How much does Cyber Essentials really cost?

Cyber security can feel confusing when you first start looking into it.

You know your business needs to be protected. You may have heard customers, suppliers, insurers or tender applications mention Cyber Essentials. But the first question most businesses ask is, "What is Cyber Essentials?"

Cyber Essentials Overview

Cyber Essentials is a UK Government-backed cyber security scheme designed to help businesses protect themselves against common online threats.

It focuses on five key technical controls:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

These are the basics that every business should have in place.

Cyber Essentials is not about making your business impossible to hack. No certification can promise that. It is about reducing the risk of common cyber attacks by making sure your business has the right foundations in place.

For many businesses, it is also a useful way to show customers, suppliers and partners that cyber security is being taken seriously.

Cyber Essentials Certification

Cyber Essentials certification is based on a verified self-assessment.

This means your business answers a set of questions about how your IT systems are set up and protected. An assessor then reviews your answers to check whether you meet the required standard.

For some businesses, the questionnaire is straightforward. For others, it highlights gaps that need fixing before certification can be achieved.

This is why preparation matters. The cost of the certificate is one thing, but your business also needs to be technically ready.

Cyber Essentials Plus Certification

Cyber Essentials Plus is the next level up.

It is based on the same Cyber Essentials requirements, but instead of only completing a self-assessment, your systems are independently tested.

This means an assessor carries out technical checks to make sure the controls are actually in place.

How much does Cyber Essentials cost?

Cyber Essentials has an official pricing structure based on the size of your organisation.

The current Cyber Essentials costs are:

  • Micro organisation (0–9 employees): £320 + VAT
  • Small organisation (10–49 employees): £440 + VAT
  • Medium organisation (50–249 employees): £500 + VAT
  • Large organisation (250+ employees): £600 + VAT

The official fee usually covers the assessment itself. It does not always include extra help with preparation, technical changes, admin support or fixing issues that may stop your business from passing.

How much does Cyber Essentials Plus cost?

Cyber Essentials Plus usually costs between £1,500 and £5,500 + VAT, depending on the size and complexity of your business.

Unlike standard Cyber Essentials, there is not one fixed national price for Cyber Essentials Plus. This is because Cyber Essentials Plus includes independent technical testing, so the cost depends on how much work is involved in checking your systems.

Is a Cyber Essentials certificate worth it?

For many UK businesses, yes. Cyber Essentials is worth it because it gives your business a recognised cyber security standard to work towards. It can help reduce your risk, improve customer trust and support tender applications. It is especially useful if:

  • You work with larger organisations
  • You bid for public sector or supply chain contracts
  • Your customers ask about cyber security
  • You handle sensitive business or customer data
  • You want a clear cyber security baseline
  • You want to show you take security seriously

The process itself can also be valuable.

A lot of businesses only discover weak points when they go through the assessment. Things like old devices, missing updates, shared accounts, weak passwords or poor admin controls can easily be missed during day-to-day work. Cyber Essentials gives you a clear framework to follow.

Why do some providers charge more than the official Cyber Essentials fee?

This is where a lot of confusion comes from. The official Cyber Essentials fee covers the certification assessment. However, some providers charge more because they include additional support around the certification process.

That extra support may include:

  • Helping you understand the requirements
  • Reviewing your current IT setup
  • Checking whether your answers are accurate
  • Identifying issues before you submit
  • Supporting technical changes
  • Reducing the admin involved
  • Helping manage the certification process

This does not mean the official certification fee has changed. It means the provider is charging for their time, guidance and support on top of the assessment cost. For some businesses, this support is not needed. If you have a strong internal IT team and your systems are already well managed, you may be comfortable completing the assessment yourself. For other businesses, support can be useful because it saves time and reduces the risk of submitting incorrect answers or discovering issues too late.

Cyber Essentials FAQs

How long does Cyber Essentials certification last?

Cyber Essentials certification lasts for 12 months. After that, your business needs to renew the certification each year to stay certified.

Can I complete Cyber Essentials myself?

Yes, you can complete Cyber Essentials yourself. However, you need to be confident that your answers are accurate and that your systems meet the requirements. If you are unsure about things like firewalls, admin accounts, device updates or malware protection, it may be worth getting support before submitting.

What happens if I fail Cyber Essentials?

If your business does not meet the requirements, you will need to fix the issues and resubmit. This is why preparation is important. It is better to identify problems before submission rather than finding out during the assessment process.

Does Cyber Essentials include Cyber Essentials Plus?

No. Cyber Essentials and Cyber Essentials Plus are separate certifications. Cyber Essentials is the verified self-assessment. Cyber Essentials Plus includes independent technical testing and usually costs more.

Do small businesses need Cyber Essentials?

Small businesses can benefit from Cyber Essentials because they are often targeted by common cyber attacks, such as phishing and attacks that take advantage of weak passwords and unpatched devices. It gives smaller organisations a clear structure to follow without making cyber security overly complicated.

Is Cyber Essentials required for tenders?

Sometimes, yes. Cyber Essentials is often requested in tender applications, especially when working with government bodies, larger organisations or supply chains that have stricter cyber security requirements. Even when it is not mandatory, having the certificate can help show that your business takes cyber security seriously.

Does Cyber Essentials guarantee my business is secure?

No certification can guarantee complete security. Cyber Essentials helps protect your business against many common cyber threats, but it should be seen as a strong baseline rather than the whole answer. Good cyber security also includes staff awareness