Cyber Essentials most frequently asked questions

What is the Cyber Essentials scheme?

Cyber Essentials is a Government-backed, industry-supported certification and run by National Cyber Security Centre (NCSC). It helps businesses to put basic security controls in place to fight the most common cybersecurity threats. By achieving the certification your business shows the commitment to Cyber Security.

There are two types of Cyber Essentials (CE) Certifications. Cyber Essentials basic and Cyber Essentials Plus.

Who needs Cyber Essentials certification?

Any business that is tendering for government work is required to have the certification. By achieving Cyber Essentials your business is showing the commitment to Cyber Security. Your suppliers, partners, and clients feel more confident in sharing data with you. If you are tendering for Government projects you must have Cyber Essentials.

How do I get Cyber Essentials certification?

Find a Certification Body, purchase the package you are looking for, then the Certification Body will send you the Cyber Essentials Questionnaire and follow the process. You can find the list of Certification Bodies on the IASME website or simply get in touch with us. Check out the patching requirements and checklist for CE on our website.

How much does the Cyber Essentials cost?

The CE basic certification costs £300 + VAT.

The CE Plus costs £1,900 + VAT. CE plus include CE basic.

The costs are for Certification only. It will cost more if your IT systems are to be updated.

For new applications

Do certificates have an expiry date?

All new certificates issued by IASME will have a 12-month expiry date.

How much does it cost to get Cyber Essentials certification?

The cost of Cyber Essentials (verified self-assessment) is £300 + VAT.

My organisation is not based in the UK. Can I still obtain Cyber Essentials certification?

Yes, organisations overseas are able to get certificates.

Do I have to obtain the first level of Cyber Essentials before going on to Cyber Essentials Plus?

No, you can go for Cyber Essentials Plus without obtaining the first level of Cyber Essentials. Your Certification Body will work with you to complete the Cyber Essentials questionnaire and verify compliance as part the process of achieving Cyber Essentials Plus.

How are Cyber Essentials assessments verified?

A board member from the organisation signs a declaration to confirm that the assessment answers are true. A qualified assessor who works for a Certification Body then evaluates the responses.

In the event that you pass you receive a certificate.

If you fail, you will receive feedback so you know which areas need to be addressed should you either want to re-apply for Cyber Essentials certification or take the opportunity to improve your cyber security.

Do I need Cyber Essentials to bid for a Government contract?

Some Government contracts may require you to be Cyber Essentials certified or to be able to demonstrate that the technical controls are in place. In the first instance please confirm with the Government department their expectations with regards to Cyber Essentials. Requirements and exemptions may vary between department, so it is important that you are able to seek clarification for each contract.

For re-certification applications

My certificate was issued under the previous scheme before 30 June 2020, when will it expire?

All certificates issued under the existing scheme before 30 June 2020, will be valid until 30 June 2021.

Why am I no longer able to use my previous Accreditation Body?

From 1 April 2020 IASME Consortium took over the running of the Cyber Essentials scheme on behalf of the NCSC. Having a Cyber Essentials partner (rather than 5 Accreditation bodies) will ensure there's greater consistency in the way the scheme operates. It will ensure that Certification Bodies are all working to the same standard, and provide a more streamlined path to certification so we can ensure Cyber Essentials remains relevant.

From 1 April 2020 will I need to re-certify against a different technical standard?

At the moment, there are no plans to change the technical standard. However, NCSC and IASME will continue to review the technical controls and ensure they keep pace with the ever-changing cyber security landscape.

If certification is given by an Accreditation Body other than IASME, before 30 March 2020, will I need to be re-certified once IASME takes over the scheme on 1 April 2020?

All certificates issued prior to 1 April 2020 or before 30 June 2020 on the existing scheme are valid until 30 June 2021. This includes those issued by Accreditation Bodies other than IASME.

On 30 June 2021, any certificate issued under the old scheme will expire.

Coronavirus (COVID-19) pandemic

In light of the pandemic will IASME take over running the Cyber Essentials scheme as planned on 1 April 2020?

Yes, IASME will take up their new role of Cyber Essentials Partner on the 1 April 2020. Instead of the planned launch event there will be announcements made via the NCSC website.

Cyber Essentials certification during the pandemic

Cyber Essentials (verified self-assessment)

From 1 April, Cyber Essentials certification will be completed using IASME’s online portal. This can be accessed from your dining room table as easily as it would have been in the office. You may need to consult with your IT provider, but this is simple enough to do remotely via phone, email or chat software.

Cyber Essentials Plus

Cyber Essentials Plus certification involves some technical tests, which can be completed remotely by Certification Bodies without visiting an office or needing to have physical access to staff laptops.

With many staff working from home, some assistance and coordination from your IT team or IT provider maybe needed to give Certification Bodies access; this should be easily achievable for most organisations.

What if my Cyber Essentials is part of a contract agreement and expires during the pandemic/lock-down?

Any certificates issued before 1 April 2020 won’t have an expiry date, so they can't be extended. It will be up to the procurement department of any company that requires you to hold a Cyber Essentials certificate if they will accept an extended time-frame for their latest certificate to be completed.


Get certified today

  • Cyber Essentials Basic - CEB001



    2 Days for Remediation

    1 Day Turnaround

    £25k Cyber Insurance*

    Price includes VAT

    *Insurance details are on IASME website

  • Guided Cyber Essentials - CEB002


    Everything in CEB001 plus


    Online/Phone Support

    Price includes VAT

    *Insurance details are on IASME website

  • Cyber Essentials Plus - CEP001


    Everything in CEB002 Plus

    30 Day Remediation

    Systems Audit (remote)

    Price includes VAT

    *Insurance details are on IASME website

  • Guided CE Plus - CEP002


    Everything in CEP001 plus

    Pre- systems Audit

    Gap Analysis report

    Price includes VAT



    *Insurance details are on IASME website

How long does Cyber Essentials certification last?

Certification is only valid for a year and needs to be renewed every year to keep the status. The process will be the same again but not as tedious as the first time as long as you are keeping up with security controls that were put in place.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a Self-Assessment certification where you would fill in a self-assessment form and the IAMSE Certification Body will assess the application. If all goes well you will pass. CE plus includes the self-assessment as well as an audit from the Certification Body. The audit includes the vulnerability scan of the systems, malware test, browser download test, email test and external scan. CE plus is the advanced certification and recommended.

How long does it take to get Cyber Essentials certification?

Cyber Essentials basic Certification can be achieved in a day or less. However, Cyber Essentials Plus depends on the availability of the assessor, your (client) availability and the outcome of the audit. If the audit finds gaps then you will have 30 days to fix them. If everyone is available and everything goes well then the certification can be done in a day as well.


What security controls are covered by Cyber Essentials?

Cyber Essentials Scheme covers 5 technical controls. They are

  • Firewalls
  • Secure configuration
  • User Access Controls
  • Patch Management
  • Malware Management

What Cyber Essentials certification should we get?

We would recommend you to go for Cyber Essentials Plus. It involves an onsite visit and testing from the Certification body and ensures that you have the required security controls in place. Although it costs more to achieve CE Plus certification it is worth it.

Cyber Essentials Level 1 is a straightforward exercise where you answer the questionnaire from the certification body and they will evaluate your answers then perform an external scan on your IP address. If all goes well you will pass and a certificate will be issued.

In layman terms, Cyber Essentials level 1 is you saying you have the security controls in place and Cyber Essentials plus is the Certification Body testing if what you said is right.

What is the difference between Cyber Essentials and ISO 27001?

Cyber Essentials is a framework for Technical security controls focusing on IT infrastructure whereas ISO 27001 is a risk management framework for data Security and compliance wherever it is. WRT which one you want to achieve really depends on your business requirement.

Hope that answers most of the frequently asked questions about Cyber Essentials. Check out our blog post ‘Everything you need to know about Cyber Essentials’ to find out more about Cyber Essentials.

Related Articles


Back to startx