
Cyber Essentials myths, debunked.

Ten common misconceptions about Cyber Essentials v3.3 (effective 28 April 2026), fact-checked by an IASME-licensed assessor. Every answer references the scheme requirement.

Ten myths

The myths buyers, suppliers, and partners hear most often

Each verdict is rated against the scheme as written. Where a myth is simply false we say so; where the answer is genuinely nuanced, we say that too.

Myth 01 · Verdict: False

Cyber Essentials requires you to encrypt every hard drive in your organisation.

What is actually true

Cyber Essentials does not mandate full-disk encryption on every device, and device encryption is not itself one of the five technical controls. Under v3.3, encryption is effectively expected on end-user devices that leave the office perimeter (laptops, phones), normally achieved with BitLocker on Windows and FileVault on macOS. Servers and desktops that stay inside a controlled office network are not explicitly required to be encrypted by the scheme itself, though many organisations encrypt them anyway. Note that an encrypted volume only counts as protected while protection is actually on: a BitLocker volume that is encrypted but suspended (clear key) protects nothing.
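The following is an added example, not Fig Group's tooling or anything the scheme publishes, showing how an assessor or administrator can evidence BitLocker status on a Windows endpoint. It assumes the BitLocker PowerShell module (Windows Pro/Enterprise) and an elevated session; the "gap" logic treats only a fully encrypted OS volume with protection on as compliant.

```powershell
# Added example (not Fig Group's or the scheme's own tooling): enumerate
# BitLocker status on a Windows endpoint so the result can be kept as
# assessment evidence. Requires the BitLocker module and an elevated shell.
$volumes = Get-BitLockerVolume

$report = foreach ($v in $volumes) {
    [pscustomobject]@{
        MountPoint       = $v.MountPoint
        VolumeType       = $v.VolumeType          # OperatingSystem or Data
        ProtectionStatus = $v.ProtectionStatus    # On / Off (Off + FullyEncrypted = suspended)
        VolumeStatus     = $v.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted ...
        Method           = $v.EncryptionMethod    # e.g. XtsAes128 / XtsAes256
        KeyProtectors    = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}
$report | Format-Table -AutoSize

# An OS volume is only protected when it is fully encrypted AND protection
# is on. A suspended volume (ProtectionStatus Off) exposes a clear key and
# does not count, even though VolumeStatus still says FullyEncrypted.
$gaps = $report | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and
    -not ($_.ProtectionStatus -eq 'On' -and $_.VolumeStatus -eq 'FullyEncrypted')
}

# OS volumes protected only by a password or recovery key, with no TPM,
# are worth flagging separately: they work, but the TPM protector is what
# stops the disk being read when booted from other media without a prompt.
$noTpm = $report | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and $_.KeyProtectors -notmatch 'Tpm'
}

if ($gaps)  { Write-Warning "OS volume(s) without active BitLocker protection: $($gaps.MountPoint -join ', ')" }
if ($noTpm) { Write-Warning "OS volume(s) with no TPM key protector: $($noTpm.MountPoint -join ', ')" }
if (-not $gaps -and -not $noTpm) { Write-Host 'All OS volumes fully encrypted, protection on, TPM-backed.' }
```

On macOS the equivalent evidence is the output of `fdesetup status`, which reports whether FileVault is on for the boot volume.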

Myth 02 · Verdict: False

Cyber Essentials only requires multi-factor authentication on admin accounts.

What is actually true

Under Cyber Essentials v3.3 (effective 28 April 2026), MFA is mandatory on every user account that accesses organisational data, not only admin accounts. This includes end-user cloud accounts (Microsoft 365, Google Workspace), every SaaS tool that holds organisational data, and every remote-access path. There is no "most users have MFA" tolerance, and MFA that is registered but not enforced at sign-in does not count: the control has to apply to every account, including the service accounts and "break-glass" users that are routinely excluded from policy.
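As an added example (not Fig Group's tooling and not a Microsoft-published script), this is how a Microsoft 365 tenant can be audited for MFA coverage with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules are installed and that the signed-in account is granted the scopes requested. It checks two things separately, because registration and enforcement are different questions: who has no MFA method registered, and whether an enabled Conditional Access policy actually requires MFA for all users.

```powershell
# Added example (not Fig Group's and not Microsoft's published tooling):
# audit MFA coverage in a Microsoft 365 tenant. Assumes Microsoft.Graph.Reports
# and Microsoft.Graph.Identity.SignIns are installed and the caller can
# consent to the scopes below.
Connect-MgGraph -Scopes 'Reports.Read.All','AuditLog.Read.All','Policy.Read.All' -NoWelcome

# 1. Registration: which accounts have no MFA method registered at all.
$reg          = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$unregistered = $reg | Where-Object { -not $_.IsMfaRegistered }
'{0} of {1} users have no MFA method registered' -f $unregistered.Count, $reg.Count
$unregistered | Select-Object UserPrincipalName, UserType, IsAdmin | Format-Table -AutoSize

# 2. Enforcement: registration alone is not a control. Find enabled
#    Conditional Access policies that require MFA, and show their scope and
#    exclusions, because excluded users/groups are where the gaps usually sit.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
}

$mfaPolicies | ForEach-Object {
    [pscustomobject]@{
        Policy         = $_.DisplayName
        AllUsers       = $_.Conditions.Users.IncludeUsers -contains 'All'
        ExcludedUsers  = @($_.Conditions.Users.ExcludeUsers).Count
        ExcludedGroups = @($_.Conditions.Users.ExcludeGroups).Count
        AllApps        = $_.Conditions.Applications.IncludeApplications -contains 'All'
    }
} | Format-Table -AutoSize

$tenantWide = $mfaPolicies | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All'
}
if (-not $tenantWide) {
    Write-Warning 'No enabled Conditional Access policy requires MFA for all users on all apps.'
}
```

Tenants without Conditional Access licensing typically rely on Security Defaults instead; in that case the enforcement check is whether `(Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled` returns true (cmdlet name assumed from the same SDK). Either way, every account listed in the exclusions of a tenant-wide policy needs its own justification in the assessment.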

Myth 03 · Verdict: False

Cyber Essentials is only needed for UK government contracts.

What is actually true

PPN 014/21 mandates CE for UK central government contracts handling sensitive data. However, CE is now widely required by private-sector buyers (SJP Partner Practices since May 2024, NHS framework suppliers, MSPs' enterprise clients, cyber insurers, many professional-services buyers) and is often a condition of procurement on large private-sector contracts.

Myth 04 · Verdict: False

Cyber Essentials takes 90 days to complete.

What is actually true

For a prepared applicant, Fig Group issues a Cyber Essentials certificate within 6 working hours of a compliant submission made before midday on a UK business day. No IASME-licensed certification body publishes a longer-than-72-hour SLA, and Fig is the only body to publish a sub-day guarantee.

Myth 05 · Verdict: False

Cyber Essentials is only for large companies.

What is actually true

Cyber Essentials was specifically designed for UK SMEs. The Micro tier (1–9 staff) is priced at £299.99 + VAT with Fig Group - below the standard IASME certification body fee. More than 60% of Fig Group certifications are for organisations under 50 staff.

Myth 06 · Verdict: False

Cyber Essentials certification means your organisation cannot be hacked.

What is actually true

Cyber Essentials validates a foundational cyber hygiene posture across five technical control categories: firewalls, secure configuration, user access control, malware protection and security update management. It is not a guarantee against breach. The NCSC itself describes CE as a baseline that blocks the majority of commodity internet-borne attacks, not as a replacement for defence-in-depth, monitoring, detection and incident response.

Myth 07 · Verdict: False

You need a consultant to complete Cyber Essentials.

What is actually true

No. Cyber Essentials is a self-assessed questionnaire. Organisations complete it directly; the certification body reviews the answers and issues the certificate. Fig Group's readiness checker is free and takes 15 minutes. Consultancy is an optional choice, not a requirement, and is typically only cost-effective for organisations with significant existing control gaps.

Myth 08 · Verdict: False

Home routers used by remote workers are not in scope for Cyber Essentials.

What is actually true

Under Cyber Essentials v3.3 (effective 28 April 2026), home routers used by remote workers are explicitly in scope as boundary devices unless the worker connects exclusively through a corporate VPN gateway, in which case the gateway becomes the effective boundary. (Under v3.2 and earlier, a home router not supplied by the organisation was out of scope and the software firewall on the device itself was the control relied upon.) For an in-scope router the usual firewall checks apply: the admin password must be changed from the default, firmware must be current, unauthenticated inbound connections must be blocked by default, and administration of the router from the internet must be disabled unless it is genuinely needed and protected.

Myth 09 · Verdict: False

You must get Cyber Essentials Plus to be meaningfully certified.

What is actually true

Cyber Essentials (self-assessed) is a valid certification in its own right, listed on the NCSC register and widely accepted by insurers, PPN 014/21 contracts (for lower-risk data handling), and most UK enterprise buyers. CE Plus adds third-party technical verification and is required for specific higher-assurance contracts. Most organisations certify CE first, then add Plus when a specific contract demands it.

Myth 10 · Verdict: False

A Cyber Essentials certificate is valid permanently.

What is actually true

Cyber Essentials certificates are valid for twelve months from the date of issue. On the anniversary the certificate lapses with no grace period. Re-certification is a fresh self-assessment, so most organisations submit it at least 14 days before expiry to maintain contract continuity.

Next step

Certification, done properly.

No myths, no gates. Published pricing, 6-hour guarantee, three free re-submissions, IASME-licensed.