are ready before you submit the application. If your infrastructure is really poor and you are not willing to update it, chances are you will fail. In fact, why go through the scheme when you don't want to update your systems to be more secure?

    13. Why do I need a consultant? And how much do you cost/what money do you save me/value do you add?

    The need for a consultant depends on how good your infrastructure is and whether you have internal resources to help. For example, if you are going for Cyber Essentials Level 1, it is a straightforward process for an internal IT-literate person. You need to know what technical security controls you have in place for the company. If you don't know, or don't have the required controls, then you will benefit from having a consultant help you. The whole exercise is to make sure you have technical controls in place so that your business is not impacted by the most common cyber threats. A good consultant will keep you right. If you do have an IT department and they need an extra hand, or they don't know where to start, you will also benefit from a consultancy service.

    If you are going for Cyber Essentials Plus I would definitely recommend bringing an approved practitioner/assessor onboard. They will help you save time, hassle and make sure you have the controls in place to achieve the certification. They will also help you with the pre-audit scan. It will save you from failing the certification and going through the process again.

    Consultancy services for CE Plus usually work on a day rate basis. Each company might have a different day rate but cheap is not always the best.

    14. What is the benefit of having Plus?

    Cyber Essentials Plus shows that you have proven technical security controls in place. Part of achieving CE Plus is an assessor from the certification body visiting the site, double-checking and testing that the security controls are in place. It gives your customers assurance that their information is shared with a secure business.

    A few of the MoD contracts are now asking for CE Plus from suppliers. Cyber Essentials Level 1 is not enough. We would always recommend going with the Plus.

    15. Do I need to buy extra software to go through Cyber Essentials?

    You shouldn't need to. The scanning and testing tools are provided by the hired expert or the assessor as part of the process. However, if you like the software they are using and see the benefits, you can certainly purchase it for the company. It will help you stay on top of the technical security controls we discussed.

    16. What do I get when I complete the certification process?

    You will receive confirmation from the certification body of the result and the certificate reference number. You will also get the Cyber Essentials badges to publish on your website. Your company will be listed on NCSC's database of CE certified organisations.
