A customer, insurer or tender has asked you to be Cyber Essentials certified. The deadline is two to four weeks away. You can do this.
Cyber Essentials is the UK government-backed cyber security certification. It’s run by IASME on behalf of the NCSC. The standard version (the one most businesses need) is a self-assessment questionnaire scored by an external assessor. Cyber Essentials Plus is the same standard plus an on-site verification audit. For most businesses chasing a tender or insurer deadline, the standard version is the one to start with.
The five technical controls you have to demonstrate
Cyber Essentials assesses five areas. Get these in place and you pass.
1. Firewalls
Every device connected to the internet — office router, individual laptops, home routers staff use — needs a properly configured firewall. Default passwords must be changed. Unnecessary services must be off.
2. Secure configuration
Default settings on devices are insecure. You need to harden them: remove unused accounts, disable auto-run, set strong passwords, encrypt drives.
3. User access control
Staff get the minimum access they need to do their job. Admin accounts are separate from daily accounts. Multi-factor authentication is on for cloud services. Leavers are offboarded the day they leave.
4. Malware protection
Every device has anti-malware running. For Windows this is usually Microsoft Defender. For Mac it’s usually a paid product such as Sophos or CrowdStrike. Smartphones must only install apps from the official app stores.
5. Security update management
Critical security patches must be installed within 14 days of release. This applies to operating systems, browsers, and any software with internet access. End-of-life software (Windows 10 from October 2025, for example) must be removed or replaced.
The two-week plan
Week 1: scope, audit, fix
- Day 1. Confirm scope. Which staff, which devices, which cloud services, which offices. The assessor will ask. Get it right at the start or you’ll redo the questionnaire later.
- Day 2-3. Inventory every device. Yes, including the laptop your sales lead bought themselves. If it touches company data, it’s in scope.
- Day 4-5. Audit current state against the five controls above. Document the gaps in writing.
- Day 6-7. Fix the gaps. Most common: MFA isn’t on for everyone, admin accounts aren’t separated, an end-of-life version of macOS is still in use, someone’s home router has the default password.
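The Day 4-5 audit is where most of the two weeks is won or lost, and the five control areas above are concrete enough to check mechanically on each Windows machine before anyone opens the questionnaire. The script below is an added example written for this article; it is not IASME's tool and not the article's own code. It assumes a Windows 10/11 endpoint, an elevated PowerShell session, and only the modules that ship with Windows (NetSecurity, Defender, BitLocker, LocalAccounts). Cloud-side items such as MFA on Microsoft 365 or Google Workspace cannot be verified from the endpoint and still need checking in each admin console; Macs and phones need their own checks.

```powershell
# Added example (not from the article, not an IASME tool): a read-only check of
# one Windows 10/11 endpoint against the five Cyber Essentials control areas.
# Run in an elevated PowerShell session; uses only built-in modules. Cloud-side
# items (MFA on Microsoft 365 etc.) cannot be checked from the endpoint.

$findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $findings.Add(('{0,-26} {1,-4} {2}' -f $Control, ($(if ($Pass) {'PASS'} else {'FAIL'})), $Detail))
}

# 1. Firewalls: every Windows Firewall profile on, inbound not defaulting to Allow.
#    (The office and home routers are a separate, manual check.)
foreach ($p in Get-NetFirewallProfile) {
    $ok = ("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -ne 'Allow')
    Add-Finding '1 Firewall' $ok "$($p.Name): Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# 2. Secure configuration: autorun off, system drive encrypted, stale accounts present.
$autorun = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Finding '2 Secure config' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun (255 disables autorun on all drive types)"
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Finding '2 Secure config' ("$($bl.ProtectionStatus)" -eq 'On') "BitLocker on $($env:SystemDrive): $($bl.ProtectionStatus)"
} catch { Add-Finding '2 Secure config' $false "BitLocker status unavailable: $($_.Exception.Message)" }
$stale = Get-LocalUser | Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt (Get-Date).AddDays(-90)) }
foreach ($u in $stale) {
    Add-Finding '2 Secure config' $false "Enabled local account '$($u.Name)' unused for 90 days (LastLogon=$($u.LastLogon)); disable or justify"
}

# 3. User access control: the account used for daily work should not be a local admin.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$selfIsAdmin = [bool]($admins | Where-Object { $_ -like "*\$env:USERNAME" })
Add-Finding '3 Access control' (-not $selfIsAdmin) "Current user '$env:USERNAME' in Administrators: $selfIsAdmin (members: $($admins -join ', '))"

# 4. Malware protection: Defender real-time protection on, signatures recent.
$mp = Get-MpComputerStatus
Add-Finding '4 Malware' $mp.RealTimeProtectionEnabled "Defender real-time protection: $($mp.RealTimeProtectionEnabled)"
Add-Finding '4 Malware' ($mp.AntivirusSignatureAge -le 7) "Signature age: $($mp.AntivirusSignatureAge) day(s)"

# 5. Security update management: supported OS, and no critical/important update
#    still uninstalled more than 14 days after Microsoft released it.
$os = Get-CimInstance Win32_OperatingSystem
$win10Eol = [datetime]'2025-10-14'   # Microsoft end-of-support date for Windows 10
$osOk = -not ($os.Caption -like '*Windows 10*' -and (Get-Date) -ge $win10Eol)
Add-Finding '5 Updates' $osOk "$($os.Caption) build $($os.Version)"
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    $overdue  = @($pending | Where-Object { $_.MsrcSeverity -in 'Critical','Important' -and $_.LastDeploymentChangeTime -lt (Get-Date).AddDays(-14) })
    Add-Finding '5 Updates' ($overdue.Count -eq 0) "$($pending.Count) pending update(s), $($overdue.Count) critical/important older than 14 days"
    foreach ($u in $overdue) { Add-Finding '5 Updates' $false "Overdue: $($u.Title) ($($u.MsrcSeverity), released $($u.LastDeploymentChangeTime.ToShortDateString()))" }
} catch { Add-Finding '5 Updates' $false "Windows Update search failed: $($_.Exception.Message)" }

# Write the gap list so the Day 4-5 audit is documented in writing, per machine.
$report = "$env:COMPUTERNAME-cyber-essentials-audit.txt"
$findings | Tee-Object -FilePath $report
Write-Host "Saved to $report; $(@($findings | Where-Object { $_ -match '\sFAIL\s' }).Count) finding(s) to fix."
```

Run it on every in-scope Windows device and keep the per-machine report files; together they are the written gap list the Day 4-5 step asks for, and the FAIL lines map directly onto the Day 6-7 fix list. The update check deliberately looks at pending updates and their release dates rather than the date of the last installed hotfix, because a quiet fortnight with no patches released is not a failure, while a critical patch sitting uninstalled for 15 days is.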
Week 2: questionnaire, submission, certificate
- Day 8-10. Complete the IASME self-assessment questionnaire. There are around 70 questions. Honest answers matter — lying gets you uncertified later and voids your insurance.
- Day 11. Internal review. Get someone other than the person who filled it in to read it.
- Day 12. Submit and pay (around £330 + VAT for businesses up to 9 staff, more for larger).
- Day 13-14. IASME marks it. If you pass, the certificate arrives. If anything fails, you get one free correction.
What trips most businesses up
Personal devices. If staff use their own phones to read company email, those phones are in scope. Either bring them into your management (Microsoft Intune) or move email to dedicated devices.
Cloud services. Every cloud service you use — Microsoft 365, Google Workspace, Xero, HubSpot — must have MFA on. If you’ve left any with single-factor login, you fail.
End-of-life software. Windows 10 stops getting security updates in October 2025. If you’re still on it after that, you fail Cyber Essentials. Plan the upgrade before the renewal.
Home workers. Their home routers count. You either need to confirm the default password has been changed (usually fine for a home router; hotel and airport networks tend not to be under your control) or provide a managed device with its own software firewall.
What it costs
IASME certification fees, current as of 2026:
- Micro businesses (up to 9 staff): £330 + VAT
- Small businesses (10-49 staff): £430 + VAT
- Medium businesses (50-249 staff): £530 + VAT
If you’re getting external help to prepare — most businesses do — budget another £500-£1,500 depending on the state of your current setup. Cyber Essentials Plus is roughly twice the certification fee plus the on-site audit.
Should you do it yourself or hire someone?
If you’ve got an in-house IT person who knows MFA, Intune, and your cloud licensing inside-out, you can do this in two weeks alone.
If your IT is currently a mix of “the founder set it up three years ago” and “someone’s brother helped with the server”, get an MSP to run the certification project. Two reasons. First, the questionnaire is precise — wrong answers fail you. Second, the fixes (separating admin accounts, hardening cloud services, deploying Intune) are faster done by people who do them every week.
What happens next year
Cyber Essentials lasts 12 months. The renewal is the same questionnaire with any changes. The job is to maintain the controls so renewal is a formality — not let the setup drift and scramble again. We keep client renewals on the calendar and pre-flight the questionnaire two months ahead of expiry.
Need to be certified next month?
We run Cyber Essentials projects for UK businesses every fortnight. Two-week sprint, fixed quote, certified before the deadline. Book a 30-minute chat and tell us when you need the certificate.