Cyber Essentials is a UK government-backed cyber security certification scheme designed to help organisations protect themselves against common online threats. It is recommended by the UK Government as a minimum cyber security standard for organisations of all sizes and sectors.

Cyber Essentials is suitable for organisations of any size, in any sector, including businesses, charities, schools, local authorities and other public sector bodies. It is especially useful for organisations that want to demonstrate good cyber hygiene to customers, suppliers, insurers, or public sector buyers.

Cyber Essentials helps demonstrate that your organisation takes cyber security seriously. It provides practical protection against the most common types of cyber attack, strengthens trust with customers and suppliers, and supports bids for contracts where certification is required or preferred.

The National Cyber Security Centre (NCSC), which oversees Cyber Essentials, also highlights that certification is increasingly becoming a supply chain requirement. A growing number of organisations now expect suppliers to hold Cyber Essentials before they can bid for work, particularly where services involve handling data, accessing systems, or supporting critical business operations. Achieving certification can therefore help organisations meet buyer expectations, reduce procurement barriers, and show that they have taken recognised steps to manage cyber risk.

Cyber Essentials is required for many UK central government contracts, particularly where suppliers handle personal information, financial information, or sensitive data.

It is also increasingly used in supply chain assurance outside government.


Cyber Essentials is based on five core technical controls:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

These controls are designed to reduce the risk of the most common internet-based cyber threats.

No certification can guarantee complete protection. Cyber Essentials is designed to help protect against the most common online threats by ensuring that key security controls are in place. It should be seen as an important baseline, not the whole of your cyber security programme. 

The scope usually includes the IT systems, devices, networks, cloud services and software that your organisation uses to handle business data. Getting the scope right is important because your answers must accurately reflect the systems being certified. If you would like to discuss the scope of your assessment before beginning the assessment, please contact info@keysigma.co.uk to arrange a free 30 minute scoping call. 

Once you submit your answers, we carry out a gap analysis and provide clear feedback to help you address any areas that need attention.

We aim to mark your submission within one working day. The overall length of the process will depend on the maturity of your systems and the amount of work needed to implement the controls required to meet the Cyber Essentials standard.

Once you apply, you have six months to complete and submit your Cyber Essentials assessment. After that, your assessment account may be closed and you may need to apply again.

The first stage of the assessment process is the gap analysis. During this stage, a KEYSIGMA consultant will review your answers and assess the gap between your current systems and the Cyber Essentials standard.

If any gaps are identified, you will receive clear feedback explaining what needs to be addressed, along with guidance to help you implement the required changes and become Cyber Essentials compliant.

You can keep resubmitting your answers, and we will continue reviewing and marking them until your organisation meets the Cyber Essentials standard. Once compliance has been achieved, your Cyber Essentials certificate will be issued.

This ongoing support is a key differentiator of choosing KEYSIGMA as your certification body, as some other certification bodies may limit the number of submission attempts.

Cyber Essentials is reviewed annually to ensure it continues to reflect current cyber threats and good security practice. The 2026 update introduces the new Danzell question set, which replaces the previous Willow standard for new assessments from 27 April 2026.

The Danzell update introduces stricter assessment criteria, including automatic failure for certain key controls where requirements are not met, such as multi-factor authentication and timely security updates. These changes are designed to improve consistency, reduce ambiguity, and ensure Cyber Essentials continues to provide robust assurance against common cyber threats.

More information about the new standard can be found on our website at: Danzell | Key Sigma.

Cyber Essentials does include automatic fail questions under the latest Danzell question set. These relate to key security controls such as enabling multi-factor authentication for cloud services and applying high-risk or critical security updates within the required 14-day timeframe. If these requirements are not met, the assessment may result in an automatic failure, regardless of performance in other areas.

While you cannot pass your certification with an automatic failure, you will still have the chance to get feedback from your assessor and re-submit your answers without incurring additional assessment costs, as long as these issues are remediated within the timeframe given.

No. KEYSIGMA will provide you with detailed feedback and tailored guidance on how to bring your organisation into compliance with the standard. This differentiates KEYSIGMA’s Cyber Essentials service from many of our competitors who charge for each attempt.

Cyber Essentials certificates are valid for 365 days from the date of issue.

KEYSIGMA will provide you with comprehensive answers to any questions that you may have in the certification process. 

Yes, organisations overseas are able to get certificates and we are fluent in many languages. 

KEYSIGMA is one of a select few certification bodies that is also an NCSC Assured Cyber Advisor, meaning that we are qualified, capable and authorised to advise you on how to comply with the Cyber Essentials standard.

You can display the Cyber Essentials badge on your website and/or in your email signatures.

Yes. Eligible UK organisations that achieve Cyber Essentials certification may be entitled to included cyber liability insurance, arranged through IASME. To qualify, your organisation must be UK-domiciled, have an annual turnover under £20 million, and certify the whole organisation within the scope of the assessment. The included cover provides a total liability limit of £25,000, subject to the scheme terms.

Cyber Essentials Plus starts with the Cyber Essentials verified self-assessment questionnaire but also includes a technical audit of the organisation’s systems to verify that the Cyber Essentials controls are in place.

The controls for Cyber Essentials and Cyber Essentials Plus are exactly the same but the level of assurance is different. Cyber Essentials Plus offers a higher level of assurance as the controls have been checked by a third party to ensure they are correctly implemented.

No. The Cyber Essentials Basic assessment is a verified self-assessment and does not include a vulnerability scan.

Cyber Essentials Plus includes technical testing, including internal and external vulnerability scanning as part of the audit process.

Yes. You need to complete the assessment each year. This helps ensure your certification reflects your current IT environment and gives you an annual opportunity to review your cyber security controls. 

You can use your previous answers as a starting point, but they should be reviewed and updated to reflect your current systems, users, cloud services, admin access, patching, MFA, and any changes to the Cyber Essentials requirements.

As an NCSC assured Cyber Advisor and Certification Body, we can assess your Cyber Essentials application and provide consultancy to help you achieve certification. 

Reach out to KEYSIGMA, who will initiate the process by setting you up on the assessment portal.

info@keysigma.co.uk. 

Cyber Essentials Plus is the higher assurance version of Cyber Essentials, where our assessors actively test a sample of your systems to confirm the five technical controls have been implemented correctly.  

It can give customers and partners greater confidence than the basic self-assessment, because it includes independent technical testing, vulnerability checks, device sampling, and evidence review. 

Cyber Essentials is a verified self-assessment.

Cyber Essentials Plus includes the same controls, but adds a hands-on technical audit of your systems. This gives a higher level of assurance because the controls are independently tested by a third party.

Yes. Cyber Essentials Plus starts with the Cyber Essentials verified self-assessment. The Cyber Essentials Plus assessment must be conducted and completed within 90 days of the Cyber Essentials certificate being issued.  If it is outside the 90-day window, you will need to retake the Cyber Essentials assessment before proceeding with Cyber Essentials Plus.

Cyber Essentials Plus involves a technical audit of the systems that are in-scope for Cyber Essentials. A full description of the Cyber Essentials Plus tests can be found here.

The Cyber Essentials question set is part of the Cyber Essentials Plus certification process. If you have achieved the verified self-assessment Cyber Essentials certification less than 3 months before certifying to Cyber Essentials Plus you will not need to repeat the self-assessment questions stage.

As the Cyber Essentials Plus assessment now requires remediation across your entire estate rather than only the sampled devices, the only way to be confident in your compliance is to conduct regular vulnerability management and remediation aligned with the Cyber Essentials requirements.

Some larger organisations may choose to purchase vulnerability scanning licences and conduct this in-house, but this may be impractical for smaller organisations, which is why we have developed the KEYSIGMA Vulnerability Management Service. To find out more, please contact us at info@keysigma.co.uk


Following a review of the major breaches from the last few years, the NCSC has decided to update the Cyber Essentials Plus vulnerability testing process. 

Previously, a vulnerability scan would be conducted on a sample of your devices, with any vulnerabilities needing remediation before certification. Under the new standard, if any vulnerabilities are identified within the first sample, they must be remediated across all devices within your estate. A second vulnerability scan will then be performed on a new random sample of your devices to confirm this. 

For more information on the new vulnerability testing process, please visit our website Cyber Essentials Plus | Key Sigma.  

An initial vulnerability scan will be carried out on a sample of your devices. If vulnerabilities are identified, these must be remediated across your full device estate, not only on the devices included in the sample.

Remediation must be completed within the 30-day remediation window, in line with the Cyber Essentials Plus requirements.

Once you have confirmed that the vulnerabilities have been addressed across all applicable devices, a second vulnerability scan will be conducted. This will include both the original sample and a new randomly selected sample to confirm estate-wide compliance.

If the second vulnerability scan identifies the same vulnerabilities found during the initial scan, either on the original sample or the new random sample, this indicates that the vulnerabilities have not been remediated across the wider estate. In this situation, Cyber Essentials Plus certification cannot be awarded, and this may also result in the revocation of your Cyber Essentials certificate.

If the second vulnerability scan identifies new vulnerabilities that were not present during the initial scan, Cyber Essentials Plus certification may still be awarded. However, these new vulnerabilities will be noted as advisory comments, and you should remediate them as soon as possible.
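The decision rules above (initial sample, estate-wide remediation within the 30-day window, a second scan over the original plus a new random sample, with a repeated vulnerability meaning no certificate and a new one meaning an advisory) can be checked against your own scanner exports before the assessor does. The script below is an added illustration written for this page; it is not KEYSIGMA, IASME or NCSC tooling. The export shape (device, vuln_id, severity), the placeholder vulnerability IDs and the device names are all constructed.

```python
"""
Classify the outcome of a Cyber Essentials Plus re-scan.

Rules (from the process described above):
  * vulnerabilities found in the initial sample must be fixed across the
    whole estate within the 30-day remediation window;
  * the second scan covers the original sample plus a new random sample;
  * any initial vulnerability seen again => certification cannot be awarded
    (and the Cyber Essentials certificate may be revoked);
  * vulnerabilities that are new in the second scan => advisory only.

Added example, not the certification body's or the scheme's own code.
Record layout and sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

REMEDIATION_WINDOW_DAYS = 30  # 30-day remediation window stated on the page


@dataclass(frozen=True)
class Finding:
    device: str
    vuln_id: str    # scanner's identifier for the issue (placeholder values below)
    severity: str


def classify_rescan(initial, second, initial_date, second_date):
    """Return a dict describing the re-scan outcome.

    initial / second: iterables of Finding from the first and second scans.
    initial_date / second_date: ISO-8601 strings, used for the 30-day check.
    """
    initial_ids = {f.vuln_id for f in initial}
    persisted = defaultdict(set)   # vuln_id -> devices where it is still present
    new = defaultdict(set)         # vuln_id -> devices with an issue not seen before
    for f in second:
        (persisted if f.vuln_id in initial_ids else new)[f.vuln_id].add(f.device)

    elapsed = (date.fromisoformat(second_date) - date.fromisoformat(initial_date)).days
    if elapsed > REMEDIATION_WINDOW_DAYS:
        outcome = "window_exceeded"          # remediation not completed in time
    elif persisted:
        outcome = "fail"                     # not fixed estate-wide: no CE+ certificate
    elif new:
        outcome = "pass_with_advisories"     # certify, but note the new findings
    else:
        outcome = "pass"
    return {
        "outcome": outcome,
        "days_elapsed": elapsed,
        "persisted": {k: sorted(v) for k, v in persisted.items()},
        "advisory": {k: sorted(v) for k, v in new.items()},
    }


# Constructed sample data (not real scan output).
# Initial random sample: LAPTOP-01, LAPTOP-02, SERVER-01.
INITIAL_SCAN = [
    Finding("LAPTOP-01", "vuln-001", "high"),
    Finding("SERVER-01", "vuln-002", "critical"),
]
# Second scan covers the original sample plus new random devices LAPTOP-07, LAPTOP-09.
SECOND_SCAN_CLEAN = [
    Finding("LAPTOP-09", "vuln-003", "medium"),   # new issue: advisory only
]
SECOND_SCAN_PERSISTED = [
    Finding("LAPTOP-07", "vuln-001", "high"),     # original issue on an unsampled device
    Finding("LAPTOP-09", "vuln-003", "medium"),
]

if __name__ == "__main__":
    for label, scan in (("clean", SECOND_SCAN_CLEAN), ("persisted", SECOND_SCAN_PERSISTED)):
        print(label, classify_rescan(INITIAL_SCAN, scan, "2026-05-01", "2026-05-20"))
```

Feed it the device/vulnerability pairs from both scanner exports and treat anything in "persisted" as a blocker: it means the fix applied to the sampled devices was not rolled out to the rest of the estate.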

No. You must demonstrate that multi-factor authentication has been deployed across all of your cloud services.

Need Help?

Schedule a free 30 minute consultation with a KEYSIGMA Cyber Advisor