Cyber Essentials Certification for UK Businesses
Cyber Essentials is a UK Government-backed certification that verifies your business has five key security controls in place. AMVIA guides UK businesses through Cyber Essentials and Cyber Essentials Plus — from gap analysis and remediation through to certification and annual renewal.
Cyber Essentials is a UK Government-backed certification that verifies five key security controls: firewalls, secure configuration, user access control, malware protection, and patch management. It takes most businesses two to four weeks to achieve, costs from £300 for self-assessment, and is required for any contract involving UK government data handling.
What Is Cyber Essentials?
Cyber Essentials is a UK Government certification scheme, developed by the National Cyber Security Centre (NCSC), that verifies five fundamental security controls: boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management. Achieving certification demonstrates that your business has the basic protections in place to defend against the most common internet-based cyber threats — and is a prerequisite for winning government contracts that involve handling personal data or sensitive information.
How AMVIA Supports Your Cyber Essentials Certification
AMVIA handles every stage of the Cyber Essentials process — so you can focus on running your business while we ensure you achieve certification first time.
Cyber Essentials Gap Analysis
We assess your current IT environment against all five Cyber Essentials controls, identifying gaps that would prevent certification and providing a prioritised remediation plan.
Remediation and Technical Support
Our engineers implement the technical changes required — firewall configuration, patch management policies, access control — to ensure your environment meets the certification requirements.
Self-Assessment Support (Cyber Essentials)
We guide you through the IASME questionnaire for Cyber Essentials self-assessment, ensuring every answer accurately reflects your environment and maximises your chance of passing first time.
CE Plus Audit Preparation and Support
Cyber Essentials Plus requires an on-site or remote technical audit. AMVIA prepares your environment, manages the auditor relationship, and resolves any findings before the final assessment.
Certification Management
We manage your certification on your behalf — tracking expiry dates, initiating renewal, and ensuring your certificate remains valid for insurance, procurement, and compliance purposes.
Annual Renewal
Cyber Essentials certification expires after 12 months. AMVIA initiates your renewal assessment, reviews any changes to your environment, and ensures continuous certification.
The Five Cyber Essentials Controls
Cyber Essentials verifies these five technical controls. AMVIA assesses and remediates each one as part of our certification support service.
- Boundary firewalls and internet gateways configured and actively managed
- Secure configuration — default passwords changed, unnecessary services disabled
- User access control — least privilege, no shared admin accounts
- Malware protection — anti-malware software deployed and up to date
- Patch management — operating systems and software kept up to date within 14 days of release
- Annual renewal completed to maintain active certification status
What Is Cyber Essentials and Who Needs It?
Cyber Essentials is a UK Government-backed certification scheme developed by the National Cyber Security Centre (NCSC). It defines five technical controls that, when implemented, protect organisations against the most common internet-based cyber attacks — the kind that cause the majority of cyber incidents reported to the NCSC each year.
The scheme has two levels: Cyber Essentials, which is a self-assessed questionnaire reviewed by a certification body; and Cyber Essentials Plus, which involves an independent technical audit of your systems. Both result in a certificate that is valid for 12 months.
Who Is Required to Have Cyber Essentials?
Cyber Essentials is mandatory for any UK business bidding for central government contracts that involve handling personal data or providing certain technical products and services. It is also increasingly required by large private sector organisations and regulated industries as a baseline security requirement in their supply chain.
Beyond contractual requirements, Cyber Essentials certification signals to customers, insurers, and partners that your business takes information security seriously. Some cyber insurance providers offer reduced premiums or better terms for businesses holding current Cyber Essentials certification.
The Five Cyber Essentials Controls Explained
The five controls that Cyber Essentials verifies are not arbitrary — they are the NCSC's assessment of the minimum technical measures that would prevent the vast majority of commodity cyber attacks.
1. Boundary Firewalls and Internet Gateways
Your network must have a firewall at its perimeter that controls which traffic is allowed in and out. Default configurations from your router manufacturer are not sufficient — the firewall must be actively managed, with a documented ruleset that blocks unnecessary inbound connections. This applies to office networks and, since 2023, to home worker devices as well.
2. Secure Configuration
All devices — laptops, desktops, servers, smartphones, tablets, and network equipment — must be configured securely. This means: changing default passwords before deployment, disabling unnecessary services and software, removing unused user accounts, and applying a documented configuration baseline. Many breaches exploit devices left on factory settings.
3. User Access Control
Access to systems and data must be limited to what each user needs to do their job (least privilege). Shared accounts are not permitted. Administrative privileges must be restricted to users who genuinely require them for their role. Multi-factor authentication is required for all cloud-based services since the 2023 update to the scheme.
4. Malware Protection
All devices must have anti-malware software installed and active. For Windows devices, Microsoft Defender (included with Windows 10 and 11) is acceptable if kept up to date and configured correctly. Application controls — allowlisting or sandboxing — can be used as an alternative to traditional anti-malware for organisations with tightly controlled device estates.
5. Patch Management
Operating systems, browsers, and all third-party software must be updated to the latest vendor-supported version within 14 days of a patch being released. Software that is no longer supported by its vendor (Windows 7, Office 2016, etc.) must be removed from scope or replaced. This control catches out many businesses that have never implemented a formal patch management process.
Cyber Essentials vs Cyber Essentials Plus: What Is the Difference?
Both certifications verify the same five controls. The difference lies in how verification is conducted.
- Cyber Essentials: A self-assessment questionnaire completed by the business and reviewed by an IASME-accredited certification body. Costs from around £300 for smaller organisations. Takes most businesses 2–4 weeks to complete once the technical controls are in place.
- Cyber Essentials Plus: The same questionnaire, plus an independent technical audit carried out by a certification body assessor. The audit tests your devices and network against the five controls rather than relying solely on your self-reported answers. Costs more — typically £1,500–£5,000 depending on organisation size — and requires your environment to be in good shape before the auditor visits.
Many government contracts require Cyber Essentials (the self-assessment level), while defence and classified contracts increasingly require Cyber Essentials Plus. If you are unsure which level you need, AMVIA can advise based on your target contracts and sector.
Does Cyber Essentials Cover All Cyber Risk?
No. Cyber Essentials is a baseline certification that addresses the most common, commodity cyber threats. It does not cover advanced persistent threats, insider risks, social engineering attacks, physical security, or complex incident response. Organisations in regulated sectors or with elevated risk profiles should also consider ISO 27001, SOC monitoring, penetration testing, and a full cybersecurity programme alongside Cyber Essentials.
Think of Cyber Essentials as the equivalent of fitting a lock and alarm on your front door — it stops opportunistic attacks, but a determined adversary targeting your organisation specifically will require more comprehensive defences.
How Long Does Cyber Essentials Take?
For most UK SMEs, the process from initial gap analysis to certification takes between two and six weeks, depending on how many remediation actions are needed. The self-assessment questionnaire can be completed in a day once your environment meets the requirements. Cyber Essentials Plus audits typically require an additional two to four weeks after the self-assessment, for the technical audit to be scheduled and completed.
AMVIA's typical timeline:
- Week 1: Gap analysis and remediation planning
- Weeks 2–3: Technical remediation (firewall changes, patch management, access control)
- Week 4: Self-assessment questionnaire completion and submission
- Weeks 5–6: Certification body review and certificate issuance
For Cyber Essentials Plus, add two to four weeks for the technical audit after the above process.
How to Renew Cyber Essentials
Certification is valid for 12 months. AMVIA tracks your renewal date and initiates the process 8 weeks before expiry, reviewing any changes to your IT environment that may affect your answers and ensuring continuous certification. Gaps in certification can cause issues with government contract compliance and insurance policies.
Frequently Asked Questions
Cyber Essentials self-assessment certification costs from around £300 for smaller organisations (under 10 employees), rising to around £500 for larger SMEs. These are the certification body fees. Cyber Essentials Plus costs significantly more — typically £1,500–£5,000 — because it involves an independent technical audit. AMVIA's support service (gap analysis, remediation, questionnaire guidance) is charged separately and depends on the complexity of your environment.
Most UK SMEs achieve Cyber Essentials certification within two to six weeks from starting the process. The timeline depends on how many remediation actions are needed to bring your environment up to the required standard. If your IT is already in reasonable shape, you can complete the process in as little as two weeks. Cyber Essentials Plus takes an additional two to four weeks for the independent technical audit.
Both certifications verify the same five security controls. Cyber Essentials is a self-assessment questionnaire that the certification body reviews. Cyber Essentials Plus involves an independent technical audit where an assessor tests your actual systems — scanning your devices, checking firewall configurations, and verifying patch levels — rather than relying on your self-reported answers. CE Plus carries more weight with government clients and insurers.
No. Cyber Essentials covers five baseline technical controls that protect against common, commodity cyber threats. It does not address advanced persistent threats, insider risks, physical security, or complex social engineering attacks. Businesses in regulated sectors or with elevated risk should layer additional controls — such as SOC monitoring, penetration testing, and ISO 27001 — on top of Cyber Essentials.
Cyber Essentials certification expires after 12 months and must be renewed annually. The renewal process involves repeating the self-assessment questionnaire (and the technical audit for CE Plus), reviewing any changes to your IT environment, and submitting to the certification body again. AMVIA tracks renewal dates for all clients and proactively initiates the process to avoid gaps in certification.
Ready to Get Cyber Essentials Certified?
Book a free readiness call and find out how quickly your business can achieve certification.
Related Resources
Cyber Essentials vs Cyber Essentials Plus
Which level does your business need? A detailed comparison of both certifications.
How Much Does Cyber Essentials Cost?
Full cost breakdown for CE and CE Plus certification for UK businesses.
How Long Does Cyber Essentials Take?
Realistic timelines for achieving Cyber Essentials and Cyber Essentials Plus.
Managed Cybersecurity
Full managed cybersecurity beyond Cyber Essentials — SOC, EDR, and incident response.
Microsoft 365 Security
Securing your M365 environment is a key part of meeting Cyber Essentials requirements.
Cybersecurity Guide
The complete guide to cybersecurity for UK businesses.