Government-backed cyber certification (IASME / NCSC)
Cyber Essentials
Cyber Essentials is the UK government-backed scheme (delivered by IASME for the NCSC) that proves you have the five core technical controls in place. It is increasingly required to win NHS, local-government and supply-chain contracts.
What you get
- Certified against the five core controls
- Win tenders that require Cyber Essentials
- Free cyber insurance for eligible UK organisations
- A clear path on to Cyber Essentials Plus
Pricing: Request a quote
What Cyber Essentials is
Cyber Essentials is a UK government-backed certification scheme that helps organisations protect themselves against the most common internet-based cyber attacks. It is delivered by IASME on behalf of the National Cyber Security Centre (NCSC). The core scheme is a self-assessment: you answer a structured questionnaire about how your systems are configured, and a certification body reviews your answers against a clear technical standard.
The scheme is deliberately focused. Rather than trying to cover every conceivable threat, it concentrates on five technical controls that, when implemented properly, block the overwhelming majority of routine, opportunistic attacks — the kind that scan the internet looking for unpatched, misconfigured or poorly protected systems. A Cyber Essentials certificate is valid for 12 months, after which you recertify.
The five controls
Cyber Essentials is built around five control areas. Our guide to the five controls explains each in detail, but in summary:
| Control | What it covers |
|---|---|
| Firewalls | Boundary and device firewalls that control traffic in and out of your network. |
| Secure configuration | Removing or changing insecure default settings, unnecessary software and default passwords. |
| User access control | Giving people only the access they need, using unique accounts and protecting administrative privileges. |
| Malware protection | Anti-malware, application allow-listing or sandboxing to stop malicious software running. |
| Security update management | Keeping operating systems and software supported and promptly patched. |
These map onto everyday realities: laptops, desktops, mobile phones and tablets used for work, servers, cloud services and the accounts people log in with.
Who should get certified — and who it suits
Cyber Essentials is suitable for organisations of almost any size, and it is especially valuable for SMEs and care providers who want a credible, affordable baseline without the overhead of a full management system.
You should strongly consider it if:
- You want to reassure clients, commissioners or partners that you take security seriously.
- You are bidding for public-sector or NHS-linked contracts — many now require Cyber Essentials as a condition of tender.
- You handle personal or sensitive data and want a recognised baseline to sit alongside your UK GDPR obligations.
- You complete the DSPT and want to strengthen or evidence its technical assertions.
There is no formal exemption — the scheme is voluntary unless a contract or funder mandates it. But if none of your customers or regulators ask for it, you can weigh the reputational and security benefits against the cost yourself.
Why these five controls matter
It is easy to look at five controls and assume the scheme is trivial, but the design is deliberate and evidence-based. The vast majority of successful attacks on smaller organisations are not sophisticated, targeted operations — they are automated and opportunistic. Attackers scan huge ranges of internet addresses looking for a known weakness: an unpatched server, a default password left unchanged, a device with no malware protection, or an administrator account exposed to the internet. The five controls each close off one of those common routes in.
Think of them as five locked doors. A firewall controls what can reach your systems in the first place. Secure configuration removes the weak default settings that ship with new equipment and software. User access control limits the damage any one compromised account can do, and protects the powerful administrative accounts attackers most want. Malware protection stops malicious software from running even if it lands on a device. Security update management ensures that when a vulnerability is discovered and a fix released, you apply it promptly rather than leaving a known hole open for months. Individually each is simple; together they block the routine attacks that account for most real-world breaches.
How the assessment works
The core scheme is a verified self-assessment:
- Define your scope. Decide what is included — ideally the whole organisation. Scope covers your devices, servers, cloud services and the people who use them. A whole-organisation scope is the most credible and is often what contracts expect.
- Complete the questionnaire. You answer IASME’s question set describing how each of the five controls is implemented across your in-scope systems.
- Submit for assessment. A certification body reviews your answers against the standard.
- Address any queries. If something falls short or is unclear, you will be asked to fix it or clarify before the certificate is issued.
- Receive your certificate. Once your answers meet the standard, you are certified for 12 months.
Because it is self-assessed against a fixed technical bar, honest and accurate answers matter — the certificate reflects what you have genuinely put in place.
Evidence and information involved
You do not upload a large evidence pack for the core scheme, but you must be able to describe accurately:
- The makes and models (or operating systems) of laptops, desktops, servers and mobile devices in scope
- Your firewall and boundary arrangements
- How accounts and administrative privileges are managed
- Your anti-malware approach
- How and how quickly you apply security updates
- The cloud services you use and how they are secured
Pulling together an accurate asset picture is often the most time-consuming part, so it pays to start there.
What certification does and does not prove
It helps to be clear-eyed about what a Cyber Essentials certificate means. It confirms that, at the point of assessment, you had the five controls in place across your declared scope. That is genuinely valuable — it demonstrates a solid baseline and satisfies many contractual requirements. What it does not do is guarantee you will never be breached, or cover every advanced or targeted threat; it is a floor, not a ceiling. Nor does it stay true automatically: because it reflects a moment in time and is valid for twelve months, you need to keep the controls running and recertify each year. Treating certification as the start of good habits rather than a one-off box-tick is what turns the badge into real, lasting protection — and it is why the scheme pairs so naturally with the broader frameworks on this site.
Common mistakes
- Scoping too narrowly. Carving out “difficult” devices can make the certificate look weak and may not satisfy a contract that expects whole-organisation coverage.
- Overlooking cloud services. Cloud accounts and the security settings within them are firmly in scope.
- Unsupported software. Running an operating system or application that no longer receives security updates will fail the update-management control.
- Weak account separation. Everyday users working from administrator accounts, or shared logins, undermine user access control.
- Answering aspirationally. Describing how you intend to work rather than how you actually work.
How it relates to the other standards
Cyber Essentials is a natural foundation that connects to everything else we do:
- Cyber Essentials Plus builds directly on it, adding an independent technical audit that verifies the same five controls.
- It supports and evidences several technical assertions in the DSPT.
- It sits comfortably beneath ISO 27001 and IASME Cyber Assurance as a recognised technical baseline.
- It strengthens the “appropriate technical measures” expected under UK GDPR.
If some of the terminology is unfamiliar, our glossary defines the key terms in plain English.
How 360 Cyber Compliance helps
Cyber Essentials is designed to be accessible, but for a busy care or SME team the questionnaire can still raise awkward questions — is our scope right, are our cloud services covered, will our devices pass? We provide practical support throughout the assessment on a transparent fixed-fee basis, following a clear delivery process from initial scoping to a submitted self-assessment.
We help you build an accurate picture of your systems, interpret each control in the context of how you actually work, identify and prioritise any fixes needed before you submit, and complete the questionnaire clearly and honestly. If you are likely to want the audited version later, we will help you scope now with Cyber Essentials Plus in mind so you are not doubling up.
We do not guarantee a particular result — the certificate depends on your controls genuinely meeting the standard — but we make the process straightforward and give you honest, practical guidance at every step.
A sensible first step for most SMEs
For many care providers and small businesses, Cyber Essentials is the ideal place to begin a compliance journey. It is affordable, it is quick relative to the larger frameworks, and it delivers real security value rather than just a badge. Just as importantly, the work you do to achieve it — building an accurate asset inventory, tidying up user accounts, confirming your patching and backup arrangements — is exactly the groundwork that later feeds into the DSPT, IASME Cyber Assurance or ISO 27001. Getting Cyber Essentials right rarely feels like wasted effort; it usually turns out to be the foundation everything else is built on. Get in touch to talk through where you stand and what certification would involve.
What you'll receive
- A readiness review against the five controls
- Practical remediation guidance for any gaps
- Support completing the assessment questionnaire
- A pre-submission review of your answers
- Guidance on maintaining the controls year-round
On your own vs. with 360 Cyber Compliance
| On your own | With us |
|---|---|
| Interpret the five controls on your own | We translate them into plain actions for your setup |
| Guess whether your configuration passes | We review your answers before submission |
| Risk a failed assessment and re-fee | We fix gaps first to avoid re-work |
A typical timeline
- 1
Week 1
Scoping call and review against the five controls
- 2
Weeks 1–2
Close any gaps — MFA, patching, configuration
- 3
Week 2
Complete and review the assessment questionnaire
- 4
Weeks 2–3
Submit for assessment and address any queries
Indicative only — your timeline depends on your starting point, size and deadline.
Who we help with Cyber Essentials
Learn more about Cyber Essentials
Common reasons Cyber Essentials applications fail
The most frequent reasons Cyber Essentials self-assessments get marked as non-compliant — and practical steps to avoid each one before you submit.
The five Cyber Essentials controls explained
A plain-English guide to the five Cyber Essentials technical controls — firewalls, secure configuration, user access, malware protection and updates.
Cyber Essentials for care providers: a practical guide
Why Cyber Essentials matters for care homes and care providers, how it fits with the DSPT and CQC expectations, and how to work through the five controls.
Cyber Essentials MFA requirements explained
What Cyber Essentials expects for multi-factor authentication on cloud services, where MFA applies, the accepted methods and how to roll it out well.
Cyber Essentials patch management explained
How to meet the security update management control in Cyber Essentials — the 14-day rule, supported software, mobile and firmware updates and routines.
Cyber Essentials secure configuration explained
What secure configuration means under Cyber Essentials — default passwords, unnecessary accounts and software, device hardening and practical steps to comply.
Cyber Essentials across London
We support organisations in these boroughs — and remotely across the rest of the UK.
Why choose us for Cyber Essentials
Care & health specialists
DSPT, CQC expectations and NHS data flows are our day job, not a sideline.
Transparent fixed-fee engagements
A clear scope and price agreed up front — no open-ended day rates.
Remote delivery, UK-wide
Almost everything is done remotely, wherever you are in the country.
Award-winning expertise
Led by a BCS Fellow and NEXT CIO 2025, with 20+ years in IT, cyber security and compliance.
Practical, plain-English support
Clear guidance and templates throughout the assessment — no jargon.
Ongoing support
Annual renewals, surveillance audits and everyday advice after you are certified.
Frequently asked questions
How much does Cyber Essentials cost?
The IASME certification fee depends on organisation size; we quote our fixed support fee up front with no surprises. (Figures confirmed with the client before publishing.)
What's the difference between Cyber Essentials and Plus?
Cyber Essentials is a verified self-assessment; Cyber Essentials Plus adds a hands-on technical audit of your systems.
Can it be done remotely?
Yes — Cyber Essentials is completed remotely.
Do we get cyber insurance?
Eligible UK organisations with a turnover under a set threshold get included cyber liability insurance with certification, provided the whole organisation is in scope.
How long is certification valid?
Certification lasts 12 months, after which you recertify to show the controls are still in place.
Why do assessments fail?
Common reasons include missing multi-factor authentication, unsupported software, default passwords and misconfigured firewalls — all of which we check first.
Get started with Cyber Essentials
Tell us where you are and we’ll come back within one working day with clear, no-obligation next steps.
- Plain-English, jargon-free advice
- Fixed-price quotes — no surprises
- Delivered remotely across the UK