> certify --standard=CE --level=plus --pass=first-time
The UK Government's baseline security certification, handled end-to-end. We guide you through the process, handle the audit, and get you certified — with minimal disruption to your day.
Cyber Essentials is a UK Government-backed certification scheme designed to help organisations protect themselves against the most common cyber attacks. It was developed by the National Cyber Security Centre (NCSC) and is administered by the IASME Consortium.
The scheme focuses on five key technical controls that, when implemented correctly, can prevent around 80% of cyber attacks. It's not about perfection — it's about getting the fundamentals right.
Cyber Essentials certification is mandatory for all UK Government contracts involving the handling of sensitive or personal data. It's also increasingly required by large enterprises as a minimum supplier standard. Beyond compliance, it demonstrates to customers, partners, and insurers that you take security seriously.
The scheme offers two levels of certification. Both assess the same five controls — the difference is how the assessment is conducted.
| | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment type | Self-assessment questionnaire, verified by a qualified assessor | Hands-on technical audit conducted by a qualified assessor on your systems |
| What's tested | Your answers about your policies, configurations, and processes | Your actual systems — vulnerability scanning, configuration checks, and simulated attack scenarios |
| Assurance level | Good baseline. Demonstrates intent and awareness. | Higher assurance. Independently verified by technical testing. |
| Typical timeline | 1–2 weeks (with our guidance) | 2–4 weeks (including testing and any remediation) |
| Renewal | Annual | Annual (CE must be current before CE+ can be awarded) |
| Government contracts | Meets the minimum requirement for most contracts | Required for contracts with higher risk profiles or data sensitivity |
Not sure which level you need? Most organisations start with Cyber Essentials and progress to Plus. We'll advise based on your contracts, industry, and risk profile.
Cyber Essentials assesses your organisation against five technical security controls. Here's what each one covers and what we'll be looking for.
Whether you're going for CE or CE+, our process is designed to get you certified first time with minimal disruption.
We review your current security posture against the five controls. You'll receive a clear report showing what's already compliant, what needs work, and exactly how to fix it. No jargon, no ambiguity.
If gaps are found, we provide actionable, step-by-step remediation guidance. Need hands-on help? We can assist with configuration changes, policy drafting, and technical fixes to get you compliant quickly.
For CE: we guide you through the self-assessment questionnaire, reviewing every answer to ensure accuracy and completeness. For CE+: we conduct the hands-on technical audit ourselves, testing your systems against the standard.
Pass — and you receive your official Cyber Essentials certificate and badge, valid for 12 months. You'll be listed on the NCSC's certified organisations database and can display the badge on your website and marketing materials.
Certification is annual. We make renewal as painless as the first time — we'll remind you when it's due, handle the re-assessment, and ensure continued compliance as the standard evolves.
| Scenario | Recommendation |
|---|---|
| You bid on UK Government contracts | Required. Mandatory for contracts involving sensitive or personal data since 2014. |
| You're in a supply chain for a large enterprise | Increasingly required. Many enterprises now mandate CE or CE+ for all suppliers. |
| You handle personal data (GDPR) | Strongly recommended. Demonstrates "appropriate technical measures" under Article 32 of UK GDPR. |
| You want to reduce cyber insurance premiums | Beneficial. Many insurers offer reduced premiums or better terms for CE-certified organisations. |
| You want to win customer trust | Valuable. A recognised badge that demonstrates baseline security maturity to clients and partners. |
| You're a micro-business or sole trader | Yes, you too. The scheme is designed to be accessible to organisations of all sizes. Small doesn't mean safe. |
The IASME assessment fee depends on your organisation's size. Our consultancy fee is quoted on top based on the complexity of your environment and the level of support you need. We'll give you a clear, fixed-price quote after the initial scoping call — no surprises.
Our gap analysis is designed to prevent this. We identify and resolve all issues before the formal assessment begins. In the unlikely event that something is flagged during the assessment, we provide immediate remediation support and the assessor will allow a reasonable window to address it.
Yes. CE+ builds upon CE. You must hold a current Cyber Essentials certificate before the CE+ technical audit can take place. We can bundle both into a single engagement to streamline the process.
All user devices (desktops, laptops, tablets, phones), servers, cloud services, firewalls, and routers that access or process your business data. We help you define the scope boundary clearly during the gap analysis — this is often the area where organisations get confused, and it's where our experience adds the most value.
Absolutely. We offer ongoing advisory support to help you maintain the five controls year-round — not just at audit time. This includes guidance on new devices, software changes, and evolving standard requirements.
Whether you're starting from scratch or renewing an existing certificate, we'll get you across the line. Free scoping call, fixed-price quote, first-time pass.