Cyber Essentials
UK government-backed cybersecurity certification covering five baseline controls; mandatory for many NHS and central government contracts.
Definition
Cyber Essentials is a UK government-backed cybersecurity certification scheme that demonstrates that a supplier meets baseline cybersecurity standards. Many central government and NHS contracts require Cyber Essentials or Cyber Essentials Plus as a mandatory condition. The scheme is operated by IASME on behalf of the National Cyber Security Centre (NCSC) and covers five technical controls: firewalls, secure configuration, access control, malware protection, and patch management. Certification is annual.
How it works in practice
Cyber Essentials (CE) is a self-assessment with independent verification: the supplier completes a structured questionnaire describing how it implements the five technical controls, an IASME-accredited certification body reviews the responses, and, subject to a pass, the certification body issues the certificate. Cyber Essentials Plus (CE+) adds an external technical assessment, including authenticated vulnerability scans of a sample of user devices and a configuration review of internet-facing services.

CE typically takes a small organisation one to two weeks of preparation plus a few days for the certification body review. CE+ takes longer because of the technical assessment and is usually six to eight weeks end-to-end. Cost ranges from a few hundred pounds for CE on a small estate up to several thousand pounds for CE+ on a larger one. For SMEs the CE+ requirement is the more onerous: it forces an honest look at patch cadence, MFA deployment, and endpoint configuration, all of which many small businesses defer.

Procurement Policy Note 09/14 (now PPN 03/23) mandates CE for many central government contracts handling personal information; the NHS Data Security and Protection Toolkit references CE for similar use cases. Letting the certification lapse during a live contract can be grounds for breach.
Common questions
When is Cyber Essentials mandatory in UK public procurement?
For central government contracts handling personal data or sensitive information at OFFICIAL level, CE is mandated by PPN 03/23 (formerly 09/14). NHS contracts above certain risk levels require CE+. Local government and broader public sector contracts increasingly require CE as a baseline expectation even where not strictly mandated.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
CE is a self-assessment verified by review of your written responses. CE+ adds an independent technical assessment including authenticated vulnerability scans and configuration checks of a sample of devices. CE+ provides higher assurance but takes longer and costs more.
Does Cyber Essentials replace ISO 27001?
No. CE covers a focused set of baseline technical controls; ISO 27001 is a comprehensive information security management system covering policy, governance, risk management, and operations. Buyers often request both: CE for baseline technical hygiene, ISO 27001 for organisational maturity.
