Cyber Essentials

Cyber Essentials certification support from an IASME licensed Certification Body. Practical help with scope, readiness, assessment questions and next steps.

Cyber Essentials is often requested when an organisation needs to satisfy a tender requirement, reassure a client, meet a supply-chain condition or show that basic security controls are in place.

The assessment is straightforward in structure, but the answers still need to reflect how your organisation actually works. Devices, users, cloud services, remote access, firewalls, software updates and administrator accounts all need to be considered properly.

Be Secure Cyber is an IASME licensed Certification Body. We help organisations understand what the assessment is asking, identify gaps before submission and use the process as a practical way to improve security.

When Cyber Essentials is usually needed

Cyber Essentials is commonly triggered by:

  • a public-sector or larger customer tender
  • a client asking for evidence of basic cyber security controls
  • a supplier assurance questionnaire
  • an insurance or governance requirement
  • a decision to improve security using a recognised baseline
  • preparation for Cyber Essentials Plus

For many organisations, Cyber Essentials is the first formal security assessment they complete. Done properly, it gives a useful view of whether the basics are being managed consistently.

How we help

We can support the certification process from early readiness through to assessment.

This may include:

  • confirming the scope of the assessment
  • explaining the Cyber Essentials questions clearly
  • reviewing your current controls before submission
  • identifying areas that may need remediation
  • helping you understand cloud, remote working and device scope
  • supporting the certification process as an IASME licensed Certification Body
  • advising on sensible next steps after certification

The aim is not simply to complete the questionnaire. The aim is to make sure the answers are accurate, defensible and useful to the business.

What the process involves

Most Cyber Essentials certifications follow a similar path:

  1. Scope: we confirm what should be included, including devices, users, cloud services and remote working.
  2. Readiness: we review your current controls and highlight where they appear to fall short of the Cyber Essentials requirements.
  3. Submission: the self-assessment is completed and assessed against the Cyber Essentials standard, with guidance available where support has been agreed.
  4. Certificate: once the answers meet the standard, you receive your Cyber Essentials certificate, valid for 12 months.

For a reasonably prepared organisation, certification is usually achievable within a few weeks.

Cyber Essentials pricing

Cyber Essentials is usually a fixed piece of work, so we are happy to be clear about cost.

  • Certification only: from £320 + VAT. You complete the self-assessment yourself and we assess the submission against the Cyber Essentials standard. This suits organisations that are confident in their answers and do not need guidance.
  • Certification with guidance and support: from £430 + VAT. We work through the assessment with you and review your answers before submission, providing guidance where your current controls appear to fall short of the standard. This is the option most organisations choose, particularly for their first certification.

Cyber Essentials certification also includes the cyber liability insurance that IASME provides for eligible UK organisations.

Final pricing depends on the size of your organisation. Cyber Essentials Plus is priced separately on the Cyber Essentials Plus page. Speak to us for a figure for your organisation.

Common areas that cause problems

Cyber Essentials is based on a defined set of controls, but many difficulties come from day-to-day IT decisions that have built up over time.

Common issues include:

  • unsupported operating systems or applications
  • inconsistent patching
  • missing or incomplete multi-factor authentication
  • excessive administrator access
  • unmanaged laptops, phones or tablets
  • unclear bring-your-own-device arrangements
  • cloud services that have not been included in scope
  • weak firewall or remote access arrangements
  • uncertainty about who owns particular systems

These issues are usually manageable, but they are easier to address before the assessment is submitted.

Cyber Essentials and Microsoft 365

Many organisations now rely heavily on Microsoft 365. That means the Cyber Essentials assessment is not only about laptops and firewalls.

Microsoft 365 settings can affect user access, administrator roles, MFA, email security, device access and external sharing. For organisations preparing for Cyber Essentials Plus, the Microsoft 365 configuration may also affect readiness for technical testing.

Where needed, we can review Microsoft 365 security settings as part of wider readiness work or as a separate security review.

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials is a self-assessment certification. The organisation answers questions about its controls and the answers are assessed.

Cyber Essentials Plus goes further. It includes technical verification of selected systems to check that key controls are working in practice.

Many organisations start with Cyber Essentials and then move to Cyber Essentials Plus when a customer, tender or internal governance process requires stronger evidence.

Why use an IASME licensed Certification Body

Working with a licensed Certification Body means the assessment is handled through the official certification process.

It also means you can ask practical questions before submission rather than guessing how to interpret the assessment. This is particularly useful where your IT environment includes remote workers, cloud services, systems managed by an external IT provider, shared devices or mixed ownership of assets.

Be Secure Cyber combines certification support with practical security consultancy. Where the assessment identifies gaps, we can help you decide what needs to be fixed first and what can be planned sensibly over time.

Beyond certification

Cyber Essentials is a useful baseline, but it is not the whole security programme.

After certification, organisations often ask for help with:

The right next step depends on why you needed certification and what the assessment showed.

For organisations looking for regional support, Be Secure Cyber also provides Cyber Essentials support for organisations in Scotland.

Frequently asked questions

How much does Cyber Essentials cost?

Cyber Essentials certification starts from £320 + VAT if you complete the self-assessment yourself, or from £430 + VAT if you would like guidance and a review of your answers before submission. Cyber Essentials Plus, which adds technical testing, starts from £1,300 + VAT. Final pricing depends on the size of your organisation, so speak to us for a figure for yours.

Can you help before we submit the assessment?

Yes. A readiness review can help identify issues before submission. This is often the most useful stage to get advice, especially if the organisation is unsure about scope, cloud services, remote workers or device management.

Do we need Cyber Essentials Plus as well?

Not always. Cyber Essentials may be enough for some client or tender requirements. Cyber Essentials Plus is usually needed when a customer wants stronger technical evidence or when the organisation wants more assurance that controls are working in practice.

Can Cyber Essentials be completed remotely?

In most cases, yes. The self-assessment process can usually be supported remotely. Cyber Essentials Plus may involve additional technical testing requirements, depending on the environment and assessment approach.

What happens if we find issues during readiness work?

That is normal. The purpose of readiness work is to find issues early enough to fix them. We can help prioritise what needs to be addressed before submission and what can be handled as part of a wider improvement plan.

Is Cyber Essentials only for larger organisations?

No. It is often used by small and mid-sized organisations that need to meet customer, tender or supply-chain requirements. The important point is making sure the scope and answers reflect how the organisation actually operates.

Speak to us about Cyber Essentials

If you need Cyber Essentials for a tender, client requirement or internal security improvement, we can help you understand the process and the likely work involved.

Contact Be Secure Cyber to discuss Cyber Essentials support.