Cyber Essentials is the UK government-backed cybersecurity certification scheme designed to help organisations protect themselves against the most common cyber threats. Launched by the National Cyber Security Centre (NCSC), it has become increasingly important — not just as a security baseline, but as a commercial requirement for businesses working with the UK government, NHS, and many large enterprises.
This guide covers everything you need to know about Cyber Essentials in 2025: what it covers, the two certification levels, how to prepare, what it costs, and how long it takes.
Why Cyber Essentials Matters in 2025
Cyber Essentials is no longer optional for many UK businesses:
- Government contracts: All suppliers bidding for UK central government contracts involving the handling of personal data or sensitive information must hold Cyber Essentials certification.
- NHS supply chain: NHS Digital requires all suppliers to hold Cyber Essentials Plus as part of the Data Security and Protection Toolkit (DSPT) requirements.
- Insurance: Many UK cyber insurance providers now offer premium discounts for Cyber Essentials certified businesses, and some require it as a condition of cover.
- Enterprise procurement: Large UK enterprises increasingly require Cyber Essentials from their supply chain as part of third-party risk management programmes.
The Two Levels of Cyber Essentials
Cyber Essentials (Self-Assessment)
The base level involves completing a self-assessment questionnaire covering five technical controls. The questionnaire is reviewed and verified by a certifying body. It is suitable for smaller organisations with straightforward IT environments.
Cost: £300 + VAT for the assessment fee (certifying body fees vary, typically £400–£600 total).
Time to achieve: 2–6 weeks depending on your current security posture.
Cyber Essentials Plus
Cyber Essentials Plus includes everything in the base certification plus an independent technical audit conducted by an assessor. The assessor tests your systems to verify that the controls you have described in your self-assessment are actually in place and working correctly.
Cost: £1,500–£5,000+ depending on organisation size and complexity.
Time to achieve: 4–12 weeks.
The Five Technical Controls
Cyber Essentials focuses on five core areas. Here is what each requires:
1. Firewalls
All devices must be protected by a properly configured firewall. For internet-facing services, only necessary ports should be open. Default passwords must be changed. This applies to both network firewalls and host-based firewalls on individual devices.
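The "only necessary ports should be open" requirement is easiest to evidence by comparing what a host actually listens on against a written list of approved services. The following is an added example, not code from the article or from the Cyber Essentials scheme: it parses constructed `ss -tuln` style output and reports every network-reachable listener that is not on the allowlist. The allowlist and the sample output are assumptions; loopback-only services are deliberately not flagged because they are not exposed through the firewall.

```python
"""Listening-port review for the Cyber Essentials firewall control.

Hypothetical helper (not from the article or the scheme): parses the
output of `ss -tuln` and reports network-reachable listeners that are
not on an approved-services allowlist.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    address: str    # bind address as printed by ss
    port: int


def parse_listeners(ss_output: str) -> list[Listener]:
    """Parse `ss -tuln` style output into Listener records."""
    listeners = []
    for line in ss_output.strip().splitlines()[1:]:   # first row is the header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        # ss prints LISTEN for tcp sockets and UNCONN for bound udp sockets
        if state not in ("LISTEN", "UNCONN"):
            continue
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")            # "[::]:80" -> "::"
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def is_network_reachable(address: str) -> bool:
    """True if other hosts can reach a socket bound to this address."""
    if address in ("*", "0.0.0.0", "::"):
        return True                        # wildcard binds: every interface
    return not ip_address(address).is_loopback


def audit_listeners(ss_output: str, allowed: set[tuple[str, int]]) -> list[str]:
    """Return one finding per exposed listener that is not an approved service."""
    findings = []
    for lst in parse_listeners(ss_output):
        if is_network_reachable(lst.address) and (lst.proto, lst.port) not in allowed:
            findings.append(
                f"{lst.proto}/{lst.port} listening on {lst.address} is not an approved service"
            )
    return findings


# Constructed sample: what `ss -tuln` might print on a small office server.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*
tcp   LISTEN 0      511    *:443               *:*
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*
"""

# Assumed allowlist: the services the organisation has documented a need for.
ALLOWED_SERVICES = {("tcp", 22), ("tcp", 443)}

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS, ALLOWED_SERVICES):
        print("FINDING:", finding)
```

Run against real output (`ss -tuln | python3 port_review.py` with a small stdin wrapper), the same logic gives the assessor-facing evidence that each exposed port maps to a documented business need; anything it flags is either a rule to remove or a service to add to the documented list.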
2. Secure Configuration
Devices and software must be configured securely. This means: removing or disabling unnecessary software and services, changing default credentials, enabling automatic screen lock, and ensuring only authorised software can run.
3. User Access Control
User accounts must have only the permissions they need to do their job (principle of least privilege). Standard user accounts should be used for day-to-day work; administrator accounts should only be used when necessary. Multi-factor authentication (MFA) is required for all cloud services and remote access.
4. Malware Protection
All devices must have malware protection in place. This can be achieved through anti-malware software, application allowlisting (only approved software can run), or sandboxing. The 2023 update to the scheme also requires MFA for cloud services (see User Access Control above), which significantly raises the bar for the scheme as a whole.
5. Patch Management
All software must be kept up to date. High-severity patches must be applied within 14 days of release. Software that is no longer supported by the vendor (and therefore no longer receiving security updates) must be removed or isolated from the internet.
Common Reasons Organisations Fail
- Unsupported software: Windows 10 reaches end of life in October 2025. Any organisation still running it after that date will fail Cyber Essentials.
- MFA not enforced on cloud services: The 2023 update made MFA mandatory for all cloud services. Many organisations have MFA available but not enforced for all users.
- Overly permissive firewall rules: Rules added for temporary purposes and never removed are a common failure point.
- Default credentials: Network devices, printers, and IoT devices still using manufacturer default passwords.
- Narrowing the scope: Organisations that try to exclude parts of their environment from scope often find assessors push back.
How to Prepare: A Practical Checklist
- Inventory all devices in scope (laptops, desktops, servers, mobile devices, network equipment)
- Identify and upgrade or remove any unsupported operating systems or software
- Enforce MFA on Microsoft 365, Google Workspace, and all other cloud services
- Review and tighten firewall rules — remove anything that is not actively needed
- Change all default passwords on network devices, printers, and IoT equipment
- Verify that automatic updates are enabled and that patches are being applied within 14 days
- Review user accounts — remove accounts for leavers, reduce admin privileges to only those who need them
- Ensure anti-malware is deployed and active on all in-scope devices
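Most of the checklist above reduces to questions that can be answered from two exports: the asset inventory and the cloud identity provider's user list. The following is an added example, not code from the article or from the scheme, that models both as constructed records and tests them against the rules the article states: no operating system past end of support, high-severity patches applied within 14 days of release, MFA enforced on every cloud account, accounts for leavers removed, and admin access justified. The record shapes, the sample data and the assessment date are assumptions; the Windows 10 end-of-support date is Microsoft's published one.

```python
"""Pre-assessment evidence check for the Cyber Essentials checklist.

Hypothetical tooling (not from the article or the scheme): constructed
inventory and cloud-account records are tested against the patch
management and user access control rules the scheme sets out.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)       # high-severity patches: 14 days from release

# End-of-support dates. Windows 10's is Microsoft's published date; the rest
# of this table is an assumption the organisation must maintain itself.
END_OF_SUPPORT = {
    "Windows 10": date(2025, 10, 14),
}


@dataclass
class Device:
    name: str
    os: str
    # Release date of the oldest high-severity patch not yet applied, if any.
    oldest_missing_patch_released: Optional[date]


@dataclass
class CloudAccount:
    user: str
    is_admin: bool
    mfa_enforced: bool
    still_employed: bool


def device_findings(devices, today):
    """Unsupported OS and overdue patches, as (asset, code, detail) tuples."""
    findings = []
    for d in devices:
        eol = END_OF_SUPPORT.get(d.os)
        if eol is not None and today > eol:
            findings.append((d.name, "unsupported-os", f"{d.os} left vendor support on {eol}"))
        released = d.oldest_missing_patch_released
        if released is not None and released + PATCH_WINDOW < today:
            late = (today - released - PATCH_WINDOW).days
            findings.append((d.name, "patch-overdue", f"{late} days past the 14-day window"))
    return findings


def account_findings(accounts):
    """Leaver accounts, missing MFA, and the admin set that needs justification."""
    findings = []
    for a in accounts:
        if not a.still_employed:
            findings.append((a.user, "leaver-account", "account still enabled for a leaver"))
        if not a.mfa_enforced:
            findings.append((a.user, "mfa-not-enforced", "cloud account without MFA"))
    admins = [a.user for a in accounts if a.is_admin and a.still_employed]
    if admins:
        findings.append(("-", "admin-review", "justify admin rights for: " + ", ".join(admins)))
    return findings


def run_audit(devices, accounts, today):
    """Combined findings list; empty means the checklist items are evidenced."""
    return device_findings(devices, today) + account_findings(accounts)


# Constructed sample data for a small organisation.
ASSESSMENT_DATE = date(2025, 11, 3)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11", None),
    Device("LAPTOP-02", "Windows 10", date(2025, 10, 14)),   # EOL and 20 days unpatched
    Device("SRV-01", "Ubuntu 24.04", date(2025, 10, 25)),    # 9 days: inside the window
    Device("PRN-01", "Printer firmware", None),
]
SAMPLE_ACCOUNTS = [
    CloudAccount("alice", is_admin=False, mfa_enforced=True, still_employed=True),
    CloudAccount("bob", is_admin=True, mfa_enforced=False, still_employed=True),
    CloudAccount("carol", is_admin=False, mfa_enforced=True, still_employed=False),
    CloudAccount("it-admin", is_admin=True, mfa_enforced=True, still_employed=True),
]

if __name__ == "__main__":
    for asset, code, detail in run_audit(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, ASSESSMENT_DATE):
        print(f"{asset:<10} {code:<18} {detail}")
```

The patch check deliberately keys on the release date of the oldest missing high-severity patch rather than on when the device last updated: a device that patched yesterday but skipped a fix released three weeks ago is still outside the 14-day window the scheme requires. Feeding the same functions a real inventory export gives a finding list that maps directly onto the remediation work needed before the questionnaire is submitted.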
How Long Does It Take?
For an organisation that has reasonable IT hygiene already in place, Cyber Essentials can typically be achieved in 3–4 weeks. For organisations starting from a lower baseline — particularly those with legacy systems, unsupported software, or no MFA in place — allow 8–12 weeks to remediate issues before attempting the assessment.
How Baycop Can Help
We provide end-to-end Cyber Essentials support: gap assessment against the five controls, remediation of identified issues, preparation for the self-assessment questionnaire, and support through the Cyber Essentials Plus technical audit. We have helped over 30 UK businesses achieve certification, including NHS supply chain partners and government contractors.
Book a free Cyber Essentials gap assessment — we will tell you exactly where you stand and what needs to be done to achieve certification.