
Cyber Essentials 2026: The Complete Certification Guide

Fig Group Editorial
10 min read

Cyber Essentials remains the UK's most widely adopted cybersecurity certification scheme. Originally launched in 2014 by GCHQ and the NCSC, it has evolved into a foundational standard for businesses across every sector and size. In 2026, understanding Cyber Essentials is essential not just for compliance, but for vendor qualification, insurance pricing, and customer trust.

This guide walks you through the requirements, certification levels, costs, and practical path to achieving and maintaining certification.

What Is Cyber Essentials?

Cyber Essentials is a government-backed, IASME-administered certification scheme that defines five core security controls required to protect organisational IT systems against common cyberattacks:

1. Boundary firewalls and internet gateways

2. Secure configuration of IT infrastructure

3. User access control and privilege management

4. Malware protection and patch management

5. Security monitoring and incident response

The scheme is deliberately simple - not because cybersecurity is simple, but because these five controls prevent the vast majority of attacks that target UK organisations. Cyber Essentials doesn't certify advanced security or compliance with complex frameworks like ISO 27001. Instead, it certifies that you've implemented the hygiene basics.

This focus on fundamentals explains its rapid adoption:

  • Over 20,000 UK organisations hold Cyber Essentials certification
  • It's required by many government procurement contracts
  • Many insurers offer premium discounts for certified organisations
  • Customer due diligence increasingly demands it, even from small suppliers

Cyber Essentials v3.3: What Changed

The most recent version of Cyber Essentials (v3.3, released in 2025) made subtle but important changes to accommodate modern IT environments:

1. Cloud and Hybrid Environments

v3.3 explicitly addresses cloud and hybrid infrastructure. The controls now apply to:

  • Cloud platforms (AWS, Azure, GCP) using the Shared Responsibility Model
  • Hybrid setups where data and systems span on-premises and cloud
  • Software-as-a-Service (SaaS) applications with third-party data storage

Example: If your organisation uses Azure for critical workloads, you're now required to ensure Azure's security group configurations, network segmentation, and identity management meet the same standards as on-premises infrastructure.

2. Privileged Access and Modern Identity

v3.3 emphasises modern identity and access management beyond traditional Windows Active Directory:

  • Multi-factor authentication (MFA) required for all remote access and privileged accounts
  • Passwordless authentication (Windows Hello, FIDO2) explicitly supported
  • Service accounts and API tokens subject to the same access controls as user accounts
  • Regular review and deprovisioning of inactive accounts (at minimum, annual audits)

3. Third-Party and Supply Chain Risk

New language around vendor management:

  • Contracts must require suppliers to maintain compatible security standards
  • Regular security assessments of critical suppliers (annual minimum)
  • Incident notification requirements from suppliers
  • Supply chain mapping for critical dependencies

4. Data Handling and Privacy

v3.3 tightens data handling expectations:

  • Encrypted storage for sensitive data (at rest)
  • Encrypted transmission for sensitive data (in transit, using TLS 1.2 minimum)
  • Documented data classification and handling procedures
  • Clear data retention and destruction policies

Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?

Cyber Essentials comes in two certification levels:

Cyber Essentials (CE)

What it is: A self-assessment certification covering the five controls above.

How it works:

  • You complete a detailed questionnaire covering each control
  • Questions are specific and technical - not vague
  • You submit evidence of implementation (policies, screenshots, logs)
  • Certified assessors review your submission
  • Certification is awarded if you meet the standard

Cost: £500-£1,500 depending on organisation size and assessor choice

Time to certification: 4-8 weeks from application

Renewal: Annual (every 12 months)

Who needs it: Most organisations. CE is suitable if you can accurately self-assess your security posture and are comfortable with the responsibility of ongoing compliance.

Cyber Essentials Plus (CE+)

What it is: CE with an in-depth technical assessment and penetration test.

How it works:

  • You complete the CE questionnaire as above
  • An accredited assessor conducts a technical audit of your systems
  • This includes network scanning, configuration review, and limited penetration testing
  • The assessor interviews key staff (IT manager, network admin)
  • Certification is awarded if you meet the standard and pass the technical assessment

Cost: £2,500-£5,000 depending on organisation size and scope

Time to certification: 6-12 weeks from application

Renewal: Annual

Who needs it: Organisations handling sensitive data, critical infrastructure operators, government suppliers, and those managing complex IT estates. CE+ is increasingly required by large enterprises as part of vendor qualification.

How to Choose

| Factor | CE | CE+ |
| --- | --- | --- |
| **Budget tight?** | ✓ | |
| **Simple IT setup?** | ✓ | |
| **Selling to government?** | | ✓ |
| **Handling sensitive data?** | | ✓ |
| **Complex network?** | | ✓ |
| **Need technical validation?** | | ✓ |
| **Want cheaper insurance?** | ✓ | ✓ |

Our recommendation: If you're uncertain, start with CE. It's significantly cheaper and serves most purposes. If you're selling to large enterprises, government, or managing sensitive data, invest in CE+ for the technical validation and deeper compliance assurance.

The Five Controls: Practical Requirements

1. Boundary Firewalls and Internet Gateways

What you need:

  • A perimeter firewall (hardware or cloud-based) filtering inbound/outbound traffic
  • Explicit allow-lists for outbound connections (rather than allow-all with block-lists)
  • VPN or other secure remote access mechanism
  • No direct internet access to internal systems from outside the organisation

Practical implementation:

  • Deploy a firewall appliance (Sophos, Palo Alto, Fortinet) or use cloud-native solutions (AWS Security Groups, Azure NSGs)
  • Configure rules to deny all inbound traffic except explicitly required services
  • Implement VPN for remote workers
  • Use web filtering to block malicious categories

Common mistakes:

  • Overly permissive firewall rules ("allow any to any")
  • VPN credentials stored insecurely
  • No regular firewall rule audits (drift over time)
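One way to run the regular rule audit the last point calls for, as an added example that is not from the original guide or from Fig Group; the vendor-neutral rule format and the approved-service list are assumptions:

```python
"""Audit a firewall rule set for the boundary-firewall expectations above:
default-deny inbound, only explicitly approved services allowed in, and no
"allow any to any" rules in either direction."""

# Assumption: rules have already been exported from the appliance (Sophos,
# Palo Alto, Fortinet) or cloud control (AWS Security Group, Azure NSG) into
# this simplified shape, in evaluation order.
APPROVED_INBOUND = {("tcp", 443), ("tcp", 22)}   # assumption: documented required services

# Constructed sample rule set.
SAMPLE_RULES = [
    {"direction": "in", "action": "allow", "src": "any", "dst": "10.0.1.10", "proto": "tcp", "port": 443},
    {"direction": "in", "action": "allow", "src": "any", "dst": "10.0.1.20", "proto": "tcp", "port": 3389},
    {"direction": "in", "action": "allow", "src": "any", "dst": "any", "proto": "any", "port": "any"},
    {"direction": "out", "action": "allow", "src": "10.0.0.0/8", "dst": "any", "proto": "tcp", "port": 443},
]

# The explicit final rule a compliant inbound policy should end with.
DEFAULT_DENY = {"direction": "in", "action": "deny", "src": "any", "dst": "any", "proto": "any", "port": "any"}


def is_wide_open(rule):
    return rule["src"] == "any" and rule["dst"] == "any" and rule["port"] == "any"


def audit_rules(rules, approved_inbound=APPROVED_INBOUND):
    """Return (severity, message) findings in rule order; an empty list means compliant."""
    findings = []
    has_default_deny = False
    for n, r in enumerate(rules, start=1):
        if r["action"] == "allow" and is_wide_open(r):
            # The "allow any to any" mistake; a later deny cannot undo an earlier allow
            findings.append(("critical", f"rule {n}: 'allow any to any' ({r['direction']}bound)"))
        elif r["direction"] == "in" and r["action"] == "allow":
            if (r["proto"], r["port"]) not in approved_inbound:
                findings.append(("high", f"rule {n}: inbound {r['proto']}/{r['port']} to {r['dst']} is not an approved service"))
        elif r["direction"] == "in" and r["action"] == "deny" and is_wide_open(r):
            has_default_deny = True
    if not has_default_deny:
        findings.append(("high", "no explicit default-deny inbound rule at the end of the rule set"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] {message}")
```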
2. Secure Configuration of IT Infrastructure

What you need:

  • Documented baseline configurations for all device types (Windows, macOS, Linux, network switches, firewalls)
  • Deviation from baselines tracked and remediated
  • Unnecessary services and ports disabled
  • Default credentials changed
  • Security updates applied

Practical implementation:

  • Use configuration management tools (Ansible, Puppet, Group Policy)
  • Document baselines in a change management system
  • Implement automated compliance monitoring (Tenable, Qualys)
  • Schedule monthly patch management windows
  • Track deviations and remediate within 30 days

Common mistakes:

  • Configuration drift - baselines exist but aren't enforced
  • Inconsistent patching across the estate
  • Default credentials left on appliances
  • No documentation of "why" configurations exist
3. User Access Control and Privilege Management

What you need:

  • User accounts with minimal required privileges (principle of least privilege)
  • Multi-factor authentication (MFA) for all remote access and all privileged accounts
  • Separate privileged accounts for administrative tasks (not using admin accounts for regular work)
  • Regular review and deprovisioning of unused accounts
  • Documented access control policy

Practical implementation:

  • Implement MFA platform-wide (Microsoft Authenticator, Duo, Okta)
  • Deploy PAM (Privileged Access Management) solution for privileged accounts
  • Use identity governance tools (Okta, Azure AD) to automate provisioning/deprovisioning
  • Conduct quarterly access reviews (who has what and why)
  • Audit privileged account usage logs weekly

Common mistakes:

  • MFA enabled but not enforced - users can skip it
  • Shared credentials or shared admin accounts
  • No regular access reviews (accounts accumulate)
  • Privileged accounts used for regular work
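The quarterly access review above as a runnable check over an identity export; this is an added example, not from the original guide or from Fig Group, and the account record format and the 90-day inactivity threshold are assumptions:

```python
"""Quarterly access review checks from the user access control guidance
above: MFA actually enforced on privileged and remote-access accounts (not
merely enabled), inactive accounts deprovisioned, and no shared or
unowned accounts."""
from datetime import date

# Assumption: 90 days of inactivity triggers deprovisioning, matching a
# quarterly review cycle. Records would come from the identity provider
# (Azure AD, Okta, Active Directory) in practice.
INACTIVE_DAYS = 90

# Constructed sample export. mfa_enforced is False for the "enabled but not
# enforced" mistake, where users can still skip the second factor.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "owner": "Alice A", "privileged": False, "remote": True, "mfa_enforced": True, "last_login": date(2026, 3, 1)},
    {"user": "bob-adm", "owner": "Bob B", "privileged": True, "remote": False, "mfa_enforced": False, "last_login": date(2026, 2, 20)},
    {"user": "svc-backup", "owner": None, "privileged": True, "remote": False, "mfa_enforced": True, "last_login": date(2025, 9, 1)},
    {"user": "carol", "owner": "Carol C", "privileged": False, "remote": True, "mfa_enforced": False, "last_login": date(2026, 3, 2)},
]


def review_accounts(accounts, today, inactive_days=INACTIVE_DAYS):
    """Return {user: [issues]} for accounts that need action; empty when clean."""
    issues = {}
    for a in accounts:
        found = []
        # MFA must be enforced, not just available, on privileged and remote accounts
        if (a["privileged"] or a["remote"]) and not a["mfa_enforced"]:
            scope = "privileged" if a["privileged"] else "remote-access"
            found.append(f"MFA not enforced on {scope} account")
        # Accounts accumulate unless the review actively removes stale ones
        if (today - a["last_login"]).days > inactive_days:
            found.append(f"inactive for over {inactive_days} days: disable and deprovision")
        # Service accounts are in scope too; every account needs a named owner
        if a["owner"] is None:
            found.append("no named owner: shared or orphaned account")
        if found:
            issues[a["user"]] = found
    return issues


if __name__ == "__main__":
    for user, found in review_accounts(SAMPLE_ACCOUNTS, date(2026, 3, 5)).items():
        print(user, "->", "; ".join(found))
```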
4. Malware Protection and Patch Management

What you need:

  • Antivirus or anti-malware installed on all devices
  • Regular malware scans (scheduled, automated)
  • Patch management process for OS, software, and firmware
  • Vulnerability scanning to identify unpatched systems
  • Clear policy for timely patch deployment

Practical implementation:

  • Deploy endpoint detection and response (EDR) solution (CrowdStrike, Microsoft Defender, Sophos)
  • Schedule automated full scans weekly
  • Implement software update management (Windows Update, third-party update managers)
  • Use vulnerability scanning tools (Nessus, Qualys) monthly
  • Define SLAs: critical patches within 7 days, other patches within 30 days

Common mistakes:

  • Antivirus running but not updated
  • Scanning scheduled but results not reviewed
  • Patching delayed due to "stability concerns" (this is fear, not risk management)
  • Legacy systems excluded from patching
5. Security Monitoring and Incident Response

What you need:

  • Logging enabled on all critical systems
  • Log aggregation into a central repository
  • Monitoring for security-relevant events (failed logins, privilege escalation, etc.)
  • Incident response plan documenting roles and escalation procedures
  • Regular incident response testing

Practical implementation:

  • Deploy a SIEM or centralised logging solution (Splunk, ELK Stack, Azure Sentinel)
  • Enable logging on firewalls, servers, domain controllers, and critical applications
  • Define alerts for high-severity events (multiple failed logins, privilege escalation)
  • Document incident response procedures (who to contact, what to do)
  • Run annual incident response tabletop exercises

Common mistakes:

  • Logs collected but never reviewed
  • Alert fatigue - so many alerts that real incidents are missed
  • Incident response plan gathering dust (never tested)
  • No clear ownership for incident response
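The "multiple failed logins" alert above as detection logic run over sample auth-log lines; this is an added example, not from the original guide or from Fig Group, and the log lines, the threshold and the window are constructed assumptions:

```python
"""Detection logic for one high-severity event named above: multiple failed
logins from one source in a short window, run over OpenSSH auth-log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: 5 failures within 5 minutes per source address. In practice
# these thresholds live in the SIEM rule (Splunk, ELK, Sentinel), not in code.
THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed sample lines (syslog omits the year, so it is supplied below).
SAMPLE_LOG = """\
Mar  3 09:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:00:04 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 09:00:09 bastion sshd[1205]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 09:00:15 bastion sshd[1207]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar  3 09:00:20 bastion sshd[1209]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar  3 09:00:31 bastion sshd[1211]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 09:45:00 bastion sshd[1300]: Failed password for bob from 198.51.100.9 port 40100 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)


def detect_bursts(log_text, year=2026, threshold=THRESHOLD, window=WINDOW):
    """Return (source_ip, window_start, users) alerts; one fires each time a
    source's failures inside the sliding window reach the threshold."""
    failures = defaultdict(list)                       # source -> [(time, user)]
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                                   # successes and other lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        failures[m.group(3)].append((ts, m.group(2)))
    alerts = []
    for src, hits in failures.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                             # slide the window forward
            if end - start + 1 == threshold:
                users = sorted({u for _, u in hits[start:end + 1]})
                alerts.append((src, hits[start][0], users))
    return alerts
```

Grouping by source and reporting the user names tried keeps one burst to one alert, which is what limits the alert fatigue listed under common mistakes.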
The Certification Process: Step by Step

Step 1: Self-Assessment (Weeks 1-2)

Complete a detailed questionnaire covering all five controls. This isn't a checkbox exercise - each question has detailed supporting guidance. You'll need technical knowledge or support from your IT team.

Evidence required: policies, screenshots, configurations, audit logs.

Step 2: Find an Assessor (Weeks 2-3)

IASME maintains a list of accredited Cyber Essentials assessors. For CE, you can work with any accredited assessor. For CE+, you need assessors with technical certification privileges.

Cost varies significantly: small assessors (£500-£1,500 for CE) vs. larger firms (£2,000-£5,000). Get multiple quotes.

Step 3: Submit Your Application (Weeks 3-4)

Upload your questionnaire and evidence to your chosen assessor's portal. They'll review completeness and may request clarification on specific responses.

Step 4: Assessment Review (Weeks 4-8)

Assessors review your evidence against the v3.3 standard. If gaps exist, they'll request additional information or evidence. Back-and-forth can extend timelines.

For CE+, a technical assessment is scheduled during this phase.

Step 5: Certification Awarded (Week 8+)

Once approved, you receive your Cyber Essentials certificate (valid 12 months) and can use the Cyber Essentials badge in marketing and procurement documents.

Step 6: Annual Renewal (Months 11-12)

The process repeats annually. Most organisations find renewal faster than initial certification as baselines are already documented.

Costs Breakdown: What to Budget

| Item | Cost Range |
| --- | --- |
| **CE Assessment** | £500-£1,500 |
| **CE+ Assessment** | £2,500-£5,000 |
| **Remediation** | £5,000-£50,000+ (depends on current state) |
| **Tools (SIEM, EDR, PAM)** | £10,000-£100,000+ annually |
| **Internal resources** | 200-400 hours annually |

Total year one investment: £20,000-£160,000 depending on starting position and organisation size.

Ongoing annual costs: £5,000-£20,000 (renewals, tool subscriptions, updates).

Getting Started in 2026

1. Self-assess your current posture against the five controls

2. Identify gaps and prioritise remediation

3. Get quotes from 2-3 accredited assessors

4. Plan remediation work in parallel with the assessment process

5. Engage your IT team early - they'll be heavily involved

6. Budget 3-4 months for the full process

7. Plan for renewal 12 months after certification

How Fig Supports Cyber Essentials

Fig Group's platform simplifies Cyber Essentials compliance through:

  • Automated Evidence Collection: Real-time gathering of logs, configurations, and system states required for the five controls
  • Assessment Readiness: Pre-assessment scans to identify gaps before formal assessment
  • Continuous Monitoring: Post-certification monitoring to ensure ongoing compliance
  • Renewal Readiness: Automatic evidence compilation for annual renewal assessments

With Fig, certification is an outcome of continuous security hygiene rather than a point-in-time audit.

The Bottom Line

Cyber Essentials in 2026 is no longer optional for most organisations. It's foundational. If you sell to government, seek insurance discounts, or simply want to demonstrate security competence, Cyber Essentials certification is the baseline.

Start your assessment now. Most organisations can achieve certification within 8-12 weeks with proper planning and support.
