Cyber security for business

Cyber Essentials scheme


Cyber Essentials is a government-endorsed scheme that encourages organisations and businesses across the UK to adopt cyber security best practices. The scheme has been in operation since 2014. It was set up to fulfil two needs:

  • to define a set of security controls organisations should use to reduce cyber risks
  • to provide an assurance framework organisations can certify to

The scheme and certification are suitable for all businesses, of any size and in any sector.

UK Cyber Essentials

The scheme sets out technical security controls that, when implemented correctly, can prevent around 80 per cent of cyber attacks.

These controls are:

  • boundary firewalls and internet gateways
  • secure configuration
  • access control and administrative privilege management
  • malware protection
  • patch management

From 24 January 2022, the scheme includes additional requirements in the areas of:

  • home working
  • cloud services and web applications
  • bring your own device (BYOD)
  • thin clients
  • password management
  • multi-factor authentication
  • security updates and more

Read about the changes to the Cyber Essentials scheme.

Cyber Essentials certification

Under the scheme, there are two levels of Cyber Essentials certification available to your organisation:

  • Cyber Essentials - awarded on the basis of a verified cyber security self-assessment
  • Cyber Essentials Plus - on top of the self-assessment, this requires further external testing and an on-site assessment of cyber security practices

Find out about the different levels of certification with Cyber Essentials.

Cyber Essentials cost

Certification is not free. From 24 January 2022, the assessment charge for micro-businesses and organisations is £300 + VAT. Small, medium and large organisations pay more on a sliding scale that aims to better reflect the complexity involved in assessing larger organisations. Read about the new pricing structure for Cyber Essentials.

For specific advice and guidance around costs and certification, contact the IASME Consortium, which delivers the scheme.

All new certificates issued by IASME have a 12-month expiry date.

Benefits of Cyber Essentials certification

Cyber Essentials certification raises your overall level of protection by putting security firmly into focus, which can:

  • provide you with a competitive selling point
  • help differentiate you from your competitors
  • enable you to say that your business follows government-endorsed standards
  • raise your profile with insurers, investors and auditors

The Cyber Essentials scheme is also mandatory for central government contracts that involve:

  • handling of personal and sensitive information
  • provision of certain technical products and services

Read the procurement policy note on the Cyber Essentials scheme.