Cyber Essentials.
On-time. Done right.
Cyber Essentials is the UK government-backed certification that proves your business has the basic controls to keep attacks out. Most companies come looking for it the week a contract starts.
We have done that, solo, end-to-end, on a clock that left no room for a six-week fact-finding mission first. Self-assessment or the audited Plus tier, scoped, evidenced and passed.
14-day Certified
Deadline Guaranteed
Precisely Scoped
Truth Over Comfort
Shared Risk Model
Senior-Led Execution
Cyber Essentials certificate, or a missed contract. You choose…
It usually happens the same way… Someone you are quoting lists it as a requirement. A larger customer sends a security questionnaire with it ringed in the conditions, or the insurer asks whether you hold one. Suddenly this Cyber Essentials certificate you half-remembered hearing about is standing between you and money you had already counted on.
Then the quotes come back for the work and they tell you weeks or months. You get an onboarding call from a cyber security consultant, feel quite confident, then get a second onboarding call (a second round, from a junior). The readiness phase is priced way higher than the certificate it is preparing you for.
Most of the above is padding. Cyber Essentials is a defined set of five technical controls, evidenced and submitted to a single scheme. Yes, it may seem like a black art from the outside, which rather suits the people who bill for it as though it were. It will be handled by someone who has passed it before and knows which answers an assessor actually scrutinises, and it will move at the speed your business needs it, not the speed of a company’s billing cycle.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed scheme, overseen by the National Cyber Security Centre (NCSC) and certified through IASME. It checks that five core controls are genuinely in place: firewalls, secure configuration, security update management, user access control, and malware protection (that’s five, not fifty).
Get it right and you shut out the overwhelming majority of opportunistic attacks, which is most of what bothers a small or mid-sized business in the first place. The certificate is recognised across the UK, and opens the door to a great many public sector and government contracts. In fact, it’s not normally sitting politely in the optional column. It is required.
Cyber Essentials or Plus?
The two get muddled up constantly, and the difference is refreshingly simple. Cyber Essentials is a verified self-assessment: you submit your answers, a qualified assessor marks the paper, and you certify. Cyber Essentials Plus is the same controls inspected with the gloves on: an assessor actually tests your systems directly instead of taking your word for it.
Which one you need is up to you. If you have been asked to put it in place, check the level requested. Some accept self-assessment. Others, including anything brushing against government data or a serious supply chain, want Plus (and potentially ISO 27001, but that’s a different beast).
How long does certification take?
The answer: less time than the quote you are holding, almost certainly. The self-assessment can be scoped, evidenced and submitted inside days when your setup is already in decent shape, and inside a couple of weeks when something needs fixing, or hardware needs changing first.
Cyber Essentials Plus adds the hands-on audit, which has to happen within three months of the self-assessment award, so the calendar is usually the only thing slowing it down. The reason most providers quote longer is structural, not technical. Handoffs, junior review, an account manager turning your problem into a brief and the brief back into a problem. Take that layer out and the timeline shrinks to the actual work.
What does Cyber Essentials cost?
Two numbers, not one. The scheme has its own certification fee, which is fixed, published and banded by the size of your organisation, and paid to the certifying body. This is not up for dispute.
The variable is the work to get you ready, and it’s where quotes will diverge wildly. A business already running a solid setup with sensible controls needs very little. One that has no controls in place, archaic hardware and has never thought of having a policy will need more. We scope it against your actual setup rather than a one-size package.
We may not be the cheapest on your list (although hopefully we are), but we will frequently be the fastest, and we will be the most honest and thorough.
What the work actually involves.
01. Scope and gap check
Work out what is in, what is out, and where you actually stand today. Over-scoping is the most popular way to make both the cost and the timeline balloon, so we do this part properly.
If hardware is required, we look for the best balance of quality and speed, and keep an eye on the End of Life date, so you can be confident you will be up-to-spec for years.
Asset & device inventory
Scope definition
Control gap analysis
Quick-win triage
Honest findings, no inflation
02. Configure and harden
The unglamorous controls that quietly stop the expensive day. Devices, endpoints and the boundary, set to a sensible baseline rather than whatever shipped out of the box.
For an SME this means we aim to get your Microsoft Defender Secure Score over 80% (a reasonable level if you don’t want to splash out on Microsoft’s more expensive licenses every month).
Microsoft Defender / EDR
Secure config baselines
Host & boundary firewalls
Applications, web & email
Disable vulnerable services
03. Patch and control access
We work to put you steps ahead with your setup and ensure everything is in place, so that the following years cost far less and are quick and easy to renew.
Intune update rings / WSUS
End-of-life & updates
Entra ID Conditional Access
MFA enforcement
Process rollouts
04. Verify, evidence and pass
Prove the controls hold, write down the bits the scheme wants written down, and put the submission in front of the assessor in the form they expect.
For Plus, we go hands-on, liaising directly with the Cyber Essentials assessor.
Policy authorship & review
Staff security awareness
Device sampling
Evidence pack assembly
Submission & pass
A clean form is not a secure business.
The self-assessment is a questionnaire, and a questionnaire is precisely the thing an AI will complete for you with the serene confidence of something that has never met your network. The answers come out tidy and plausible. A few are wrong, and it will not flag which ones. Submit those and you own a certificate overnight, stapled to a front door that is propped open with a fire extinguisher, allowing anyone to come in… Passing the form was never the work.
Closing the gap the form is poking at, that was the work all along. Which is the deeply unfashionable reason a human who understands your systems costs far less than the cyber incident that finds the issue first.
What you will not get here.
No onboarding ceremony performed before any of the actual work begins. No readiness phase invented just to be invoiced. No certificate handed over by someone who will have moved on by the time the assessor asks the awkward question.
We do not take on businesses unwilling to act on a clear finding, because a control you decline to fix is just a control you are pretending to have. The certificate is only worth the paper if the thing behind it is true. We rather insist on that part!
Q&A: Cyber Essentials Basics

What Is a Cyber Essentials Consultant?
Someone who scopes the assessment, checks your controls against the scheme, fixes what fails, and walks you through to a pass. The ones worth hiring have sat the assessment themselves rather than just read about it. We have done it solo, end to end, including the audited Plus tier, on deadlines with no margin for a redo.
How Much Does Cyber Essentials Cost?
Two parts. The scheme’s own certification fee is fixed, published and banded by company size. The rest is the work to get you ready, which depends entirely on the state of your current controls. A well-run business needs little; a neglected one needs more. We scope it to your estate rather than a fixed package.
How Long Does Certification Take?
The self-assessment can be done in days when your setup is already sound, or a couple of weeks when something needs fixing first. Cyber Essentials Plus adds a hands-on audit that must fall within three months of the self-assessment award. The work is fast; the calendar is usually the only constraint.
How Long Is a Cyber Essentials Certificate Valid?
Twelve months. It is an annual certification, so you recertify each year. That cadence also stops your controls quietly drifting out of date between renewals.
Can AI Tools Complete Cyber Essentials for Me?
They can fill in the form. They cannot tell you which of their confident answers is wrong, and a wrong answer is either a failed audit or a false sense of security. The form is the easy part. Knowing what it is really asking is the part worth paying for.
AI will write your security policy in seconds, but it might leave your door open.
Speak to a Cyber Essentials consultant.
Most enquiries open with a deadline and a tender clause nobody has read properly yet. A short call is usually enough to tell you which certificate the contract genuinely requires, how fast it can realistically be done, and whether the quote already in your inbox is being honest with you.