Cyber Essentials 2026: The Complete Certification Guide

21 February 2026

Cyber Essentials remains the UK's most widely adopted cybersecurity certification scheme. Originally launched in 2014 by GCHQ and the NCSC, it has evolved into a foundational standard for businesses across every sector and size. In 2026, understanding Cyber Essentials is essential not just for compliance, but for vendor qualification, insurance pricing, and customer trust.

This guide walks you through the requirements, certification levels, costs, and practical path to achieving and maintaining certification.

What Is Cyber Essentials?

Cyber Essentials is a government-backed, IASME-administered certification scheme that defines five core security controls required to protect organisational IT systems against common cyberattacks:

1. Boundary firewalls and internet gateways

2. Secure configuration of IT infrastructure

3. User access control and privilege management

4. Malware protection and patch management

5. Security monitoring and incident response

The scheme is deliberately simple - not because cybersecurity is simple, but because these five controls prevent the vast majority of attacks that target UK organisations. Cyber Essentials doesn't certify advanced security or compliance with complex frameworks like ISO 27001. Instead, it certifies that you've implemented the hygiene basics.

This focus on fundamentals explains its rapid adoption:

  • Over 20,000 UK organisations hold Cyber Essentials certification
  • It's required by many government procurement contracts
  • Many insurers offer premium discounts for certified organisations
  • Customer due diligence increasingly demands it, even from small suppliers

Cyber Essentials v3.3: What Changed

The most recent version of Cyber Essentials (v3.3, released in 2025) made subtle but important changes to accommodate modern IT environments:

1. Cloud and Hybrid Environments

v3.3 explicitly addresses cloud and hybrid infrastructure. The controls now apply to:

  • Cloud platforms (AWS, Azure, GCP) using the Shared Responsibility Model
  • Hybrid setups where data and systems span on-premises and cloud
  • Software-as-a-Service (SaaS) applications with third-party data storage

Example: If your organisation uses Azure for critical workloads, you're now required to ensure Azure's security group configurations, network segmentation, and identity management meet the same standards as on-premises infrastructure.

2. Privileged Access and Modern Identity

v3.3 emphasises modern identity and access management beyond traditional Windows Active Directory:

  • Multi-factor authentication (MFA) required for all remote access and privileged accounts
  • Passwordless authentication (Windows Hello, FIDO2) explicitly supported
  • Service accounts and API tokens subject to the same access controls as user accounts
  • Regular review and deprovisioning of inactive accounts (at minimum, annual audits)

3. Third-Party and Supply Chain Risk

New language around vendor management:

  • Contracts must require suppliers to maintain compatible security standards
  • Regular security assessments of critical suppliers (annual minimum)
  • Incident notification requirements from suppliers
  • Supply chain mapping for critical dependencies

4. Data Handling and Privacy

v3.3 tightens data handling expectations:

  • Encrypted storage for sensitive data (at rest)
  • Encrypted transmission for sensitive data (in transit, using TLS 1.2 minimum)
  • Documented data classification and handling procedures
  • Clear data retention and destruction policies

Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?

Cyber Essentials comes in two certification levels:

Cyber Essentials (CE)

What it is: A self-assessment certification covering the five controls above.

How it works:

  • You complete a detailed questionnaire covering each control
  • Questions are specific and technical - not vague
  • You submit evidence of implementation (policies, screenshots, logs)
  • Certified assessors review your submission
  • Certification is awarded if you meet the standard

Cost: £500-£1,500 depending on organisation size and assessor choice

Time to certification: 4-8 weeks from application

Renewal: Annual (every 12 months)

Who needs it: Most organisations. CE is suitable if you can accurately self-assess your security posture and are comfortable with the responsibility of ongoing compliance.

Cyber Essentials Plus (CE+)

What it is: CE with an in-depth technical assessment and penetration test.

How it works:

  • You complete the CE questionnaire as above
  • An accredited assessor conducts a technical audit of your systems
  • This includes network scanning, configuration review, and limited penetration testing
  • The assessor interviews key staff (IT manager, network admin)
  • Certification is awarded if you meet the standard and pass the technical assessment

Cost: £2,500-£5,000 depending on organisation size and scope

Time to certification: 6-12 weeks from application

Renewal: Annual

Who needs it: Organisations handling sensitive data, critical infrastructure operators, government suppliers, and those managing complex IT estates. CE+ is increasingly required by large enterprises as part of vendor qualification.

How to Choose

| Factor | CE | CE+ |
|--------|----|-----|
| Budget tight? | ✓ | |
| Simple IT setup? | ✓ | |
| Selling to government? | | ✓ |
| Handling sensitive data? | | ✓ |
| Complex network? | | ✓ |
| Need technical validation? | | ✓ |
| Want cheaper insurance? | ✓ | ✓✓ |

Our recommendation: If you're uncertain, start with CE. It's significantly cheaper and serves most purposes. If you're selling to large enterprises, government, or managing sensitive data, invest in CE+ for the technical validation and deeper compliance assurance.

The Five Controls: Practical Requirements

1. Boundary Firewalls and Internet Gateways

What you need:

  • A perimeter firewall (hardware or cloud-based) filtering inbound/outbound traffic
  • Explicit allow-lists for outbound connections (rather than allow-all with block-lists)
  • VPN or other secure remote access mechanism
  • No direct internet access to internal systems from outside the organisation

Practical implementation:

  • Deploy a firewall appliance (Sophos, Palo Alto, Fortinet) or use cloud-native solutions (AWS Security Groups, Azure NSGs)
  • Configure rules to deny all inbound traffic except explicitly required services
  • Implement VPN for remote workers
  • Use web filtering to block malicious categories

Common mistakes:

  • Overly permissive firewall rules ("allow any to any")
  • VPN credentials stored insecurely
  • No regular firewall rule audits (drift over time)

2. Secure Configuration of IT Infrastructure

What you need:

  • Documented secure configurations for all device types (Windows, macOS, Linux, network switches, firewalls)
  • Deviation from baselines tracked and remediated
  • Unnecessary services and ports disabled
  • Default credentials changed
  • Security updates applied

Practical implementation:

  • Use configuration management tools (Ansible, Puppet, Group Policy)
  • Document baselines in a change management system
  • Implement automated compliance monitoring (Tenable, Qualys)
  • Schedule monthly patch management windows
  • Track deviations and remediate within 30 days

Common mistakes:

  • Configuration drift - baselines exist but aren't enforced
  • Inconsistent patching across the estate
  • Default credentials left on appliances
  • No documentation of "why" configurations exist

3. User Access Control and Privilege Management

What you need:

  • User accounts with minimal required privileges (principle of least privilege)
  • Multi-factor authentication (MFA) for all remote access and all privileged accounts
  • Separate privileged accounts for administrative tasks (not using admin accounts for regular work)
  • Regular review and deprovisioning of unused accounts
  • Documented access control policy

Practical implementation:

  • Implement MFA platform-wide (Microsoft Authenticator, Duo, Okta)
  • Deploy PAM (Privileged Access Management) solution for privileged accounts
  • Use identity governance tools (Okta, Azure AD) to automate provisioning/deprovisioning
  • Conduct quarterly access reviews (who has what and why)
  • Audit privileged account usage logs weekly

Common mistakes:

  • MFA enabled but not enforced - users can skip it
  • Shared credentials or shared admin accounts
  • No regular access reviews (accounts accumulate)
  • Privileged accounts used for regular work

4. Malware Protection and Patch Management

What you need:

  • Antivirus or anti-malware installed on all devices
  • Regular malware scans (scheduled, automated)
  • Patch management process for OS, software, and firmware
  • Vulnerability scanning to identify unpatched systems
  • Clear policy for timely patch deployment

Practical implementation:

  • Deploy endpoint detection and response (EDR) solution (CrowdStrike, Microsoft Defender, Sophos)
  • Schedule automated full scans weekly
  • Implement software update management (Windows Update, third-party update managers)
  • Use vulnerability scanning tools (Nessus, Qualys) monthly
  • Define SLAs: critical patches within 7 days, other patches within 30 days
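The patch SLA above (critical within 7 days, everything else within 30) is easy to state and easy to lose track of across an estate. The following is an added example, not Fig's tooling or anything from the scheme: it applies that SLA to a constructed list of vulnerability-scan findings and reports what is overdue. The `Finding` record, the host names and the CVE identifiers are all constructed placeholders.

```python
"""Patch-SLA checker (added example; not the guide's, Fig's or IASME's own tooling).

Applies the guide's SLA, critical patches within 7 days and all other patches
within 30 days, to a constructed list of vulnerability-scan findings.
"""
from dataclasses import dataclass
from datetime import date

SLA_DAYS = {"critical": 7, "other": 30}  # deadlines as stated in the guide


@dataclass(frozen=True)
class Finding:
    host: str         # constructed host name
    cve: str          # constructed placeholder identifier, not a real CVE
    severity: str     # scanner severity: "critical", "high", "medium", "low"
    first_seen: date  # date the scanner first reported the finding
    patched: bool     # True once a follow-up scan no longer reports it


def sla_days(severity: str) -> int:
    """Critical findings get the 7-day window; every other severity gets 30."""
    return SLA_DAYS["critical"] if severity.lower() == "critical" else SLA_DAYS["other"]


def overdue(findings, today):
    """Return (host, cve, days_over_sla) for unpatched findings past their deadline."""
    breaches = []
    for f in findings:
        if f.patched:
            continue
        age = (today - f.first_seen).days
        over = age - sla_days(f.severity)
        if over > 0:
            breaches.append((f.host, f.cve, over))
    return sorted(breaches, key=lambda b: b[2], reverse=True)  # worst first


# Constructed sample scan output; CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("fileserver01", "CVE-0000-0001", "critical", date(2026, 2, 1), False),
    Finding("fileserver01", "CVE-0000-0002", "high", date(2026, 1, 10), False),
    Finding("laptop-042", "CVE-0000-0003", "medium", date(2026, 2, 10), False),
    Finding("dc01", "CVE-0000-0004", "critical", date(2026, 2, 18), True),
    Finding("dc01", "CVE-0000-0005", "critical", date(2026, 2, 16), False),
]


def demo():
    """Run the check against the sample as of the guide's publication date."""
    return overdue(SAMPLE, date(2026, 2, 21))


if __name__ == "__main__":
    for host, cve, days in demo():
        print(f"{host} {cve} is {days} day(s) past SLA")
```

Feeding real scanner exports into `overdue` needs only a mapping from the scanner's severity field and first-seen date onto `Finding`.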

Common mistakes:

  • Antivirus running but not updated
  • Scanning scheduled but results not reviewed
  • Patching delayed due to "stability concerns" (this is fear, not risk management)
  • Legacy systems excluded from patching

5. Security Monitoring and Incident Response

What you need:

  • Logging enabled on all critical systems
  • Log aggregation into a central repository
  • Monitoring for security-relevant events (failed logins, privilege escalation, etc.)
  • Incident response plan documenting roles and escalation procedures
  • Regular incident response testing

Practical implementation:

  • Deploy a SIEM or centralised logging solution (Splunk, ELK Stack, Azure Sentinel)
  • Enable logging on firewalls, servers, domain controllers, and critical applications
  • Define alerts for high-severity events (multiple failed logins, privilege escalation)
  • Document incident response procedures (who to contact, what to do)
  • Run annual incident response tabletop exercises
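The "multiple failed logins" alert listed above is the kind of rule a SIEM would carry. As an added example (not the guide's, Fig's or any SIEM vendor's rule), the block below parses constructed sshd-style log lines and raises one alert per account that crosses a failure threshold inside a sliding time window; the threshold, window, log format and IP addresses are all assumptions made for the example.

```python
"""Failed-login burst alert (added example; not the guide's or any SIEM's rule).

Alerts when one account accumulates FAIL_THRESHOLD failed logins within WINDOW,
the "multiple failed logins" event the guide says should be alerted on.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # assumed tuning value, not from the guide
WINDOW = timedelta(minutes=10)   # assumed sliding window

# Constructed line format: "<ISO timestamp> <host> sshd: Failed|Accepted password for [invalid user ]<user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(line):
    """Return a dict for an auth line, or None for lines the rule does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsed lines are skipped, never counted as failures
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "ip": m["ip"], "failed": m["result"] == "Failed"}


def failed_login_alerts(lines):
    """Return (user, source_ip, time) once per user the first time the threshold is crossed."""
    recent = defaultdict(deque)  # user -> failure timestamps still inside the window
    alerts, alerted = [], set()
    for raw in lines:
        ev = parse(raw)
        if ev is None or not ev["failed"]:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= FAIL_THRESHOLD and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append((ev["user"], ev["ip"], ev["ts"].isoformat()))
    return alerts


# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    "2026-02-21T09:00:01 vpn-gw sshd: Failed password for admin from 203.0.113.5",
    "2026-02-21T09:00:07 vpn-gw sshd: Failed password for admin from 203.0.113.5",
    "2026-02-21T09:00:30 vpn-gw sshd: Failed password for jsmith from 198.51.100.7",
    "2026-02-21T09:01:02 vpn-gw sshd: Failed password for admin from 203.0.113.5",
    "2026-02-21T09:01:45 vpn-gw sshd: Accepted password for jsmith from 198.51.100.7",
    "2026-02-21T09:02:10 vpn-gw sshd: Failed password for admin from 203.0.113.5",
    "2026-02-21T09:02:55 vpn-gw sshd: Failed password for invalid user root from 203.0.113.5",
    "2026-02-21T09:03:20 vpn-gw sshd: Failed password for admin from 203.0.113.5",
    "2026-02-21T09:04:00 vpn-gw cron: job started",
    "2026-02-21T09:30:00 vpn-gw sshd: Failed password for admin from 203.0.113.5",
]

if __name__ == "__main__":
    for user, ip, when in failed_login_alerts(SAMPLE_LOG):
        print(f"ALERT {when}: {user} exceeded {FAIL_THRESHOLD} failed logins (last from {ip})")
```

The single failure at 09:30 does not re-alert because the earlier failures have aged out of the window, which is the behaviour that keeps this rule from contributing to the alert fatigue mentioned below.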

Common mistakes:

  • Logs collected but never reviewed
  • Alert fatigue - so many alerts that real incidents are missed
  • Incident response plan gathering dust (never tested)
  • No clear ownership for incident response

The Certification Process: Step by Step

Step 1: Self-Assessment (Weeks 1-2)

Complete a detailed questionnaire covering all five controls. This isn't a checkbox exercise - each question has detailed supporting guidance. You'll need technical knowledge or support from your IT team.

Evidence required: policies, screenshots, configurations, audit logs.

Step 2: Find an Assessor (Week 2-3)

IASME maintains a list of accredited Cyber Essentials assessors. For CE, you can work with any accredited assessor. For CE+, you need an assessor accredited to carry out the technical assessment.

Cost varies significantly: small assessors (£500-£1,500 for CE) vs. larger firms (£2,000-£5,000). Get multiple quotes.

Step 3: Submit Your Application (Week 3-4)

Upload your questionnaire and evidence to your chosen assessor's portal. They'll review completeness and may request clarification on specific responses.

Step 4: Assessment Review (Week 4-8)

Assessors review your evidence against the v3.3 standard. If gaps exist, they'll request additional information or evidence. Back-and-forth can extend timelines.

For CE+, a technical assessment is scheduled during this phase.

Step 5: Certification Awarded (Week 8+)

Once approved, you receive your Cyber Essentials certificate (valid 12 months) and can use the Cyber Essentials badge in marketing and procurement documents.

Step 6: Annual Renewal (Month 11-12)

The process repeats annually. Most organisations find renewal faster than initial certification as baselines are already documented.

Costs Breakdown: What to Budget

| Item | Cost Range |
|------|------------|
| CE Assessment | £500-£1,500 |
| CE+ Assessment | £2,500-£5,000 |
| Remediation | £5,000-£50,000+ (depends on current state) |
| Tools (SIEM, EDR, PAM) | £10,000-£100,000+ annually |
| Internal resources | 200-400 hours annually |

Total year-one investment: £20,000-£160,000 depending on starting position and organisation size.

Ongoing annual costs: £5,000-£20,000 (renewals, tool subscriptions, updates).

Getting Started in 2026

1. Self-assess your current posture against the five controls

2. Identify gaps and prioritise remediation

3. Get quotes from 2-3 accredited assessors

4. Plan remediation work in parallel with the assessment process

5. Engage your IT team early - they'll be heavily involved

6. Budget 3-4 months for the full process

7. Plan for renewal 12 months after certification

How Fig Supports Cyber Essentials

Fig Group's platform simplifies Cyber Essentials compliance through:

  • Automated Evidence Collection: Real-time gathering of logs, configurations, and system states required for the five controls
  • Assessment Readiness: Pre-assessment scans to identify gaps before formal assessment
  • Continuous Monitoring: Post-certification monitoring to ensure ongoing compliance
  • Renewal Readiness: Automatic evidence compilation for annual renewal assessments

With Fig, certification is an outcome of continuous security hygiene rather than a point-in-time audit.

The Bottom Line

Cyber Essentials in 2026 is no longer optional for most organisations. It's foundational. If you sell to government, are seeking insurance discounts, or simply want to demonstrate security competence, Cyber Essentials certification is the benchmark.

Start your assessment now. Most organisations can achieve certification within 8-12 weeks with proper planning and support.