If you’re considering getting Cyber Essentials certified, you’re taking an important step towards fundamental cyber security preparedness. This UK government-backed scheme can help every size of organisation achieve a minimum standard of cyber security.
This comprehensive Cyber Essentials requirements guide comes from our Head of Security, Jake Ives, who regularly helps businesses achieve certification. Below, Jake gives an overview of the scheme and its requirements, answers some of the most frequently asked questions and talks about the latest 2025 updates.
What is Cyber Essentials?
Cyber Essentials is the UK government’s way of helping businesses protect themselves from hackers. Think of it as a cyber security MOT for your company.
It comes in two tiers. For basic Cyber Essentials, you fill out a detailed questionnaire about your security setup, and an assessor checks your answers. Cyber Essentials Plus includes everything from the basic level, plus hands-on technical testing where assessors actually scan and audit your systems to verify the controls are working in practice.
If you pass the Cyber Essentials requirements, you get a certificate that’s valid for a year. It’s become more or less essential for winning government contracts and shows clients you take cyber security seriously.
You can attempt the certification process yourself or get help from a provider such as Intersys, which offers a Cyber Essentials Assessment Service.
How effective is Cyber Essentials?
The scheme has a proven track record of enabling cyber resilience – organisations that have Cyber Essentials controls make 92% fewer insurance claims. It’s also a reliable supply chain tool that can bolster cyber security across entire supply chains and assure organisations of the cyber security standards of their suppliers.
While it doesn’t make an organisation bulletproof, it mandates a foundational level of security that every UK business should have in place to ensure that they are protected from common threats. Without the controls in place, a business is at risk from even the most basic of threats.
The Cyber Essentials framework is well known, trusted and, when completed in full and with accuracy, will improve your security posture and provide your customers with peace of mind.
How long does it take to complete Cyber Essentials?
It varies and depends if a foundational layer of security already exists and how well the IT estate is configured.
We’d recommend first logging what devices, software and cloud apps your business uses. Then, come to a Cyber Essentials assessment expert such as Intersys for an in-depth audit.
In our case, the combined knowledge of our infrastructure and security teams will put you in the best place to pass quickly. We can also explain everything to you in plain language and provide cost-effective, smart solutions.
How hard is it to get a Cyber Essentials certification?
The Cyber Essentials requirements in the framework are achievable for businesses of all sizes. However, an initial gap analysis engagement is always recommended to ensure you’re ready to take the assessment.
For example, if you can’t centrally manage your devices, or report on the status of those devices, you cannot guarantee the presence of important controls such as BitLocker or password policies – or verify if those controls are implemented in a consistent manner across devices. Also, if you don’t know your assets or can’t properly track your user accounts that exist across the systems in your IT estate, you’ll struggle to provide comprehensive answers. In these scenarios, achieving Cyber Essentials is going to be difficult and will require some work.
For non-technical users taking the assessment, knowing how and where to start is easier said than done. This is why I’d recommend involving an IT partner to help you prepare.
What are the components of Cyber Essentials?
There are five areas:
Firewalls: Firewalls block unauthorised access to and from private networks, but they’re only effective when firewall rules are correctly configured to control who can access your systems and where users can browse.
Secure configuration: Secure configuration involves setting up computers and network devices to reduce vulnerabilities and provide only necessary services, which prevents unauthorised actions and ensures devices reveal minimal information to potential attackers.
Security update management: Regular patching and updating of all software including third party software and applications is essential because once vulnerabilities are discovered and made public, threat actors can rapidly exploit them to gain unauthorised access.
User access control: Access control restricts system and data access on a “need-to-know” basis, which minimises the risk of information misuse and limits the damage an attacker can cause if they compromise a legitimate user account.
Malware protection: Anti-malware software or whitelisting defends against malicious software that can steal sensitive data, corrupt files or deploy ransomware, potentially saving organisations significant money and protecting their reputation from cyber attacks.
How can I know if I am ready to get assessed?
If you agree that the following statements are correct for your organisation, you could meet the Cyber Essentials requirements and consider taking an assessment.
- I have technical controls in place or manually update third-party software across all the devices in the organisation within 14 days. (Remember: third-party software updates are not rolled out in the updates provided by your operating system.)
- I am aware of all of the computers that exist in the business and know they all conform to a policy that ensures new updates are installed within 14 days. (You’ll need a mobile device management (MDM) solution such as InTune or Group Policy to be able to answer yes.)
- I can generate a report that tells me exactly what mobile devices connect to business email, and have the mechanism in place to prevent devices from being able to connect if they are not updated within 14 days of a new OS release. (This may be a yes if you mandate MDM enrolment, or roll out conditional access policies and application protection policies.)
- I know who installed firewalls, switches and other equipment in our IT estate and can confirm that the default login credentials were changed on devices, prior to the device being put into production.
- I know exactly what systems / ports are published to the internet and have business justification in place for each.
- I can confirm that multi-factor authentication (MFA) is enabled on all systems and cloud applications that support it.
- Users who operate on their device do so under a ‘standard / non admin’ context and cannot install software to their devices without providing a separate admin username and password.
How to prepare for Cyber Essentials?
The Cyber Essentials framework adapts to the current IT threat landscape and is therefore always changing. What’s important is to distinguish between written policies and actual technical controls.
It is true that some of the Cyber Essentials requirements can be satisfied by creating written policies. However, IT leads in an organisation need to ask themselves, ‘Do I really have the time to be going around to every machine every day to validate that updates are installing, users are not running as an administrator, and that Adobe Reader and other software is up to date?’ Technical controls are a must if an organisation wants to comply with the framework without requiring too much manual labour.
How do I apply for Cyber Essentials?
First, choose between basic Cyber Essentials or opt for both Basic & Plus. Once you have the basic certification, you may then take the Cyber Essentials Plus certification within three months of passing the basic. Then, find an IASME-approved certification body – or a cyber security provider working with an IASME-approved body – and register and pay. You then need to complete the online self-assessment questionnaire covering the five security controls.
The assessment takes about an hour if you come prepared. (You can download a free question set in advance from the IASME website to prepare answers before applying.) You receive results within three days and the certificate is valid for 12 months.
Why should I use a professional Cyber Essentials assessment service?
UK government statistics reveal that 44% of British enterprises struggle with fundamental and advanced technical competencies. These organisations don’t possess the assurance needed to execute the essential procedures outlined in the government-backed Cyber Essentials framework.
This matches up with our experience. Numerous companies abandon the Cyber Essentials application before completion. As a result, they exceed the three-month completion deadline – forcing them to restart the entire process or abandon their certification efforts entirely. Also, many organisations struggle to understand the technical expertise required to implement Cyber Essentials Plus assessors’ guidance. Their certification attempts subsequently stagnate.
While it may seem obvious, countless businesses also overlook renewal deadlines and forfeit their certification status. This is precisely why engaging our expert team to oversee the entire process through our Cyber Essentials evaluation service delivers genuine value.
We’ve helped many organisations prepare for and pass Cyber Essentials by providing thorough gap analysis and suggesting cutting-edge tools and mechanisms to achieve compliance without breaking the bank.
For organisations with a good foundational layer of security in place already, we typically recommend just a day of consultancy to have our security team assess your organisation. Further to this, we then help you fill out your questionnaire and answer any questions you have before submitting your answers.
What happens if I fail Cyber Essentials?
If an organisation does fail to meet Cyber Essentials’ requirements, you are allowed two working days to examine the feedback from an assessor, fix the identified issues, update your answers and resubmit your application without additional cost. If you fail the resubmission, you’ll need to start the entire process again with a new application and payment.
It’s always better to be prepared and not fail – Intersys helps organisations of all sizes get ready for the assessment by running a mock audit and suggesting ways to improve security and mitigate vulnerabilities.
I’ve worked with organisations that previously took the assessment and failed due to not having many of the controls in place. They subsequently reached out to us for assistance, and we conducted a one-day assessment to get them to a better place and ultimately pass.
Why do Cyber Essentials keep updating?
The Cyber Essentials framework keeps changing because it needs to accurately reflect the current cyber landscape. As new threats emerge, it’s important that organisations are prepared to deal with them. Sometimes threats become so prevalent that a framework will include it as a standard.
What is the Cyber Essentials 2025 Update?
For Cyber Essentials Basics
The changes are quite minor and most of the focus is on modernising the terminology and definitions. For example, the word ‘plugins’ is changing to ‘extensions’ for better accuracy.
References to home working have been changed to home and remote working, because working from home is more or less the same as working from a café, or airport, where you’re not going to be able to confirm if the router adheres to Cyber Essentials standards, just as you wouldn’t be able to confirm it for every employee’s home router either.
There is a new reference to passwordless authentication standards, as this has become more commonplace in the last 12 months. Passwordless authentication is a way of securely logging into your accounts without using a password. This technology uses other entry points such as passkeys, fingerprints or face scans. What this does potentially suggest is that one day the framework will favour this method over a password, and may introduce stronger complexity requirements on passwords.
The reference to patches fixes will change to ‘Vulnerability Fixes.’ Vulnerability fixes will also include ‘registry fixes, configuration changes and running scripts’ if the vendor of software is unable to provide official patches within the mandated 14-day period. This means that IT professionals need to spend more time on the lookout for emerging threats and remediations published by third parties, since the vendor themselves may not publish the remediation officially within the 14-day period. The rule is basically saying, ‘Fix it somehow within 14 days, even if the vendor hasn’t.’
For Cyber Essentials Plus
1. Evidence must be kept all year
Auditors now have to keep all their evidence and documentation for the full 12 months your certificate is valid, not just during the assessment. This means your questionnaire answers better be spot-on because there’s a permanent paper trail that could be reviewed at any time.
2. Partial scope gets stricter checking
If you’re only certifying part of your business (not the whole company), auditors must now verify that the excluded parts are properly isolated from the certified areas. They need to confirm your IT networks and systems are genuinely separated – no more taking your word for it.
3. One-size-fits-all approach
The assessment guidelines used to say procedures were “illustrative” (meaning flexible). That word’s gone. Now every business gets exactly the same rigorous assessment process whether you’re a two-person startup or a 200-person company – auditors can’t adapt or go easier on smaller businesses anymore.
Basically, Cyber Essentials Plus just got more thorough and less forgiving across the board.
Intersys is a cyber security provider with almost three decades in the industry and a track record helping organisations achieve Cyber Essentials Basic and Cyber Essentials Plus. As part of a comprehensive service, we can guide you all the way through your assessment, undertake any remedial action and handle document submission. See our Cyber Essentials Assessment Service page for more on our process and costs – or contact us now.