What is Cyber Essentials and does your UK business need it?

Cyber Essentials is a UK government-backed certification that proves your business has basic cyber security controls in place.
If you handle customer data, bid for contracts, or want cheaper cyber insurance, you probably need it.

Here's what it actually involves, what it costs, and how to tell if it applies to you.


What is Cyber Essentials, exactly?

Cyber Essentials is a certification scheme run by IASME on behalf of the National Cyber Security Centre (NCSC). It checks that five basic technical controls are in place across your business:

  • Firewalls — a security barrier between your network and the internet

  • Secure configuration — devices set up properly, not left on default settings

  • User access control — the right people have the right level of access, and no more

  • Malware protection — software that catches viruses and malicious code before they cause damage

  • Security update management — patches applied promptly, so known vulnerabilities get closed

Get these five right and you block the vast majority of common, opportunistic cyber attacks. The kind that don't target you specifically, just anyone with a gap.

There are two levels. Standard Cyber Essentials is a self-assessment questionnaire, checked by an assessor. Cyber Essentials Plus adds an independent technical audit, including vulnerability scans and hands-on device checks. Most SMEs start with the standard certification.

Does my business actually need it?

If any of the following apply, yes:

  • You're bidding for UK central government contracts (it's been a requirement for many of these since 2014)

  • A customer or supply chain partner has asked you for it — increasingly common in procurement and onboarding

  • You hold customer data you'd rather not lose, or be fined over

  • You want cheaper cyber insurance, or the free cover that comes bundled with certification

  • You want a simple way to show customers and investors you take security seriously

It's not a general legal requirement. But it's becoming a default expectation, and it's a lot easier to have in place before a customer or insurer asks for it than to scramble afterwards.

What does it cost?

The certification fee itself is paid to IASME and is based on your organisation's size:

Micro (1-9 staff) ~ £320.00 +VAT
Small (10-49 staff) ~ £400.00 +VAT
Medium (50-249 staff) ~ £450.00 +VAT
Large (250+ staff) ~ £500.00 +VAT

That fee only covers the assessment itself.

The real cost for most SMEs is getting the five controls actually in place first;
Multi-factor authentication properly enabled, a mobile device management setup, endpoint protection on every device, patching brought up to date. For a typical small business, that first-year total (fee plus remediation) usually lands somewhere between £1,500 and £3,500 minimum.

If you fail your first attempt, you get one free re-submission. After that, you pay again.

How long does certification last?

Twelve months. It's not a one-off tick-box exercise, you renew annually, and the questionnaire gets checked against your current setup each time.
Most businesses find the renewal easier than the first pass, since the groundwork is already in place.

If you let it lapse, any bundled cyber insurance lapses with it.

What happens if I get it wrong or let it slip?

Nothing dramatic happens overnight - Cyber Essentials isn't enforced like a legal obligation. But the practical consequences show up elsewhere:

  • Contracts and tenders that require it become unavailable to you

  • Cyber insurance premiums tend to be higher without it

  • If you're breached without basic controls in place, it's harder to demonstrate you took reasonable precautions

The five controls it checks are also, not coincidentally, the ones that stop the most common attacks reaching your business in the first place.
Certification is really just proof that you've done what you should be doing anyway.

Can I do this myself, or do I need help?

You can self-certify without support. In practice, most SMEs without an in-house IT team find the questionnaire harder than expected as it assumes a level of technical detail about your own network that non-technical business owners often don't have to hand.

There's also a gap that catches people out after certification, not before it - passing today doesn't mean you're still compliant in three months.
A new laptop arrives without the right configuration, a starter gets more access than they need, an update gets missed, and nobody notices until the renewal questionnaire is back in front of them.

How RefynIT can help

Every RefynIT client on either tier is running on the same security-first baseline, regardless of what they pay.
We don't think basic security should be something you pay extra to unlock.

That baseline puts you ahead of most businesses starting from scratch. But it isn't the same as being aligned to the Cyber Essentials accreditation specifically; that takes mapping what's in place against the exact controls the assessor is checking, and closing whatever gap is left.

That's what our Compliance Manager service is built for. It's not a one-off "get you certified and we're done" job - it's ongoing readiness:

  • An agent runs on every device, checking it against the Cyber Essentials baseline 24/7 - not just at renewal.

  • New devices are picked up automatically, so if a new starter's laptop introduces a gap, it gets flagged and fixed long before your next assessment is even due.

  • A co-managed portal gives your team direct visibility, with access scoped to what each person actually needs — your Accounts team or Office Manager can answer the questions relevant to them without wading through (or seeing) the full technical questionnaire.

  • An evidence collector pulls supporting evidence together against each question as you go, so by the time your assessor looks at it, everything's already in one place instead of being chased down at the last minute.

Compliance Manager starts at £149/month for businesses under 20 users, and £185/month for businesses over 20 users.

Get in touch and we'll tell you exactly where you stand.

Previous
Previous

What is the difference between antivirus and edr?