If you're a UK-based startup, you've probably heard of Cyber Essentials. It's increasingly required for government contracts, and more enterprise customers are asking for it as a baseline before doing business. But what does it actually involve, and is it worth the effort?
Short answer: yes. Here's everything you need to know.
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme that demonstrates your organisation meets a baseline of cybersecurity hygiene. It was designed to protect against the most common cyber attacks — the ones that exploit basic vulnerabilities rather than sophisticated techniques.
There are two levels:
- Cyber Essentials: A self-assessment questionnaire verified by a licensed assessor. Suitable for most startups and SMBs
- Cyber Essentials Plus: Includes independent technical testing of your systems. Required for some government contracts and provides stronger assurance
The 5 Controls
Cyber Essentials covers five technical controls. If you're already following security best practices, you may find you're already compliant in several areas.
1. Firewalls
Every device that connects to the internet must be protected by a properly configured firewall. For most startups using cloud services, this means ensuring your cloud provider's network controls and your endpoint firewalls (Windows Firewall, macOS Firewall) are enabled and configured correctly.
2. Secure Configuration
Devices and software should be configured to reduce vulnerabilities. This includes removing unnecessary software, changing default passwords, and disabling unused features. For cloud-first businesses, this extends to your Microsoft 365 or Google Workspace configuration.
3. User Access Control
User accounts should follow the principle of least privilege — people should only have access to what they need for their role. Admin accounts should be separate from day-to-day accounts, and MFA should be enabled.
4. Malware Protection
All devices must have malware protection. On Windows, this means keeping Microsoft Defender active and updated. On macOS, it means ensuring Gatekeeper and XProtect are enabled. You also need application allow-listing or sandboxing where practical.
5. Security Update Management
Software must be kept up to date. Critical and high-severity patches should be applied within 14 days of release. This applies to operating systems, browsers, plugins, and any internet-facing services.
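The 14-day rule in control 5 is the one that most often trips startups up in practice, because nobody is tracking release dates against install dates. The following is an added example (not from the article or any certification body) of how to audit a patch inventory against that window; the device names, software labels and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example for this article, not tooling from any certification body.
# Cyber Essentials rule: critical/high fixes applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)
IN_SCOPE_SEVERITIES = {"critical", "high"}

@dataclass(frozen=True)
class PatchRecord:
    device: str
    software: str
    severity: str            # vendor or CVSS-derived label
    released: date           # date the vendor published the fix
    applied: Optional[date]  # None while the fix is still not installed

def deadline(rec: PatchRecord) -> date:
    """Last compliant day for installing this patch."""
    return rec.released + PATCH_WINDOW

def overdue_patches(inventory, today: date):
    """Return (record, days_late) for every in-scope patch that missed its deadline.
    Low/medium patches are skipped because the 14-day clock applies only to critical
    and high; a patch applied on the deadline day complies (0 days late); a patch
    still unapplied is measured against `today`, so it appears once the deadline passes."""
    findings = []
    for rec in inventory:
        if rec.severity.lower() not in IN_SCOPE_SEVERITIES:
            continue
        effective = rec.applied if rec.applied is not None else today
        days_late = (effective - deadline(rec)).days
        if days_late > 0:
            findings.append((rec, days_late))
    return sorted(findings, key=lambda f: f[1], reverse=True)

# Constructed sample inventory (hypothetical devices, software and dates).
AUDIT_DATE = date(2024, 3, 25)
SAMPLE_INVENTORY = [
    PatchRecord("laptop-01", "OS", "critical", date(2024, 3, 1), date(2024, 3, 10)),      # in time
    PatchRecord("laptop-02", "OS", "critical", date(2024, 3, 1), date(2024, 3, 20)),      # 5 days late
    PatchRecord("laptop-03", "browser", "high", date(2024, 3, 5), None),                  # still open
    PatchRecord("laptop-03", "office", "medium", date(2024, 2, 1), None),                 # out of scope
    PatchRecord("laptop-04", "vpn-client", "high", date(2024, 3, 10), date(2024, 3, 24)), # on the deadline
]

if __name__ == "__main__":
    for rec, late in overdue_patches(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{rec.device:10} {rec.software:11} {rec.severity:9} due {deadline(rec)}  late by {late} day(s)")
```

Feeding this the export from your MDM or patch-management tool gives you the evidence list an assessor will ask for, and an empty result is what "compliant with control 5" looks like on a given day.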
Why Your Startup Needs It
- Win more contracts: Many enterprises and all UK government departments require Cyber Essentials from suppliers
- Reduce insurance premiums: Some cyber insurance providers offer discounts for certified organisations
- Demonstrate maturity: Certification signals to customers that you take security seriously
- Prevent 80% of attacks: NCSC estimates that Cyber Essentials controls prevent the vast majority of common attacks
- Free cyber insurance: Cyber Essentials certification includes free cyber liability insurance (up to £25,000) for qualifying businesses
How to Prepare
For most startups, preparation takes 2-4 weeks:
- Scope your assessment: Define which systems, users, and locations are in scope
- Gap analysis: Compare your current setup against the five controls
- Remediate gaps: Fix any issues — common ones include missing MFA, overprivileged accounts, and outdated software
- Complete the questionnaire: Answer the self-assessment honestly and submit to a licensed certification body
- Certification: If you pass, you receive your certificate (valid for 12 months)
What It Costs
The certification itself costs between £300 and £500 for Cyber Essentials (depending on the certification body). Cyber Essentials Plus costs £1,500 to £3,000 due to the technical testing involved.
The real cost is in preparation — identifying and fixing gaps. If your security baseline is already solid, this might take a few hours. If you're starting from scratch, it could take a couple of weeks of work.
How We Can Help
Our consulting service includes Cyber Essentials preparation. We'll assess your current state against the five controls, fix any gaps, and guide you through the certification process. We also ensure your cloud configuration meets the requirements from day one.