A clear, practical overview of the Cyber Essentials scheme, what the five controls mean in practice, and how ongoing support keeps you certified — not just at renewal.
Cyber Essentials is the UK government-backed certification scheme designed to protect organisations against the most common online threats.
Overseen by the National Cyber Security Centre (NCSC) and administered by IASME, the scheme establishes a technical baseline that every organisation — regardless of size — should have in place.
According to the NCSC, most cyber attacks exploit basic weaknesses: the digital equivalent of a thief trying your front door. Cyber Essentials is designed to lock that door.
"No matter your business' size or location, cyber attacks are no longer a question of 'if' but 'when'."
Self-Assessed: Self-assessed questionnaire, verified by an approved certification body. Starting from £500 + VAT (pricing by organisation size).
Independently Tested: Same five controls, but independently tested by a qualified assessor. More rigorous — and increasingly expected in supply chains and financial services.
Up to £25,000 cover: UK organisations with turnover under £20m that achieve full-scope certification are entitled to free cyber liability insurance — including a 24-hour incident helpline — arranged by IASME.
The NCSC states that implementing these five controls correctly can prevent the vast majority of common cyber attacks. The current requirements are defined in the v3.3 specification (April 2026).
Firewalls control traffic entering and leaving your network. Cyber Essentials requires that boundary and software firewalls are properly configured, default passwords changed, and only necessary services exposed to the internet. This applies equally to home and remote workers.
Misconfigured firewalls are one of the most common causes of direct internet exposure — making this the logical first line of defence.
Secure configuration reduces unnecessary exposure by removing unused software, disabling unnecessary services, changing default settings, and ensuring every device is built to a secure baseline before use.
Out-of-the-box default settings are designed for convenience, not security. This control requires organisations to take deliberate ownership of their configuration posture.
Users should only have access to the data and systems they need to do their job. This means unique user accounts, strict limits on administrative privileges, and prompt removal of access when staff leave or change roles.
Under v3.3, multi-factor authentication (MFA) is required for administrative accounts and cloud services. Password requirements are clearly defined, and technical controls must be used to enforce credential quality.
Every in-scope device must be protected against malicious software. This includes using supported anti-malware tools, keeping definitions current, and applying appropriate controls to devices under BYOD or remote working policies.
Disabled antivirus and untrained staff are among the most common causes of malware incidents. Certification requires demonstrable, consistent protection — not a best-efforts approach.
Known vulnerabilities must be patched before attackers can exploit them. Cyber Essentials v3.3 requires that critical and high-risk patches (CVSS score 7.0 or above) are applied within 14 days of release, on all in-scope devices and software.
Unpatched operating systems and network appliances are among the most exploited attack vectors. Automated update management and a documented patch process are essential to meeting this control consistently.
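As an added illustration (not code from the page, the NCSC or IASME), the following Python check applies the 14-day rule above to a patch inventory: any patch with a CVSS score of 7.0 or above must be applied within 14 days of release, and anything past that deadline, installed late or not at all, is flagged. Device names, patch identifiers and dates are constructed placeholders.

```python
"""Patch-window check for the Cyber Essentials v3.3 rule described above:
critical/high patches (CVSS >= 7.0) must be applied within 14 days of release."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

CVSS_THRESHOLD = 7.0
PATCH_WINDOW = timedelta(days=14)


@dataclass
class PatchRecord:
    device: str
    patch_id: str            # vendor identifier (constructed values below)
    cvss: float
    released: date           # vendor release date
    applied: Optional[date]  # None if not yet installed


def in_scope(p: PatchRecord) -> bool:
    """Only critical/high patches are subject to the 14-day deadline."""
    return p.cvss >= CVSS_THRESHOLD


def status(p: PatchRecord, today: date) -> str:
    """Return 'n/a', 'compliant', 'open' (still inside the window) or 'overdue'."""
    if not in_scope(p):
        return "n/a"
    deadline = p.released + PATCH_WINDOW
    if p.applied is not None:
        return "compliant" if p.applied <= deadline else "overdue"
    return "open" if today <= deadline else "overdue"


def overdue(records: List[PatchRecord], today: date) -> List[PatchRecord]:
    """Records that would fail the control at assessment time."""
    return [p for p in records if status(p, today) == "overdue"]


# Constructed sample inventory; the 'today' date is also constructed.
TODAY = date(2026, 5, 1)
SAMPLE = [
    PatchRecord("laptop-01", "PATCH-0001", 9.8, date(2026, 4, 1), date(2026, 4, 10)),
    PatchRecord("laptop-02", "PATCH-0002", 8.1, date(2026, 4, 1), date(2026, 4, 20)),
    PatchRecord("fw-edge", "PATCH-0003", 7.0, date(2026, 4, 25), None),
    PatchRecord("laptop-02", "PATCH-0004", 5.3, date(2026, 3, 1), None),
    PatchRecord("server-01", "PATCH-0005", 7.5, date(2026, 4, 10), None),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.device:10} {p.patch_id} cvss={p.cvss:<4} {status(p, TODAY)}")
```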
The Cyber Essentials scheme is owned by the NCSC and administered by IASME Consortium. Requirements were most recently updated in April 2026 (v3.3). The five core controls remain unchanged, while assessment methodology and requirements continue to evolve for clarity and effectiveness. For the authoritative requirements document, visit ncsc.gov.uk/cyberessentials.
Cyber security fails most often not because the standard is wrong — but because nobody owns it day to day. A support contract changes that.
We assess your current environment against all five controls before you submit — so there are no surprises and no failed submissions.
Where gaps exist, we fix them. From firewall configuration to MFA rollout, we handle the technical work so your team doesn't have to.
With ongoing support, Cyber Essentials controls are monitored continuously — aligned to NCSC guidance as requirements evolve year to year.
Annual renewal becomes a formality, not a project. Changes to users, devices, or infrastructure are assessed against certification requirements as they happen.
Rather than pulling business leaders away from growth and customers, a support partner ensures Cyber Essentials becomes part of your operational fabric — quietly maintained, consistently applied, and always ready to demonstrate compliance.
Whether you're preparing for certification for the first time or want to make renewal painless, Gibberish Limited is here to help — practically, not theoretically.