
Cyber Essentials for 10–50 person UK businesses: a plain-English guide

Published 19 April 2026 · IT Support Helpdesk

The short version

Cyber Essentials is a UK government-backed certification scheme built around five practical technical controls. It's required for bidding on many government contracts, increasingly expected by cyber insurers, and a credible signal to clients that you take security seriously. Basic certification costs £300–£600 and takes 4–6 weeks if you're reasonably prepared. The common pitfall for small firms isn't the controls themselves; it's undocumented admin accounts and unpatched machines nobody realised existed.

What Cyber Essentials actually is

Cyber Essentials is a UK government-backed security certification scheme, developed by the National Cyber Security Centre (NCSC) and administered by IASME (the Cyber Essentials accreditation body). It exists to help organisations protect themselves against the most common types of cyber attack — not the sophisticated nation-state stuff you read about in the news, but the commodity attacks that account for the vast majority of incidents: phishing, ransomware spread via unpatched software, credential stuffing.

There are two levels:

  • Cyber Essentials (CE): A self-assessment questionnaire, reviewed and verified by an approved assessor. You answer questions about your technical controls; an assessor checks your answers are consistent and plausible. No external scanning or audit of your actual systems.
  • Cyber Essentials Plus (CE+): Adds an independent technical audit. An external assessor actually tests your systems — running vulnerability scans, attempting to verify your controls are working as claimed, not just described. Significantly more rigorous, and significantly more valuable as a signal to clients and insurers.

Most 10–50 person businesses start with CE and progress to CE+ when a contract or insurer specifically requires it.

Who needs it

Three situations make Cyber Essentials more or less mandatory:

  • Government contracts: Any business bidding for UK central government contracts that involve handling personal data or providing certain types of ICT products and services must hold Cyber Essentials. This is a hard requirement, not a preference. Many local authorities and NHS bodies have adopted the same position.
  • Cyber insurance: Insurers have tightened their criteria significantly since 2022. Many now require CE as a minimum condition of cover, or price premiums more favourably for certified businesses. A few will now refuse cover entirely without it.
  • Client requirements: If you handle client data — particularly for financial services, legal, or healthcare clients — some will ask whether you hold CE as part of their supplier onboarding process. Having it is often easier than explaining why you don't.

Even if none of these apply directly, the certification process itself is useful: it forces you to audit what you actually have, rather than what you think you have.

The five technical controls, in plain English

The entire scheme is built around five controls. Here's what each actually requires:

1. Firewalls

You need a properly configured firewall at the boundary of your network (your router/gateway) that only allows traffic you've explicitly permitted, and the software firewall on each device (Windows Defender Firewall, for example) switched on as well, because laptops spend time on home and café networks where the office router can't protect them. For most small businesses this means: change the default admin password on your router, disable remote management from the internet if you don't need it (and if you do, put it behind MFA or an IP allow-list), and make sure inbound connections that aren't needed are blocked. The standard doesn't require enterprise-grade hardware; a properly configured consumer or SME router will pass if it's set up correctly.

2. Secure configuration

Your devices and software should be configured securely: no default credentials left in place, software and features you don't use removed or disabled, manufacturer-recommended security settings applied, and every device locking itself after inactivity behind a PIN or password. In practice: make sure you haven't left the built-in Windows Administrator account enabled with a blank password (more common than you'd think), disable autorun for removable media, and remove software that's installed on machines but nobody uses.

3. User access control

Users should have access only to what they need to do their job. Standard users should not have administrator privileges on their own machines. Administrator accounts should only be used for administrative tasks, not for day-to-day work, because a phishing link opened from an admin session hands the attacker the whole machine rather than one user profile. Cloud services are covered by this control too: every account on Microsoft 365 and similar services needs multi-factor authentication where the service offers it, administrator accounts first. This is one of the most commonly failed controls for small businesses: giving everyone admin rights is the path of least resistance, but it dramatically increases your exposure if a machine is compromised.

4. Malware protection

Your devices need up-to-date malware protection: antivirus software, or the built-in protections in modern operating systems (Microsoft Defender on Windows, for example), with real-time scanning switched on. The key word is "up-to-date": a signature set last updated six months ago is not compliant, and neither is a Defender install that a since-removed third-party product left disabled. Most businesses pass this control relatively easily, but the assessment will ask for evidence that updates are applied automatically rather than by hand.

5. Security update management (patching)

Operating systems and applications must be licensed, still supported by their vendor, and kept up to date with security patches. The standard requires that updates fixing vulnerabilities rated critical or high (CVSS 7 or above) are applied within 14 days of release, and software that no longer receives security updates must be removed from the scoped network, so an out-of-support Windows build fails outright rather than merely counting as "behind". This is where many businesses fail: not because they don't patch at all, but because there's always that one old laptop nobody touches, or a piece of software that was installed for a project and forgotten about.

Realistic cost and time

  • Cyber Essentials (basic): The certification fee itself is tiered by headcount; budget around £300–£450 plus VAT for a 10–50 person firm. If you use a third party to help you prepare and submit, add £200–£500 for their time. Total: £300–£600 for a business that's reasonably well-organised.
  • Cyber Essentials Plus: The assessment fee is typically £1,500–£2,500 for a small organisation, on top of the basic CE cost. Add consultancy time to prepare and remediate issues found during the audit: £1,500–£4,000 all-in is a realistic range for a 20–50 person business.
  • Time: If your systems are in reasonable shape, 4–6 weeks from starting preparation to receiving your certificate is achievable for CE basic. CE Plus adds another 4–6 weeks for the technical assessment, and the Plus audit has to be completed within three months of the basic certificate, so book the assessor before you submit the questionnaire. If you have significant remediation work (unpatched systems, undocumented admin accounts, legacy software), add more.

The pitfalls most 10–50 person firms hit

After helping businesses through this process, the same issues come up repeatedly:

  • BYOD chaos. Personal devices used for work are in scope if they access company data or services, including personal laptops that open the company's email or file shares. Phones used only for calls, texts and an authenticator app are the one exception: those are out of scope. Many small businesses have staff using personal phones and laptops that haven't been enrolled in any management solution. You can either scope BYOD devices out (by restricting company system access to managed devices only) or bring them into scope and manage them, but you can't just ignore them.
  • Admin accounts given too freely. "Everyone's an admin because it's easier" is the fastest way to fail control 3. Audit who has admin rights before you start the assessment. Removing them after the fact often causes complaints — better to do it as part of a wider "we're improving our security" communications exercise.
  • Patching neglect. The 14-day patch window is strict. If you don't have an automated patching process, you'll struggle to demonstrate compliance. Microsoft 365 environments with Intune can automate most of this. Standalone machines need a different approach.
  • Forgotten software. Old Java installs, outdated browsers, deprecated applications nobody uses but nobody removed. These are in scope and will be flagged.
  • Cloud services in scope. All cloud services you use are in scope, SaaS included. For Microsoft 365 or Google Workspace you are responsible for the parts you control: the tenant's security settings, who holds admin roles, and MFA on every account. If you use AWS, Azure, or Google Cloud directly, the virtual machines, firewall rules and accounts you build on them count too. Many businesses don't realise this until they're mid-assessment.

How we help with Cyber Essentials readiness

Our Compliance Support service includes Cyber Essentials readiness assessment — an honest gap analysis against the five controls, a prioritised remediation plan, and support through the submission process. We don't certify you ourselves (that's the role of an approved assessor), but we make sure you're actually ready before you submit, rather than failing and having to pay again.

What you'd do next if you want it by end of Q2 2026

If you want Cyber Essentials in place by the end of June 2026:

  • Now: Audit your current device inventory. List every device that accesses company systems. Note the operating system version, patching status, and whether anyone has admin rights who shouldn't.
  • Weeks 1–2: Address the most common failures — patch outstanding updates, review admin accounts, check your router/firewall configuration.
  • Weeks 3–4: Work through the self-assessment questionnaire with your IT support provider. Identify any gaps. Remediate.
  • Weeks 5–6: Submit to an approved assessor. Receive your certificate.
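The "audit your current device inventory" step above, and the per-device checks behind controls 1 to 5, come down to the same few questions asked of every Windows machine: is the host firewall on, is the built-in Administrator disabled, who is a local admin, are Defender's signatures current, and is anything overdue for patching. The PowerShell below is an added example written for this guide; it is not part of the Cyber Essentials scheme, the NCSC's tooling, or the original article. It reads local state only and changes nothing. The `$ApprovedAdmins` allow-list and the 7-day signature threshold are assumptions to adapt; the 14-day patch window is the scheme's own figure. Run it in an elevated PowerShell session on a Windows 10/11 device that can reach its update source.

```powershell
# Added example: per-device Cyber Essentials readiness snapshot.
# Not from the original article. Assumptions: $ApprovedAdmins is a hypothetical
# allow-list; $SignatureMaxAgeDays is a local choice, not a CE number.

function Get-CeReadiness {
    [CmdletBinding()]
    param(
        [string[]] $ApprovedAdmins      = @('Administrator'),  # hypothetical allow-list
        [int]      $PatchWindowDays     = 14,                  # CE: critical/high fixes within 14 days
        [int]      $SignatureMaxAgeDays = 7                    # assumed "up to date" threshold for AV
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Control 1: host firewall enabled on every profile, inbound blocked by default.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled -or $p.DefaultInboundAction -ne 'Block') {
            $findings.Add("Firewall profile $($p.Name): Enabled=$($p.Enabled), DefaultInbound=$($p.DefaultInboundAction)")
        }
    }

    # Control 2: built-in Administrator (RID 500) disabled; no enabled account without a password.
    foreach ($u in Get-LocalUser) {
        if ($u.Enabled -and $u.SID.Value -like '*-500') {
            $findings.Add('Built-in Administrator account is enabled')
        }
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $findings.Add("Local account $($u.Name) is enabled and does not require a password")
        }
    }

    # Control 3: every member of local Administrators must be on the allow-list.
    # Names arrive as MACHINE\user, DOMAIN\user or AzureAD\user; keep the user part.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.Split('\')[-1] })
    foreach ($a in $admins) {
        if ($ApprovedAdmins -notcontains $a) {
            $findings.Add("Unapproved local administrator: $a")
        }
    }

    # Control 4: Defender running with real-time protection and recent signatures.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Defender antivirus or real-time protection is disabled')
    }
    if ($mp.AntivirusSignatureAge -gt $SignatureMaxAgeDays) {
        $findings.Add("Antivirus signatures are $($mp.AntivirusSignatureAge) days old")
    }

    # Control 5: pending updates that were released longer ago than the patch window.
    # Uses the Windows Update Agent COM API, so the machine must reach its update
    # source (Windows Update or WSUS) for the search to succeed.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $cutoff   = (Get-Date).AddDays(-$PatchWindowDays)
    foreach ($upd in $pending) {
        if ($upd.LastDeploymentChangeTime -lt $cutoff) {
            $sev = if ($upd.MsrcSeverity) { $upd.MsrcSeverity } else { 'Unrated' }
            $findings.Add("Overdue update ($sev): $($upd.Title)")
        }
    }

    # Inventory fields for the device list: OS build, newest hotfix, installed software
    # (so forgotten Java installs and old browsers are visible before the assessor sees them).
    $os   = Get-CimInstance Win32_OperatingSystem
    $apps = @(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
              Where-Object { $_.DisplayName } |
              Select-Object DisplayName, DisplayVersion, Publisher |
              Sort-Object DisplayName -Unique)

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OS            = "$($os.Caption) ($($os.Version))"
        LastHotFix    = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).HotFixID
        LocalAdmins   = $admins -join '; '
        InstalledApps = $apps.Count
        Ready         = ($findings.Count -eq 0)
        Findings      = $findings
        Apps          = $apps
    }
}

# Usage: one row per machine for the inventory, the findings to fix, and the app list to prune.
$report = Get-CeReadiness -ApprovedAdmins 'Administrator', 'it-support'   # hypothetical names
$report | Select-Object Computer, OS, LastHotFix, LocalAdmins, InstalledApps, Ready
$report.Findings
$report.Apps | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-apps.csv"
```

Run it on every device that touches company systems and keep the CSVs; together they are the inventory the "Now" step asks for, and each non-empty `Findings` list is a remediation item for weeks 1 to 2. On a domain-joined fleet the function can be pushed with `Invoke-Command -ComputerName`, and on Intune-managed devices it runs as a platform script; either way the update search (control 5) only works when the device can reach its update source, so a machine that returns no pending updates and no recent hotfix needs a manual look rather than a tick.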

For CE Plus, add another 4–6 weeks for the technical audit phase.

Summary

  • Cyber Essentials is a UK government-backed scheme with five practical technical controls: firewalls, secure configuration, user access control, malware protection, and security update management.
  • CE basic: £300–£600, 4–6 weeks. CE Plus: £1,500–£4,000 all-in, 8–12 weeks.
  • Required for many government contracts; increasingly expected by cyber insurers.
  • The most common pitfalls: BYOD devices in scope, admin rights given too liberally, unpatched legacy machines.
  • Start with a device inventory. Fix your patching and admin accounts first. Then submit.

Ready to try AI-led IT support?

Sign up, install the agent, and start raising tickets. £10 per user per month. Cancel any time.