Cyber Essentials is the UK government-backed cybersecurity certification scheme, developed by the National Cyber Security Centre (NCSC) and delivered by IASME. It sets out five technical controls designed to protect organisations against the most common internet-based cyber threats. If you bid for UK government contracts, handle sensitive data, or simply want to demonstrate robust cyber hygiene to clients and insurers, Cyber Essentials is the baseline standard you need. The scheme's requirements were updated on 27 April 2026, and the changes are significant. Here is everything UK businesses need to know to achieve and maintain certification under the new regime.

What Is Cyber Essentials?

Cyber Essentials certification confirms that an organisation has implemented five core technical controls across its IT infrastructure:

  1. Firewalls and Internet Gateways — securing the boundary between the organisation's network and the internet to prevent unauthorised access.
  2. Secure Configuration — ensuring computers and network devices are configured to minimise vulnerabilities, including removing unnecessary software and disabling unused accounts.
  3. User Access Control — restricting access to data and systems to only those who need it, using the principle of least privilege.
  4. Malware Protection — deploying and maintaining anti-malware defences, including keeping signatures updated and enabling real-time scanning.
  5. Patch Management (called Security Update Management in the current question set) — keeping software up to date with security patches, covering operating systems, applications, and firmware, and removing or segregating software that the vendor no longer supports.

According to the NCSC, these five controls, properly implemented, prevent an estimated 80% of common cyber attacks — including phishing-based credential theft, ransomware delivered through unpatched vulnerabilities, brute force attacks on poorly configured services, and malware infections from compromised websites. The scheme is deliberately limited to these five controls to ensure it remains achievable for organisations of all sizes, including SMEs with limited IT resources.

Certification costs start at £320 plus VAT for the self-assessment route (the fee is tiered by organisation size), making it one of the most cost-effective cybersecurity investments a UK business can make. For UK-domiciled organisations with a turnover under £20 million that certify their whole organisation, there is an additional benefit: free cyber liability insurance arranged by IASME, including a 24-hour incident response helpline.

What Changed in the April 2026 Update?

The IASME Cyber Essentials scheme underwent a significant update on 27 April 2026. Our consultants have reviewed the revised requirements, and the key changes are as follows:

1. Stricter Patching Timelines

The scheme has long required critical and high-severity security updates (vendor-rated critical or high, or CVSS v3 base score 7.0 and above) to be applied within 14 days of release. The April 2026 update keeps that 14-day window and adds expectations around it: organisations should be able to deploy emergency patches faster for actively exploited vulnerabilities, and must demonstrate a documented patch management policy that covers all in-scope devices, including servers, workstations, mobile devices, and network equipment. Enabling automatic updates wherever the vendor offers them remains the simplest way to stay inside the window.

2. MFA Now Required for All Cloud Services

This is one of the most impactful changes for organisations that have so far only enforced Multi-Factor Authentication (MFA) on administrative accounts. Under the 2026 requirements, MFA must be enabled for all user accounts, administrator or not, on all cloud services that the organisation uses to conduct its business. This includes email (Microsoft 365, Google Workspace), file storage (OneDrive, SharePoint, Google Drive), CRM systems, project management tools, accounting software, and any other cloud-hosted business application.

Where a cloud service genuinely does not offer MFA, the exception must be recorded in the self-assessment together with the compensating controls applied (at minimum the scheme's stronger password rules for accounts without MFA), approved by the accountable senior leader, and treated as temporary, with a plan to migrate to a service that supports MFA.
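The two controls above, the 14-day window for critical and high-severity updates and MFA on every cloud account, are the ones most often checked mechanically before submission. The following is an added example, not code from the original page or from IASME, of a gap check run over an inventory export. The device and account records, update names, hostnames and the reporting date are constructed for illustration; in practice they would come from an MDM (for example Intune) export and an identity-provider report, and the `Update`, `Device` and `CloudAccount` record types are assumptions of this example rather than anything the scheme defines.

```python
"""Cyber Essentials gap check over a constructed inventory (added example, not the page's own code)."""
from dataclasses import dataclass, field
from datetime import date

# Scheme rule: critical/high updates applied within 14 days of release.
# Day 14 itself is still inside the window; day 15 is overdue.
PATCH_WINDOW_DAYS = 14
# 'critical' or 'high' per vendor rating, or CVSS v3 base score 7.0 and above.
PATCH_SEVERITIES = {"critical", "high"}


@dataclass
class Update:                 # assumed record shape for a pending security update
    name: str
    severity: str
    released: date


@dataclass
class Device:                 # assumed record shape for an in-scope device
    hostname: str
    os: str
    vendor_supported: bool    # False once the OS/application has reached end of support
    pending: list = field(default_factory=list)   # Update objects not yet installed


@dataclass
class CloudAccount:           # assumed record shape for one user on one cloud service
    service: str
    user: str
    mfa_enabled: bool


def overdue_updates(device: Device, today: date) -> list:
    """Critical/high updates pending on this device for more than PATCH_WINDOW_DAYS."""
    return [
        u for u in device.pending
        if u.severity.lower() in PATCH_SEVERITIES
        and (today - u.released).days > PATCH_WINDOW_DAYS
    ]


def unsupported_devices(devices: list) -> list:
    """Devices running software the vendor no longer supports: must be upgraded or segregated."""
    return [d.hostname for d in devices if not d.vendor_supported]


def accounts_without_mfa(accounts: list) -> list:
    """Every cloud account, admin or not, must have MFA; list those that do not."""
    return [f"{a.user}@{a.service}" for a in accounts if not a.mfa_enabled]


def gap_report(devices: list, accounts: list, today: date) -> dict:
    """Collect the three findings; 'compliant' is True only when all three lists are empty."""
    overdue = {d.hostname: [u.name for u in overdue_updates(d, today)] for d in devices}
    report = {
        "patch_overdue": {host: names for host, names in overdue.items() if names},
        "unsupported": unsupported_devices(devices),
        "mfa_missing": accounts_without_mfa(accounts),
    }
    report["compliant"] = not any(report.values())
    return report


# Constructed sample data: reporting date and inventory invented for this example.
TODAY = date(2026, 5, 18)

SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11", True, [
        Update("UPD-2026-001", "critical", date(2026, 4, 20)),   # 28 days pending: overdue
        Update("UPD-2026-002", "low", date(2026, 3, 1)),         # low severity: no 14-day rule
    ]),
    Device("LAPTOP-02", "Windows 11", True, [
        Update("UPD-2026-003", "high", date(2026, 5, 10)),       # 8 days pending: inside window
    ]),
    Device("SRV-OLD", "Windows Server 2012 R2", False),          # end of support: out of policy
]

SAMPLE_ACCOUNTS = [
    CloudAccount("Microsoft 365", "alice", True),
    CloudAccount("Microsoft 365", "bob", False),        # non-admin mailbox without MFA: a gap
    CloudAccount("AccountingApp", "alice", True),
    CloudAccount("crm.example", "carol", False),        # non-email SaaS is easy to overlook
]

if __name__ == "__main__":
    for key, value in gap_report(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{key}: {value}")
```

The severity filter matters: Cyber Essentials puts the hard 14-day deadline only on critical and high-severity updates, so an old low-severity update is reported nowhere here, while a device whose operating system has left vendor support fails regardless of what is pending on it. Run the same check against the real export before the questionnaire is signed off, and again whenever a new cloud service or device class is introduced.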

3. New Remote Working Controls

The 2026 update introduces specific controls for remote and hybrid working arrangements, which have become the norm for many UK organisations. Requirements include:

  • Company-managed devices used remotely must meet the same security standards as on-premises devices, including the five core controls
  • Bring Your Own Device (BYOD) arrangements must be governed by a formal policy that addresses how the organisation ensures security on devices it does not fully control
  • Remote access connections (VPNs, remote desktop, direct cloud access) must use MFA and be configured to prevent unauthorised access
  • Home networks themselves are not assessed: an ISP-supplied home router is out of scope, so the firewall control must be met by the software firewall on each device used for remote work, which must be enabled and configured. A router that the organisation supplies to a home worker is in scope and must meet the same firewall requirements as office equipment.

4. Expanded Cloud Accountability

The update clarifies the shared responsibility model in cloud environments. Organisations are now required to demonstrate that they understand and manage their part of the security responsibility for each cloud service they use. This includes verifying that cloud provider configurations (identity federation, data residency, access logging) align with the organisation's security policies. Simply stating "the cloud provider is responsible" is no longer sufficient.

Cyber Essentials vs Cyber Essentials Plus

The two levels of certification serve different needs:

Cyber Essentials is a verified self-assessment. The organisation completes a comprehensive questionnaire covering the five technical controls, which is then independently reviewed by an IASME-licensed certification body. The organisation's answers must be signed off by a board member or equivalent senior leader. Certification costs start at £320 plus VAT, tiered by organisation size.

Cyber Essentials Plus includes everything in the self-assessment plus an independent technical audit conducted on-site (or remotely) by a certified assessor. The technical audit includes:

  • External vulnerability scanning of internet-facing systems
  • Internal authenticated vulnerability scanning and configuration checks on a sample of devices
  • Malware protection tests, delivering test files by email attachment and browser download
  • MFA verification on the organisation's cloud services
  • Patch validation on representative systems, confirming no critical or high-severity updates are outstanding beyond the 14-day window

Cyber Essentials Plus is built on the self-assessment: the Plus audit must be completed within three months of the Cyber Essentials certificate, so the self-assessment always comes first. Most organisations certify at the basic level and upgrade to Cyber Essentials Plus within 12 months. Cyber Essentials Plus is increasingly specified in commercial contracts and government procurements as the preferred level of assurance.

Who Needs Cyber Essentials?

Cyber Essentials is mandatory for:

  • UK central government contracts that involve handling personal data or providing certain ICT products and services. This is enforced through Cabinet Office Procurement Policy Note 09/14 and its successors.
  • Ministry of Defence supply chain — the MOD requires Cyber Essentials (or Plus, depending on the assessed risk) for suppliers that handle MOD identifiable information, through DEFCON 658 and the Cyber Security Model, and flows the requirement down to subcontractors.
  • NHS and healthcare supply chain — increasingly required by NHS trusts and integrated care boards.

Beyond mandatory requirements, Cyber Essentials is increasingly specified by:

  • Cyber insurance policies — many UK insurers now require or strongly incentivise Cyber Essentials certification as a condition of cover, and some offer reduced premiums to certified organisations.
  • Commercial contracts — particularly in financial services, legal, accountancy, and technology sectors, large enterprises routinely request Cyber Essentials evidence from their suppliers.
  • Local government — many local authorities now require Cyber Essentials from their vendors.

Free Cyber Insurance for Certified SMEs

One frequently overlooked benefit: a UK-domiciled organisation with a turnover under £20 million that achieves Cyber Essentials certification covering its entire organisation is automatically entitled to free cyber liability insurance, arranged by IASME. This includes a 24-hour incident response helpline with technical, legal, and crisis management support — a significant value-add that can save thousands in annual insurance premiums. Organisations that certify only part of their estate, or that opt out on the questionnaire, are not covered.

Certification Process and Timeline

A typical Cyber Essentials certification takes 1–4 weeks from start to certification, depending on the organisation's starting maturity:

  1. Self-assessment gap check (1–3 days) — review current infrastructure against the five control areas using the free IASME readiness tool.
  2. Remediation (1–14 days) — address any gaps identified. Common fixes include enabling MFA, configuring firewalls, removing local admin rights, and applying outstanding patches.
  3. Questionnaire completion (1–2 days) — complete the IASME Cyber Essentials self-assessment questionnaire. This must be signed off by a board member or equivalent.
  4. Submission and assessment (5–10 working days) — submit to an IASME-licensed certification body for review. The assessor may request clarification or additional evidence.
  5. Certification issued — valid for 12 months.

Cyber Essentials Plus adds approximately 1–2 weeks to the timeline for the on-site technical audit. The combined Cyber Essentials Plus process typically takes 3–6 weeks for well-prepared organisations, or 8–12 weeks if significant remediation is required.

Common Certification Pitfalls

From our experience supporting organisations through certification, the most common reasons for failed or delayed assessments include:

  • Shadow IT — cloud services or devices used by staff without IT's knowledge that don't meet Cyber Essentials requirements. A thorough discovery phase is essential.
  • Legacy systems that cannot be patched — old operating systems or applications that have reached end-of-life must be segregated or upgraded.
  • Incomplete MFA coverage — particularly for non-email cloud services that IT teams may overlook.
  • BYOD devices not governed by policy — the updated requirements are clear that personal devices used for work must be covered.

Our team provides end-to-end Cyber Essentials and Cyber Essentials Plus support. We conduct gap assessments against the updated 2026 requirements, provide remediation guidance for any non-compliant areas, and coordinate with IASME-licensed certification bodies to schedule and manage the assessment process. Through our fractional vCISO service, we provide ongoing support to maintain certification year after year, ensuring that changes to your IT infrastructure — new cloud services, staff growth, remote working arrangements — don't accidentally create compliance gaps.

For organisations pursuing Cyber Essentials Plus, our consultants can also act as a technical resource during the on-site assessment, helping to interpret assessor findings, prioritise any identified issues, and implement corrective actions quickly to keep the certification timeline on track.

Whether you are starting from scratch or renewing an existing certification under the updated requirements, our team can help you navigate the process efficiently.

Get supported through Cyber Essentials certification →

Free compliance readiness score →