Cybersecurity Essentials: A Practical Guide to Cyber Essentials Certification in 2026
Key Takeaways
- Cyber Essentials is the UK government-backed cyber security baseline, launched in 2014 and overseen by the National Cyber Security Centre (NCSC) with IASME.
- Cyber Essentials certification helps protect against common online threats, including phishing attacks, malware, ransomware, and exposed remote access.
- There are two certification levels: Cyber Essentials and Cyber Essentials Plus, both based on the same five technical controls.
- April 2026 changes tightened Cyber Essentials requirements around cloud services, multi-factor authentication, patching, and testing devices.
- Regular vulnerability scanning and practical support from Forge Secure can greatly improve your chance of achieving and renewing certification.
What Is the Cyber Essentials Scheme and Why Is It Important?
The Cyber Essentials scheme is the UK government’s flagship baseline standard for cyber resilience, launched in June 2014 and overseen by the National Cyber Security Centre and IASME. It is an industry-supported scheme and the minimum standard of cyber security recommended by the UK government for organisations of all sizes.
Cyber Essentials is designed to block the vast majority of common online threats, including fake Microsoft 365 logins used for credential theft, drive-by malicious software from compromised websites, and exploitation of unpatched VPNs. Certification can reduce cyber risk by protecting against around 80-85% of known cyber attacks, including phishing and malware.
This makes Cyber Essentials important for business reputation, supply chain security, and trust. Certified organisations are often perceived as more reliable and responsible, which strengthens relationships with clients and partners. It can also create a competitive advantage in the private sector because it proves to stakeholders that an organisation takes security seriously.
Certification is mandatory for many government contracts, including work with central departments, local authorities, and MOD supply chains involving sensitive data. It is also useful when handling financial or personal data, applying for cyber liability insurance, or discussing free cyber insurance options linked to Cyber Essentials certificates. Certification lasts 12 months, after which organisations must complete a new assessment and recertify annually.
Cyber Essentials Certification Levels: Cyber Essentials vs Cyber Essentials Plus

There are two certification levels: Cyber Essentials and Cyber Essentials Plus. Both use the same technical requirements and Cyber Essentials controls, but they differ in how evidence is checked.
Cyber Essentials is a verified self-assessment based on an online self-assessment questionnaire. A senior person confirms the answers before a qualified assessor reviews the submission. Cyber Essentials Plus adds independent technical testing, including vulnerability scans and security tests on user devices, internet gateways, and cloud services.
Organisations must hold a valid Cyber Essentials certificate before progressing to Cyber Essentials Plus. To achieve Cyber Essentials Plus certification, organisations must complete and pass the practical security tests within three months of achieving Cyber Essentials. Certification bodies, such as Forge Secure, licensed by IASME, carry out assessments and issue the certificate once requirements are met.
Cyber Essentials Plus not only helps to secure your business, but is often requested by larger customers, regulated sectors, insurers, and higher-risk supply chains because it proves security controls work in practice.
Cyber Essentials (Verified Self-Assessment)
Cyber Essentials starts with defining your scope of networks and devices, then completing the self-assessment questionnaire across five control areas:
- Firewalls
- Secure Configuration
- Access Control
- Malware Protection
- Security Update Management
A director, partner, or equivalent senior person must confirm the accuracy of the answers before submission to the certification body. Most small businesses can complete the questionnaire in a few days if they already have an inventory of devices, cloud services, internet gateways, and IT infrastructure.
Typical certification costs for Cyber Essentials start at £320 + VAT for micro-organisations with fewer than 10 employees and increase by size, reaching up to £600 + VAT for large organisations with 250 or more employees. Forge Secure can provide tailored quotes.
Cyber Essentials Plus (Independent Technical Audit)
Cyber Essentials Plus requires all basic technical controls to be in place, then adds a technical audit by an accredited assessor. This includes internal and external vulnerability scanning, a technical assessment of gateways and servers, testing anti-malware tools on end-user devices, and checking access controls and MFA on cloud services.
Cyber Essentials Plus costs more than the basic level. The costs can vary significantly, depending on the network, locations, number of devices, and scope of the verification audit, with costs starting at approximately £1,500 + VAT for micro-organisations and around £3,500 + VAT for large organisations.
This level provides stronger technical validation for boards, insurers, and key clients, especially where organisations handle personal data, financial information, or government classified data.
Core Cyber Security Controls Required for Cyber Essentials
Cyber Essentials outlines five key technical controls to help organisations mitigate common cyber threats: firewalls, secure configuration, access control, malware protection, and security update management. These controls apply to both on-premises systems and cloud services in scope.
Firewalls and Secure Network Configuration
Organisations must use properly configured firewalls or equivalent gateway devices on all internet connections, including home routers used for remote work, where in scope. Firewalls should block unauthorised access from outside the organisation’s network, ensuring that only necessary ports and services are open.
That means changing default passwords, closing unnecessary accounts and ports, and restricting inbound traffic. Network segmentation and secure Wi-Fi settings such as WPA2/WPA3, strong keys, and no default SSIDs are expected good practice.
For example, Remote Desktop and other unnecessary services exposed to the internet are among the most common attack routes for ransomware; secure firewall rules block that access and protect your network.
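The following is an added example, not code from the page or from Forge Secure, of the kind of inbound rule review the firewall control calls for. It flags any allow rule whose source is the whole internet (or a broad, non-private prefix) and whose destination is a management service such as Remote Desktop, or a port the organisation has not declared public. The rule export format, the port lists, the "broad prefix" threshold and the IPv4-only assumption are all mine.

```python
"""Inbound firewall rule review (added example, not Forge Secure's code).

Flags rules in a constructed export that expose services to the whole internet,
using Remote Desktop as the page's own example of a ransomware entry point. The
rule format, port lists and "broad prefix" threshold are assumptions (IPv4 only).
"""
import csv
import ipaddress
from io import StringIO

# Management services that should never be reachable from the open internet (assumed).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp"}
# Ports this organisation has decided are legitimately public (assumed).
PUBLIC_PORTS = {80, 443}
# A non-private source block at least this broad is treated as "the internet".
BROAD_PREFIX = 8
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule export (name,action,source,dest_port); "any" means no restriction.
RULES = """name,action,source,dest_port
allow-web,allow,any,443
allow-rdp-any,allow,0.0.0.0/0,3389
allow-rdp-vpn,allow,10.8.0.0/24,3389
allow-smb-broad,allow,100.0.0.0/6,445
allow-app-any,allow,any,8443
deny-all,deny,any,any
"""

def is_internet_source(source):
    """True if the source is 'any' or a non-private prefix broad enough to be the internet."""
    if source.strip().lower() in {"any", "*"}:
        return True
    net = ipaddress.ip_network(source, strict=False)
    if any(net.subnet_of(private) for private in PRIVATE_NETS):
        return False
    return net.prefixlen <= BROAD_PREFIX

def review_inbound_rules(text):
    """Return (rule name, finding) pairs for allow rules reachable from the internet."""
    findings = []
    for row in csv.DictReader(StringIO(text)):
        if row["action"] != "allow" or not is_internet_source(row["source"]):
            continue
        if row["dest_port"] == "any":
            findings.append((row["name"], "all ports open to the internet"))
            continue
        port = int(row["dest_port"])
        if port in MANAGEMENT_PORTS:
            findings.append((row["name"], f"{MANAGEMENT_PORTS[port]} exposed to the internet"))
        elif port not in PUBLIC_PORTS:
            findings.append((row["name"], f"port {port} open to the internet; confirm it is needed"))
    return findings
```

Running `review_inbound_rules(RULES)` on the constructed export reports the open RDP rule, the SMB rule allowed from a /6, and the undeclared port 8443, while the RDP rule restricted to the VPN subnet passes.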
Secure Configuration of Devices and Systems
Secure Configuration means hardening laptops, servers, mobiles, operating systems, and cloud services by removing unnecessary software, disabling unused services, and enforcing strong authentication. Default admin accounts and passwords on routers, firewalls, and business applications must be changed before certification.
An asset inventory is essential for every business, because organisations cannot protect devices they do not know exist. It also supports confidentiality: sensitive data is accessed only by authorised individuals, enforced through strong passwords, encryption, and multi-factor authentication.
Access Control and User Management
Access Control means managing who has access to what. Cyber Essentials expects unique user accounts, strong passwords, formal approval for new accounts, prompt removal of leavers, and the principle of Least Privilege, which restricts access to systems and data to only what is necessary for a user to perform their job.
Admin accounts must be separate from everyday accounts. Multi-Factor Authentication (MFA) adds a second verification step to enhance security, so stolen passwords alone should not be enough to access Microsoft 365, Google Workspace, or major cloud platforms.
Malware Protection
Cyber Essentials requires effective malware protection on in-scope user devices, servers, and relevant cloud workloads. Malware protection involves using threat detection tools to identify and neutralize cyber threats, including sandboxing to isolate malicious code during attacks.
Modern controls include centrally managed anti-malware, application allowlisting, web filtering, and automatic scanning of downloads and attachments. These controls reduce risk from commodity ransomware, banking trojans, phishing emails, and malicious browser plug-ins.
Security Update Management (Patching)
Security Update Management means keeping operating systems, applications, and network device firmware up to date. Regular software updates patch known vulnerabilities and are essential for maintaining security.
Cyber Essentials requires high-risk vulnerabilities, such as those with a Common Vulnerability Scoring System (CVSS) score of 7.0 or above, to be patched within 14 days. Unsupported operating systems or legacy apps must be upgraded, isolated, or removed.
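The following is an added example, not code from the page or from Forge Secure, of a check that applies the 14-day rule above to a vulnerability-scan export: every finding with a CVSS score of 7.0 or higher must be patched within 14 days of the fix being released, and open findings whose deadline has passed count as breaches too. The export format and the CVE identifiers are constructed placeholders.

```python
"""14-day patch window check (added example, not Forge Secure's code).

Reads a constructed vulnerability-scan export and reports findings that breach
the rule above: CVSS 7.0 or higher must be patched within 14 days of the fix
being released. Export format and CVE ids are placeholders, not real advisories.
"""
import csv
from datetime import date, timedelta
from io import StringIO

SLA_DAYS = 14          # update window stated in the text
HIGH_RISK_CVSS = 7.0   # threshold stated in the text

# Constructed scan export; an empty 'patched' column means the finding is still open.
SCAN_EXPORT = """host,cve,cvss,fix_released,patched
fileserver01,CVE-0000-0001,9.8,2026-04-01,2026-04-10
laptop-023,CVE-0000-0002,7.5,2026-04-01,2026-04-20
router-hq,CVE-0000-0003,8.1,2026-04-03,
laptop-041,CVE-0000-0004,5.3,2026-03-20,
cloud-vm-07,CVE-0000-0005,7.0,2026-04-12,
"""

def parse_export(text):
    """Parse the CSV export into dicts with real dates and a float CVSS score."""
    findings = []
    for row in csv.DictReader(StringIO(text)):
        findings.append({
            "host": row["host"],
            "cve": row["cve"],
            "cvss": float(row["cvss"]),
            "fix_released": date.fromisoformat(row["fix_released"]),
            "patched": date.fromisoformat(row["patched"]) if row["patched"] else None,
        })
    return findings

def sla_breaches(findings, as_of):
    """Return (host, cve, deadline, status) for high-risk findings outside the window.

    'late' = patched after the deadline; 'open' = unpatched with the deadline already
    passed on the ISO date as_of. Open findings still inside the window are not breaches.
    """
    today = date.fromisoformat(as_of)
    breaches = []
    for f in findings:
        if f["cvss"] < HIGH_RISK_CVSS:
            continue  # below the high-risk threshold; normal patch cadence applies
        deadline = f["fix_released"] + timedelta(days=SLA_DAYS)
        if f["patched"] is None and today > deadline:
            breaches.append((f["host"], f["cve"], deadline.isoformat(), "open"))
        elif f["patched"] is not None and f["patched"] > deadline:
            breaches.append((f["host"], f["cve"], deadline.isoformat(), "late"))
    return breaches

if __name__ == "__main__":
    for host, cve, deadline, status in sla_breaches(parse_export(SCAN_EXPORT), "2026-04-20"):
        print(f"{host} {cve} deadline {deadline}: {status}")
```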
Recent Changes to the Cyber Essentials Standard (April 2026)

Cyber Essentials has evolved significantly, with major changes in April 2026 designed to address cloud adoption, remote work, and more advanced threats. The current version, named Danzell, places greater emphasis on cloud services, MFA, BYOD, and patching across the whole organisation: for Cyber Essentials Plus, security tests are run across multiple sample devices, with further samples tested where vulnerabilities are identified in the initial sample.
Older guidance may no longer be enough to pass. Regular checks throughout the year help maintain Cyber Essentials requirements and prevent issues from being discovered only during the certification process.
Updated Marking Criteria for Cyber Essentials
Stricter marking criteria for the verified self-assessment questionnaire have been implemented, which means that non-compliance in additional sections now results in an automatic failure.
Where sections of the questionnaire review your software and patching policies, any deviation from the 14-day update timeframe will lead to an automatic failure.
Additionally, MFA must be applied on any in-scope cloud service that offers it, even where it is only available as a paid-for subscription tier or an optional extra.
Scope Definition for Cyber Essentials Plus
The updated certification process includes stricter guidelines on scope, which is defined in the self-assessment questionnaire.
When progressing to Cyber Essentials Plus, the scope defined in the questionnaire must remain unchanged for the practical tests. Adjustments to the scope definition are no longer allowed under the scheme’s updated terms and conditions.
Cloud Services and Remote Working
All in-scope SaaS, PaaS, and IaaS platforms, including Microsoft 365, Azure, AWS, and Google Workspace, must meet Cyber Essentials controls. MFA, secure configuration, and locked-down admin interfaces are now central requirements.
Remote working devices used at home are in scope if they access organisational data, making secure VPNs, encryption, software firewalls, and patching essential. A hybrid workforce using cloud email and storage could fail if cloud admin accounts lack MFA or if security permissions are misconfigured.
MFA, Password Policies, and Admin Accounts
The updated standard expects MFA on all cloud accounts where available and treats the absence of MFA on cloud services, where it can be enabled, as an automatic failure. Password guidance now favours longer unique passphrases, MFA, and blocking common passwords over frequent forced resets.
Admin accounts must be separate, used only for admin work, and tightly controlled. Many organisations will need to reconfigure identity providers and SSO before assessment.
Firmware, BYOD, and Third-Party Devices
Firmware on firewalls, routers, and other network appliances is part of security update management under Cyber Essentials. BYOD and third-party managed devices are also in scope when they access organisational systems, including email, requiring policies, MDM, or containerisation.
Certification bodies now ask more detailed questions about asset management, including mobiles, tablets, and smart endpoints. Hidden areas like router firmware and personal mobiles can influence pass/fail outcomes.
Cyber Essentials Plus Sample Testing
Changes to the testing process for Cyber Essentials Plus have been implemented to ensure that security patches are being applied across your organisation as a whole.
When conducting the assessment, a random selection of your devices is chosen by the assessor for testing. If any of these devices highlight issues that need to be addressed, your organisation is provided with a short timeframe to resolve these issues.
When conducting a reassessment, the assessor will check that the original issues on the highlighted devices have been resolved, and will also select a second random sample of devices and repeat each of the tests on the new selection.
This updated process is designed to ensure that patching and security updates are applied across your organisation as a whole, rather than only addressing individual devices.
Preparing for Cyber Essentials: Requirements and Practical Steps
Preparation should move from defining your scope, to conducting a gap analysis, to remediating security weaknesses, and finally conducting the assessment. High-level requirements include a defined scope, maintaining an asset inventory, implementing the five technical controls, preparing documented policies, and executive sponsorship.
Defining Scope and Understanding Your Environment
Decide whether certification covers the whole estate or a defined subset, such as one office. Include internet gateways, business-critical systems, cloud tenants, and user devices that process organisational data.
Clear lists of locations, networks, and cloud tenants speed up discussions with certification bodies and help to reduce rework. Poor scoping is a common cause of delays in both Cyber Essentials and Cyber Essentials Plus.
Documenting Policies and Responsibilities
Cyber Essentials is a technical assessment, but it still requires basic documentation for patching, access control, remote work, and cloud services. Assign a Cyber Essentials owner, supported by IT, HR, and management.
Short, practical policies beat long documents nobody reads. Senior management should be involved early because approval is needed for the verified self-assessment declaration.
Using Vulnerability Scanning and Internal Reviews
Regular vulnerability scanning across internal and external systems is one of the best ways to find gaps before a Plus audit. Scanning should cover internet-facing services, VPNs, and key servers to highlight missing patches and misconfigurations.
Even for basic certification, scans reduce the risk of incorrect questionnaire answers. Forge Secure can manage scans, interpret results, and provide practical support before your technical audit.
How Ongoing Security Practices Improve Your Chances of Certification
Cyber Essentials is easier when cybersecurity is part of daily operations rather than a once-a-year project. Defense in Depth employs multiple overlapping security measures to protect against breaches, reducing risk if one layer fails. Zero Trust architecture operates on the principle of “never trust, always verify,” requiring continuous verification of all users and devices.
Training employees on social engineering tactics like phishing is essential for a security-first culture. Phishing awareness includes verifying senders before clicking links or downloading attachments. An incident response plan outlines step-by-step procedures for breach containment and is crucial for effective cybersecurity management.
Regular Vulnerability Scanning and Patch Management
Run at least quarterly scans, and monthly or continuous scans for critical internet-facing systems. Centrally managed tools such as Intune, WSUS, or RMM platforms should prioritise security updates and generate simple reports.
A consistent patching process will help prepare your organisation for assessment, especially for Cyber Essentials Plus. Forge Secure can provide managed scanning and remediation guidance to close critical vulnerabilities before assessment.
Access Reviews, Logging, and User Awareness

Quarterly access reviews remove dormant accounts, reduce unnecessary admin rights, and confirm MFA coverage. Basic logging from cloud services and firewalls helps detect suspicious activity and allows proactive action to be taken with any suspected compromise.
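The following is an added example, not code from the page or from Forge Secure, of a quarterly access review run over an identity-provider export. It covers the three points above (dormant accounts, MFA coverage, and unnecessary admin rights) and also applies the rule from the MFA, Password Policies, and Admin Accounts section that admin accounts must be separate from everyday accounts. The export fields, role names, the 90-day dormancy threshold and the use of a mailbox as the sign of day-to-day use are all assumptions.

```python
"""Quarterly access review (added example, not Forge Secure's code).

Checks a constructed identity-provider export for dormant accounts, accounts
without MFA (an automatic failure on cloud services that offer it), and admin
accounts that are also used for daily work. Export fields, role names and the
90-day dormancy threshold are assumptions.
"""
import csv
from datetime import date, timedelta
from io import StringIO

DORMANT_DAYS = 90                        # assumed review threshold
ADMIN_ROLES = {"global_admin", "admin"}  # assumed privileged role names

# Constructed export; has_mailbox stands in for "this account is used for daily work".
USER_EXPORT = """user,roles,mfa_enrolled,last_signin,has_mailbox
alice@example.test,user,yes,2026-04-18,yes
bob@example.test,user,no,2026-04-19,yes
carol-admin@example.test,global_admin,yes,2026-04-15,no
dave@example.test,global_admin;user,yes,2026-04-19,yes
erin@example.test,user,yes,2025-12-01,yes
svc-backup@example.test,user,no,2026-01-02,no
"""

def review_access(text, as_of):
    """Return (user, issue) pairs; issues are dormant, no_mfa and admin_daily_use."""
    today = date.fromisoformat(as_of)
    findings = []
    for row in csv.DictReader(StringIO(text)):
        user = row["user"]
        roles = set(row["roles"].split(";"))
        last_signin = date.fromisoformat(row["last_signin"])
        if today - last_signin > timedelta(days=DORMANT_DAYS):
            findings.append((user, "dormant"))
        if row["mfa_enrolled"] != "yes":
            findings.append((user, "no_mfa"))
        # Admin rights on an account that also has a mailbox: not a separate admin account.
        if roles & ADMIN_ROLES and row["has_mailbox"] == "yes":
            findings.append((user, "admin_daily_use"))
    return findings

def mfa_coverage(text):
    """Fraction of accounts with MFA enrolled; certification expects this to be 1.0."""
    rows = list(csv.DictReader(StringIO(text)))
    return sum(r["mfa_enrolled"] == "yes" for r in rows) / len(rows)

if __name__ == "__main__":
    for user, issue in review_access(USER_EXPORT, "2026-04-20"):
        print(f"{user}: {issue}")
    print(f"MFA coverage: {mfa_coverage(USER_EXPORT):.0%}")
```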
Short staff training on phishing, password hygiene, and cloud safety supports certification and real-world resilience. These low-cost habits also help people moving into cybersecurity jobs understand how practical risk management works alongside information assurance and physical security.
Working with Forge Secure for Cyber Essentials Support
Forge Secure helps UK organisations plan, implement, and achieve Cyber Essentials and Cyber Essentials Plus certification. Forge Secure can assist with scoping, gap analysis, remediation planning, vulnerability scanning, and is a licensed certification body.
The focus is on practical, proportionate security rather than complex frameworks that many organisations struggle to maintain. Clients benefit from clearer documentation, fewer surprises during assessment, and a higher chance of first-time success.
If you need help with your cybersecurity essentials, Cyber Essentials renewal, or your first certification, contact Forge Secure for tailored advice, next steps, and support.
If you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.
