// Certification

CYBER
ESSENTIALS

The UK Government-backed certification that demonstrates your business has the essential cyber security controls in place. Guided support throughout. Remote. Jargon-free. Need the independently audited level? Explore Cyber Essentials Plus →

5
Core Security Controls
1yr
Certificate Validity
100%
Remote Assessment
IASME Approved Body

Up to 80% of common cyber attacks are mitigated by the five CE controls (NCSC)

Mandatory for UK Government contracts involving personal data or sensitive technical services

🔐

Free cyber insurance up to £25,000 included for eligible UK organisations - automatically with certification

UK office environment - Cyber Essentials certification support for businesses by Vincent Cyber Defence
// What Is It

WHAT IS CYBER ESSENTIALS?

Cyber Essentials is a UK Government-backed cyber security certification scheme, developed by the NCSC, that helps organisations demonstrate they have essential protections in place against the most common cyber threats.

Certification is increasingly required for UK Government contracts - any contract involving the handling of personal data or certain technical products and services will require it. It also provides a strong signal of trust to clients, partners, and the supply chain.

As an IASME Approved Certification Body, Vincent Cyber Defence can assess and certify your organisation directly, with a focus on getting you through first time.

Who Needs It?

  • Businesses tendering for UK Government contracts
  • Organisations in regulated supply chains
  • SMEs wanting to demonstrate cyber maturity to clients
  • Any business handling personal or sensitive data

Some contracts - particularly in the MOD supply chain and enterprise sector - require Cyber Essentials Plus, which adds an independent technical audit on top of the self-assessment. Find out if you need CE Plus → or compare CE and CE Plus →

THE 5 CONTROLS

Cyber Essentials focuses on five technical controls that protect against the vast majority of common cyber attacks. Under the current v3.3 (Danzell) standard, all controls apply across every in-scope system - including cloud services. Platforms such as Microsoft 365 and Google Workspace cannot be excluded from scope if used for business purposes.

  • 🔥

    FIREWALLS

    Boundary firewalls and internet gateways to control network traffic.

  • ⚙️

    SECURE CONFIGURATION

    Ensuring systems are configured securely and unnecessary features disabled.

  • 👤

    ACCESS CONTROL

    User accounts managed and limited to what's needed for the role.

  • 🔐

    MALWARE PROTECTION

    Protecting against viruses and other malicious software.

  • 🔄

    SECURITY UPDATE MANAGEMENT

    Keeping devices and software up to date with the latest security updates within 14 days of release.

// The Process

HOW WE CERTIFY YOU

Our streamlined process is designed to get you certified quickly, accurately, and first time.

1

SCOPE

We help you define what's in and out of scope for your Cyber Essentials assessment - your devices, software, and cloud services - so you know exactly what needs to be covered.

2

REVIEW

We review your current security controls against the five Cyber Essentials requirements and identify any gaps to address before you submit - so there are no surprises.

3

SUBMIT

We walk you through each question and check your responses before you submit. The self-assessment declaration is completed and signed by you - keeping your certification accurate and defensible.

4

ASSESSED & CERTIFIED

We formally assess your submission as your Certification Body and verify your technical controls meet the five requirements. Once confirmed, your IASME certificate is issued and listed on the public register.

// Next Level

Need independent verification? Cyber Essentials Plus adds a technical audit by our IASME-approved assessors - confirming your controls are working, not just documented.

Explore CE Plus →
// Transparent Pricing

HOW MUCH DOES CYBER ESSENTIALS COST?

All prices are fixed and include the IASME certification fee. No add-ons, no middlemen, no surprises.

Organisation SizeEmployeesPrice + VAT
Micro1–9 employees£320
Small10–49 employees£440
Medium50–249 employees£500
Large250+ employees£600

🛡️ FREE CYBER LIABILITY INSURANCE - UP TO £25,000

UK organisations with annual turnover under £20m automatically receive free cyber liability insurance up to £25,000 with their Cyber Essentials certificate. No extra cost, no separate application - included as standard for whole-organisation scope.

// Free Resource

NOT SURE IF YOU'RE READY?

Use our free Cyber Essentials readiness checklist to see exactly where you stand against all five controls - before you commit to certification.

Get Free Checklist →
// FAQ

COMMON QUESTIONS

// General & Pricing

Pricing is based on your organisation's size. All prices are fixed and exclude VAT:

SizeEmployeesPrice + VAT
Micro1–9£320
Small10–49£440
Medium50–249£500
Large250+£600

These fees are set by IASME and are consistent across all Approved Certification Bodies. Build Your Quote →

Your certification fee covers the IASME assessment fee, your verified certificate, and listing on the IASME public register of certified organisations. Our service also includes a pre-assessment gap review and guided questionnaire support throughout - at no extra cost. We explain each requirement and review your draft responses; you complete and sign the self-assessment declaration yourself. There are no hidden charges.
Cyber Essentials is mandatory for all UK Government contracts that involve handling personal data or the supply of certain technical products and services. This includes contracts with central government departments, the NHS, and MOD-related supply chains in many cases. Even where it is not contractually required, certification is increasingly expected by commercial clients and insurance providers, and provides important protections against the most common cyber attacks.
We don't offer a monetary guarantee, but our process is specifically designed around first-time pass. Before you submit, we conduct a thorough pre-assessment review to identify and resolve any gaps. Our team supports you through every question in the questionnaire to ensure your answers are accurate and compliant. The majority of our clients achieve certification on their first attempt as a result.
// The Certification Process
The time from starting the process to receiving your certificate depends on your current readiness. If your controls are largely in place, certification can be completed within a few days. If there are gaps to address, it typically takes one to three weeks. We work to your timeline and can support urgent certification for tender deadlines.
Once your Cyber Essentials assessment application is opened, you have up to six months to complete and pass it. This window gives you time to implement any required controls before submission, rather than having to be fully ready on day one. However, your certificate validity date runs from the date of certification - so the sooner you submit, the longer your certificate is active. We recommend not delaying unnecessarily.

Note: If you are proceeding to Cyber Essentials Plus, a separate and shorter window applies - you have 90 days (3 months) from your CE basic certification date to complete and pass CE Plus. If CE Plus is not passed within 90 days, you will need to re-certify at CE basic level before restarting the Plus process, which incurs an additional cost. Learn more about CE Plus →
If your submission does not meet the requirements, you will receive detailed feedback explaining exactly which controls were not satisfied and why. You then have the opportunity to address those issues and resubmit within your assessment window - there is no additional fee for resubmission. Our team will help you understand the feedback and make the necessary changes as quickly as possible.
Feedback is specific and actionable. You will be told which questions were answered incorrectly or incompletely, which controls were not met, and what the requirement is. This is not a vague pass or fail - it is a detailed report that tells you exactly what to fix. Our team will translate this into practical steps and help you remediate efficiently.
Cyber Essentials certificates are valid for 12 months from the date of certification. Annual renewal is required to maintain certified status, which is important for ongoing government contracts and supply chain requirements. We can help you manage your renewal cycle to avoid any gaps in certification.
// Requirements & Compliance
The official document is called the Cyber Essentials Requirements for IT Infrastructure and is published by IASME on their website (iasme.co.uk). The current version reflects the Danzell (v3.3) update introduced in April 2026, which includes new auto-fail rules for MFA on cloud services and updated patching requirements. We always assess against the current version and will make sure you understand what applies to your organisation.
Cyber Essentials (basic) is a self-assessed certification - you complete a questionnaire about your security controls, which is reviewed and verified by your Certification Body. Cyber Essentials Plus includes everything in the basic level, plus an independent technical audit where an assessor actively tests your systems to verify the controls are working as described. Plus provides a higher level of assurance and is required for some government and MOD contracts. Learn more about CE Plus →
The CE Plus audit is a hands-on technical assessment conducted by our team. It includes: external vulnerability scanning of your internet-facing systems, internal vulnerability scanning of a sample of in-scope devices, checks on email and web browser configuration, and verification that security controls such as patching, malware protection, and access control are correctly implemented - not just documented. The audit is conducted remotely and typically takes a few hours depending on scope. See the full CE Plus audit process →
Yes - Cyber Essentials is recognised as a foundation for several other frameworks. It is a mandatory prerequisite for Defence Cyber Certification (DCC) Level 0, which is assessed against Def Stan 05-138 for MOD supply chain organisations. It also aligns with elements of ISO 27001, the DSPT (Data Security and Protection Toolkit), and various supply chain assurance programmes. Many organisations use CE as the first step in a broader cyber security improvement journey - often following it with Cyber Essentials Plus before progressing toward ISO 27001, where independently verified controls provide a strong starting point.
Certain issues automatically result in a failed assessment, regardless of other controls being in place. These include: use of unsupported or end-of-life software within scope, failure to apply high or critical security updates within 14 days of release, internet-facing services with known exploitable vulnerabilities, and - from the Danzell (v3.3) update - failure to enforce MFA on all cloud services accessible from the internet. A further key Danzell rule: broad cloud platforms such as Microsoft 365 or Google Workspace cannot be excluded to artificially narrow your assessment scope. If your organisation uses them for business purposes, they are in scope. Our pre-assessment review is specifically designed to identify these issues before you submit, so they can be resolved in advance.
// Procurement & Support
Cyber Essentials is mandatory for all UK central government contracts that involve handling personal data or the provision of certain ICT products and services. This requirement is set by the Cabinet Office and applies across government departments. Many NHS organisations, local authorities, and MOD supply chain contracts also mandate it, either directly or through contractual flow-down. If your contract tender mentions cyber security requirements, Cyber Essentials is almost always the minimum expected standard.
Our team is available throughout your assessment to answer any questions in plain English - no jargon. Whether you are unsure how a question applies to your environment, need help understanding a technical requirement, or want to check whether something falls within scope, just get in touch. We believe assessors should be helpful and approachable, not a barrier to certification.
Yes, in two important ways. First, all UK organisations that achieve Cyber Essentials certification through an IASME Approved Body are automatically eligible for free cyber insurance up to £25,000 - this is included as part of the IASME scheme at no additional cost. Second, many commercial cyber insurers offer reduced premiums or improved policy terms for CE-certified organisations, as certification demonstrates that baseline security controls are in place. It is worth informing your broker of your certification status.
// Client Reviews

WHAT OUR CLIENTS SAY

★★★★★
"The Cyber Essentials process was simple, quick and well explained. We achieved a first-time pass without unnecessary stress - couldn't recommend them more."

- SME DIRECTOR / West Midlands

★★★★★
"Straightforward from start to finish. Every question was answered clearly, and we passed first time. Great service for a small business."

- MANAGING DIRECTOR / UK Technology Company

★★★★★
"We needed certification quickly for a government tender deadline. Vincent Cyber Defence turned it around efficiently and we met our deadline with time to spare."

- OPERATIONS MANAGER / Professional Services

Client names are withheld in line with confidentiality requirements; character references are available upon request.

READY TO GET CERTIFIED?

Talk to our UK-based team. Clear, jargon-free guidance with expert support at every step.

// Blog & Guides

LATEST INSIGHTS

View All Articles →
// Get In Touch

GET CERTIFIED TODAY

Fill in the form and we'll be in touch shortly. No jargon, no hard sell.