Frequently Asked Questions

What is Cyber Essentials?

Cyber Essentials is a Government-backed, industry-supported scheme to help organisations protect themselves against the most common threats found on the internet. Most cyber attacks exploit basic weaknesses in software and IT systems: Cyber Essentials shows you how to fix those basics and get a good level of cyber security in place.

Why should I get Cyber Essentials?

45% of small businesses and 66% of medium/large businesses reported a cyber breach or attack in the past 12 months. Overall, nearly half of all businesses (46%) experienced a cyber attack or breach in the past year, causing thousands of pounds worth of costs and disruption to everyday operations. Most cyber attacks are relatively basic and it’s easy to use Cyber Essentials to get good basic protections in place to prevent them. Cyber Essentials is designed by Government to protect your organisation from the most common Internet threats. Don’t delay: start protecting your business now.

What are the five controls in Cyber Essentials?

Cyber Essentials requires your organisation to have five technical controls in place:

  1. Boundary firewalls [to prevent unauthorised access]
  2. Secure configuration [setting up systems securely]
  3. User Access control [restricting access to those who need it]
  4. Malware protection [i.e. using anti-virus software]
  5. Patch management [i.e. updating software]

There is a summary of the scheme here and the five controls are listed in more detail here.

How do I get a Cyber Essentials certificate?

Contact a supplier (a “Certification Body”) via one of the Accreditation bodies listed here

What is the process for getting a certificate?

What evidence is required?

The requirements for Cyber Essentials can be found in the requirements document. Each certification body assesses against the same requirements, but assists companies in their submission by providing prompts, usually by questionnaires or via online portals. You can see examples of the type of questions you will be asked in our quick self-assessment questionnaire.

How long does it take?

This depends on the size of your business, the complexity of your IT system and the extent to which you already have the technical controls in place. It might take anywhere from a few days or a few weeks for a small business, to several months for a large organisation.

How much does it cost?

Prices are set by the market, not by Government, and will vary from supplier to supplier depending on the level of service and support offered. The basic cost of a Cyber Essentials certificate for a small business is typically in the low hundreds of pounds (e.g. around £300 or £400) though can be higher if you request a higher level of service.

Will Cyber Essentials protect us against all cyber threats?

Cyber Essentials will protect you against the most common online threats. The scheme offers a basic level of protection and is a good place to start in protecting your company against cyber threats. If you require additional protection, the Government offers a range of further advice here

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

The requirements are the same for each certificate, however Cyber Essentials Plus offers a greater level of assurance that the controls are in place (e.g. by using a wider range of tools and techniques to test the controls.) Cyber Essentials Plus may be required by procuring organisations seeking a greater level of assurance.

Does Cyber Essentials Plus cost more?

Yes, Cyber Essentials Plus offers a greater level of assurance that the controls are in place (e.g. by using a wider range of tools and techniques to test the controls.) Please discuss costs with your supplier.

Does Cyber Essentials cover staff training?

No, it is a technical scheme. However the Government offers a range of free online cyber security training for staff and employers here.

How do I choose a supplier?

You can choose a supplier (a “Certification Body”) via one of the accreditation bodies listed here on the website. Suppliers offer different levels of service and support so you may want to shop around to find one which meets your particular needs.

I’m a charity / school / public sector organisation - can I apply for Cyber Essentials?

Yes, the scheme is suitable for all organisations of all sizes, in all sectors. This includes charities, voluntary organisations, schools, colleges, universities, local authorities, police forces and other public sector bodies.

How can I get further information on Cyber Essentials?

Contact one of the accreditation bodies listed here or email [email protected]

What else can I do to protect my business/organisation online?

A wide range of free guidance, support and training is available via Gov.UK and the National Cyber Security Centre.

What are the certification bodies?

Certification bodies are the suppliers you work with to assess whether your organisation complies with Cyber Essentials. Further details are set out in the Assurance Framework document here

What are the accreditation bodies?

Accreditation bodies are approved by the Government to assess and approve certification bodies’ to offer Cyber Essentials assessments. Further details are set out in the Assurance Framework document here.

How do I become a certifying body?

Accreditation bodies appoint certification bodies. Organisations wishing to become a certification body should contact one of the accreditation bodies APMG, CREST, IASME, IRM Security or QG Management Standards.

How do I become an accreditation body?

Interested organisations can read more on Becoming an Accreditation Body.

How do I bid for Government contracts?

Visit https://www.gov.uk/contracts-finder