Do I need Cyber Essentials? A straight answer

What Cyber Essentials actually is, whether your business needs it, and what it does and doesn't protect you from.

By Jellybean Cyber

Cyber Essentials comes up constantly. A client asks for it. Your insurer mentions it. A tender requires it. But nobody explains what it actually is or whether it's worth doing.

Here's the straight answer.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme. It covers five basic security controls:

  1. Firewalls — are your internet-facing devices properly configured?
  2. Secure configuration — have you changed default settings and removed unnecessary software?
  3. Access control — do users only have the access they need?
  4. Malware protection — do you have anti-malware and is it up to date?
  5. Patch management — are your operating systems and applications patched within 14 days of a critical update?

There are two levels:

  • Cyber Essentials — a self-assessment questionnaire verified by a certification body
  • Cyber Essentials Plus — the same controls, but independently tested by an assessor who actually checks your systems

Do you need it?

Yes, if:

  • You bid on government contracts (it's been mandatory for central government contracts involving personal data since 2014)
  • Your clients or suppliers require it (increasingly common in professional services, education, and healthcare supply chains)
  • Your cyber insurance policy asks for it (some insurers offer discounts or require it)
  • You want a baseline to build from (it forces you to get the fundamentals right)

No, if:

  • You're already doing everything it covers (but can you prove it?)
  • You're pursuing ISO 27001 or SOC 2 (these are more comprehensive and include everything CE covers)

What it doesn't do

Cyber Essentials is a baseline. It does not:

  • Test for sophisticated attacks
  • Cover social engineering or phishing
  • Assess your incident response capability
  • Test your web applications
  • Check your Active Directory configuration
  • Monitor your network for threats

It's the equivalent of checking that your doors have locks. It doesn't check whether someone can pick the locks, clone your keys, or climb through a window.

Is it worth the money?

The basic Cyber Essentials costs around £300–£500 for the certification fee. Cyber Essentials Plus typically costs £1,500–£3,000 depending on the size and complexity of your environment.

For what you get — a structured review of your basic controls and a certificate you can show clients — it's good value. Just don't mistake it for a comprehensive security assessment.

Our recommendation

Get Cyber Essentials if you need it for contracts or compliance. Get Cyber Essentials Plus if you want someone to actually verify your controls rather than taking your word for it.

Then do a proper penetration test to find out what Cyber Essentials doesn't cover. That's where the real risks usually hide.

We can help with both. Get in touch and we'll point you in the right direction.