Cyber Essentials most frequently asked questions
What is the Cyber Essentials scheme?
Cyber Essentials is a government-backed cybersecurity certification developed by the National Cyber Security Centre (NCSC), part of the UK’s GCHQ. It provides a clear framework for businesses of all sizes to implement basic but essential cybersecurity controls that protect against the most common online threats.
Achieving Cyber Essentials certification shows your organisation’s commitment to cybersecurity and helps build trust with customers, partners, and stakeholders. It's also a key requirement for many public sector contracts and supply chain partnerships.
There are two levels of Cyber Essentials certification:
- Cyber Essentials (self-assessment)
- Cyber Essentials Plus (self-assessment with an independent technical audit)
Whether you're just starting your cybersecurity journey or looking to strengthen your defences, Cyber Essentials is a proven and cost-effective first step.
Who needs Cyber Essentials certification?
Cyber Essentials is required for businesses bidding on certain UK government contracts, particularly those involving sensitive data or IT services.
However, it's also valuable for any organisation looking to strengthen cybersecurity and build trust with clients, suppliers, and partners. Certification shows you’ve implemented essential protections against common cyber threats and are serious about safeguarding data.
How do I get Cyber Essentials certification?
To get certified, start by selecting an accredited Certification Body and choosing the Cyber Essentials package that fits your needs. The Certification Body will provide you with the Cyber Essentials questionnaire to complete and guide you through the certification process.
You can find a list of official Certification Bodies on the IASME website or contact us directly for assistance. Don’t forget to review the patching requirements and checklist available on our website to prepare effectively.
How much does Cyber Essentials cost?
The cost of Cyber Essentials certification varies depending on your organisation’s size and needs.
Cyber Essentials Basic starts from £300 + VAT.
Cyber Essentials Plus, which includes the Basic certification plus an in-depth technical assessment, starts from £1,500 + VAT.
These prices cover certification only. Additional costs may apply if your IT systems require updates or remediation to meet the scheme’s requirements.
For new applications
Do Cyber Essentials certificates expire?
Yes, all certificates issued by IASME are valid for 12 months and must be renewed annually.
How much does Cyber Essentials certification cost?
Certification costs start from £300 + VAT for the verified self-assessment (Cyber Essentials Basic).
Can organisations outside the UK obtain Cyber Essentials certification?
Yes, Cyber Essentials certification is available to organisations worldwide.
Do I need to complete Cyber Essentials Basic before pursuing Cyber Essentials Plus?
Yes, you must first achieve the Cyber Essentials self-assessment. After passing, you have 3 months to upgrade to Cyber Essentials Plus.
How are Cyber Essentials assessments verified?
A senior representative from your organisation signs a declaration confirming the accuracy of your assessment. A qualified assessor from a Certification Body then reviews your responses. If successful, you receive certification. If not, you’ll get feedback to address any gaps before reapplying or improving your cybersecurity.
Is Cyber Essentials required to bid for government contracts?
Most UK government contracts require Cyber Essentials or Cyber Essentials Plus certification. However, requirements may vary by department, so it’s important to confirm specific expectations with the relevant government body for each contract.
For re-certification applications
My certificate was issued under the previous scheme before 30 June 2020. When does it expire?
All certificates issued under the old scheme before 30 June 2020 remain valid until 30 June 2021.
Why am I no longer able to use my previous Accreditation Body?
From 1 April 2020 IASME Consortium took over the running of the Cyber Essentials scheme on behalf of the NCSC. Having a Cyber Essentials partner (rather than 5 Accreditation bodies) will ensure there's greater consistency in the way the scheme operates. It will ensure that Certification Bodies are all working to the same standard, and provide a more streamlined path to certification so we can ensure Cyber Essentials remains relevant.
Why can’t I use my previous Accreditation Body anymore?
Since 1 April 2020, the IASME Consortium has taken over running the Cyber Essentials scheme on behalf of the NCSC. This change from multiple Accreditation Bodies to a single Cyber Essentials partner ensures greater consistency, a streamlined certification process, and uniform standards across all Certification Bodies.
Will I need to re-certify against a different technical standard after 1 April 2020?
Currently, there are no plans to change the technical standard. However, the NCSC and IASME regularly review and update the controls to keep pace with evolving cybersecurity threats.
Get certified today
Step 1: Organisation Size
Step 2: Pick Cyber Essentials Package
Cyber Essentials Basic - CEB001: £800 + VAT
*Insurance details are on IASME website
Guided Cyber Essentials - CEB002: £950 + VAT
Everything in CEB001 plus:
- Pre-assessment
- Online/Phone Support
*Insurance details are on IASME website
Cyber Essentials Plus - CEP001: £2,900 + VAT
Everything in CEB002 plus:
- 30 Day Remediation
- Systems Audit (remote)
*Insurance details are on IASME website
Guided CE Plus - CEP002: £3,250 + VAT
Everything in CEP001 plus:
- Pre-systems Audit
- Gap Analysis report
*Insurance details are on IASME website
How long does Cyber Essentials certification last?
Certification is valid for one year and must be renewed every year to keep the status. The renewal process is the same, but it is less tedious than the first time as long as you keep up with the security controls that were put in place.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment certification: you fill in a self-assessment form and the IASME Certification Body assesses the application. If all goes well, you pass. Cyber Essentials Plus includes the self-assessment as well as an audit by the Certification Body. The audit includes a vulnerability scan of the systems, a malware test, a browser download test, an email test and an external scan. Cyber Essentials Plus is the advanced certification and is recommended.
How long does it take to get Cyber Essentials certification?
Cyber Essentials Basic (Level 1) certification can often be completed in a day or less. Since it mainly involves completing a self-assessment questionnaire and an external vulnerability scan, the process is straightforward and quick, ideal for organisations seeking rapid certification.
Cyber Essentials Plus, however, requires a more thorough approach. The timeline depends on factors such as the availability of your assessor, your organisation’s readiness, and the results of the audit. During the onsite or remote assessment, the Certification Body will test your security controls in detail.
If the audit identifies any gaps or issues, you will typically have up to 30 days to address and fix them before certification can be granted.
What security controls are covered by Cyber Essentials?
The Cyber Essentials scheme covers these technical controls:
- Firewalls and internet gateways
- Secure configuration
- User Access Controls
- Administrative accounts
- Password-based authentication
- Security Update Management
- Malware Protection
What Cyber Essentials certification should we get?
We recommend pursuing Cyber Essentials Plus certification for stronger assurance and greater credibility. Unlike the basic level, Cyber Essentials Plus includes an onsite or remote technical assessment performed by an accredited Certification Body. This testing verifies that your organisation has the required cybersecurity controls effectively implemented, providing higher confidence to customers, partners, and stakeholders.
While Cyber Essentials Plus involves a higher cost than the basic certification, the added value and rigorous validation make it a worthwhile investment for organisations serious about robust cyber defence.
Cyber Essentials Basic (Level 1) certification is a simpler process where you complete a detailed questionnaire about your security controls. The Certification Body then reviews your answers and performs an external vulnerability scan of your public-facing IP addresses. If your responses and scan pass, you receive the certification.
In simple terms:
- Cyber Essentials Basic is your organisation self-declaring that the necessary security measures are in place.
- Cyber Essentials Plus involves the Certification Body testing and verifying that your claims are accurate through technical assessments.
Choosing the right level depends on your organisation’s security needs, budget, and how much assurance you want to provide to your clients and partners.
What is the difference between Cyber Essentials and ISO 27001?
Cyber Essentials is a technical framework focused specifically on implementing key cybersecurity controls to protect your IT infrastructure from common cyber threats. It is designed to help organisations quickly demonstrate basic cyber hygiene.
ISO 27001, on the other hand, is a comprehensive information security management system (ISMS) standard that covers risk management, policies, processes, and compliance for protecting all types of sensitive data across the entire organisation—not just IT systems.
Which certification is right for your organisation depends on your specific business needs, regulatory requirements, and the level of cybersecurity maturity you want to achieve. Many organisations use Cyber Essentials as a foundational step before pursuing ISO 27001.
We hope that answers most of the frequently asked questions about Cyber Essentials. For more detailed information, check out our blog post: ‘Everything you need to know about Cyber Essentials’.
This blog was first published on 24th August 2020. Updated on 30th June 2025.