Every few weeks a prospect asks us the same question. “Do we actually need Cyber Essentials?” And every few weeks we give the same answer. It depends on who is writing your next cheque.
What Cyber Essentials is, and is not
Cyber Essentials is a government-backed scheme run by the IASME consortium on behalf of the NCSC. It is a set of five technical controls that, done properly, stop most of the commodity attacks that target UK businesses. Firewalls, secure configuration, user access control, malware protection, and patch management.
It is not a comprehensive security framework. It does not replace ISO 27001, it does not cover your incident response, and it will not tell you whether your cloud tenant is configured sensibly. What it does is prove that the basics are in place.
There are two levels. Cyber Essentials is a self-assessment questionnaire, verified by a certifying body. Cyber Essentials Plus adds an external technical audit. Someone from the certifying body actually tests your controls rather than taking your word for it.
Who genuinely needs it
Three groups, in our experience.
The first is anyone bidding for UK government work. Central government contracts above the threshold require Cyber Essentials as a minimum, and a lot of local authorities and NHS trusts now require Plus. If you sell to the public sector, it is not optional.
The second is anyone in a supply chain that has been asked. Large corporates push Cyber Essentials down to suppliers as a way of managing third-party risk without running their own audit. If your largest client asks for it, you are getting certified.
The third is anyone who wants a clear, externally validated baseline. Even if nobody is asking for it, going through Cyber Essentials Plus forces you to patch the things you knew needed patching.
What actually trips people up
Patching. The certification requires critical and high-severity patches within 14 days of release. Most SMBs think they are doing this. Very few are. We find 90-day-old Chrome installs on sales laptops all the time.
Bring-your-own-device. If you let staff access email or SharePoint from personal phones, those phones are in scope. Which means they need a screen lock, they need to be running a supported OS, and they need malware protection. Intune and conditional access solve this cleanly. Nothing else does.
Cloud services. A lot of people think that moving to Microsoft 365 took them out of scope. It did not. The questionnaire is explicit about cloud services being assessed.
How to actually pass
Patch the estate before you start. Run a baseline audit across endpoints and servers, close the gaps, then apply. Get MFA on everything, not just email. Write a short, honest acceptable use policy and make sure staff have actually seen it. Get your BYOD devices enrolled in Intune, or remove their access.
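As an added example (our own illustration, not a tool from the scheme or from the IASME consortium), the following Python script applies the 14-day rule for critical and high patches from the section above, plus the device-level BYOD checks (screen lock, supported OS, malware protection), to a constructed endpoint inventory. Host names, dates, patch names and the record fields are assumptions made for the sample; a real baseline audit would feed this from your RMM or Intune export.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_SLA_DAYS = 14  # Cyber Essentials: critical/high fixes applied within 14 days of release


@dataclass
class Device:
    name: str
    screen_lock: bool
    os_supported: bool
    malware_protection: bool
    # each patch record: (name, severity, released, installed date or None if still missing)
    patches: list = field(default_factory=list)


def assess(device: Device, today: date) -> list[str]:
    """Return the Cyber Essentials gaps for one device (empty list means no findings)."""
    findings = []
    for name, severity, released, installed in device.patches:
        if severity not in ("critical", "high"):
            continue  # the 14-day clock only applies to critical and high severity fixes
        deadline = released + timedelta(days=PATCH_SLA_DAYS)
        if installed is None and today > deadline:
            age = (today - released).days
            findings.append(f"patching: {name} not applied, {age} days since release")
    # Device-level controls apply to personal phones as soon as they touch company data
    if not device.screen_lock:
        findings.append("user access control: no screen lock")
    if not device.os_supported:
        findings.append("secure configuration: unsupported OS")
    if not device.malware_protection:
        findings.append("malware protection: none installed")
    return findings


def assess_estate(devices: list[Device], today: date) -> dict[str, list[str]]:
    return {d.name: assess(d, today) for d in devices}


# Constructed sample inventory: a sales laptop with a stale browser and a personal phone
TODAY = date(2024, 6, 1)
ESTATE = [
    Device("SALES-LT-01", screen_lock=True, os_supported=True, malware_protection=True,
           patches=[("Chrome security update", "high", date(2024, 3, 3), None),
                    ("Office feature pack", "low", date(2024, 5, 1), None)]),
    Device("personal-iphone", screen_lock=False, os_supported=True, malware_protection=True,
           patches=[("iOS update", "critical", date(2024, 5, 25), None)]),
]

if __name__ == "__main__":
    for host, issues in assess_estate(ESTATE, TODAY).items():
        print(host, "PASS" if not issues else issues)
```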
If you want help, we get clients through Cyber Essentials Plus on a fixed fee. We are certified ourselves, yearly, so the checklist is not theoretical.