
What is Cyber Essentials?

The UK government-backed security scheme, in plain English — the five controls it covers, why it matters, and how to check your IT provider actually holds it.

Cyber Essentials is a UK government-backed certification scheme that proves an organisation has the basic technical controls in place to defend against the most common cyber attacks. It is run by the IASME Consortium on behalf of the National Cyber Security Centre (NCSC) — part of GCHQ — and has become the de facto security baseline for credible UK businesses and IT providers.

For a buyer choosing an IT provider, it is one of the simplest and most useful signals there is: an independently certified, verifiable answer to the question “do they actually take security seriously, or do they just say so?”

Where Cyber Essentials comes from

The scheme was launched by the UK government in 2014 to tackle a simple problem: the overwhelming majority of cyber attacks are not sophisticated, targeted operations — they are opportunistic, automated attacks that exploit basic weaknesses. Unpatched software, weak passwords, accounts with too much access and missing malware protection account for the bulk of real-world incidents. Cyber Essentials defines a minimum standard that, if met, stops most of them.

Since 2020 the scheme has been delivered by the IASME Consortium, the NCSC’s sole Cyber Essentials Partner. IASME accredits a network of certification bodies, which in turn assess and certify organisations. So while you certify through a certification body, the standard itself sits firmly within UK government cyber security policy.

The five technical controls

Cyber Essentials is built around five control areas. They sound basic — and that is precisely the point. Get all five right and you close the doors that most attackers walk through.

  1. Firewalls — properly configured boundary and device firewalls to control what can reach your systems from the internet.
  2. Secure configuration — removing default passwords, unnecessary accounts and unused software so systems ship in a hardened state, not an open one.
  3. Security update management — keeping operating systems and software patched, with critical and high-severity updates applied promptly (within 14 days).
  4. User access control — giving people only the access they need, controlling administrator rights, and using multi-factor authentication (MFA) on cloud services.
  5. Malware protection — anti-malware, application allow-listing or sandboxing to stop malicious code running on your devices.

The technical requirements are reviewed and updated periodically to keep pace with how people actually work — recent revisions have tightened expectations around cloud services, multi-factor authentication and home/remote working.

Cyber Essentials vs Cyber Essentials Plus

There are two levels. Cyber Essentials is a verified self-assessment: the organisation answers a structured questionnaire, which is reviewed and certified by an accredited certification body. Cyber Essentials Plus covers exactly the same five controls but adds an independent, hands-on technical audit — an assessor actually tests a sample of your systems to confirm the controls are really in place.

In short: the base level confirms an organisation says it meets the standard; Plus confirms an assessor has checked. We unpack the difference, and which to look for, in our dedicated guide to Cyber Essentials vs Cyber Essentials Plus.

Why it matters when choosing an IT provider

A managed service provider holds the keys to your entire IT estate — administrator access to your email, your cloud platforms, your backups and your network. If their own house is not in order, that weakness becomes yours. Attackers know this, which is why MSPs and their tools are an increasingly popular route into the businesses they serve.

Cyber Essentials gives you an independently certified baseline to expect. A provider that does not hold even the base certification is asking you to take their security entirely on trust. One that holds Cyber Essentials Plus has had that security independently tested. It should not be the only thing you look at — see our guide on ISO 27001 for the next level of maturity — but it is a sensible floor.

Pro tip

Don’t take a logo on a website as proof. A Cyber Essentials certificate shows the certification body, the issue date and a reference number, and can be confirmed against the NCSC list of certified organisations. Certificates expire after twelve months — check the date, not just the badge.

How WhatMSP treats Cyber Essentials

Security and compliance is the most heavily weighted category in our independent out-of-50 scoring methodology. Cyber Essentials and Cyber Essentials Plus both contribute, with Plus recognised as the stronger signal because it has been independently tested. Crucially, we verify the certificate at source against the IASME-issued record and the NCSC list — not a footer logo — so the points are earned, never claimed.


Frequently asked questions

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme, run by the IASME Consortium on behalf of the National Cyber Security Centre (NCSC). It sets out five basic technical controls every organisation should have in place to protect against the most common internet-based cyber attacks, and certifies that an organisation has implemented them.

Is Cyber Essentials mandatory in the UK?

It is not mandatory for most private businesses, but it is required to bid for many UK central government contracts that involve handling personal or sensitive information. Even where it is not required, a growing number of insurers, clients and supply chains now ask for it, so most credible IT providers hold it as a baseline.

What does Cyber Essentials cover?

It covers five technical control areas: firewalls, secure configuration, security update management (patching), user access control, and malware protection. Together these address the great majority of commodity cyber attacks such as phishing-led account takeover, unpatched-software exploitation and malware.

How much does Cyber Essentials cost and how long does it last?

Certification fees for the self-assessed Cyber Essentials are tiered by organisation size and typically start at a few hundred pounds. A certificate lasts twelve months, after which the organisation must re-certify. Cyber Essentials Plus, which adds an independent hands-on audit, costs more.

Why should I choose an IT provider with Cyber Essentials?

Your IT provider holds administrative access to almost everything you own digitally, so their own security is effectively your security. Cyber Essentials is independently certified evidence that they meet a recognised baseline, rather than an unverifiable claim that they "take security seriously". Treat it as the minimum to expect.

How can I verify an IT provider really holds Cyber Essentials?

Ask for the certificate, which shows the certification body, the date and a reference number, and check it against the NCSC list of certified organisations. Do not rely on a logo in a website footer — certificates expire after twelve months and logos are easily left up after they lapse. WhatMSP verifies this at source for every provider on the register.
