Cyber Essentials is a UK government-backed certification that demonstrates basic cybersecurity controls. Most central government contracts handling personal data require it, NHS and MoD contracts typically require Cyber Essentials Plus, and certification takes 3–4 weeks at £300–£500 for standard or £1,500–£3,000 for Plus.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme that demonstrates your business has basic cybersecurity controls in place. It was launched by the UK government in 2014 and is now owned and operated by the National Cyber Security Centre (NCSC), which itself was formed in 2016. Its purpose is to give buyers, including the public sector, a simple, recognisable signal that a supplier has the baseline controls that stop the most common commodity attacks.
The scheme covers five technical control areas: firewalls, secure configuration, user access control, malware protection, and security update management (patching). None of it is technically complex. Most of what it asks for is what any well-run small business should already be doing, and the certificate is essentially proof that you are doing it.
For UK SMEs targeting government contracts, Cyber Essentials is one of the most commonly requested certifications. Plenty of tenders fail SMEs at PQQ stage purely because they do not hold it. Getting certified removes that blocker for the rest of the year — your certificate is valid for 12 months.
Cyber Essentials vs Cyber Essentials Plus
There are two tiers. Standard Cyber Essentials is a self-assessment questionnaire: you answer the questions about your own systems, a qualified assessor at an accredited certification body reviews the answers against the scheme's requirements, and if they meet them you receive your certificate. Nobody tests your systems at this tier, so the assurance rests on the accuracy of your answers. Cyber Essentials Plus starts from the same questionnaire but adds an independent technical audit, carried out by the certification body within three months of your standard pass, in which the assessor checks directly that the controls you declared are actually in place on your devices and internet-facing services.
Most central government contracts accept standard Cyber Essentials. NHS contracts and Ministry of Defence contracts typically require Cyber Essentials Plus. Local authority contracts vary — some accept the standard tier, others require Plus, especially anything involving personal data.
The practical advice: start with standard Cyber Essentials. If a specific tender requires Plus, upgrade then. Going straight to Plus without a clear reason adds cost and time you may not need.
Which government contracts require Cyber Essentials?
Since 2014, when the Cabinet Office issued Procurement Policy Note 09/14, all central government contracts that involve handling personal information or providing certain ICT products and services have required Cyber Essentials as a minimum. That covers a huge range of work, from cloud hosting to social care record systems to managed IT support.
NHS contracts almost always require it, with Cyber Essentials Plus typically required for anything touching patient data. Crown Commercial Service frameworks like G-Cloud and Digital Outcomes and Specialists make it mandatory for entry. Local authority contracts vary by buyer and contract value, but most digital and IT services tenders ask for it.
The honest answer is that requirements differ from buyer to buyer and tender to tender. Rather than guessing, ENKII checks each live tender you match against and tells you exactly which certifications it requires — including whether standard or Plus is needed.
How to get Cyber Essentials: step by step
Step 1: Choose your certification body
The Cyber Essentials scheme is delivered exclusively through IASME, NCSC's delivery partner for the scheme. You cannot issue your own certificate or buy one directly: you go through a certification body accredited by IASME. There are around 300 accredited certification bodies across the UK, ranging from large names like CyberSmart and Cyber Tec Security to smaller regional specialists. Not every certification body is licensed to carry out Cyber Essentials Plus audits, so if you expect to need Plus, confirm that before you sign up.
The certification body guides you through the process, reviews your answers, and issues your certificate. Prices and turnaround times vary, so it is worth getting two or three quotes. Many assessors offer first-time consultancy support if you want help completing the questionnaire.
ENKII recommends IASME-accredited assessors based on your postcode and business sector — local assessors who already work with similar SMEs in your area.
Step 2: Complete the self-assessment questionnaire
The questionnaire covers the five control areas: firewalls and routers, secure configuration of devices and software, user access control, malware protection, and security update management. For most small businesses with a fairly standard IT setup, working through it takes one to three working days.
Things that catch SMEs out: cloud services (Microsoft 365, Google Workspace, Xero and the like) are in scope and need to be listed, and the scheme requires multi-factor authentication on every cloud service account, not just administrator accounts. If staff use their own laptops or phones for work, those devices are in scope too: they must meet the same controls as company-owned devices (a supported operating system, security updates applied, a screen lock or PIN) and you need a written bring-your-own-device policy that says so. A policy on its own does not bring an unpatched personal laptop into compliance. If you use a managed service provider for IT, confirm in writing what they cover and what remains your responsibility, because the answers you submit are yours.
You submit through your assessor's online portal. They review your answers and either confirm you have passed or come back with questions. Most submissions go through cleanly if you have prepared properly.
Step 3: Get your certificate
Once your assessor approves your submission, you receive the certificate within a few days. It is valid for 12 months. Your business is added to the official IASME register, which buyers can search to verify your certification when you bid for contracts.
For Cyber Essentials Plus, after the questionnaire stage your assessor carries out an independent technical audit, which must be completed within three months of your standard pass. It typically combines an external vulnerability scan of your internet-facing services, an authenticated vulnerability and patch scan of a representative sample of your devices (often over a remote session), and hands-on tests of malware protection, such as checking that test files delivered as email attachments or downloaded in a browser are blocked. Anything the audit finds that would fail the scheme, for example a critical or high severity security update that has been available for more than 14 days and is still missing, must be fixed and retested before the Plus certificate is issued.
How much does Cyber Essentials cost?
For micro and small businesses, standard Cyber Essentials typically costs between £300 and £500 plus VAT. The exact price depends on your assessor and the size of your organisation. IASME runs a subsidised scheme for micro-businesses with fewer than 10 employees that brings the cost down to around £250 plus VAT.
Cyber Essentials Plus typically costs between £1,500 and £3,000 depending on organisation size, number of devices, and complexity of your setup. Some assessors bundle in consultancy support for first-time applicants — useful if you have never been through the process before but adds cost.
NCSC publishes the scheme's requirements document, Cyber Essentials: Requirements for IT Infrastructure, free on its website, and IASME offers a free online readiness tool that walks you through the question set before you commit to an assessor. Read both first so you can ask informed questions and avoid paying for consultancy you do not need.
How long does it take?
For standard Cyber Essentials, most well-prepared SMEs can achieve certification within three to four weeks from start to finish. The actual questionnaire takes one to three days of focused work. The rest of the time is back-and-forth with your assessor and any remediation needed before you can pass.
Cyber Essentials Plus typically adds another two to four weeks for the technical verification. If your assessor finds issues during the scan, you fix them and re-test, which can extend the timeline.
The most common reason certification takes longer than expected is unmanaged gaps, for example no process for applying security updates or unsupported software still in use. The scheme is specific here: critical and high severity security updates must be applied within 14 days of release, automatic updates should be turned on where the software supports them, and software that no longer receives security updates must be removed, or the device it runs on taken out of scope by cutting it off from the internet. Run through the question set against your own estate before you apply; if you find gaps, allow time to close them before starting the formal application.
How ENKII helps you get Cyber Essentials ready
ENKII shows you exactly which of your matched tenders require Cyber Essentials, estimates the readiness score increase you'd get from achieving it, and recommends IASME-accredited assessors local to your business.
Once you're certified, add it to your ENKII profile and your readiness score updates automatically — unlocking new tender matches you weren't eligible for before.
Frequently asked questions
Do I need Cyber Essentials for all government contracts?
No, but you need it for more than you might think. Any central government contract handling personal data requires it. NHS and MoD contracts usually require Plus. Local authority contracts vary. The fastest way to check is to look at the specific tenders you are targeting — ENKII flags the cert requirements per tender so you only chase certifications you actually need.
Can I apply for a government tender while my Cyber Essentials is pending?
Some buyers accept "working towards Cyber Essentials" at the expression of interest or PQQ stage, with the certificate required before contract award. Others require it from day one. Always check the specific tender wording. If you are mid-application when a relevant tender appears, do not delay bidding — note your expected certification date and apply.
How do I renew Cyber Essentials?
Cyber Essentials needs renewing every 12 months. The process is the same as the initial certification: questionnaire, review, certificate. The question set is revised periodically, so check the current requirements rather than reusing last year's answers unchanged. ENKII tracks your certification expiry dates and alerts you 60 days before renewal is due so you do not get caught out mid-tender.
Is Cyber Essentials enough for ISO 27001?
No — they are different schemes. Cyber Essentials covers the basics; ISO 27001 is a full information security management system standard, with formal policies, risk assessments, and ongoing internal audits. Most SMEs start with Cyber Essentials and add ISO 27001 later if larger contracts require it. Read our ISO 9001 guide for the related quality management standard most public sector contracts also ask for.
Where do I find Cyber Essentials assessors?
The full register of accredited certification bodies is on the IASME website. For sector-specific advice — for example, IT services suppliers bidding for NHS work — see our IT services sector guide which covers the typical cert stack public buyers expect.