The UK Government's baseline standard for cyber security. A verified self-assessment that proves your organisation has the five core technical controls in place — protecting you, your clients, and your supply chain from the most common internet-based threats.
Cyber Essentials is a UK Government-backed certification scheme, developed by the National Cyber Security Centre (NCSC), that helps organisations of any size protect themselves against the most common internet-based cyber attacks.
The scheme is built around five technical controls that, when implemented correctly, prevent the vast majority of commodity attacks — the digital equivalent of a thief trying your front door to see if it's unlocked.
Certification is achieved through a verified self-assessment: you complete an online questionnaire, a board-level representative signs a declaration confirming accuracy, and a qualified assessor reviews your answers. There is no on-site audit — the entire process is completed online.
Your certificate is valid for 12 months and is publicly listed on the IASME portal. You receive a digital badge with the Crown & Tick mark for use on your website, proposals, and email signatures.
Control incoming and outgoing network traffic
Reduce attack surface on all devices and software
Restrict access to authorised personnel only
Defend against viruses and malicious software
Apply critical security updates within 14 days of release
Cyber Essentials has been required for central government contracts involving personal data since 2014. The MOD and NHS mandate it. Private-sector supply chains increasingly expect it.
UK organisations with turnover under £20 million that certify their entire organisation receive automatic cyber liability insurance through IASME — including 24/7 incident response up to £25,000.
Government research confirms that Cyber Essentials certification is linked to a measurable reduction in successful attacks and insurance claims. The five controls address the most common vectors.
An independently verified baseline of security controls is evidence to regulators, auditors, and clients that your organisation is taking cyber security seriously and acting responsibly.
A valid Cyber Essentials certificate is the prerequisite for Plus — the hands-on technical audit that provides a higher level of assurance. You have 90 days to progress from CE to CE+.
Display the government-backed trust mark on your website, email signatures, and proposals. A visible, verifiable signal that your defences meet the national baseline.
From 27 April 2026, all new assessments use the v3.3 "Danzell" question set. The five controls are unchanged, but verification is stricter. Our assessors are trained and ready.
The board-level declaration now explicitly commits the organisation to maintaining controls throughout the 12-month certification period — not just at the point of assessment.
If any cloud service offers MFA and you haven't enabled it for all users, you will automatically fail — no exceptions, even if MFA requires a paid upgrade.
Any service accessed via credentials that stores or processes your data is now explicitly in scope. Cloud services can no longer be excluded.
All legal entities within scope must be declared. Exclusions must be justified. Scope descriptions now appear on the certificate itself.
High-risk and critical patches must be applied within 14 days. This applies to operating systems, applications, and network devices including routers and firewalls.
Self-assessment answers can no longer be amended after the Plus technical audit begins. Declarations must be complete and accurate upfront.
The entire process is completed online. Most organisations achieve certification within one to two weeks of starting their self-assessment.
Set up your assessment account and pay the fee for your organisation size.
Review the five controls. Assess your current position. Use IASME's free readiness tool.
Answer the self-assessment questionnaire. A board-level representative signs the declaration.
A qualified assessor reviews within 3 working days. You can update and resubmit if needed.
On success, your certificate is issued instantly. Publicly registered. Valid for 12 months.
Fees are set by IASME and scaled to your organisation's size. The price covers the assessment, assessor review, certificate, and public listing.
Need help with the self-assessment? We offer expert support packages. Contact us for details.
Both cover the same five technical controls. Cyber Essentials is a verified self-assessment — you answer questions and an assessor reviews your answers. Plus adds a hands-on technical audit where an assessor tests your actual systems, providing a higher level of assurance. You must pass CE before attempting Plus, and the Plus audit must be completed within 90 days.
Twelve months. We send a reminder before expiry to arrange renewal. If you do not renew, your organisation is removed from the certified organisations list.
Not legally, but it is required for many UK Government contracts involving personal data. The MOD, NHS, and an increasing number of private-sector organisations require it of their suppliers. Regulated sectors — legal, financial, healthcare — increasingly reference it as a baseline expectation.
Yes. The scheme is available to organisations of all sizes, including sole traders. Micro organisations (0–9 employees) pay £320 + VAT.
As an IASME-accredited Certification Body, we help you understand the assessment questions and how they apply to your organisation. We offer support packages ranging from basic guidance through to dedicated advisory sessions. Our assessors review your submission within three working days and provide detailed feedback if clarification is needed.
If your answers don't meet the standard, our assessor provides specific feedback explaining what needs to change. You have the opportunity to update and resubmit. Each resubmission is reviewed within three working days.
The main changes in v3.3 (Danzell) are: MFA is now mandatory on all cloud services that offer it — failure is an automatic fail. Cloud services are formally defined and cannot be excluded from scope. Scoping rules are tighter with mandatory legal entity declarations. The board-level declaration now commits to maintaining controls for the full 12-month period.
Yes. Cyber Essentials is available to organisations globally. The entire process is completed online.
Start your Cyber Essentials certification today — or talk to our team about preparing for the April 2026 changes and choosing the right level for your organisation.