Short answer: Cyber Essentials is a UK government-backed certification that proves your business has the five basic security controls in place to defend against the most common cyber attacks. For most UK SMBs, it costs £300 to £500 (basic) or £1,500 to £3,000 (Plus), takes 4 to 8 weeks to achieve, and is increasingly required to win contracts, qualify for cyber insurance, and tender for public sector work.
This guide covers what it actually is, the five controls in plain English, what the assessment looks like, where most businesses fail, and how to get from zero to certified in 30 days.
What is Cyber Essentials?
Cyber Essentials is a certification scheme run by IASME (the body appointed by the UK National Cyber Security Centre, NCSC) since 2020. It checks your organisation has five categories of security control in place to defend against around 80 percent of common internet-based threats: phishing, ransomware, drive-by malware, credential stuffing, and unauthorised access.
There are two levels:
- Cyber Essentials (basic). A self-assessment questionnaire (SAQ) completed by you, by your provider, or by both, then verified by an external assessor. Certified within roughly two weeks of submission.
- Cyber Essentials Plus. Same scope as basic, but an external auditor performs hands-on testing of a sample of your devices and your Microsoft 365 tenant. More rigorous, more expensive, and what most regulated buyers want to see.
It is an annual certification. You re-apply every 12 months.
Why UK SMBs are getting certified in 2026
Three drivers, all stronger than they were two years ago:
- Public sector contracts. Required for any central government supplier handling personal information or sensitive data. Increasingly required by local authorities, NHS, MoD-adjacent suppliers, and education sector tenders.
- Enterprise B2B sales. Large companies push compliance down the supply chain. If you sell to a FTSE 250 client, expect a vendor-security questionnaire that mentions Cyber Essentials by name.
- Cyber insurance. Insurers now ask for it routinely. Premiums are 10 to 30 percent lower with Cyber Essentials on file. Some insurers will not write cover at all without it.
If you are scaling and you are not certified, it is going to start costing you deals soon.
The five controls, in plain English
Cyber Essentials assesses these five technical control families. Here is what each one means in practice for a 20 to 50 person UK business.
1. Firewalls
You need boundary firewalls between your internal network and the internet. For office-based work that is your router or dedicated firewall (Draytek, Sophos, Fortinet, Cisco). For home or hybrid workers it is the host-based firewall on each laptop (Windows Defender Firewall is fine if configured correctly, macOS firewall too).
Common pass: business-grade firewall with default password changed, admin access from internal network only, firmware updated, no unnecessary inbound ports open.
Common fail: home routers with default admin passwords, or hybrid workers with the laptop firewall switched off.
2. Secure configuration
Devices must be set up to the minimum needed to do their job. No unnecessary user accounts, no default passwords, no software you do not actually use.
Common pass: standard build for laptops, autorun disabled on USB, unused services off, MDM-enforced configuration.
Common fail: unused admin accounts left on machines, “ssadmin” accounts shared between three people, default vendor passwords on networked printers and NAS devices.
3. User access control
Every user has their own account. Admin rights are only given to people who need them, and only when they need them. Multi-factor authentication (MFA) is on for all cloud admin accounts.
Common pass: separate user and admin accounts for the IT person, MFA on every Microsoft 365 user, conditional access rules in place.
Common fail: shared admin@ mailboxes, MFA off for the founder “because it gets in the way”, local admin rights on every workstation.
4. Malware protection
Anti-malware running on every internet-connected device. The certification does not mandate a specific product, but Microsoft Defender for Endpoint, ESET, SentinelOne, Bitdefender, CrowdStrike, and similar all qualify. App allow-listing is acceptable as an alternative.
Common pass: enterprise EDR or Defender for Business deployed via MDM, real-time scanning on, definitions current.
Common fail: free consumer antivirus on a couple of laptops, nothing at all on others, mobile devices unprotected.
5. Security update management
Patches applied within 14 days of release for any update that fixes a “high” or “critical” severity vulnerability. Operating systems and applications must be in support (no Windows 8.1, no macOS that has dropped off Apple’s update list).
Common pass: automatic Windows update plus a third-party patching tool (Patch My PC, Action1, Intune-driven WUfB), audit log shows patches applied within 14 days.
Common fail: out-of-support OS still in use somewhere, third-party apps (Chrome, Adobe, Zoom) months out of date, end-user laptops never patched because the user always cancels the restart.
What does the assessment actually look like?
For Cyber Essentials (basic), here is the real timeline:
- Weeks 1 to 2: Discovery. Your provider (or you) lists every in-scope device, user, location, and cloud service. You answer the SAQ, about 80 questions across the five controls.
- Week 3: Remediation. Anything that does not currently meet the standard gets fixed. Usually MFA gaps, patch backlogs, or the founder’s admin account.
- Week 4: Submission and review. Submit through IASME’s portal (or your assessor’s branded portal). They review, often come back with clarification questions.
- Week 5 to 6: Certification. Once they are happy, you get your certificate and badge.
For Cyber Essentials Plus, add another 2 to 4 weeks for the on-site or remote audit. The auditor will:
- Run a vulnerability scan against a sample of your laptops and any internet-facing infrastructure
- Check patch level on randomly chosen devices
- Send simulated phishing emails to test malware controls
- Check Microsoft 365 / Google Workspace admin settings
- Verify MFA is enforced on a sample of accounts
If you fail Plus, you get one chance to fix the issues and re-test before the certificate is issued.
What it actually costs
Pricing in 2026 (UK):
| Item | Cost (excluding VAT) |
|---|---|
| Cyber Essentials (basic) certification body fee | £320 to £500 depending on company size |
| Provider time to prepare and submit basic | £400 to £1,500 |
| Cyber Essentials Plus certification body fee + audit | £1,500 to £3,000 |
| Annual renewal (basic) | Same as initial |
| Annual renewal (Plus) | Slightly cheaper than initial |
If you are on a Standard or Premium tier IT support contract, certification support is usually included. You only pay the IASME body fee. If you are on Essentials or buying ad-hoc, expect the provider day-rate to add up to the figures above. See our IT support cost guide for context on tiers.
Worth knowing: company size for IASME’s pricing band is based on whole-organisation employee count, not just IT scope. A 75-person firm pays more than a 25-person firm even if only 25 of them are in the IT scope.
Where most UK SMBs fail (and how to avoid it)
Across the projects we run, these come up again and again:
- MFA gaps. A founder, an old contractor account, or a shared mailbox without MFA. Certification will fail for any cloud admin account that does not have MFA enforced.
- Out-of-support software. Someone has Windows 8.1 in the back room, an old Mac on macOS 11, or QuickBooks 2018. All instant fails.
- BYOD without controls. Personal phones reading company email without MDM enrolment or app protection policies. You either bring them in scope (MDM, encryption, screen lock enforced) or out of scope (separate corporate-owned device).
- Patching latency. Third-party apps (Chrome, Zoom, Adobe Reader, 7-Zip) months out of date because no one is patching them centrally. Windows update alone is not enough.
- Default passwords. On the meeting-room TV, on the Brother printer, on the cheap NAS in the cupboard. All in scope. All testable.
- Local admin rights. “Just give me admin so I can install Slack” is a hard no under user access control. Use a privilege management tool or an approval workflow.
The fix for all of the above is usually 2 to 3 weeks of focused work plus the right tooling. None of it is rocket science, but it has to be evidenced.
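One way to evidence the per-device side of the five controls above and the common fails listed in this section, as an added example that is not Smart Start IT's tooling and not anything IASME publishes: a read-only PowerShell pre-check of a single Windows endpoint, run in an elevated PowerShell 5.1 or later session. The minimum supported build, the local-admin allow list, the signature-age limit and the mapping of MSRC "Critical"/"Important" onto Cyber Essentials "high/critical" are assumptions to adjust for your estate.

```powershell
# Added example (not Smart Start IT's or IASME's code): read-only Cyber Essentials pre-check for one Windows device.
# Thresholds and the severity mapping below are this example's assumptions, not scheme definitions.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Check = $Check
                                    Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
}

# 1. Firewalls: the host firewall must be on for every profile (Domain, Private, Public).
$off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name)
Add-Check 'Firewalls' 'Host firewall on for all profiles' ($off.Count -eq 0) ("Disabled profiles: " + ($off -join ', '))

# 2. Secure configuration: AutoPlay off for all drive types (policy value 0xFF) and no enabled Guest account.
$autorun = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Check 'Secure configuration' 'Autorun disabled for all drive types' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun"
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Check 'Secure configuration' 'Guest account disabled' (-not $guest -or -not $guest.Enabled) ''

# 3. User access control: only the built-in Administrator (and your managed IT admin account) may hold local admin.
$allowed = @("$env:COMPUTERNAME\Administrator")   # assumption: add your LAPS/MDM-managed admin account here
$extra = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name |
           Where-Object { $allowed -notcontains $_ })
Add-Check 'User access control' 'No standard users hold local admin' ($extra.Count -eq 0) ("Extra members: " + ($extra -join ', '))

# 4. Malware protection: Defender real-time protection on and signatures no more than one day old (assumed limit).
$mp = Get-MpComputerStatus
Add-Check 'Malware protection' 'Real-time protection enabled' $mp.RealTimeProtectionEnabled ''
Add-Check 'Malware protection' 'Signatures current' ($mp.AntivirusSignatureAge -le 1) "Signature age (days): $($mp.AntivirusSignatureAge)"

# 5. Security update management: supported OS build, and no Critical/Important update left pending for more
# than 14 days after Microsoft published it. The Windows Update Agent COM search can take a minute or two.
$minSupportedBuild = 22631   # assumption: set to the oldest build Microsoft still supports when you run this
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Security update management' 'Supported OS build' ([int]$os.BuildNumber -ge $minSupportedBuild) "$($os.Caption) build $($os.BuildNumber)"
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
$late = @($pending | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' -and
                                    $_.LastDeploymentChangeTime -lt (Get-Date).AddDays(-14) })
Add-Check 'Security update management' 'No high/critical update pending over 14 days' ($late.Count -eq 0) (($late | ForEach-Object Title) -join '; ')

$results | Format-Table -AutoSize -Wrap
```

Any FAIL row is something an assessor can also find, so fix it and re-run before the SAQ or the Plus audit; the script changes nothing on the device.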
Cyber Essentials vs ISO 27001 vs NIST
If you are asking whether you need ISO 27001 instead, the answer is usually “not yet”. ISO 27001 is a much bigger commitment: 6 to 12 months, £15,000 to £40,000, and an ongoing internal audit function. It is the right shape for organisations selling to enterprise clients who specifically demand it.
NIST CSF (the US National Institute of Standards and Technology Cybersecurity Framework) is a framework rather than a certification. Useful as a structuring tool, but it does not give you a badge to put in proposals.
For a UK SMB under 250 staff, the order is: Cyber Essentials, then Cyber Essentials Plus, then ISO 27001 (if your buyers demand it). That covers 95 percent of compliance asks you will see.
How Smart Start IT helps you get certified
We treat Cyber Essentials as a project, not a checkbox:
- Day 1 to 7: Scoping. We map every device, user, network, and cloud service in scope. We tell you upfront if anything is going to fail and what the fix costs.
- Week 2 to 3: Remediation. We deploy MDM if needed, enforce MFA, install EDR, configure patching, fix admin rights. Usually with no business disruption.
- Week 4: SAQ. We complete the questionnaire alongside you, pulling evidence from our tooling rather than asking you to remember things.
- Week 5 to 6: Submission and certification. We submit, handle clarifications, and you get your badge.
For Plus, we add a pre-audit review against the same scan tooling the assessor uses, so there are no surprises on audit day.
Pricing is included on Standard and Premium managed IT support tiers. On Essentials, it is a fixed-fee project. Read more about our cyber security service for context on what sits underneath certification day-to-day.
Find out if you’d pass today
A free 30-minute IT health check tells you the gaps, the fix list, the rough cost, and the timeline. No obligation.
Frequently asked questions
Is Cyber Essentials worth it for a small UK business?
For any UK business that sells B2B, tenders for public sector contracts, holds client data, or buys cyber insurance, yes. The cost is small (£300 to £500 for basic), the timeline is short (4 to 6 weeks), and it is increasingly a “ticket to play” rather than a competitive advantage. If none of those apply to your business and you have under 5 staff, you can defer it for now.
How long does Cyber Essentials take?
Plan for 4 to 8 weeks for basic from kick-off to certificate, including remediation. Cyber Essentials Plus adds 2 to 4 weeks for the audit. If your environment is already well-configured (MFA on, modern OS, EDR deployed, patch policy in place) you can compress this to 2 weeks for basic.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Same five controls. Basic is a self-assessed questionnaire reviewed by an assessor. Plus adds a hands-on audit with vulnerability scanning and sample device testing. Plus is what most enterprise and public sector buyers actually want to see.
Does Cyber Essentials cover Microsoft 365?
Yes. Microsoft 365 is in scope as your cloud service. The assessment will check MFA enforcement, conditional access, malware/phishing protection (often Defender for Office), admin account separation, and licensing. Most failures involve MFA exemptions or admin sharing.
Do remote and hybrid workers count?
Yes, they are in scope. Their company laptops and the home networks they connect to both come under user access control, secure configuration, and patching. Personal devices used to read email are in scope unless explicitly excluded with MDM separation.
What happens if we fail the audit?
For basic, you get clarification questions and a chance to fix issues before submission. For Plus, you get one chance to remediate and re-test. If you still fail, you can re-apply (usually with a smaller fee) once the issues are resolved. Failure is not the end of the world; it is feedback.
Does Cyber Essentials replace cyber insurance?
No. They complement each other. Insurance covers the financial fallout of an incident; Cyber Essentials reduces the chance of one and increasingly determines whether you can buy insurance at all.
How often do I have to renew?
Annually. Most providers will start nudging you 60 days before expiry. Letting it lapse means re-certifying from scratch and losing the badge in the meantime, which can affect tenders and insurance.