Cyber Essentials most frequently asked questions

What is the Cyber Essentials scheme?

Cyber Essentials is a Government-backed, industry-supported certification and run by National Cyber Security Centre (NCSC). It helps businesses to put basic security controls in place to fight the most common cybersecurity threats. By achieving the certification your business shows the commitment to Cyber Security.

There are two types of Cyber Essentials (CE) Certifications. Cyber Essentials basic and Cyber Essentials Plus.

Who needs Cyber Essentials certification?

Any business that is tendering for government work is required to have the certification. By achieving Cyber Essentials your business is showing the commitment to Cyber Security. Your suppliers, partners, and clients feel more confident in sharing data with you. If you are tendering for Government projects you must have Cyber Essentials.

How do I get Cyber Essentials certification?

Find a Certification Body, purchase the package you are looking for, then the Certification Body will send you the Cyber Essentials Questionnaire and follow the process. You can find the list of Certification Bodies on the IASME website or simply get in touch with us. Check out the patching requirements and checklist for CE on our website.

How much does the Cyber Essentials cost?

It depends on the size of the business.

The CE basic certification cost start from £300 + VAT.

The CE Plus cost starts from £1,500 + VAT. CE plus include CE basic.

The costs are for Certification only. It will cost more if your IT systems are to be updated.

For new applications

Do certificates have an expiry date?

All new certificates issued by IASME will have a 12 month expiry date.

How much does it cost to get Cyber Essentials certification?

The cost of Cyber Essentials (verified self-assessment) start from £300 + VAT.

My organisation is not based in the UK. Can I still obtain Cyber Essentials certification?

Yes, organisations overseas are able to get certificates.

Do I have to obtain the first level of Cyber Essentials before going on to Cyber Essentials Plus?

Yes, you will need to achieve Cyber Essentials self-assessment before progressing with CE plus. You will have 3 months from passing CE to upgrade to CE Plus.

How are Cyber Essentials assessments verified?

A board member from the organisation signs a declaration to confirm that the assessment answers are true. A qualified assessor who works for a Certification Body then evaluates the responses.

In the event that you pass you receive a certificate.

If you fail, you will receive feedback so you know which areas need to be addressed should you either want to re-apply for Cyber Essentials certification or take the opportunity to improve your cyber security.

Do I need Cyber Essentials to bid for a Government contract?

Most Government contracts now require you to be Cyber Essentials certified or in some cases Cyber Essentials Plus certified. In the first instance please confirm with the Government department their expectations with regards to Cyber Essentials. Requirements and exemptions may vary between department, so it is important that you are able to seek clarification for each contract.

For re-certification applications

My certificate was issued under the previous scheme before 30 June 2020, when will it expire?

All certificates issued under the existing scheme before 30 June 2020, will be valid until 30 June 2021.

Why am I no longer able to use my previous Accreditation Body?

From 1 April 2020 IASME Consortium took over the running of the Cyber Essentials scheme on behalf of the NCSC. Having a Cyber Essentials partner (rather than 5 Accreditation bodies) will ensure there's greater consistency in the way the scheme operates. It will ensure that Certification Bodies are all working to the same standard, and provide a more streamlined path to certification so we can ensure Cyber Essentials remains relevant.

From 1 April 2020 will I need to re-certify against a different technical standard?

At the moment, there are no plans to change the technical standard. However, NCSC and IASME will continue to review the technical controls and ensure they keep pace with the ever-changing cyber security landscape.

If certification is given by an Accreditation Body other than IASME, before 30 March 2020, will I need to be re-certified once IASME takes over the scheme on 1 April 2020?

All certificates issued prior to 1 April 2020 or before 30 June 2020 on the existing scheme are valid until 30 June 2021. This includes those issued by Accreditation Bodies other than IASME.

On 30 June 2021, any certificate issued under the old scheme will expire.

Coronavirus (COVID-19) pandemic

In light of the pandemic will IASME take over running the Cyber Essentials scheme as planned on 1 April 2020?

Yes, IASME will take up their new role of Cyber Essentials Partner on the 1 April 2020. Instead of the planned launch event there will be announcements made via the NCSC website.

Cyber Essentials certification during the pandemic

Cyber Essentials (verified self-assessment)

From 1 April, Cyber Essentials certification will be completed using IASME’s online portal. This can be accessed from your dining room table as easily as it would have been in the office. You may need to consult with your IT provider, but this is simple enough to do remotely via phone, email or chat software.

Cyber Essentials Plus

Cyber Essentials Plus certification involves some technical tests, which can be completed remotely by Certification Bodies without visiting an office or needing to have physical access to staff laptops.

With many staff working from home, some assistance and coordination from your IT team or IT provider maybe needed to give Certification Bodies access; this should be easily achievable for most organisations.

What if my Cyber Essentials is part of a contract agreement and expires during the pandemic/lock-down?

Any certificates issued before 1 April 2020 won’t have an expiry date, so they can't be extended. It will be up to the procurement department of any company that requires you to hold a Cyber Essentials certificate if they will accept an extended time-frame for their latest certificate to be completed.


Get certified today

Step 1: Organisation Size

Step 2: Pick Cyber Essentials Package

  • Cyber Essentials Basic - CEB001

    £300 + VAT


    2 Days for Remediation

    1 Day Turnaround

    £25k Cyber Insurance*

    The package explained

    *Insurance details are on IASME website

  • Guided Cyber Essentials - CEB002

    £500 + VAT

    Everything in CEB001 plus


    Online/Phone Support

    *Insurance details are on IASME website

  • Cyber Essentials Plus - CEP001

    £1500 + VAT

    Everything in CEB002 Plus

    30 Day Remediation

    Systems Audit (remote)

    *Insurance details are on IASME website

  • Guided CE Plus - CEP002

    £2500 + VAT

    Everything in CEP001 plus

    Pre- systems Audit

    Gap Analysis report



    *Insurance details are on IASME website

How long does Cyber Essentials certification last?

Certification is only valid for a year and needs to be renewed every year to keep the status. The process will be the same again but not as tedious as the first time as long as you are keeping up with security controls that were put in place.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a Self-Assessment certification where you would fill in a self-assessment form and the IAMSE Certification Body will assess the application. If all goes well you will pass. CE plus includes the self-assessment as well as an audit from the Certification Body. The audit includes the vulnerability scan of the systems, malware test, browser download test, email test and external scan. CE plus is the advanced certification and recommended.

How long does it take to get Cyber Essentials certification?

Cyber Essentials basic Certification can be achieved in a day or less. However, Cyber Essentials Plus depends on the availability of the assessor, your (client) availability and the outcome of the audit. If the audit finds gaps then you will have 30 days to fix them. If everyone is available and everything goes well then the certification can be done in a day as well.


What security controls are covered by Cyber Essentials?

Cyber Essentials Scheme covers these technical controls.

  • Firewalls and internet gateways
  • Secure configuration
  • User Access Controls
  • Administrative accounts
  • Password-based authentication
  • Security Update Management
  • Malware Protection

What Cyber Essentials certification should we get?

We would recommend you to go for Cyber Essentials Plus. It involves an onsite visit and testing from the Certification body and ensures that you have the required security controls in place. Although it costs more to achieve CE Plus certification it is worth it.

Cyber Essentials Level 1 is a straightforward exercise where you answer the questionnaire from the certification body and they will evaluate your answers then perform an external scan on your IP address. If all goes well you will pass and a certificate will be issued.

In layman terms, Cyber Essentials level 1 is you saying you have the security controls in place and Cyber Essentials plus is the Certification Body testing if what you said is right.

What is the difference between Cyber Essentials and ISO 27001?

Cyber Essentials is a framework for Technical security controls focusing on IT infrastructure whereas ISO 27001 is a risk management framework for data Security and compliance wherever it is. WRT which one you want to achieve really depends on your business requirement.

Hope that answers most of the frequently asked questions about Cyber Essentials. Check out our blog post ‘Everything you need to know about Cyber Essentials’ to find out more about Cyber Essentials.

This blog was first published on 24th August 2020. Updated on 15th Nov 2022.

Related Articles


Back to start
aberdeen skyline graphic