If you run a small business in the UK, you have probably heard the phrase “Cyber Essentials” at some point — maybe from your IT support company, a client who asked whether you are certified, or a government procurement form that listed it as a requirement. For many business owners, the reaction is a mixture of mild guilt and confusion: it sounds important, but where do you actually start? The good news is that Cyber Essentials is far less intimidating than it sounds. If your business is already using Microsoft 365 with sensible settings, Windows laptops, and a modern broadband router, there is a reasonable chance you are already most of the way there. This guide explains what it means in practice, what you probably need to fix, and how to get the certificate on the wall.
What Cyber Essentials actually is
Cyber Essentials is a UK government-backed certification scheme run by the National Cyber Security Centre (NCSC). It was designed specifically so that small and medium-sized organisations can demonstrate they have the basic security controls in place to defend against the most common cyber attacks — things like phishing emails, ransomware, and attackers scanning the internet for easy targets.
It is not an audit where someone comes and pokes around your network for a week. At the basic level, it is a self-assessment questionnaire: you answer a set of questions about how your business manages five key controls, a certifying body reviews your answers, and if you pass, you receive a certificate valid for twelve months. There is a higher tier called Cyber Essentials Plus, which does involve an independent technical test, but most small businesses start with the standard certification and find it perfectly sufficient for their needs.
The five controls the scheme focuses on are: firewalls and internet gateways, secure configuration of devices, user access controls, malware protection, and patch management (keeping software up to date). If those terms feel unfamiliar, do not worry — we will walk through what they mean in a typical small business context.
What you probably already have in place
Here is something that often surprises small business owners: if you are running a reasonably modern setup, you have likely already ticked quite a few boxes without realising it.
- Microsoft 365 with multi-factor authentication (MFA): If your team logs into Microsoft 365 and uses the Authenticator app or a code sent to their phone, that covers a significant portion of the user access control requirement.
- Windows 11 laptops: Windows 11 ships with Windows Defender enabled by default, which handles malware protection. Automatic Windows updates, switched on by default, cover the patching requirement for the operating system.
- A modern broadband router: Most routers provided by business broadband suppliers in recent years have a basic firewall built in. If yours is less than five years old and you have not deliberately opened ports into your network, the firewall control is likely in reasonable shape.
- Microsoft 365 apps kept up to date: M365 applications update themselves automatically, which means your Word, Excel, Outlook and Teams installs are generally patched without any effort on your part.
That is a solid foundation. The self-assessment is not starting from zero.
What you probably need to fix
Most small businesses have a handful of gaps — often the same ones. Here are the most common issues that come up during Cyber Essentials readiness checks:
- MFA not switched on for everyone: MFA might be available in your Microsoft 365 tenant but not enforced for all users. If even one account can log in with just a password, that is a gap. Check that Conditional Access policies or Security Defaults are configured to require MFA across the board.
- Windows 10 machines still in use: Windows 10 reaches end of support in October 2025, and assessors are increasingly scrutinising older operating systems. If you have any laptops still running Windows 10, plan to upgrade them to Windows 11 or replace them.
- Default passwords on routers, printers, and other devices: Many offices have a printer, a NAS device, or a router where nobody has ever changed the default admin password. Assessors specifically ask about this. Go and check — it usually takes ten minutes per device.
- Ex-staff accounts still active: It is surprisingly common for Microsoft 365 accounts belonging to people who left the business months ago to still be sitting there, active and licensed. These need to be disabled or deleted. A quick audit of your Microsoft 365 admin centre will show you who is active.
- Software installed on devices that nobody manages: If staff have installed random free software on their work laptops, that software needs to be kept updated too. The simplest approach is a clear policy that only approved software is installed — and making sure what is installed stays patched.
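Two of the gaps above, MFA not enforced for everyone and ex-staff accounts still active, can be checked from a script rather than by clicking through the admin centre. This is an added example, not part of the original guide: it assumes the Microsoft Graph PowerShell SDK is installed, an admin account with read access to users and sign-in reports, and an Entra ID P1 licence (without it the tenant does not report last sign-in times); confirm the cmdlet names against your installed SDK version with Get-Command before relying on the output.

```powershell
# Added example (not the article's own): audit a Microsoft 365 tenant for stale
# accounts and for users with no MFA method registered, via Microsoft Graph PowerShell.
# Assumptions: Install-Module Microsoft.Graph has been run, the signed-in admin can
# consent to the scopes below, and the tenant has Entra ID P1 so signInActivity is populated.

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All"

# 1. Enabled, licensed accounts with no sign-in for 90+ days (or none ever recorded):
#    the usual shape of the "ex-staff accounts still active" gap.
function Get-StaleM365Accounts {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-MgUser -All -Property "displayName,userPrincipalName,accountEnabled,assignedLicenses,signInActivity" |
        Where-Object {
            $_.AccountEnabled -and
            $_.AssignedLicenses.Count -gt 0 -and
            ($null -eq $_.SignInActivity.LastSignInDateTime -or
             $_.SignInActivity.LastSignInDateTime -lt $cutoff)
        } |
        Select-Object DisplayName, UserPrincipalName,
            @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }
}

# 2. Users with no MFA method registered. A Conditional Access policy or Security
#    Defaults can require MFA, but until a user has actually registered a method
#    only the password protects that account, so this list should be empty.
function Get-UsersWithoutMfa {
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { -not $_.IsMfaRegistered } |
        Select-Object UserPrincipalName, IsAdmin, IsMfaCapable
}

Get-StaleM365Accounts | Format-Table -AutoSize
Get-UsersWithoutMfa   | Format-Table -AutoSize
```

Disable or delete anything on the first list that belongs to someone who has left, and chase registration for anyone on the second list before you submit the questionnaire.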
The process, step by step
- Choose a certification body. IASME is the main body accredited by the NCSC to deliver Cyber Essentials in the UK. Many IT managed service providers (MSPs) are themselves IASME-accredited, meaning they can certify their own clients. If you have an IT support company, ask them — there is a good chance they offer this as part of their service, or can at least guide you through the self-assessment before you submit.
- Complete the online self-assessment. The questionnaire is completed through the IASME portal. Set aside a few hours to work through it carefully. Your IT support company can sit alongside you if needed. The questions are written in plain English and you do not need to be technical to answer most of them.
- Pay the fee. For small organisations, the current cost through the IASME portal is in the region of £300 to £500, depending on the size of your organisation. This includes the assessment review and, if you pass, your certificate.
- Receive your certificate. If your answers meet the requirements, you will receive your Cyber Essentials certificate, valid for twelve months. You will then need to recertify annually to keep it current.
Why it is worth doing beyond just passing an assessment
The certificate is useful in several practical ways. Some cyber insurance providers offer reduced premiums to businesses that hold Cyber Essentials, reflecting the lower risk profile. If you work with or want to work with the public sector — including NHS trusts, local councils, or central government — Cyber Essentials is often a contractual requirement. Increasingly, larger private sector organisations ask suppliers to demonstrate it as part of their own supply chain due diligence. And for your own peace of mind, working through the process gives you a clear picture of where your business stands — which is genuinely valuable even if nobody ever asks to see the certificate.
The NCSC’s website at ncsc.gov.uk has free guidance documents and toolkits if you want to read more before getting started. For most small UK businesses, Cyber Essentials is achievable in a few weeks with modest effort and a modest budget — and the work you do to pass it will leave your business meaningfully more secure in the process.