> series: cyber_essentials_demystified —— part: 01/10 —— scheme_version: danzell_v3.3 —— status: essential_reading
Cyber Essentials is the UK Government's cyber security certification scheme, backed by the National Cyber Security Centre (NCSC) and administered by IASME. It defines five technical controls that, when implemented correctly, protect organisations against the most common internet-based attacks. Certification proves to clients, regulators, insurers, and supply chain partners that your organisation meets a recognised baseline of security — and in an increasingly hostile threat landscape, that proof is becoming a prerequisite rather than a differentiator.
This is the first article in a ten-part series that takes you through every aspect of Cyber Essentials — from the five controls and what they require, through the differences between CE and CE Plus, to the new Danzell question set taking effect on 27 April 2026 and what it means for your certification. Written for business owners, not engineers. Practical, not theoretical.
Prepare for your Cyber Essentials certification with our practical checklist covering all five technical controls.
The overwhelming majority of successful cyberattacks against UK businesses exploit basic, preventable weaknesses — unpatched software, default passwords, missing firewalls, and the absence of multi-factor authentication. These are not sophisticated zero-day exploits or nation-state operations. They are commodity attacks, executed at scale by automated tools, against organisations that have not implemented fundamental security controls.
Cyber Essentials exists to address this. It defines five technical controls that, taken together, defend against approximately 80% of common cyber threats. The scheme was launched in 2014 by the UK Government and has been updated annually to reflect the evolving threat landscape. The latest version — Danzell, replacing the previous Willow question set — takes effect for all new assessments created after 27 April 2026 under version 3.3 of the NCSC Requirements for IT Infrastructure.
According to the Department for Science, Innovation and Technology (DSIT), businesses with Cyber Essentials certification file 92% fewer insurance claims than those without. Yet only 3% of UK businesses currently hold certification. The UK Government's Lock the Door campaign, launched in February 2026, is built entirely around the five Cyber Essentials protections. The gap between recognition and adoption represents both a risk and an opportunity.
Cyber Essentials is built around five technical controls. Each control addresses a specific category of threat, and together they create a layered defence that protects your organisation against the most common attack vectors. We will cover each control in depth in Parts 3 through 7 of this series — but here is the overview.
The scheme operates at two levels. Both certify against the same five controls, but the method of assessment differs significantly — and so does the level of assurance they provide.
| Level | Assessment Method | Assurance Level |
|---|---|---|
| Cyber Essentials (CE) | A verified self-assessment questionnaire (VSA). You answer questions about your security controls, and a qualified assessor reviews your answers for accuracy and completeness. No hands-on technical testing is conducted. | Confirms that you have declared that the right controls are in place. Based on trust — the assessor verifies your assertions but does not independently test your systems. |
| Cyber Essentials Plus (CE+) | Everything in CE, plus an independent technical audit conducted by a qualified assessor. The assessor tests your systems directly — vulnerability scanning, configuration checking, and verification that the controls you declared in the self-assessment are actually implemented and effective. | Confirms that the controls are genuinely in place and working. The assessor independently verifies your security posture through hands-on testing. Provides significantly higher assurance than CE alone. |
We cover the differences between CE and CE Plus in detail in Part 9 of this series, including which level is right for your organisation and what the Plus assessment actually involves. For now, the key point is that CE is a starting point and CE Plus is the standard that provides real assurance — both to you and to anyone who relies on your certification.
Cyber Essentials was originally a voluntary scheme. It is rapidly becoming a de facto requirement for any UK business that wants to compete for contracts, satisfy regulators, or obtain affordable cyber insurance.
| Driver | Detail |
|---|---|
| Government contracts | Cyber Essentials certification has been mandatory for UK Government contracts involving the handling of certain sensitive and personal information since 2014. Many local authorities and public sector bodies extend this requirement to all suppliers regardless of contract value. |
| Supply chain requirements | Large enterprises and regulated organisations increasingly require Cyber Essentials (often CE Plus) from their suppliers as a condition of doing business. If you are in the supply chain of a financial services firm, defence contractor, or NHS trust, you will almost certainly be asked for evidence of certification. |
| Cyber insurance | Insurers recognise Cyber Essentials as evidence of baseline security hygiene. Certified organisations file 92% fewer claims, and many insurers offer reduced premiums or preferential terms for certified businesses. Some policies now require certification as a condition of cover. |
| Regulatory expectations | While GDPR does not name Cyber Essentials specifically, the ICO considers it a relevant indicator of whether an organisation has implemented 'appropriate technical measures'. The Cyber Security and Resilience Bill, currently progressing through Parliament, is expected to strengthen the role of Cyber Essentials in the UK's regulatory landscape further. |
| Competitive advantage | With only 3% of UK businesses currently certified, holding Cyber Essentials — particularly CE Plus — is a genuine differentiator in competitive tenders. It tells prospective clients that you take security seriously and have evidence to prove it. |
On 27 April 2026, the Cyber Essentials scheme introduces the Danzell question set, replacing the previous Willow version. This is version 3.3 of the NCSC Requirements for IT Infrastructure, and while the five core controls remain unchanged, the assessment criteria have been significantly tightened in three critical areas.
We cover the Danzell changes in comprehensive detail in Part 8 of this series. If your renewal falls after 27 April 2026, that article is essential reading.
| Misconception | Reality |
|---|---|
| 'We are too small for Cyber Essentials.' | Cyber Essentials is designed for organisations of all sizes — from sole traders to multinational corporations. The controls are proportionate and scalable. Small businesses benefit disproportionately because they are disproportionately targeted by automated attacks. |
| 'We already have antivirus — is that not enough?' | Antivirus is one component of one control (malware protection). Cyber Essentials covers five controls including firewalls, access management, patching, and secure configuration. Antivirus alone addresses a fraction of the threat landscape. |
| 'Cyber Essentials is the same as a penetration test.' | No. Cyber Essentials certifies that baseline controls are in place. A penetration test actively attempts to exploit your systems to find vulnerabilities. They are complementary — Cyber Essentials is the foundation; penetration testing is the stress test. We offer both. |
| 'Once certified, we are secure.' | Certification confirms baseline security at the point of assessment. Security is ongoing — threats evolve, configurations drift, and new vulnerabilities are disclosed daily. Cyber Essentials is the starting line, not the finish line. Continuous monitoring through a service like SOC in a Box provides the ongoing protection that sits above certification. |
| 'Certification is a one-off exercise.' | Certification is annual. You must renew each year with a fresh assessment. Under Danzell, the director declaration now includes a formal commitment to maintain Cyber Essentials controls throughout the certification period — not just at assessment time. |
Over the next nine weeks, we will work through every aspect of Cyber Essentials that a business owner needs to understand — from each of the five technical controls in depth, through the critical Danzell changes taking effect in April 2026, to the practical differences between CE and CE Plus and a step-by-step action plan for getting certified.
Next week, in Part 2, we provide an overview of all five technical controls — what each one requires, why it matters, and how they work together as a layered defence. This sets the foundation for the deep dives in Parts 3 through 7.
Whether you need Cyber Essentials, Cyber Essentials Plus, or our [Concierge service](/cyber-essentials/concierge) that handles the entire process for you, we make certification straightforward. For organisations that want ongoing protection beyond certification, our sister service [SOC in a Box](https://www.socinabox.co.uk) provides 24/7 managed security monitoring from £335 per month — with Cyber Essentials certification support built in.