How to get Cyber Essentials: a practical guide for UK SMEs

If you run a business in the UK with a few dozen staff, you’ve probably heard of Cyber Essentials. It’s become a baseline expectation from buyers, insurers and procurement teams — not because it’s flashy, but because it reduces the chance of an embarrassing, expensive breach. This guide explains, in plain English, how to get Cyber Essentials, what it will (and won’t) do for your business, and how to avoid the common traps that cost time and money.

What Cyber Essentials actually is — and why your board will care

Cyber Essentials is a government-backed scheme that checks basic cyber hygiene: things like secure configuration, access controls, and keeping software up to date. It won’t make you invincible, but it does lower risk and demonstrates to customers and insurers that you take security seriously. For most SMEs this is about minimum acceptable standards, not military-grade security.

Step-by-step: how to get Cyber Essentials

1. Decide which level you need

There are two common levels: Cyber Essentials (self-assessment) and Cyber Essentials Plus (independently tested). If you’re bidding for public sector contracts or are under pressure from larger customers, the basic certificate is often enough. If you want the extra assurance and to show a higher commitment, Cyber Essentials Plus is worth the extra cost and effort.

2. Complete the self-assessment questionnaire

The scheme asks straightforward questions about your devices, firewalls, user access and patching. Be honest — it’s better to fix small issues now than fail a check. The questionnaire doesn’t demand technical reports; it asks whether policies and controls are in place and being followed.

3. Get your systems in order

Practically, this means: ensure firewalls and antivirus are active, keep operating systems and apps patched (the scheme expects security updates rated critical or high to be applied within 14 days of release), remove or disable unnecessary admin rights, and control remote access. For a 10–200 person business, these are policies and routines rather than one-off projects. Small improvements here often reduce support calls and downtime as well as risk.

4. Evidence and sign-off

Someone with authority in your business needs to confirm the answers — usually an IT manager, director or external supplier. Keep simple records: dates of updates, who has admin rights, and a basic inventory. The assessor wants reassurance that the answers are truthful and repeatable, not a shelf of glossy reports.

5. Submit and (if needed) arrange testing

Submit your self-assessment to an accredited certification body. If you opt for Cyber Essentials Plus, you’ll arrange a follow-up technical test. Many organisations handle the whole process internally, but plenty use accredited suppliers to save time and reduce stress. Using help isn’t cheating; it’s sensible delegation when your people are busy running the business.

Costs, timing and realistic expectations

Expect the basic Cyber Essentials to take a few days of effort spread over a couple of weeks if you’re organised; for Cyber Essentials Plus allow additional time for testing. Costs vary: the certification body charges a fee, and you may need modest spend to fix issues (updates, licensing, or an hour or two of consultancy). Compared with the cost of a supply-chain failure or ransomware incident, the outlay is small.

Common pitfalls and how to avoid them

Don’t treat the certification as a one-off. The worst outcomes come from complacency: people pass the test, then processes slip. Make patching and rights reviews part of monthly or quarterly routines. Another trap is over-complication — documentation should reflect what you actually do, not an idealised version. If staff use different systems or follow different procedures, standardise and simplify.

Business benefits beyond the certificate

Getting Cyber Essentials often has positive side effects that matter to boardroom conversations: fewer support tickets due to patching, lower insurance premiums, and improved confidence among customers and partners. For procurement teams the certificate shortens checklists and speeds up deals. For operations it reduces the chance of disruptive incidents that cost time and money.

Practical tips from the coalface

  • Start with a short inventory: which devices and accounts matter most? Focus effort there first.
  • Make patching a named responsibility with a simple log — it’s the single most effective defence against common attacks.
  • Limit admin rights. Fewer admins equals fewer mistakes and fewer privileged accounts to secure.
  • Keep your evidence tidy but minimal: a dated screenshot or a signed note is often enough.
  • If someone else manages your IT, make sure both sides are clear on who is responsible for what — supplier gaps are common and expensive.

When to aim for Cyber Essentials Plus

If you handle payment data, firm client IP, or if larger customers require it, the Plus level makes sense. The extra testing picks up things a questionnaire can miss. It’s also useful when you want an objective, technical check to reassure an insurer or a nervous board.

FAQ

How long is the Cyber Essentials certificate valid for?

The certificate lasts 12 months. It’s designed that way because the threat landscape and software updates move fast — annual renewal keeps you honest and current.

Will Cyber Essentials prevent all cyber attacks?

No. It reduces the risk from common attacks by addressing basic hygiene. Think of it as locking the front door and installing a sensible alarm, not building a fortress. Higher-risk organisations will need additional controls.

Can I complete the process without an IT department?

Yes. Many small businesses use an external provider or a trusted adviser to help with the questionnaire and remediation. The important part is clear ownership — someone must be able to sign the declaration truthfully.

Does Cyber Essentials include data protection requirements?

It overlaps with good data protection practice but doesn’t replace GDPR responsibilities. You’ll still need to ensure lawful processing, appropriate retention and secure handling of personal data under Data Protection law.

Is Cyber Essentials recognised outside the UK?

It’s a UK government-backed scheme and is widely recognised by organisations dealing with UK supply chains. Some international partners understand its value, but other countries may prefer different standards.

Getting Cyber Essentials is largely about sensible routines and clear ownership. It won’t add glamorous features to your product, but it will save you time, reduce risk, and make procurement and insurance conversations easier. If you approach it practically, most businesses reach certification quickly and with minimal fuss — and enjoy fewer interruptions to the day job.

Ready for the benefits — less downtime, lower risk, and better credibility? Make a short plan this week: pick an owner, do a quick inventory, and schedule the questionnaire. That small investment buys time, money and calm down the line.