Cyber Essentials is the most requested security certification in the UK, and the most misunderstood. Businesses put it off for months believing it demands a security team and a budget to match, then discover the real work was a fortnight of housekeeping. Others assume it is a formality, submit without preparing, and fail on something they could have fixed in an afternoon.
This guide explains what the scheme actually is, what the five controls require in plain English, where scope catches people out, and how to prepare properly. At the end there is a one-page cheat sheet you can download, print, and work through.
We write this as a licensed certification body: we assess these applications, so this is the preparation we wish every applicant did.
What Cyber Essentials is
Cyber Essentials is the UK government-backed certification scheme, overseen by the National Cyber Security Centre and delivered through IASME and its licensed certification bodies. It certifies that your organisation has five fundamental technical controls in place: the controls that stop the bulk of common, untargeted attacks.
It is deliberately not a full security framework. It does not audit your policies, your training, or your incident response. It answers one question: are the basics actually done? That narrowness is its strength. It is achievable for a two-person firm and meaningful for a two-hundred-person one.
There are two levels. Cyber Essentials is a verified self-assessment: you answer the question set, a board member or equivalent signs to confirm the answers are accurate, and a licensed assessor marks it. Cyber Essentials Plus adds independent technical verification: an assessor tests a sample of your systems, including vulnerability scans and malware protection checks, to confirm the declared controls actually hold.
Why bother? Certification is required for many government contracts and increasingly demanded in commercial supply chains, and certifying your whole organisation includes cyber liability insurance for UK organisations under £20 million turnover. But the honest answer is simpler: the five controls are the highest-value security work a small business can do, certificate or not.
One warning before the detail. The scheme moved to version 3.3 (“Danzell”) on 27 April 2026 and the bar rose: several gaps that were once survivable are now automatic failures. If you last looked at the requirements in 2024, look again.
The five controls in plain English
1. Firewalls
Every device and your internet connection must sit behind a correctly configured firewall. In practice: your router or firewall must not use its default password, must not expose management interfaces to the internet without good reason and protection, and software firewalls must be enabled on devices. This is mostly a checking exercise, not a buying one.
2. Secure configuration
Devices and software must be configured to reduce what an attacker can reach. Default passwords changed everywhere. Unused accounts removed. Unused software uninstalled. Auto-run disabled. Device locking enabled with a PIN or password. The theme is subtraction: every account, app and open service you do not need is attack surface you are carrying for nothing.
3. Security update management
All software must be licensed, supported, and updated: high-risk and critical security updates applied within 14 days of release, with automatic updates turned on where possible. Software the vendor no longer supports must be removed or moved out of scope. This is the control that matters more in 2026 than ever: as we noted in our half-year review, exploiting unpatched software has overtaken stolen passwords as the most common way attackers get in.
4. User access control
People should have the access their job needs and nothing more. Accounts must be individual, not shared. Administrator accounts must be separate from day-to-day accounts, and never used for email or browsing. Leavers’ accounts must be disabled promptly. Password rules apply (a minimum of 12 characters where a password is the only protection, or 8 with additional safeguards such as multi-factor authentication or throttling), and multi-factor authentication must be enabled on cloud services.
Under v3.3 Danzell, if any in-scope cloud service supports multi-factor authentication and it is not enabled for your users, the assessment fails automatically. Check every cloud service you use, including the ones only one person logs into, before you submit anything.
5. Malware protection
Every in-scope device needs a malware protection mechanism: anti-malware software kept up to date, or an approved application allow-list approach. On most modern estates this is largely built in; the failures come from devices nobody checked, not products nobody bought.
Scope: where good applications go wrong
More applications stumble on scope than on any single control. The rules that surprise people:
Home workers are in scope. Devices used by staff working from home count, wherever those devices are.
Personal devices are in scope if they touch organisation data. A personal phone that accesses work email is in scope for the controls that apply to it. “But it’s their own phone” is not an exemption.
Cloud services are in scope. Microsoft 365, Google Workspace, your accounting platform, your CRM: if your organisation’s data or services live there, the service is in scope and multi-factor authentication on it is your responsibility, not the provider’s.
Everything unsupported must go or be segregated. The old machine running an unsupported operating system in the corner of the workshop either gets removed, upgraded, or properly separated onto a sub-set network that is documented as out of scope. Pretending it is not there is the fastest route to a failed Plus audit.
Whole-organisation scope is the default and the strongest certificate. A narrower scope is possible but must be a genuinely segregated sub-set, and it weakens what the certificate says about you.
How to prepare: the cheat sheet
Work through this in the two to three weeks before you apply. None of it requires specialist tools; all of it requires someone to actually do it.
- Build the asset list first. Every laptop, desktop, phone and server, with operating system and version. Every cloud service the business uses, and be exhaustive here: the accounting platform, the CRM, the file storage, and the social media accounts everyone forgets are cloud services too. Every piece of network kit with an internet connection. You cannot answer the question set honestly without this, and building it usually surfaces the problems on its own.
- Kill anything unsupported. Check every operating system and application version against the vendor's support dates. Upgrade, remove, or properly segregate anything out of support.
- Turn on automatic updates everywhere, and verify the stragglers. Confirm nothing is more than 14 days behind on high-risk or critical security updates.
- Sweep your cloud services for multi-factor authentication. Every service, every user, no exceptions left over from "temporary fixes". Check for legacy sign-in methods that bypass it.
- Audit accounts. Disable leavers. Remove shared logins. Review who has access to what against what their job actually needs.
- Separate administrator accounts, everywhere. On every device and in every cloud service, administrator accounts must be separate from the accounts people work in day to day, used only for administrative tasks, and never for email or browsing. One person doing everything as an administrator is one phishing email away from an attacker doing the same.
- Change every default password on routers, firewalls, printers and anything else with a login. Confirm your router's management page is not reachable from the internet.
- Check device basics: screen lock with PIN or password on every device including phones, malware protection present and updating, auto-run disabled.
- Decide scope deliberately. Whole organisation unless you have a documented, segregated reason otherwise.
- Assign the signature. A board member or equivalent must sign the declaration. Brief them on what they are signing before assessment week, not during it.
Work through the list top to bottom and you will walk into the assessment knowing the answer to every question before it is asked. The asset list comes first for a reason: everything else on the list is checked against it.
For the mistakes that most commonly sink applications, including the ones that became automatic failures under Danzell, read our companion piece: why businesses fail Cyber Essentials.
What happens when you apply
With preparation done, the assessment itself is an anticlimax, which is exactly how it should be. You complete the question set, your board signatory confirms it, and a licensed assessor marks it. For Cyber Essentials Plus, an assessor then tests a sample of your systems within an agreed window. Certificates arrive with a verifiable digital badge you can show customers, insurers and tender panels the same day.
If you would rather not do the preparation alone, or you want a scoping call to confirm what is in scope before you spend anything, get in touch or read about our Cyber Essentials service. We will tell you plainly whether you would pass today, and if not, exactly what to fix first.