NCSC GOVERNMENT-BACKED SCHEME

Cyber Essentials certification: the 5 controls and the certification path.

Cyber Essentials is the UK government's baseline cyber-security certification, backed by the National Cyber Security Centre (NCSC) and delivered by IASME. This guide explains the five technical controls, the difference between Cyber Essentials and Cyber Essentials Plus, what certification costs, and how to get certified — and stay certified — without the annual fire drill.

Aligned to the IASME Cyber Essentials requirements (Montpellier question set, 2025).

The short answer

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme that demonstrates an organisation has the five fundamental technical controls in place to defend against the most common internet-based cyber attacks. It was launched by the government in 2014, is owned by the NCSC, and is administered through a single delivery partner, IASME, and its network of accredited Certification Bodies.

The scheme is deliberately pragmatic. The NCSC estimates that the controls it mandates would stop the overwhelming majority of routine, untargeted attacks — phishing payloads, credential stuffing, and the opportunistic exploitation of unpatched software. It is not a substitute for ISO 27001 or a full information security management system, but it is the recognised UK floor: many central-government contracts that handle sensitive or personal information now require suppliers to hold Cyber Essentials, and a growing number of private-sector buyers and cyber-insurers ask for it before they will sign.

There are two levels. Cyber Essentials is a verified self-assessment. Cyber Essentials Plus adds an independent, hands-on technical audit. Both certify the same five controls; Plus simply proves they are genuinely working.

The framework

The five Cyber Essentials controls.

Every Cyber Essentials assessment — at both levels — is built around these five control areas. They apply to all in-scope devices: desktops, laptops, servers, tablets, phones, firewalls and cloud services that hold or handle your organisation's data.

01

Firewalls

Every device that connects to the internet must sit behind a correctly configured firewall — a boundary firewall at the network edge or a host-based firewall on the device itself. Default administrative passwords must be changed, unauthenticated inbound connections blocked by default, and any open ports documented with a business justification.

02

Secure configuration

Computers and network devices ship with insecure defaults. You must remove or disable unnecessary software, accounts and services, change default passwords, and disable auto-run features. Where a password unlocks access to data, you need either multi-factor authentication or a minimum password policy that resists brute-force attacks.

03

User access control

Accounts must be assigned to named individuals, granted on the principle of least privilege, and removed promptly when someone leaves. Administrative accounts are used only for administrative tasks — never for day-to-day email and browsing — and special-access privileges are reviewed and documented.

04

Malware protection

You must defend against malware using at least one of three approaches: anti-malware software that is kept current, application allow-listing so only approved software can run, or sandboxing. The chosen mechanism must cover every in-scope device, including laptops, servers and mobile devices that access organisational data.

05

Security update management

All software must be licensed, supported, and patched. High-risk and critical security updates must be applied within 14 days of release. Software that is no longer supported by the vendor — past its end-of-life date — must be removed from scope or segregated, because unpatched legacy systems are the most common route to a breach.
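The five requirements above reduce to checks that can be run over an asset inventory, which is what a continuous-evidence approach does instead of an annual scramble. The Python below is an added example and is not code from NCSC, IASME or Matproof: the inventory records, the field names and the 7-day signature-age threshold for "kept current" are constructed assumptions, while the 14-day window for critical and high-risk updates comes from the control text itself.

```python
"""Readiness check of a constructed device inventory against the five
Cyber Essentials control areas (added example; field names and records
are assumptions, not an IASME question set or any product's data model)."""
from datetime import date, timedelta

CONTROLS = ("firewalls", "secure configuration", "user access control",
            "malware protection", "security update management")

PATCH_SLA = timedelta(days=14)         # stated requirement: 14 days from release
SIGNATURE_MAX_AGE = timedelta(days=7)  # assumed threshold for "kept current"
TODAY = date(2025, 6, 2)               # fixed reference date for reproducibility

# Constructed inventory: one record per in-scope device (sample data only).
INVENTORY = [
    {
        "name": "laptop-01", "os_supported": True,
        "firewall_enabled": True, "default_password_changed": True,
        "mfa": True, "password_policy_enforced": True,
        "admin_account_separate": True,
        "malware_protection": {"mechanism": "anti-malware",
                               "signatures_updated": date(2025, 6, 1)},
        # critical update released 8 days ago: still inside the 14-day window
        "pending_updates": [
            {"id": "UPDATE-EXAMPLE-0", "severity": "critical",
             "released": date(2025, 5, 25)},
        ],
    },
    {
        "name": "fileserver", "os_supported": False,   # end-of-life OS
        "firewall_enabled": True, "default_password_changed": False,
        "mfa": False, "password_policy_enforced": False,
        "admin_account_separate": False,
        "malware_protection": {"mechanism": "anti-malware",
                               "signatures_updated": date(2025, 5, 1)},
        "pending_updates": [
            {"id": "UPDATE-EXAMPLE-1", "severity": "critical",
             "released": date(2025, 5, 10)},   # 23 days old: breaches SLA
            {"id": "UPDATE-EXAMPLE-2", "severity": "low",
             "released": date(2025, 5, 10)},   # not in scope of the 14-day rule
        ],
    },
]


def check_device(dev, today):
    """Return a list of (control, finding) tuples for one device."""
    findings = []
    # 01 Firewalls: every internet-connected device sits behind a firewall.
    if not dev["firewall_enabled"]:
        findings.append(("firewalls", "no boundary or host firewall"))
    # 02 Secure configuration: defaults changed; MFA or a password policy.
    if not dev["default_password_changed"]:
        findings.append(("secure configuration", "default password still in use"))
    if not (dev["mfa"] or dev["password_policy_enforced"]):
        findings.append(("secure configuration",
                         "neither MFA nor a password policy protects access"))
    # 03 User access control: admin rights only on a dedicated account.
    if not dev["admin_account_separate"]:
        findings.append(("user access control",
                         "admin account used for day-to-day work"))
    # 04 Malware protection: one of three mechanisms, and kept current.
    mp = dev["malware_protection"]
    if mp["mechanism"] not in ("anti-malware", "allow-listing", "sandboxing"):
        findings.append(("malware protection", "no approved malware protection"))
    elif (mp["mechanism"] == "anti-malware"
          and today - mp["signatures_updated"] > SIGNATURE_MAX_AGE):
        findings.append(("malware protection", "anti-malware signatures are stale"))
    # 05 Security update management: supported OS, critical/high patched in 14 days.
    if not dev["os_supported"]:
        findings.append(("security update management",
                         "operating system no longer vendor-supported"))
    for upd in dev["pending_updates"]:
        if (upd["severity"] in ("critical", "high")
                and today - upd["released"] > PATCH_SLA):
            findings.append(("security update management",
                             f"{upd['id']} outstanding beyond the 14-day window"))
    return findings


def assess(inventory, today):
    """Map each device name to its list of findings."""
    return {dev["name"]: check_device(dev, today) for dev in inventory}


def failed_controls(report):
    """Set of control areas with at least one finding anywhere in the estate."""
    return {control for findings in report.values() for control, _ in findings}


if __name__ == "__main__":
    report = assess(INVENTORY, TODAY)
    for name, findings in report.items():
        print(f"{name}: {'compliant' if not findings else ''}")
        for control, finding in findings:
            print(f"  [{control}] {finding}")
    print("controls not yet met:", sorted(failed_controls(report)))
```

Run against the constructed data, the laptop produces no findings (its critical update is still inside the window) and the file server fails four of the five control areas; a live version of this check would read the same fields from endpoint management, identity and patching tools rather than from an inline list.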

Choosing a level

Cyber Essentials vs Cyber Essentials Plus.

|                     | Cyber Essentials                         | Cyber Essentials Plus                                            |
|---------------------|------------------------------------------|------------------------------------------------------------------|
| How it's assessed   | Verified self-assessment questionnaire   | Self-assessment plus independent technical audit                 |
| Evidence required   | Your own attested answers                | Vulnerability scans and a sampled device test by an assessor     |
| Typical timeline    | Days, once controls are in place         | 2–4 weeks (audit must follow within 3 months of CE)              |
| Assurance level     | Self-declared                            | Independently verified                                           |
| Validity            | 12 months                                | 12 months                                                        |

You must hold a valid Cyber Essentials certificate before you can be assessed for Plus, and the Plus audit must take place within three months of it. Many buyers and government frameworks now specify Plus rather than the base level. We cover the audit, cost and timeline in depth on our dedicated Cyber Essentials Plus page.

Getting certified

The certification path and what it costs.

The route to certification is the same regardless of your size — only the effort behind each step changes.

01

Define your scope

Decide what your certification covers — the whole organisation or a defined sub-set (a business unit, a site, a network segment). The scope must be a meaningful boundary; you cannot exclude internet-connected devices simply to pass.

02

Self-assess against the five controls

Work through the IASME self-assessment questionnaire, answering honestly across firewalls, secure configuration, user access control, malware protection and security update management.

03

Close the gaps

Remediate every control that isn't yet met — enable MFA, remove unsupported software, tighten admin accounts, deploy patching SLAs. This is where most of the real work sits.

04

Submit and get verified

Submit your questionnaire to an IASME-accredited Certification Body. A qualified assessor marks it. For Cyber Essentials Plus, a technical auditor then independently verifies your controls with vulnerability scans and a sample of devices.

05

Recertify annually

Certification lasts 12 months. Threats and your estate change, so you reassess and recertify every year — which is why a living evidence system beats a once-a-year scramble.

What does Cyber Essentials cost?

Base Cyber Essentials certification is priced on organisation size, starting at around £320 + VAT for a micro organisation (up to 9 staff) and rising for larger headcounts. Cyber Essentials Plus is quoted separately by your Certification Body and depends on the size and complexity of your estate — expect a few thousand pounds for the technical audit. These are the certification fees only; the larger cost is the internal effort to get the five controls genuinely in place and keep them there.

How Matproof helps

Pass Cyber Essentials — and keep passing it.

The hard part of Cyber Essentials isn't the questionnaire — it's proving, every year, that your firewalls, patching, admin accounts and malware protection are still configured correctly across a changing estate. Matproof turns that from an annual scramble into a continuous, evidenced process.

  • A control library mapped directly to the five Cyber Essentials control areas and their underlying requirements.
  • Automated evidence from 100+ tools — endpoints, identity providers, firewalls and cloud accounts — so patch status and MFA coverage are pulled live, not screenshotted.
  • Continuous monitoring that flags an unsupported OS, a missed critical patch, or a stray local-admin account before your assessor does.
  • Audit-ready packs you can hand to your IASME Certification Body for both Cyber Essentials and the Plus technical audit.
  • One platform that also covers ISO 27001, GDPR and DORA — so Cyber Essentials becomes a baseline inside a wider GRC programme rather than a standalone effort.

Frequently asked questions about Cyber Essentials.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme, owned by the National Cyber Security Centre (NCSC) and delivered by IASME, that shows an organisation has five fundamental technical controls in place: firewalls, secure configuration, user access control, malware protection and security update management. It is designed to stop the most common internet-based cyber attacks and is increasingly required to win government and supply-chain contracts.

What are the five Cyber Essentials controls?

The five control areas are: (1) Firewalls — every device behind a correctly configured boundary or host firewall; (2) Secure configuration — remove insecure defaults, unused accounts and software; (3) User access control — least-privilege accounts, separate admin accounts, prompt removal of leavers; (4) Malware protection — anti-malware, application allow-listing or sandboxing on every device; (5) Security update management — licensed, supported software with critical and high-risk patches applied within 14 days.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both certify the same five controls. Cyber Essentials is a verified self-assessment — you complete the IASME questionnaire and a qualified assessor marks it. Cyber Essentials Plus adds an independent, hands-on technical audit: an assessor runs vulnerability scans and tests a sample of your devices to confirm the controls genuinely work. You must hold a valid Cyber Essentials certificate first, and the Plus audit must take place within three months of it.

How much does Cyber Essentials cost?

Base Cyber Essentials certification is priced by organisation size, starting at around £320 + VAT for a micro organisation (up to 9 staff) and rising for larger headcounts. Cyber Essentials Plus is quoted separately by your Certification Body based on the size and complexity of your IT estate, typically running to a few thousand pounds for the technical audit. The certification fee is only part of the cost — the larger investment is putting the five controls in place and maintaining them.

How long does Cyber Essentials certification last?

A Cyber Essentials or Cyber Essentials Plus certificate is valid for 12 months. Because your IT estate and the threat landscape both change, you must reassess and recertify annually. Maintaining live evidence of your controls throughout the year — rather than reconstructing it before each assessment — makes recertification far less painful.

Is Cyber Essentials a legal requirement?

Cyber Essentials is not a general legal requirement, but it is mandatory for many UK central-government contracts that involve handling sensitive or personal information, and it is increasingly demanded by private-sector buyers and cyber-insurers. It also provides a credible baseline for demonstrating reasonable security measures under UK GDPR and the Data Protection Act 2018.

Do I need ISO 27001 if I have Cyber Essentials?

Not necessarily — they serve different purposes. Cyber Essentials certifies five specific technical controls and is the recognised UK baseline. ISO 27001 certifies a full information security management system (ISMS) covering governance, risk, people and process. Many organisations start with Cyber Essentials and add ISO 27001 as larger clients and tenders demand it. Matproof supports both from a single control library.

Start here

Find out where you stand in 10 minutes.

Our free Cyber Essentials readiness self-assessment scores you against all five controls and tells you exactly which gaps to close before you submit to a Certification Body.