How to get Cyber Essentials certified: a practical guide for UK businesses
If you’re running a business in the UK with 10–200 staff, you’ve probably been asked for Cyber Essentials before winning a contract, renewing insurance, or calming a nervous board member. The scheme is short, practical and focused on the basics that stop most opportunistic attackers. This guide explains how to get Cyber Essentials certified in straightforward terms, focusing on business outcomes: lower risk, better chances of winning work, and less time firefighting.
Why bother? The business case in plain English
Cyber Essentials isn’t about being bulletproof. It’s about demonstrating you take basic security seriously. That matters because many supply chains — public and private — now expect it. Certification reassures buyers and insurers that you have simple controls in place: firewalls, secure configuration, access controls and patching. For a small or mid-sized firm, the upside is tangible: fewer interruptions to billing, reduced risk of fines under UK GDPR, and a clearer position when tendering for work.
Who certifies it and which route to choose?
The scheme is overseen by the UK’s National Cyber Security Centre (NCSC). There are two main routes:
- Self-assessment (Cyber Essentials): you complete an online questionnaire and an accredited body reviews it.
- Assessed (Cyber Essentials Plus): includes scanning and/or on-site checks for a deeper level of assurance.
Most businesses start with self-assessment. It’s cheaper and quick to complete. If you handle particularly sensitive data or face stringent client demands, consider the Plus route later.
A simple step-by-step to get certified
1. Get the right people involved
This is a business process, not an IT-only job. Involve someone who understands operations, a person who can make decisions about devices and access, and your IT lead — whether that’s an internal colleague or an external supplier. From experience across industries from retail to professional services in towns up and down the UK, projects stall when decisions are left to email chains.
2. Take a pre-check of the basics
Before touching the questionnaire, check these five areas: boundary firewalls, secure configuration, user access control, patching/updates, and malware protection. Most firms already satisfy several controls; the aim is to prove it. Keep a simple record — dates, who made changes, model numbers — so you can answer questions accurately.
3. Gather evidence
Evidence needn’t be thick folders. Screenshots, succinct notes, and change logs are fine. For example: a screenshot of your firewall rules, a list of users with admin accounts, patch dates for a sample of machines, and confirmation that anti-malware is centrally managed. Practical tip: capture evidence during normal working hours — it’s faster and shows how systems behave day to day.
4. Complete the questionnaire honestly and clearly
The online form asks clear yes/no questions with supporting fields. Be precise. If a practice is in place for 90% of devices but not all, state that and explain how remaining devices are being addressed. Certifiers are more comfortable with transparent, timebound remediation plans than with optimistic answers that aren’t believable.
5. Submit and resolve any follow-up
The assessor will review your answers and evidence. Sometimes they ask for clarification — that’s normal. Respond promptly and keep a named contact so queries don’t bounce between people. For many small teams this is the longest part, but it’s usually days rather than weeks.
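As an added example that is not part of the original guide, the script below captures read-only evidence for the five control areas named in step 2 (firewall, secure configuration, user access control, patching, malware protection) on a single Windows endpoint, so that step 3 produces dated, repeatable records rather than ad hoc screenshots. It assumes Windows 10/11 or Windows Server with Windows Defender, PowerShell 5.1 or later run from an elevated prompt, and the output folder name is an assumption.

```powershell
# Added example (not from the original guide): collect Cyber Essentials evidence
# for one Windows endpoint. Assumes an elevated PowerShell 5.1+ session and Defender.
$OutDir = Join-Path $env:USERPROFILE "CE-Evidence-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Boundary firewall: is each profile enabled, and what is the default inbound action?
$fw = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
$fw | Export-Csv (Join-Path $OutDir 'firewall-profiles.csv') -NoTypeInformation

# 2. Secure configuration: OS build (supported version?) and whether the Guest account is off
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber, LastBootUpTime |
    Export-Csv (Join-Path $OutDir 'os-build.csv') -NoTypeInformation
$users = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
$users | Export-Csv (Join-Path $OutDir 'local-users.csv') -NoTypeInformation

# 3. User access control: who holds local administrator rights on this machine
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
$admins | Export-Csv (Join-Path $OutDir 'local-admins.csv') -NoTypeInformation

# 4. Patching: installed updates, newest first, so the assessor can see recent patch dates
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object HotFixID, Description, InstalledOn |
    Export-Csv (Join-Path $OutDir 'hotfixes.csv') -NoTypeInformation

# 5. Malware protection: real-time protection state and signature age
$av = Get-MpComputerStatus |
    Select-Object AMRunningMode, RealTimeProtectionEnabled, AntivirusSignatureAge, AntivirusSignatureLastUpdated
$av | Export-Csv (Join-Path $OutDir 'defender-status.csv') -NoTypeInformation

# Pre-check flags (step 2): surface obvious gaps before you fill in the questionnaire
$disabled = $fw | Where-Object { -not $_.Enabled }
if ($disabled) { Write-Warning "Firewall disabled for profile(s): $($disabled.Name -join ', ')" }
if ($users | Where-Object { $_.Name -eq 'Guest' -and $_.Enabled }) { Write-Warning 'Guest account is enabled' }
if ($admins.Count -gt 2) { Write-Warning "$($admins.Count) local admin principals; review for shared accounts" }
if (-not $av.RealTimeProtectionEnabled) { Write-Warning 'Defender real-time protection is off' }
if ($av.AntivirusSignatureAge -gt 7) { Write-Warning "AV signatures are $($av.AntivirusSignatureAge) days old" }

# Record who captured the evidence and when, as the guide recommends keeping dates and names
"Captured by $env:USERNAME on $env:COMPUTERNAME at $(Get-Date -Format o)" |
    Set-Content (Join-Path $OutDir 'README.txt')
Write-Host "Evidence written to $OutDir"
```

Run it on a representative sample of machines (the guide suggests patch dates for a sample, not every device) and keep the dated folders with the questionnaire; the warnings are a prompt to fix or document a gap, not a pass/fail verdict.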
Common pitfalls and how to avoid them
From experience, here are the usual stumbling blocks:
- Assuming every device is covered when some legacy kit is offline. Do an inventory sweep first.
- Weak password practices or shared admin accounts. Move to individual accounts and consider multi-factor authentication.
- Patching gaps: servers are often on schedules that lag behind user machines. Make a pragmatic plan and document it.
- Poor evidence: saying something is done is different from proving it. Capture screenshots or logs during the work.
How long and how much?
Costs vary by assessor and whether you choose the Plus route. Time is the bigger variable: many businesses can complete the self-assessment in a few days if they prepare, while others take a couple of weeks as they tidy up devices and policies. Consider the time saved later with fewer incidents and smoother tendering — it often pays back quickly.
A word on suppliers and outsourcing
If you use a managed IT supplier, they can help execute controls and gather evidence. If they’re part of daily ops, ask for clear deliverables and a timeline. If you’re using external consultants, make sure they work with your internal people; otherwise knowledge doesn’t stick and you’ll be back at square one when the next update arrives.
For a step-by-step toolkit and templates to speed things up, see our Cyber Essentials breakdown — it’s the sort of practical checklist teams in Leeds, London and the South West have found useful when a tender deadline looms.
Maintaining certification
Certification runs for a year. Treat it like an annual health check: review your inventory, confirm patch schedules, and update evidence. The work to stay certified should be lightweight if the controls are embedded into routine IT operations.
FAQ
How long does the Cyber Essentials self-assessment take?
That depends on preparation. If you have a basic inventory and routine patching, the form can be completed in a day or two. If you need to gather evidence from several teams, allow a week or two.
Do I need Cyber Essentials Plus?
Not always. Plus gives higher assurance because it includes testing. Consider Plus if you handle sensitive data, or if clients explicitly ask for it.
Will certification protect us from all cyber attacks?
No. It reduces common risks and stops many opportunistic attacks, but it isn’t a silver bullet. Think of it as essential hygiene — necessary, measurable and cost-effective.
What if we fail the assessment?
Failing simply means you haven’t demonstrated a control yet. Assessors will explain gaps; most firms fix a few items and resubmit or reapply after making the changes.
Next steps (a practical close)
Start with a quick inventory and a short meeting with your IT lead and operations manager. Focus on evidence you can gather this week: firewall screenshots, user lists and patch logs. The quicker you treat Cyber Essentials as a business process rather than a one-off IT task, the faster you’ll win tenders, lower your risk and sleep easier. If you’d like to turn this into a tidy, time-boxed project, you’ll save time and money and bolster your credibility in the marketplace.