
What Cyber Essentials actually involves for a UK SME

By Aisha · 12 May 2026 · 7 min read

If a customer or supplier has just asked whether you’re Cyber Essentials certified, you’re not the first SME owner to be caught off guard by the question. Cyber Essentials is becoming a de facto baseline in UK procurement, and more small businesses are encountering it through pressure from larger customers than through proactive choice.

This article is a plain-language guide to what Cyber Essentials actually involves: what the scheme is, why SMEs pursue it, what the five technical controls cover, what the certification process looks like, and what to expect in time and cost. Written for the SME owner who runs a small business well, has heard of Cyber Essentials in passing, and now needs to understand it properly without wading through 80 pages of NCSC documentation.

No vendor pitch, no jargon dumps. Just what you need to know to make an informed decision.

What Cyber Essentials is

Cyber Essentials is a UK government-backed certification scheme. It was launched in 2014 and is now overseen by the National Cyber Security Centre (NCSC), with IASME operating the certifications as NCSC’s delivery partner. IASME accredits independent Certification Bodies who carry out the actual assessments.

The scheme has two levels.

Cyber Essentials is a self-assessment certification with an independently verified questionnaire. You complete the questionnaire, provide proof of your controls, and an assessor then reviews your answers. This is what most SMEs aim for.

Cyber Essentials Plus is everything in Cyber Essentials plus a hands-on technical audit. An assessor remotely tests your devices, checks your firewalls, and verifies your controls actually work. SMEs typically opt for Plus only when a specific customer demands it: central government tenders frequently require it, some NHS supplier work and defence supply chain contracts mandate it, and a handful of cyber insurance policies require Plus rather than standard for cover. Outside those contexts, the additional cost and rigour of Plus rarely make sense for a small business.

Why it matters

Three reasons SMEs typically pursue CE certification.

A customer requires it. This is the most common driver. Larger organisations like the government, NHS, and enterprise procurement teams increasingly ask SME suppliers to be CE certified as a condition of doing business. If you’re losing tenders or getting questioned about security in procurement, CE answers most of it.

You want to win larger work. Even when not explicitly required, CE certification on your supplier list moves you up the shortlist. It tells procurement teams that you are a serious operation.

You want to insure or reduce premiums. Many UK cyber insurance policies offer reduced premiums for CE-certified businesses or require certification for cover at all.

There’s a fourth reason that’s less talked about: it’s a forcing function. Going through CE makes you look at your own infrastructure properly, often for the first time. Most SMEs find one or two real issues during the readiness process. Outdated devices. Weak password policies. Missing software updates. Things that have been quietly creating risk for months.

What the assessment actually covers

Cyber Essentials checks five technical controls. None of them are exotic; all are foundational hygiene:

Boundary firewalls and internet gateways.

Are the connections between your network and the internet protected? Are firewalls configured to block by default and only allow what you need? Have administrator passwords on those firewalls been changed from defaults?

Secure configuration.

Are your computers, servers, and network devices configured with security in mind? This means turning off services you don’t need, enabling automatic updates, removing default accounts, and not running everyday work as an administrator.

User access control.

Who has admin rights on what? Most SMEs accidentally give too many people too much access. CE asks you to document who has admin privileges and ensure that they only have those privileges when they need them. Cloud services are expected to use multi-factor authentication.

Malware protection.

Do you have anti-malware in place on every device that accesses business data? This is the one most SMEs already have covered, but the question is whether it’s actually running and updating on every device, not just the office laptop.

Patch management.

Are your operating systems and applications up to date with the latest security patches? Are you running supported versions? CE specifically requires you to apply critical and high-severity patches within 14 days of release.

What’s not on this list: encryption certificates, intrusion detection, security information and event management (SIEM), 24/7 SOC monitoring. CE is the security floor, not the ceiling.
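The five control areas above translate into a fairly mechanical readiness check, which is what a Certification Body is effectively doing with your questionnaire answers. The script below is an added example written for this article; it is not the scheme's own tooling or anything Cyphral or IASME publishes. It runs the five control questions over a small hand-built inventory (constructed for the example, not real devices or accounts) and reports the gaps. The 14-day window for critical and high patches is the scheme rule described above; the inventory format, the device and patch names, and the "more than half of users are admins" threshold are assumptions chosen for illustration.

```python
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14   # scheme rule: critical/high patches applied within 14 days of release
MAX_ADMIN_SHARE = 0.5    # assumption for this example: flag when over half of users hold admin rights
AS_OF = date(2026, 5, 12)  # constructed "today" for the check

# Constructed sample inventory (not real data). In practice these fields would come
# from your asset register, RMM tool or cloud admin console.
INVENTORY = {
    "devices": [
        {"name": "office-fw", "kind": "firewall", "default_creds_changed": False,
         "inbound_default": "deny", "pending_patches": []},
        {"name": "laptop-01", "kind": "laptop", "supported": True, "auto_update": True,
         "anti_malware_active": True,
         "pending_patches": [{"id": "KB-EXAMPLE-1", "severity": "critical",
                              "released": date(2026, 4, 20)}]},
        {"name": "laptop-02", "kind": "laptop", "supported": False, "auto_update": False,
         "anti_malware_active": False, "pending_patches": []},
        {"name": "nas-01", "kind": "server", "supported": True, "auto_update": True,
         "anti_malware_active": True,
         "pending_patches": [{"id": "PATCH-EXAMPLE-2", "severity": "low",
                              "released": date(2026, 3, 1)}]},
    ],
    "users": [
        {"name": "alice", "admin_on": ["laptop-01", "nas-01"]},
        {"name": "bob", "admin_on": ["laptop-02"]},
        {"name": "carol", "admin_on": []},
    ],
    "cloud_services": [
        {"name": "mail", "mfa_enforced": True},
        {"name": "crm", "mfa_enforced": False},
    ],
}


def check_firewalls(inv):
    """Boundary firewalls: default credentials changed, inbound blocked by default."""
    findings = []
    for d in inv["devices"]:
        if d["kind"] != "firewall":
            continue
        if not d["default_creds_changed"]:
            findings.append(f"{d['name']}: administrator password still at factory default")
        if d["inbound_default"] != "deny":
            findings.append(f"{d['name']}: inbound traffic not blocked by default")
    return findings


def check_secure_configuration(inv):
    """Secure configuration: supported versions only, automatic updates on."""
    findings = []
    for d in inv["devices"]:
        if d["kind"] == "firewall":
            continue
        if not d["supported"]:
            findings.append(f"{d['name']}: running an unsupported OS or version")
        if not d["auto_update"]:
            findings.append(f"{d['name']}: automatic updates disabled")
    return findings


def check_user_access(inv):
    """User access control: admin rights kept to a minimum, MFA on cloud services."""
    findings = []
    admins = [u for u in inv["users"] if u["admin_on"]]
    if len(admins) / len(inv["users"]) > MAX_ADMIN_SHARE:
        findings.append(f"{len(admins)} of {len(inv['users'])} users hold admin rights")
    for s in inv["cloud_services"]:
        if not s["mfa_enforced"]:
            findings.append(f"cloud service {s['name']}: MFA not enforced")
    return findings


def check_malware_protection(inv):
    """Malware protection: anti-malware running on every endpoint, not just some."""
    return [f"{d['name']}: anti-malware not running"
            for d in inv["devices"]
            if d["kind"] != "firewall" and not d["anti_malware_active"]]


def check_patching(inv, today):
    """Patch management: critical/high patches older than the 14-day window."""
    findings = []
    window = timedelta(days=PATCH_WINDOW_DAYS)
    for d in inv["devices"]:
        for p in d["pending_patches"]:
            age = today - p["released"]
            if p["severity"] in ("critical", "high") and age > window:
                overdue = age.days - PATCH_WINDOW_DAYS
                findings.append(f"{d['name']}: {p['id']} ({p['severity']}) is "
                                f"{overdue} days past the {PATCH_WINDOW_DAYS}-day window")
    return findings


def run_readiness_check(inv, today):
    """Map each control area to its list of findings; an empty list means no gap found."""
    return {
        "Boundary firewalls": check_firewalls(inv),
        "Secure configuration": check_secure_configuration(inv),
        "User access control": check_user_access(inv),
        "Malware protection": check_malware_protection(inv),
        "Patch management": check_patching(inv, today),
    }


if __name__ == "__main__":
    for control, findings in run_readiness_check(INVENTORY, AS_OF).items():
        print(f"{control}: {'no gaps found' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run against the sample inventory, the report surfaces exactly the kind of issues the readiness stage tends to turn up: a firewall still on its factory admin password, one laptop that is unsupported, not updating and unprotected, a critical patch eight days past its deadline, two of three staff with admin rights, and one cloud service without MFA. The low-severity patch on the NAS is deliberately not flagged, because the 14-day rule applies to critical and high patches.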

What the process looks like

The typical sequence for an SME going through Cyber Essentials for the first time:

  • Choose a Certification Body. There are many IASME-accredited Certification Bodies in the UK; pricing and turnaround vary. The certification fee itself is currently £320+VAT for micro businesses (under 10 employees and under £632k turnover).

  • Complete the IASME Question Set. A structured questionnaire covering the five control areas. Honest answers are essential; the assessor then verifies them.

  • Submit and wait for assessment. The assessor reviews your answers, may ask follow-up questions, and either certifies you or comes back with required remediation.

  • Certification or remediation. If you pass, you receive your CE certificate, valid for 12 months. If you fail on specific areas, you have a window to remediate and resubmit.

The whole process, including preparation, typically takes two to four weeks for an SME that’s reasonably organised.

How we help

To be direct: most SMEs don’t need a big consultancy contract for CE. They need someone who knows the requirements to walk through their setup, identify the gaps, fix them, and prepare a clean submission.

That’s what we do at Cyphral. Two-week intensive preparation: we scope your environment, analyse where you’re already compliant and where you’re not, guide you through any remediation, and prepare your submission. The IASME assessment fee is paid separately to the certification body; we don’t charge for it.

If a customer just asked you about CE, the right next step isn’t to panic. It’s to start the readiness work and aim for certification within the next month. Cyber Essentials isn’t actually difficult; it’s just specific. And once it’s in place, your security floor is meaningfully higher than most UK SMEs operating without it.