Cybersecurity Essentials for UK Small Businesses: From Cyber Essentials Basic to Cyber Essentials Plus
The honest position on Cyber Essentials, which most providers selling it won’t state plainly: the basic tier is a genuinely good scheme for UK small businesses, and most small businesses do not need Cyber Essentials Plus. A significant share of the Plus certifications purchased every year are bought because a consultant told the client they needed it, not because the organisation’s actual risk profile, contractual obligations, or customer base requires it.
That’s worth stating up front, because the rest of this article describes how to get Cyber Essentials Plus if you need it — and the first question any business should answer is whether they do. If you already know you need Plus because a public sector tender, an MoD supply chain requirement, or a specific client has asked for it, skip to the process and cost sections. If you don’t, read the first few sections carefully. You may save yourself between £1,500 and £3,000 by deciding that basic Cyber Essentials is the right level for your organisation.
This guide covers both tiers, the five controls behind them, the real 2026 costs, the process for getting certified, and the significant changes coming under version 3.3 of the requirements — the “Danzell” question set — which takes effect for all new assessment accounts from 27 April 2026.
What Cyber Essentials actually is
Cyber Essentials is a UK government-backed certification scheme launched in 2014 by the National Cyber Security Centre (NCSC). It is delivered by IASME, which is the NCSC’s official delivery partner and manages a network of approximately 400 licensed Certification Bodies across the UK. Over 215,000 certificates have been awarded since launch, and the scheme has become the recognised baseline cybersecurity standard for UK organisations.
The scheme is deliberately simple. It focuses on five technical controls that, implemented correctly, block the overwhelming majority of common internet-based threats — the attacks that target any organisation with an internet connection, regardless of industry or size. It is not a substitute for an enterprise security programme. It is a published minimum that, if you meet it, you have a meaningful defence against commodity attacks.
The five controls are:
- Firewalls and boundary devices — controlling traffic into and out of your network.
- Secure configuration — setting up computers, servers, and cloud services to reduce unnecessary exposure.
- User access control — making sure the right people have access to the right things, and nothing more.
- Malware protection — active protection against viruses and malicious software on every device.
- Security update management — keeping software patched and up to date.
If those five controls are properly in place, you are materially harder to compromise than most of your peers. The scheme has no ambition beyond that. It is not trying to turn a 15-person accountancy firm into a bank. It is trying to stop the kind of attack that turns up on the phone every week.
Basic vs Plus: the real difference
There are two levels of certification. The practical difference between them is often misunderstood, and the misunderstanding is how businesses end up buying Plus when they don’t need it.
Cyber Essentials (basic) is a verified self-assessment. Your organisation completes a structured questionnaire about its IT environment, policies, and controls. An assessor from a licensed Certification Body reviews your answers and either passes you, queries specific items, or identifies non-compliance. The controls you describe are not independently tested. You are attesting, with a board-level declaration, that what you’ve said is true.
Cyber Essentials Plus uses the same five controls and the same technical requirements, but adds an independent technical audit. A qualified assessor physically or remotely examines a representative set of your user devices, all your internet-facing services, and your configuration against the specific requirements. They will run vulnerability scans, check patch levels, verify MFA enforcement, test anti-malware configuration, and make sure that what you said in the self-assessment is actually the case in practice.
That is the entire difference. Plus is not a stricter security standard. It is the same standard, independently verified.
| | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment type | Verified self-assessment | Self-assessment + technical audit |
| Controls required | The same five | The same five |
| Independent testing | No — based on your declaration | Yes — vulnerability scan, device checks, configuration audit |
| 2026 cost (micro, 0–9 staff) | £320 + VAT | From ~£1,400 + VAT |
| 2026 cost (small, 10–49 staff) | £400 + VAT | ~£1,500–£2,250 + VAT |
| 2026 cost (medium, 50–249 staff) | £500 + VAT | ~£2,500–£3,500 + VAT |
| Time to certify | Days to weeks (self-paced, 6 months max) | Weeks (requires auditor scheduling) |
| Validity | 12 months | 12 months |
| Prerequisite | None | Basic CE completed within the previous 3 months |
| Free cyber insurance | Yes (if whole-org certified, turnover under £20m) | Yes |
| Typically required for | Most UK business contexts | Central government contracts handling sensitive information, MoD supply chain, some regulated sectors |
The critical row is the last one. If a customer, regulator, or tender process has asked specifically for Plus, you need Plus. If nobody has, basic is almost certainly adequate. The free cyber insurance is unchanged between the two tiers. The board-level assurance is higher with Plus, but that is primarily useful to organisations with a board that wants that assurance — most small businesses’ boards are the directors themselves, and the basic tier’s self-declaration is already signed by them.
Who actually needs Plus
Before paying for Plus, verify one of the following applies:
- A contract explicitly requires it. This is the most common genuine trigger. Read the clause. Plenty of contracts say “Cyber Essentials” and that means basic is acceptable. Plenty specifically say “Cyber Essentials Plus.” A meaningful number say “or equivalent,” which gives you room to present basic plus other controls.
- You supply the UK Ministry of Defence or hold certain central government contracts. Many of these now require Plus, particularly where the work involves handling any sensitive information. The MoD’s cyber defence contract requirements flow down through supply chains — ask your customer directly rather than guessing.
- You handle customer data at a scale or sensitivity that warrants independent verification. This is a judgement call. If you process personal data for a large number of individuals, operate in healthcare or financial services supply chains, or have customers for whom “we’ve signed to say we comply” genuinely isn’t enough, Plus adds value.
- Your cyber insurance carrier offers a meaningful premium reduction for Plus. Some do. Some don’t differentiate. Ask explicitly.
If none of these apply, basic is the right level. You can always upgrade later if a contract demands it, though you will need to pass basic again first.
The five controls, in practical terms
For a small UK business, what does each of the five controls actually require in 2026? The v3.3 changes, covered in more detail below, tighten several of these.
Firewalls and boundary devices. Every device that connects to the internet needs a firewall — either a software firewall on the device (Windows Defender Firewall is acceptable if configured) or a network firewall between the device and the internet. Default administrative passwords on the firewall must be changed. Inbound connections that aren’t needed must be blocked. This is largely set-and-forget for most small businesses, assuming the firewall was set up properly in the first place.
Secure configuration. Systems should be configured to minimise unnecessary features, services, and user accounts. Default passwords on every device and service must be changed. Auto-run should be disabled on removable media. The principle is that anything not needed for business operation should be turned off or removed. In 2026, one of the specific tightenings is that unnecessary software must be demonstrably removed or disabled across in-scope devices — not merely “not used.”
User access control. Every user gets the minimum access needed for their role. Administrative accounts are separate from day-to-day working accounts. Privileged access is reviewed regularly. Multi-factor authentication is enforced wherever it is available — and under v3.3, this is now an absolute requirement for all cloud services that offer it, with no partial-compliance grace. The specific wording: if a cloud service offers MFA, whether free, subscription-included, or paid, and it is not switched on, the organisation fails the assessment.
Malware protection. Every in-scope device must have active malware protection — this can be traditional antivirus, an EDR product, or application allowlisting. For most small UK businesses on Windows 10 or 11, Microsoft Defender is included and meets the baseline requirement when left enabled and properly configured. Organisations running regulated or higher-risk workloads may choose to invest in a third-party EDR solution. We cover the small-business choices in our best backup and endpoint tooling guide, which touches on the EDR/backup combination most small businesses end up running.
Security update management. All software, firmware, and operating systems must be kept up to date. Under v3.3, critical and high-severity patches must be applied within 14 days of release. Software that is no longer supported by the vendor — out-of-support operating systems, unpatched applications, end-of-life network hardware — cannot be in scope for certification. This is the single most common failure point at assessment, and it is not usually a technical problem. It is an inventory problem: the organisation is running something it has forgotten about, and it turns up during the assessment.
The v3.3 “Danzell” changes from 27 April 2026
All assessment accounts created after 27 April 2026 will be judged against version 3.3 of the Requirements for IT Infrastructure, known as the Danzell question set. If you’re renewing after that date, this applies to you. The five controls remain the same. What changes is how strictly they are interpreted.
The most significant changes worth flagging:
- MFA becomes an automatic fail criterion. Under current rules, a missing MFA on a cloud service that offers it is a major non-compliance but potentially survivable. Under v3.3, it is an automatic fail. This alone will catch a meaningful proportion of organisations that have MFA on admin accounts but not on every user account with cloud access.
- Critical vulnerability patching tightens to 14 days. Organisations that relied on monthly patch cycles — common among small businesses using managed IT providers on light-touch contracts — will need to change their cadence or change providers.
- Scope clarity increases. The scope of assessment expands to include any device that connects to the internet and any cloud service that stores organisational data. Arbitrary exclusions are no longer permitted without proper justification. This closes a loophole that some organisations relied on to keep bring-your-own-device phones and tablets out of scope.
- Backup guidance moves earlier in the document. Not a pass-fail change, but a signal that IASME views backup discipline as a higher priority going forward. Expect the requirement to tighten in subsequent versions. If your backup strategy is informal, now is a good time to formalise it — our best backup solutions for UK small businesses covers the practical options.
- Application Development requirements reference the UK Software Security Code of Practice. Only relevant if you develop software in-house. If you do, read this section carefully.
Organisations currently certified and renewing before 27 April 2026 remain on the current v3.2 standard for this cycle. At your next renewal after that date, you are on v3.3.
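The three v3.3 points most likely to catch a small business out (MFA offered but not enabled on any cloud account, a critical or high-severity patch older than 14 days, and out-of-support software still in scope) can be checked against your own device and account inventory before you pay for an assessment. The script below is an added illustration written for this article; it is not IASME’s or the NCSC’s tooling and does not replace the NCSC Readiness Tool. The inventory it runs over is constructed sample data, and the device names, services and dates in it are invented.

```python
"""
Pre-assessment self-check for three Cyber Essentials v3.3 pass/fail points:
  1. MFA must be enabled on every cloud account where the service offers it.
  2. Critical and high-severity patches must be applied within 14 days.
  3. Out-of-vendor-support software cannot be in scope.
Added example for this article; it mirrors the article's reading of v3.3 and is
not an official IASME or NCSC tool. All inventory data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date

PATCH_SLA_DAYS = 14                      # v3.3 patch window for critical/high fixes
FAIL_SEVERITIES = {"critical", "high"}   # severities the 14-day window applies to


@dataclass
class Device:
    name: str
    os: str
    supported: bool                      # does the vendor still ship security updates?
    # pending (not yet applied) patches as (severity, vendor release date)
    pending_patches: list[tuple[str, date]] = field(default_factory=list)


@dataclass
class CloudAccount:
    service: str
    user: str
    mfa_available: bool                  # does the service offer MFA (free, included or paid)?
    mfa_enabled: bool                    # is it actually switched on for this user?


def check_devices(devices: list[Device], today: date) -> list[str]:
    """Flag unsupported software and critical/high patches outside the 14-day window."""
    findings = []
    for d in devices:
        if not d.supported:
            findings.append(f"{d.name}: {d.os} is out of vendor support and cannot be in scope")
        for severity, released in d.pending_patches:
            age = (today - released).days
            if severity in FAIL_SEVERITIES and age > PATCH_SLA_DAYS:
                findings.append(
                    f"{d.name}: {severity} patch released {released} is {age} days old "
                    f"(limit {PATCH_SLA_DAYS} days)"
                )
    return findings


def check_mfa(accounts: list[CloudAccount]) -> list[str]:
    """Flag every account where MFA is offered but not enabled (automatic fail under v3.3)."""
    return [
        f"{a.service}/{a.user}: MFA is offered but not enabled"
        for a in accounts
        if a.mfa_available and not a.mfa_enabled
    ]


def assess(devices: list[Device], accounts: list[CloudAccount], today: date) -> dict:
    """Combine the checks; an empty findings list means these three points pass."""
    findings = check_devices(devices, today) + check_mfa(accounts)
    return {"pass": not findings, "findings": findings}


# Constructed sample inventory (hypothetical names and dates, not real systems)
SAMPLE_TODAY = date(2026, 5, 11)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11", True, [("critical", date(2026, 4, 14))]),  # 27 days old
    Device("LAPTOP-02", "Windows 11", True, [("high", date(2026, 5, 5))]),       # 6 days, fine
    Device("LAPTOP-03", "Windows 11", True, [("low", date(2026, 3, 1))]),        # low severity, fine
    Device("NAS-01", "vendor firmware (end-of-life)", False),                    # forgotten device
]
SAMPLE_ACCOUNTS = [
    CloudAccount("Microsoft 365", "alice (admin)", True, True),
    CloudAccount("Microsoft 365", "bob", True, False),         # MFA on admins only: still a fail
    CloudAccount("legacy-portal", "alice", False, False),      # no MFA offered: not a fail
]

if __name__ == "__main__":
    result = assess(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, SAMPLE_TODAY)
    print("PASS" if result["pass"] else "FAIL")
    for line in result["findings"]:
        print(" -", line)
```

The inventory is the point, not the code: the forgotten NAS and the single user account without MFA are exactly the cases the article describes, and a list of devices and accounts you maintain year-round is what makes both the 14-day patch window and the MFA check verifiable at renewal.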
The certification process, step by step
The process for basic Cyber Essentials is straightforward enough that many small businesses can complete it without external help. The steps:
- Download the assessment questions. The full question set and the Requirements for IT Infrastructure document are available free from the IASME website. Read them before doing anything else. This is not a document to start reading after you’ve paid.
- Run the NCSC Readiness Tool. Free, interactive, takes about 30 minutes. It walks through the controls and gives you a tailored action plan showing where you are currently non-compliant.
- Fix the gaps. This is where the real work happens. Common gaps for small UK businesses: MFA not enabled across all cloud accounts, out-of-date software somewhere in scope, default admin passwords left unchanged on network equipment, no formal patch schedule, a handful of shared accounts that should be individual.
- Choose a Certification Body. You don’t apply directly to IASME — you go through one of approximately 400 licensed Certification Bodies. They review your submission and issue the certificate. Prices are standardised at the IASME fee level for the assessment itself, but Certification Bodies can bundle support, consultancy, and preparation at additional cost.
- Register and pay. You buy your assessment through your chosen Certification Body and receive login details for the secure online assessment platform. From that point, you have six months to submit.
- Complete and submit. Answer every question accurately in the online platform. Save progress as you go. Before you submit, a board-level person in the organisation must confirm the answers are accurate.
- Assessor review. A qualified assessor reviews your submission within three working days. If they need more information or you’ve missed something, they’ll say so. You can update and resubmit — each resubmission gets another three-day review. If the assessor finds you compliant, the certificate is issued instantly.
For Cyber Essentials Plus, the self-assessment stage is a prerequisite — you need to have passed basic within the previous three months. After that, the technical audit happens. Audits can be remote or in-person. The assessor will:
- Run vulnerability scans against your in-scope external IPs.
- Check a representative sample of end-user devices (typically 10% or a minimum number depending on size) for patch compliance, anti-malware configuration, and user account setup.
- Test that MFA is actually enforced where you said it was.
- Verify that the configurations and policies you described in the self-assessment are operationally in place.
If the audit passes, the certificate is issued. If it fails, you fix the gaps and repeat — but unlike basic, retesting is not free. Each re-audit incurs a further charge. This is why preparation matters significantly more for Plus than for basic.
What it actually costs in 2026
IASME publishes fixed fees for basic Cyber Essentials. These are the assessment fees only, not the cost of any support you buy alongside them:
- Micro (0–9 employees): £320 + VAT
- Small (10–49 employees): £400 + VAT
- Medium (50–249 employees): £500 + VAT
- Large (250+ employees): £600 + VAT
Plus pricing is quoted individually by Certification Bodies because the audit effort varies with scope, complexity, and number of in-scope IP addresses. Realistic 2026 ranges:
- Micro (0–9 employees): from ~£1,400 + VAT
- Small (10–49 employees): ~£1,500–£2,250 + VAT
- Medium (50–249 employees): ~£2,500–£3,500 + VAT
- Large: £3,500+ VAT and quoted case by case
Additional costs that often catch small businesses out:
- Remediation. If the Readiness Tool or assessor finds gaps, fixing them takes time and sometimes tooling. Budget realistically.
- Consultancy and support. If you use a Certification Body’s “supported” package or a separate consultant, expect to pay £300–£1,000 on top of the IASME fee for basic, and substantially more for Plus preparation.
- Annual renewal. The certificate expires after 12 months. Renewal costs the same fee, though the preparation work is usually much lighter in year two.
- Retesting for Plus. If you fail the audit, you pay again.
The free £25,000 cyber liability insurance included for UK organisations with turnover under £20 million, where the whole organisation is certified, is genuinely worth having. It is not a substitute for proper cyber insurance cover for any business with meaningful revenue — the limit is low — but it is a decent safety net and, on its own, more or less pays for the basic certificate for many micro-organisations.
DIY, supported, or fully managed
Three broad routes to certification:
DIY. You pay only the IASME fee, use the free Readiness Tool, download the free questions, and work through the process yourself. Realistic for most micro and small organisations with a director or office manager who is reasonably IT-literate. Time investment: typically 10–20 hours for a first certification, much less for renewals.
Supported. Your Certification Body or a separate consultant guides you through the process — reviews your draft answers, helps with specific control implementations, flags likely assessor queries before submission. Typical additional cost: £300–£1,000. Worth considering if you have specific concerns about particular controls (legacy systems in scope, unusual cloud setup, complex remote working arrangements).
Fully managed. Your MSP or a consultant handles the entire process, including remediation work. Typical additional cost: £1,500–£3,000 for basic, substantially more for Plus. Makes sense for organisations with complex IT estates, limited internal capacity, or tight deadlines driven by contract requirements.
The useful framing: for basic, default to DIY unless you have a specific reason not to. For Plus, the pre-assessment work is where the failures happen, and investing in supported or managed preparation is almost always cheaper than paying for a failed audit and a re-audit.
From Cyber Essentials to bigger frameworks
Once you’ve got Cyber Essentials in place, the question of what’s next depends on where your organisation is going. The scheme is deliberately scoped at the baseline — it is not designed to be the only security framework an organisation needs. Natural next steps, depending on direction:
- ISO 27001 if you are scaling into enterprise customer bases that expect a full information security management system.
- SOC 2 if your customer base is concentrated in the US or in US-adjacent technology supply chains.
- NIS2 compliance work if you are in scope of the UK or EU network and information systems regulations — which, after the autumn 2026 UK Cyber Security and Resilience Bill, will include substantially more mid-market organisations than they do today.
- NCSC Cyber Assessment Framework (CAF) if you are in critical national infrastructure supply chains.
For most UK small businesses, the sequence that works is: get basic Cyber Essentials, embed the five controls as ongoing operational practice, renew annually, and only move to Plus when a contract or regulatory change genuinely requires it. That sequence is defensible, proportionate, and — crucially — something a small organisation can actually sustain without hiring a security manager.
Frequently asked questions
Do I need Cyber Essentials Plus if my customers haven’t asked for it? Almost certainly not. The basic tier covers the same five controls, and unless a contract, regulator, or specific customer has asked for Plus, the independent verification Plus provides is a nice-to-have rather than a requirement. Default to basic and upgrade if and when a specific trigger arises.
Can a micro-business realistically complete Cyber Essentials themselves? Yes. The question set is written for business owners, not IT experts. The NCSC Readiness Tool is genuinely useful, IASME publishes extensive free guidance, and a director with reasonable IT literacy can complete basic certification in a few working days. For Plus, external support is more often justified.
What happens if I fail the assessment? For basic, the assessor will tell you what was non-compliant and you have two working days to fix it and resubmit at no additional cost. For Plus, if the audit fails, you will need to remediate and pay for a re-audit — this is the single most important reason preparation for Plus matters.
How long is Cyber Essentials valid for? Twelve months. After that, you renew. Renewal costs the same IASME fee but the preparation work is usually much less, assuming you’ve maintained the controls year-round rather than letting them drift.
Does the free cyber insurance that comes with certification actually pay out? It is provided by IASME for UK organisations with turnover under £20 million where the whole organisation is certified. Cover is £25,000. It is genuine insurance rather than a marketing line, but the limit is low — it is a useful safety net for micro-businesses, not a substitute for proper cover at any meaningful revenue scale.
What’s the difference between Cyber Essentials and the NCSC’s other guidance? Cyber Essentials is a certification scheme with a specific question set, five specific controls, and a pass/fail assessment. The broader NCSC guidance (the 10 Steps to Cyber Security, the Small Business Guide) is advisory. Cyber Essentials turns a subset of NCSC’s guidance into a certified minimum standard. They are complementary rather than alternatives.
Is there any benefit to Plus if my contracts don’t require it? Three potential benefits: marginally better cyber insurance pricing with some carriers, stronger supply-chain credibility if you sell into larger organisations, and a level of independent assurance that some boards genuinely value. Against that, the cost difference is £1,000–£3,000. For most small businesses, the money is better spent on actual security improvements rather than additional verification of existing ones.