UK · NCSC · Policy & Process ✓ Live in platform

Cyber Essentials — the UK's baseline cybersecurity certification. Every business needs it.

Mandatory for UK government suppliers. Increasingly required by enterprise procurement, cyber insurers, and regulated sector contracts. 786 Cyber covers all 5 control categories — policies, controls, roadmap, and evidence vault included.

Applies to: All UK businesses  ·  Required: UK government suppliers  ·  Recommended: all SMEs

A government-backed scheme that proves your business has the basics right.

Cyber Essentials is a UK government-backed certification developed by the NCSC (National Cyber Security Centre). It defines five fundamental technical controls that protect organisations against the most common cyber threats — covering around 80% of the attacks that target UK businesses.

There are two levels: Cyber Essentials (self-assessed, verified by an accredited assessor) and Cyber Essentials Plus (independently verified through technical testing). Both require the same five control categories — CE Plus adds a hands-on technical audit on top.

Certification is valid for 12 months and must be renewed annually. 786 Cyber tracks renewal dates and alerts you before they lapse.

Developed by the UK National Cyber Security Centre (NCSC)
Mandatory for all UK central government contracts involving personal data or network access
Recognised by the Ministry of Defence supply chain requirements
Accepted by major cyber insurers as evidence of baseline controls
Annual renewal — 786 Cyber tracks and alerts before lapse

Who needs Cyber Essentials?

🏛️
UK government suppliers

Mandatory for any contract involving personal data or network access to government systems.

🏢
Enterprise supply chains

Large enterprises increasingly require CE from all suppliers before onboarding — regardless of contract size.

🔐
Cyber insurance applicants

Insurers use CE certification as a baseline for cover eligibility and premium calculation.

💼
Any UK SME

Even without a legal requirement, CE is the recognised signal that a business takes security seriously.

Certification body: NCSC — National Cyber Security Centre

Renewal: Annual

Cyber Essentials covers five fundamental areas of technical security.

786 Cyber generates the policies, controls, and evidence required for all five — automatically.

1. Firewalls

Boundary and device-level firewall configuration to prevent unauthorised access

control:firewall domain:network

2. Secure configuration

Remove unused software, change default passwords, apply auto-lock and screen timeouts

control:hardening domain:configuration

3. User access control

Least privilege access, remove unused accounts, MFA for admin and remote access

control:mfa domain:access-control

4. Malware protection

Anti-malware software active, application whitelisting where appropriate

control:anti-malware domain:endpoint

5. Patch management

Operating systems and applications patched within 14 days of a critical update

control:patching domain:vulnerability
🏷️

CE controls are tagged to other frameworks automatically

Many Cyber Essentials controls satisfy requirements in ISO 27001, UK GDPR, and NIST CSF simultaneously. 786 Cyber's tagging system tracks this automatically — implement once, progress across multiple frameworks.

control:mfa framework:cyber-essentials framework:iso27001 framework:gdpr severity:critical

Cyber Essentials isn't just a certificate. It's proof your business is fit to trade securely.

The certification is straightforward. What it unlocks commercially — and what non-compliance costs you — is often underestimated.

Without Cyber Essentials

  • Excluded from government contracts: Any UK central government contract involving personal data or network access requires Cyber Essentials. Without it, you cannot bid — regardless of capability or price.
  • Blocked from enterprise supply chains: FTSE 250 companies, NHS trusts, defence contractors, and financial institutions are increasingly mandating CE across their supplier base. Non-certification is a disqualifier at the procurement stage.
  • Higher insurance premiums or rejected cover: Insurers price cyber risk based on evidenced controls. Without CE, you're assessed as higher risk — or declined cover altogether for certain incident types.
  • Exposure to common attacks: The five CE control categories protect against approximately 80% of the cyber attacks targeting UK SMEs. An uncertified business is significantly more exposed to ransomware, phishing, and credential theft.

With Cyber Essentials

  • Government contract eligibility: Certification opens the door to UK public sector procurement — a market worth hundreds of billions annually — and signals readiness to any buyer running due diligence.
  • Enterprise supplier approval: CE certification satisfies the security requirements of most enterprise supplier onboarding processes — removing a common bottleneck in new client relationships.
  • Better insurance terms: Certified businesses typically qualify for lower premiums and broader cover — with insurers recognising the CE controls as evidence of a responsible security posture.
  • Foundation for ISO 27001: Cyber Essentials covers the technical baseline that ISO 27001 builds on. Getting CE right first means ISO 27001 is a natural progression — not a standing start.
  • Staff and client confidence: A publicly listed CE certification tells clients their data is protected and gives staff clear, documented expectations around device and system use.

"For most UK SMEs, Cyber Essentials is where the security journey starts. It's not the destination — but nothing else is accessible without it."

See what your Cyber Essentials roadmap looks like.

This extract is from a roadmap generated for Meridian Consulting Ltd — a fictional 47-person UK professional services firm with no prior certifications. It shows the priority controls, progress tracking, and cross-framework tags your team would see after running the Compliance Wizard.

👤

Want to see your organisation's real roadmap?

Sign up free and run the Compliance Wizard — your personalised Cyber Essentials roadmap in under 10 minutes. Start now →

Cyber Essentials Roadmap
Meridian Consulting Ltd
Professional services · 47 employees · London, UK
CE progress: 40%
Actions left: 8

Progress by control category

Firewalls: 60%
Secure configuration: 50%
User access control: 25%
Malware protection: 80%
Patch management: 40%

Priority actions

!
Enable MFA for all admin and remote access accounts
Required under user access control. Currently not configured.
control:mfa framework:cyber-essentials framework:iso27001 severity:critical
Patch all OS and applications within 14 days of critical release
Current patching cycle exceeds 14-day window. Process needs formalising.
control:patching framework:cyber-essentials severity:high
~
Remove unused user accounts and enforce least privilege
3 dormant accounts identified. Access review in progress.
domain:access-control framework:cyber-essentials control:access-review severity:high
Boundary firewall configured and default passwords changed
Verified. Last reviewed 28 Feb 2026.
control:firewall framework:cyber-essentials domain:network
Generated by 786 Cyber · 1 May 2026

Sample extract only. Sign up free to generate your real roadmap.

What you need for Cyber Essentials certification.

786 Cyber generates the policies, maps the controls, and tracks your progress across all of these automatically.

  • !
    Boundary firewall in place — all devices protected, default vendor passwords changed, inbound rules documented.
    framework:cyber-essentials control:firewall domain:network
  • !
    Secure configuration applied — unused software removed, auto-screen-lock enabled, admin accounts separated from standard user accounts.
    framework:cyber-essentials control:hardening domain:configuration
  • !
    MFA enabled for admin and remote access — multi-factor authentication required for all privileged accounts and any external access to systems.
    framework:cyber-essentials control:mfa severity:critical
  • !
    Unused accounts removed — all dormant user accounts disabled or deleted, access rights reviewed and limited to what each role requires.
    framework:cyber-essentials control:access-review domain:access-control
  • !
    Anti-malware active on all devices — real-time protection enabled, signatures up to date, coverage confirmed across all in-scope devices.
    framework:cyber-essentials control:anti-malware domain:endpoint
  • !
    Critical patches applied within 14 days — OS and application patching process documented and verified. High-severity vulnerabilities patched within 14 days of release.
    framework:cyber-essentials control:patching domain:vulnerability
  • ~
    Acceptable Use Policy published and acknowledged — all staff have read and signed the AUP covering device, internet, and email use.
    framework:cyber-essentials policy:acceptable-use domain:governance
  • ~
    Password Policy in place — minimum password length, complexity requirements, and MFA mandate documented and communicated to all users.
    framework:cyber-essentials policy:password control:mfa
  • Remote Working Policy documented — secure remote access procedures, device requirements, and data handling rules for staff working outside the office.
    framework:cyber-essentials policy:remote-working domain:endpoint
  • Asset inventory maintained — all in-scope devices catalogued with owner, OS version, and patch status. Required for scoping the assessment.
    framework:cyber-essentials domain:asset control:asset-management

Everything you need for Cyber Essentials — generated automatically.

786 Cyber covers the full certification journey — from first assessment to renewal reminder.

🧭

AI Compliance Wizard

6-step assessment identifies your CE gaps, prioritises actions, and produces a clear roadmap — in under 10 minutes.

📝

Auto-generated policies

Acceptable Use, Password, Remote Working, and BYOD policies generated and pre-populated for your organisation — ready to publish.

🏷️

Cross-framework tagging

CE controls tagged to ISO 27001, GDPR, and NIST CSF simultaneously. One action satisfies multiple frameworks.

📊

Progress tracking per category

Visual progress rings per CE control category — see exactly where you are and what's left before certification.

📋

Audit trail & evidence vault

Every control implementation logged automatically. When the assessor asks for evidence, it's already compiled.

🔔

Renewal alerts

CE certification is annual. 786 Cyber tracks your renewal date and alerts you before it lapses — keeping you continuously certified.

Next step

Ready for Cyber Essentials Plus?

CE Plus adds independent technical verification on top of the CE documentation. 786 Cyber handles the complete documentation layer — all policies, controls, and evidence — so you're ready for the assessor from day one.

View Cyber Essentials Plus →

Start your Cyber Essentials journey today.

Run the Compliance Wizard free — get your personalised CE roadmap in under 10 minutes. No security expertise needed.

MSP delivering CE to clients: enquire about the partner programme →