Cyber Essentials Certification: Worth It for SMEs?

The most common question I get about Cyber Essentials is whether it's just a box-ticking exercise. The honest answer: sometimes yes, sometimes no, and which one applies to your business depends on why you're getting it.

Five controls, not fifty

Cyber Essentials is a UK government-backed certification covering five security controls: firewalls configured to block unnecessary inbound connections, secure device configuration with no default passwords left in place, access control with users having only the permissions they need, up-to-date malware protection, and patch management with critical vulnerabilities addressed within 14 days.
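Two of these controls are concrete enough to check mechanically before you fill in the questionnaire. The script below is an added example, not part of the original article and not a tool of the Cyber Essentials scheme; it runs over a constructed inventory (device patch backlog and user admin rights, both made up for illustration), flags critical updates that have been available for longer than the 14-day window, and lists accounts holding admin rights their role does not need. The severity set it checks defaults to "critical" to match the article's wording and is a parameter you can widen.

```python
from datetime import date

# Constructed sample data (not from any real organisation): pending updates
# per device, each with the vendor's release date and a severity rating.
PENDING_UPDATES = [
    {"device": "laptop-01", "patch": "browser-2024.07", "severity": "critical", "released": date(2024, 7, 1)},
    {"device": "laptop-02", "patch": "os-kb-0001", "severity": "critical", "released": date(2024, 7, 20)},
    {"device": "server-01", "patch": "os-kb-0001", "severity": "critical", "released": date(2024, 6, 1)},
    {"device": "laptop-02", "patch": "pdf-reader-11", "severity": "low", "released": date(2024, 5, 1)},
]

# Constructed user list: who holds admin rights and whether their role needs it.
USER_ACCOUNTS = [
    {"user": "alice", "is_admin": True, "role_needs_admin": True},
    {"user": "bob", "is_admin": True, "role_needs_admin": False},
    {"user": "carol", "is_admin": False, "role_needs_admin": False},
]

# The article's stated window for critical vulnerabilities.
PATCH_WINDOW_DAYS = 14


def overdue_patches(updates, today, window_days=PATCH_WINDOW_DAYS, severities=("critical",)):
    """Pending updates of the given severities that have been available for
    longer than the allowed window.

    Returns a sorted list of (device, patch, days_past_window).
    """
    overdue = []
    for u in updates:
        if u["severity"] not in severities:
            continue
        age_days = (today - u["released"]).days
        if age_days > window_days:
            overdue.append((u["device"], u["patch"], age_days - window_days))
    return sorted(overdue)


def excess_admins(accounts):
    """Accounts holding admin rights that their role does not require
    (the 'only the permissions they need' control)."""
    return sorted(a["user"] for a in accounts if a["is_admin"] and not a["role_needs_admin"])


def assess(updates, accounts, today):
    """Summarise both checks as pass/fail with the supporting findings."""
    patches = overdue_patches(updates, today)
    admins = excess_admins(accounts)
    return {
        "patch_management": {"pass": not patches, "findings": patches},
        "access_control": {"pass": not admins, "findings": admins},
    }


if __name__ == "__main__":
    # Fixed 'today' so the constructed data gives a repeatable result.
    report = assess(PENDING_UPDATES, USER_ACCOUNTS, date(2024, 7, 25))
    for control, result in report.items():
        print(control, "PASS" if result["pass"] else "FAIL", result["findings"])
```

In practice the inventory would come from your patch-management or endpoint tool's export rather than a hard-coded list; the point of the check is that "critical patches within 14 days" and "least privilege" are questions with yes/no answers you can compute, not judgement calls.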

These are not advanced security practices. They're the basics. But a large proportion of successful cyberattacks exploit gaps in exactly these areas, not because the attacks are sophisticated, but because the basics aren't done. A business that genuinely implements these five controls is protected against the majority of opportunistic attacks.

Three situations where you should get it

If you supply to central government, NHS, or large regulated organisations, Cyber Essentials is increasingly written into contract requirements. You may need it to bid for the work, full stop.

If you're arranging or renewing cyber insurance, check whether your insurer requires it. Some won't quote without it. Others will, but at higher premiums. The certification typically costs £300-500 for the basic self-assessment, and it pays back in insurance savings for many businesses.

If you honestly don't know the state of your IT security, the questionnaire is a useful forcing function. It makes you look at patch status, admin account practices, and firewall configuration in a way that doesn't happen organically.

Basic vs Plus: what the difference actually means

The basic certification is a self-assessment questionnaire. You answer questions about your controls, an assessor reviews the answers, and if satisfied, you're certified. No one technically verifies that your answers are accurate.

Cyber Essentials Plus adds an independent technical assessment of your actual systems: an assessor examines your devices and configuration directly rather than taking your answers on trust. It costs £1,500-4,000 for most SMEs depending on scope. If your motivation is reassuring clients or differentiating from competitors, Plus is meaningfully more credible. If you're meeting a tender requirement, basic is usually sufficient.

What Cyber Essentials doesn't cover

This is the part that gets glossed over. The certification says nothing about phishing resilience, social engineering, insider threats, physical security, or business continuity. A business can hold Cyber Essentials and still hand over credentials after a convincing phone call from someone pretending to be their IT provider. That happens regularly.

Cyber Essentials is a useful floor. It's not a security programme. Treat it as the starting point for a conversation about security posture, not the end of one.