Blog

Cyber Essentials and Cyber Essentials Plus: The UK Government Baseline

Understanding the UK's mandatory cyber security certification scheme for government suppliers and the controls it requires.

← Back to Blog
Published 1 April 2026 · BCERT Editorial Team · 6 min read

Cyber Essentials is the UK government-backed cyber security certification scheme designed to protect organisations against the most common internet-borne threats. Launched in 2014 and overseen by the National Cyber Security Centre (NCSC), the scheme is built around a core set of five technical controls that, when properly implemented, defend against the vast majority of commodity cyber attacks. Cyber Essentials certification is mandatory for all suppliers bidding for certain UK government contracts — particularly those involving handling of sensitive government information or the provision of technical products and services.

The 5 Technical Controls

The Cyber Essentials scheme is built on five foundational controls:

  1. Firewalls: Boundary firewalls and internet gateways must be configured to block unauthenticated inbound connections. This includes personal firewalls on individual devices.
  2. Secure configuration: Devices and software must be configured securely — default passwords changed, unnecessary services disabled, and only software required for business purposes installed.
  3. User access control: User accounts must have only the access rights they need. Standard user accounts must be used for day-to-day activity; administrative accounts must be used only for administrative tasks.
  4. Malware protection: Devices must have malware protection in place — either anti-malware software or application allow-listing that prevents unapproved software from executing.
  5. Patch management (Security update management): Operating systems and software must be kept up to date. High and critical patches must be applied within 14 days. Software that is no longer receiving security updates must be removed from scope or separated from the internet.

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials is a self-assessment certification. The organisation completes a questionnaire describing how the five controls are implemented across its in-scope devices and infrastructure. An Assurance Service Body (ASB) reviews the answers and certifies if requirements are met. The certificate is valid for 12 months.

Cyber Essentials Plus is a higher assurance version. It starts with the same questionnaire as Cyber Essentials, but is followed by an independent technical audit conducted on-site or remotely by a qualified assessor. The auditor performs vulnerability scans, tests patch currency, attempts to reach out-of-scope systems through in-scope devices, and verifies controls are functioning as described in the questionnaire. CE Plus provides significantly more assurance and is required for some higher-sensitivity government contracts.

UK Public Sector Supply Chain Requirement

Since October 2014, all UK government suppliers handling sensitive personal information or providing certain technical services must hold a current Cyber Essentials certificate as a minimum. The Crown Commercial Service (CCS) and individual government departments include Cyber Essentials (and sometimes CE Plus) as a standard contract requirement. Beyond direct government contracts, many large private sector organisations — particularly in defence, health, and finance — now require Cyber Essentials of their suppliers as part of supply chain security programmes.

The Certification Process

The Cyber Essentials certification process involves:

  • Scoping: Defining the boundary of the certification — typically all devices that can access the internet or receive email. Cloud services may be in or out of scope depending on the service model.
  • Self-assessment questionnaire: Completing the online questionnaire through the IASME Consortium portal (the body that manages the scheme on behalf of NCSC).
  • Review and certification: An ASB reviews the responses. For CE Plus, this is followed by technical verification.
  • Annual renewal: Certificates must be renewed annually to remain current.

Ready to get certified?

Visit bcert.uk or contact us at info@bcert.uk to start your Cyber Essentials certification.

Apply for Certification →