Government-backed cybersecurity certification scheme that public sector organisations must achieve to demonstrate basic cyber hygiene and qualify for certain contracts.
Cyber Essentials is the UK government's flagship cybersecurity certification scheme, managed by the National Cyber Security Centre (NCSC). It provides a clear framework for organisations to demonstrate they have implemented basic cybersecurity controls to protect against common cyber threats.
Cyber Essentials involves a self-assessment questionnaire covering five key technical controls: secure configuration, boundary firewalls and internet gateways, access control and administrative privilege management, patch management, and malware protection.
Cyber Essentials Plus includes the same assessment plus hands-on vulnerability testing by an independent certification body to verify the controls are properly implemented.
Since October 2014, all central government contracts involving handling of personal information and provision of certain ICT services require suppliers to hold valid Cyber Essentials certification. Many public bodies now mandate this certification in their procurement requirements, particularly for technology contracts.
For suppliers, Cyber Essentials certification demonstrates credible cybersecurity practices and is often a mandatory requirement to bid for public sector contracts. The scheme helps level the playing field by providing a standardised baseline that all suppliers must meet.
For contracting authorities, requiring Cyber Essentials helps ensure suppliers have implemented fundamental cybersecurity measures, reducing the risk of data breaches and cyber incidents that could compromise public services or citizen data.
Certification is valid for 12 months, and costs typically range from £300 to £600 for basic certification, making it accessible for organisations of all sizes.