Cyber Essentials is the UK government-backed scheme that gives an SME a defensible baseline against the most common internet-borne attacks. It is also increasingly non-optional: more public-sector contracts, more enterprise procurement teams and more cyber-insurance policies expect to see the badge before they will sign. The good news is that the scheme is deliberately practical and the controls are things a well-run business should be doing anyway. The bad news is that the self-assessment questionnaire is unforgiving — vague answers fail.
The five controls, in plain English
- Firewalls and routers — every device that connects to the internet must sit behind a properly configured firewall, with the default admin password changed and unused services switched off.
- Secure configuration — devices and software ship with permissive defaults; you have to lock them down (no default accounts, no unused apps, auto-lock enabled, BitLocker on laptops).
- User access control — least privilege. Standard users do day-to-day work; separate admin accounts are used only when needed; multi-factor authentication on every cloud service.
- Malware protection — modern endpoint protection on every workstation and server (Microsoft Defender for Business, SentinelOne, CrowdStrike or similar), kept up to date.
- Security update management — operating systems, browsers and apps must be patched within 14 days of a high-severity update being released. No exceptions for the boss’s laptop.
The gotchas that fail first-time applicants
In our experience the same handful of issues sink most first attempts. Personally owned (BYOD) phones that access company email are in scope and must meet the controls — most people forget this. Unsupported operating systems anywhere in the estate (a Windows 10 PC after October 2025, an old Server 2012 box quietly running a line-of-business app) are an automatic fail. MFA must be enforced, not just available — a tenant where users can still log in without MFA does not pass. And the scope statement matters: applying for a narrow scope is fine, but everything inside that scope must comply.
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials is a self-assessed questionnaire verified by an external assessor. Cyber Essentials Plus is the same controls, but independently tested by an assessor who will run a vulnerability scan against a sample of your devices and your external infrastructure. Plus is what most serious procurement processes and insurers actually want. If you are aiming for Plus, do not book the test until your patching, endpoint and MFA picture is genuinely tidy — failures are expensive to re-test.
How we approach it with clients
We treat Cyber Essentials as a side-effect of doing good IT, not as a project in its own right. For managed-service clients we keep an evidence pack that maps each control to the relevant tooling — Microsoft 365 conditional access policies, Intune compliance, Defender posture, patch reports from our RMM — so when renewal comes around the answers are already documented. If you have an upcoming tender, a renewal deadline, or a cyber-insurance question asking whether you are Cyber Essentials certified, talk to us early; the lead time to fix the typical findings is a few weeks, not a few days.
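As an added illustration (not the evidence-pack tooling described above, nor anything from the scheme itself), the following Python script runs the first-time gotchas from the earlier section as a pre-assessment check over an exported device and cloud-service inventory. The inventory fields, the sample estate and the end-of-support dates are assumptions for the example; verify the dates against the vendor lifecycle pages before relying on them.

```python
"""Cyber Essentials pre-assessment check over a device/service inventory.

Added example, not the post's own tooling. It encodes the first-time failures
the post describes: unsupported operating systems, high-severity updates left
unpatched beyond 14 days, MFA available but not enforced on a cloud service,
and in-scope BYOD devices missing a secure-configuration control.
"""
from datetime import date, timedelta

# Assumed vendor end-of-support dates (check the vendor lifecycle pages).
END_OF_SUPPORT = {
    "Windows 10": date(2025, 10, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}
PATCH_WINDOW = timedelta(days=14)  # the scheme's limit for high-severity updates


def assess(estate, as_of):
    """Return (asset, finding) tuples; an empty list means nothing blocking was found."""
    findings = []
    for dev in estate["devices"]:
        if not dev.get("in_scope", True):
            continue  # a narrow scope is allowed; only in-scope assets must comply
        eos = END_OF_SUPPORT.get(dev["os"])
        if eos and as_of > eos:
            findings.append((dev["name"], f"unsupported OS {dev['os']} (support ended {eos})"))
        released = dev.get("oldest_unpatched_high_released")  # release date of oldest pending high-severity update
        if released and as_of - released > PATCH_WINDOW:
            findings.append((dev["name"], "high-severity update outstanding beyond 14 days"))
        if dev.get("byod") and not dev.get("auto_lock"):
            findings.append((dev["name"], "BYOD device accessing company data without auto-lock"))
    for svc in estate["cloud_services"]:
        if not svc.get("mfa_enforced"):
            findings.append((svc["name"], "MFA not enforced (merely available does not pass)"))
    return findings


# Constructed sample estate for a fictional SME; every value is illustrative.
SAMPLE_ESTATE = {
    "devices": [
        {"name": "LAPTOP-01", "os": "Windows 11", "oldest_unpatched_high_released": date(2025, 11, 1)},
        {"name": "PC-RECEPTION", "os": "Windows 10"},
        {"name": "SRV-LOB", "os": "Windows Server 2012 R2"},
        {"name": "phone-sam", "os": "iOS 18", "byod": True, "auto_lock": False},
        {"name": "LAB-TEST", "os": "Windows 10", "in_scope": False},
    ],
    "cloud_services": [{"name": "Microsoft 365", "mfa_enforced": False}],
}

if __name__ == "__main__":
    for asset, finding in assess(SAMPLE_ESTATE, date(2025, 12, 1)):
        print(f"{asset}: {finding}")
```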