
Cyber Essentials for Small Business: A Practical Guide

Fig Group Editorial

If you run a small business in the UK, you have probably heard of Cyber Essentials. Perhaps a client has asked for it, a tender requires it, or your insurance provider mentioned it. But what does it actually involve, what does it cost, and is it worth it for a small team?

This guide answers those questions plainly.

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed certification that proves your business has basic cybersecurity controls in place. It is developed by IASME and the National Cyber Security Centre (NCSC). The certification covers five areas:

1. Firewalls – Protecting your internet connection

2. Secure configuration – Setting up devices securely

3. Security updates – Keeping software up to date

4. Access control – Managing who has access to what

5. Malware protection – Preventing malicious software

For most small businesses, these are controls you should already have in place. Certification simply provides formal proof.

What Does It Cost?

For micro organisations (1–9 employees), Cyber Essentials costs £314.99 with Fig. This is a one-off annual fee that covers everything: the assessment, feedback, and your certificate. There are no hidden fees.

| Organisation Size | Employees | Price |
|---|---|---|
| Micro | 1–9 | £314.99 |
| Small | 10–49 | £449 |

For most small businesses, this is the total cost. You do not need to hire a consultant or purchase additional software unless you have specific gaps in your controls.

How Long Does It Take?

The assessment itself can be completed in a few hours. You answer a questionnaire about your IT setup – your firewall configuration, how you manage updates, how access is controlled, and whether MFA is enabled.

With Fig, if you purchase before 12:00 midday and your submission is ready, you can receive your certificate the same working day. For small businesses with straightforward IT setups, same-day certification is entirely realistic.

If you are not sure you are ready, use Fig's free readiness checker first. It takes 10–15 minutes and identifies any gaps.

Do I Really Need It?

If you bid for government contracts – Yes. Cyber Essentials is mandatory for any UK central government contract involving sensitive or personal information.

If clients ask for it – Increasingly, yes. Larger organisations are requiring their suppliers to hold Cyber Essentials as part of supply chain risk management. If you are a small business supplying services to a larger company, expect this question to come up.

If you want better cyber insurance – Some insurers offer reduced premiums or require Cyber Essentials as a precondition for cyber insurance policies.

If you want to protect your business – The five controls covered by Cyber Essentials protect against the most common cyber attacks. The UK government estimates that Cyber Essentials can prevent around 80% of common cyber attacks. For a small business, a successful attack can be devastating – the average cost of a breach for a small business is £4,200 (DCMS 2025).

Common Concerns for Small Businesses

"We do not have an IT department." – You do not need one. Cyber Essentials is designed for organisations of all sizes, including those without dedicated IT staff. If you use cloud services like Microsoft 365 or Google Workspace, many of the controls are already built in. You just need to confirm they are configured correctly.

"Our setup is too simple to need certification." – The simpler your setup, the easier the certification. A small business with five laptops, a cloud email service, and a broadband router can complete the assessment in under an hour.

"We cannot afford it." – At £314.99, Cyber Essentials is one of the most affordable certifications available. Compare this to the cost of losing a client because you cannot prove your security controls, or the cost of a cyber incident.

"We use a managed IT provider." – That is fine. Your IT provider can help you complete the questionnaire by providing details about your firewall configuration, update policies, and security settings. Some MSPs offer Cyber Essentials preparation as a service.

Getting Started

1. Run the readiness checker to see where you stand

2. Address any gaps (most commonly: enabling MFA on all accounts)

3. Purchase your Cyber Essentials certification at Fig's pricing page

4. Complete the questionnaire and submit

5. Receive your certificate – same day for orders before midday

For small businesses, the process is straightforward. The hardest part is usually enabling MFA across all accounts – but with v3.3, this is mandatory and worth doing regardless of certification.
