How to get Cyber Essentials certification
Getting Cyber Essentials certification is one of the clearest, quickest ways a UK business can demonstrate basic cyber hygiene. For owners of companies with 10–200 staff it’s practical, affordable and often expected by buyers or public sector partners. This guide cuts through the jargon, explains the steps in plain English and focuses on business outcomes: less risk, easier procurement and a calmer IT team.
What Cyber Essentials actually proves
Cyber Essentials is not an advanced security badge for security teams to argue over — it’s a floor. It shows you have basic controls in place to stop the most common online attacks. That matters because most breaches against small and medium-sized businesses aren’t fancy; they exploit unpatched software, weak passwords or insecure internet-facing devices.
For many UK organisations it’s a tick-box for procurement, insurance and supply-chain confidence. It won’t stop every threat, but it reduces the chance of being punched in the face by easily prevented attacks.
Who should get it, and why
If your organisation bids for public-sector contracts, handles personal data, or simply wants to reduce insurance costs and reputational risk, Cyber Essentials is worthwhile. Even if you’re not obliged to have it, customers and partners increasingly expect vendors to show a baseline of cyber care. For firms across the UK — whether you’re in Glasgow, Cardiff or a smaller town — it’s credibility that helps win work and sleep better at night.
Step-by-step: how to get Cyber Essentials certification
1. Understand which scheme you need
There are two main routes: Cyber Essentials (self-assessment) and Cyber Essentials Plus (independently tested). Most SMEs start with the self-assessment to get the basic certification quickly; you can upgrade later if a buyer requires the Plus level.
2. Check your scope
Decide which systems are in scope: typically the devices and services you control that connect to the internet and store or process data. Keep the scope sensible. Trying to include every legacy test machine makes the process longer and more expensive.
3. Prepare the basics
There are five technical controls the assessment checks: boundary firewalls, secure configuration, access control (passwords and admin rights), patching, and malware protection. You don’t need to be a sysadmin to understand them — you need policies and simple, documented practices. Make sure you can show:
- how internet access is protected (router/firewall settings);
- that users don’t have admin rights on their everyday machines;
- a clear patching routine for operating systems and apps;
- a standard approach to anti-malware; and
- password rules and multi-factor authentication where appropriate.
4. Complete the self-assessment
The Cyber Essentials questionnaire asks straightforward yes/no questions plus a few that need a short written explanation. Answer honestly: if you say you patch weekly but can’t show evidence, you’ll need to fix that. Expect to involve whoever manages IT and whoever approves spend — it’s a business, not a purely technical, exercise.
5. Remediate the gaps
If the assessment highlights gaps, prioritise the fixes that reduce the most risk for the least cost. Patching and removing admin rights often deliver huge benefit quickly. You don’t need a full security overhaul to pass.
6. Certification and renewal
Once you submit the self-assessment and it’s accepted by an approved certification body, you receive the Cyber Essentials certificate. It lasts 12 months and then you’ll repeat the self-assessment to renew. Keep basic evidence handy throughout the year so renewal is quick.
Timeline and costs — what to expect
For many SMEs the process takes a few days of focused work: documenting settings, gathering screenshots and applying obvious fixes. If you need more substantial remediation it could take longer. Prices for the self-assessment vary depending on the certification body, but the exercise is generally affordable and proportionate for revenue-generating organisations.
Common pitfalls and how to avoid them
Business owners I’ve worked with often stumble over a few recurring issues:
- Over-scoping. Including legacy or test systems needlessly increases complexity.
- Evidence gaps. Saying something is done but having no logs, screenshots or emails to show it.
- Delegation without oversight. Handing it all to an IT person and assuming it’s done without a short board-level review.
Manage the process centrally, keep the scope tight and insist on evidence — it keeps renewals painless.
Practical, cost-effective tips for passing
- Inventory first: a short, accurate list of internet-facing systems is far more useful than a long, uncertain one.
- Patching schedule: set a weekly or fortnightly patch window and stick to it. Record it.
- Least privilege: remove local admin rights from standard users and log changes where necessary.
- MFA: enable multi-factor authentication for remote access and admin accounts — it’s one of the fastest wins.
- Standard images: use a baseline configuration for devices so you can show consistency across endpoints.
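The inventory, patching, least-privilege and MFA tips above all come down to the same question an assessor will ask: can you list what is in scope and show where the gaps are? The script below is an added illustration, not part of the Cyber Essentials scheme or any official tooling. It runs over a hand-built asset inventory (the device and account records, field names, a 14-day patch window and the sample data are all assumptions for this example) and reports the things the self-assessment questions probe: internet-facing devices that define the scope, devices past the patch window, everyday users who also hold admin rights, missing firewall or anti-malware protection, and remote or admin accounts without MFA.

```python
"""Evidence pre-check for a Cyber Essentials self-assessment (added example).

Runs over a constructed inventory and lists the gaps an assessor would ask
about. Field names, the patch window and the sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14  # assumption: a fortnightly patch window, as the tips suggest


@dataclass
class Device:
    name: str
    internet_facing: bool           # reachable from the internet (web server, laptop on home broadband...)
    last_patched: date
    firewall_enabled: bool
    antimalware_enabled: bool
    admins: list[str] = field(default_factory=list)          # accounts with local admin rights
    everyday_users: list[str] = field(default_factory=list)  # people who do their daily work on it


@dataclass
class Account:
    name: str
    remote_access: bool
    is_admin: bool
    mfa_enabled: bool


def in_scope(devices: list[Device]) -> list[str]:
    """Scope rule used here: anything internet-facing is in scope; isolated test kit is not."""
    return sorted(d.name for d in devices if d.internet_facing)


def overdue_patching(devices: list[Device], today: date, window_days: int = PATCH_WINDOW_DAYS) -> list[str]:
    """In-scope devices whose last patch date is older than the agreed window."""
    cutoff = today - timedelta(days=window_days)
    return sorted(d.name for d in devices if d.internet_facing and d.last_patched < cutoff)


def admins_on_everyday_machines(devices: list[Device]) -> list[tuple[str, str]]:
    """Users who hold admin rights on the machine they use for daily work (least-privilege gap)."""
    return sorted((d.name, u) for d in devices for u in d.admins if u in d.everyday_users)


def missing_protection(devices: list[Device]) -> list[tuple[str, str]]:
    """In-scope devices missing a boundary firewall or anti-malware."""
    gaps = []
    for d in devices:
        if not d.internet_facing:
            continue
        if not d.firewall_enabled:
            gaps.append((d.name, "firewall"))
        if not d.antimalware_enabled:
            gaps.append((d.name, "antimalware"))
    return sorted(gaps)


def accounts_without_mfa(accounts: list[Account]) -> list[str]:
    """Remote-access or admin accounts with no multi-factor authentication."""
    return sorted(a.name for a in accounts if (a.remote_access or a.is_admin) and not a.mfa_enabled)


def evidence_report(devices: list[Device], accounts: list[Account], today: date) -> dict:
    """Everything in one place, ready to turn into screenshots and a remediation list."""
    return {
        "in_scope": in_scope(devices),
        "overdue_patching": overdue_patching(devices, today),
        "admins_on_everyday_machines": admins_on_everyday_machines(devices),
        "missing_protection": missing_protection(devices),
        "accounts_without_mfa": accounts_without_mfa(accounts),
    }


# Constructed sample inventory (not real systems).
TODAY = date(2024, 6, 1)
DEVICES = [
    Device("web-01", True, date(2024, 5, 25), True, True, admins=["svc-deploy"]),
    Device("laptop-alice", True, date(2024, 5, 1), True, True, admins=["alice"], everyday_users=["alice"]),
    Device("laptop-bob", True, date(2024, 5, 28), False, True, admins=["it-support"], everyday_users=["bob"]),
    Device("test-vm-old", False, date(2023, 1, 1), False, False),  # offline test box, kept out of scope
]
ACCOUNTS = [
    Account("alice", remote_access=True, is_admin=False, mfa_enabled=True),
    Account("bob", remote_access=True, is_admin=False, mfa_enabled=False),
    Account("it-support", remote_access=False, is_admin=True, mfa_enabled=False),
    Account("carol", remote_access=False, is_admin=False, mfa_enabled=False),
]

if __name__ == "__main__":
    for finding, items in evidence_report(DEVICES, ACCOUNTS, TODAY).items():
        print(f"{finding}: {items}")
```

On the sample data the report flags one laptop past the patch window, one user who is both an everyday user and a local admin, one laptop with its firewall off, and two accounts (remote access, admin) without MFA; the old test VM is ignored because it is out of scope, which is exactly the "keep the scope tight" point. Swap the constructed lists for an export from your device management or directory tooling and you have the evidence list the questionnaire will ask for.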
If you want a straightforward reference while you’re preparing, see our Cyber Essentials guide for a practical checklist and common evidence examples.
How to choose a certification body or partner
Some businesses manage the entire process in-house; others engage a local IT partner to speed things up. When choosing someone to help, pick a provider who understands UK procurement requirements and can explain business impact, not just technical minutiae. Ask for examples of similar-sized clients and a fixed-price scope for remediation work so you control costs.
When to aim for Cyber Essentials Plus
If a buyer or regulator requires proof of technical testing, you’ll need Cyber Essentials Plus. It involves an independent assessment of your systems. Treat this as a second step: get the self-assessment in order first, then address any remaining technical hardening before booking the Plus test.
FAQ
How long does Cyber Essentials certification take?
For most SMEs it can be done in a few days to a couple of weeks if you focus on the basics. If you have patching backlogs or undocumented systems, allow more time to remediate.
Does Cyber Essentials prevent all cyberattacks?
No. It significantly reduces exposure to common, opportunistic attacks (the ones most small businesses see), but it’s not a silver bullet. It’s a foundation to build on, not the whole security strategy.
Will Cyber Essentials help with procurement and insurance?
Yes. Many public-sector tenders and insurance providers either require or prefer Cyber Essentials. It’s a recognised indicator of basic cyber hygiene and can make a practical difference when bidding or negotiating premiums.
Can my in-house IT person handle it?
Often, yes. The self-assessment is written for non-experts. However, having someone with knowledge of network settings and device management helps speed things up and ensures the evidence is correctly collected.
Final thoughts and a soft call to action
Cyber Essentials is one of the best value investments a UK business can make: it lowers everyday cyber risk, helps with bids and procurement, and keeps insurance conversations simpler. Start with a clear scope, gather a few pieces of evidence, and treat it as a recurring business process rather than a one-off IT task. If you want to move quickly, focusing on the fixes that save you time and mitigate the biggest risks will usually deliver the benefits you need without a heavy price tag.
Ready for less risk and more credibility — with less time and stress? Make a plan, prioritise the obvious wins and you’ll have the certificate and the peace of mind to show for it.