Security · 5 min read

What is Cyber Essentials and does your organisation need it?

It's a short, practical security baseline, and increasingly, funders and clients expect it.

Cyber Essentials is a UK government-backed certification that confirms your organisation has a basic, well-implemented set of cyber security controls in place. It's run by IASME on behalf of the National Cyber Security Centre.

It's not a deep penetration test. It's a focused, practical baseline: the security equivalent of fitting locks, smoke alarms and a burglar alarm.

What it covers

Five technical control areas:

1. Firewalls: every internet-connected device has a properly configured firewall.
2. Secure configuration: devices and software aren't running with default passwords or unnecessary features.
3. User access control: people have only the permissions they need, and admin accounts are separated from everyday accounts.
4. Malware protection: antivirus, application allow-lists or sandboxing on every device.
5. Security update management: operating systems and applications are patched within 14 days of a critical update being released.

You self-assess via a questionnaire, an external assessor reviews your answers, and you receive certification valid for 12 months.

Why bother?

Three increasingly common reasons:

  • Funders ask for it. Many UK grant-makers and local-authority contracts now require Cyber Essentials.
  • Clients ask for it. Especially in B2B work, professional services, or anything touching personal data.
  • Insurers reward it. Some cyber insurance policies require or discount for it.

And the controls themselves genuinely reduce the risk of the common attacks (phishing, ransomware, credential theft) that are the ones most likely to hit a small organisation.

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials is self-assessed: you answer the questionnaire honestly and it's reviewed.

Cyber Essentials Plus adds a hands-on technical audit by an assessor, who verifies that the controls are actually in place on a sample of your devices. It's more rigorous, more expensive, and usually only needed when a specific client or contract demands it.

For most small organisations, standard Cyber Essentials is the right starting point.

What it costs

The certification fee is tiered by organisation size; for most small organisations it's around £320–£550 +VAT. The bigger cost is usually the time and any technical work needed to bring your setup up to the standard before you certify.

If you'd like a readiness assessment to see how close you are today, get in touch.

Need a hand with this?

I help small organisations across the UK with exactly this kind of work. Honest advice, plain English, no pressure.

Get in touch