Cyber Essentials: The Complete What-You-Need-To-Do Guide
Updated 22 April 2026
Cyber Essentials is the UK's entry-level cyber security certification, backed by the National Cyber Security Centre (NCSC) and administered by IASME. It's a self-assessment (with an optional technical audit for CE Plus) against five technical controls. Done properly it blocks around 80% of commodity internet attacks, the stuff actually hitting SMEs day-to-day.
This guide walks through exactly what needs to be in place before you apply.
What you're certifying
Cyber Essentials checks five technical control areas:
- Firewalls and boundary devices
- Secure configuration
- User access control
- Malware protection
- Security update management (patching)
Each applies to every device, cloud service, and piece of software in scope, which usually means everything your staff use to do their jobs. You self-assess against a questionnaire, a senior person signs it off, and a certifying body reviews your answers. CE Plus adds a hands-on audit.
Step 0: Define your scope
Before anything else, decide what's in scope. Options:
- Whole organisation: easiest to explain to clients, and required for most contracts
- Defined sub-set, e.g. "head office network only": cheaper and quicker, but limits what you can claim
Scope includes:
- Every laptop, desktop, tablet and phone used for work (including personally-owned devices used for work email, BYOD)
- Every cloud service that holds company data (Microsoft 365, Google Workspace, Dropbox, Xero, CRM, etc.)
- Every server (physical, virtual, cloud)
- The office internet connection and any VPN
- Every piece of software on in-scope devices
This catches people out. "We only use Microsoft 365" doesn't mean only M365 is in scope; the laptops staff use to access it are in scope too.
Control 1: Firewalls and boundary devices
What's required:
- Every internet-facing device must be behind a firewall (most routers have one built in; that's fine).
- The default password on the firewall must be changed.
- Admin access to the firewall must not be available from the internet, or if it is, protected by MFA.
- Inbound services (anything accessible from the internet) must be documented and justified. Close anything you don't need.
- Rules that are no longer needed must be removed.
Common fail: the office router's default admin password ("admin/admin" or whatever's on the sticker) has never been changed. Fix this before you submit.
Home workers count too. If staff connect from home, either use a corporate-provided firewall / VPN or ensure their home router isn't using factory credentials and has been patched.
Control 2: Secure configuration
Every device and piece of software should be set up so it's safe by default:
- Remove unused software and accounts
- Disable auto-run for removable media
- Disable or change default passwords on everything (routers, servers, admin panels, IoT)
- Block unauthenticated access to services that don't need to be public
- Enforce screen-lock after idle time (10 minutes max, required by the standard)
For Microsoft 365 specifically, this means turning off Basic/Legacy Authentication across the tenant: it bypasses MFA, and there's no justification for keeping it on in 2026.
Control 3: User access control
Access must be controlled and minimised:
- Every user has their own account, no shared logins.
- Admin accounts are separate from day-to-day user accounts. Admins don't read email or browse the web as admin.
- Access is granted only when needed, and removed when people leave (you must be able to show the process).
- MFA is enforced on all cloud service accounts; this is now a hard requirement, not a nice-to-have. See our MFA guide.
- Strong authentication: passwords must meet NCSC requirements (12+ characters OR 8+ characters plus MFA), OR use biometric / hardware-key authentication.
Common fail: admin rights on every laptop. Standard users should be standard users. Local admin should be a separate account used only for installs.
Control 4: Malware protection
At least one of the following on every device:
- Anti-malware software: up-to-date signatures, real-time scanning on, scheduled scans
- Application allow-listing: only approved apps can run
- Sandboxing: apps run in an isolated environment
For practical purposes on Windows and macOS, this means an active, managed anti-malware tool. Microsoft Defender (built into Windows 10/11 Pro and Business) qualifies, as does Heimdal, Defender for Business, Sophos, ESET, and similar.
What doesn't work: free consumer antivirus on work laptops, or products where the subscription has lapsed and signatures aren't updating.
Control 5: Security update management
All software on in-scope devices must:
- Be licensed and supported: Windows 7 is out, Windows 10 is approaching end-of-life, and macOS versions older than the two most recent are out. The same applies to third-party software.
- Have auto-updates enabled where available
- Have high and critical patches applied within 14 days of release; this is a hard deadline from the standard
- Be removed where it is unsupported and no patches are coming
"Within 14 days" is what trips up most self-installed environments. Enterprise patch tooling (Intune, Heimdal, Action1) tracks this automatically; manual patching usually can't prove it.
Evidence you'll need
You don't submit evidence for standard CE; you self-declare. But you must be able to demonstrate it if audited (and for CE Plus you will be). Practically, gather:
- Asset inventory: every device in scope, OS version, patch level
- Software inventory: every application in use
- User list, with access levels and separate admin/user accounts
- Firewall config export, or a screenshot of the rules
- MFA coverage report from M365 / Google / whichever cloud you use
- Anti-malware status: managed console export showing every endpoint protected
- Patching evidence: screenshots of Intune/Heimdal patch compliance, or WSUS reporting
- Joiner / mover / leaver process, documented (even as a simple internal wiki page)
CE vs CE Plus
Cyber Essentials is the self-assessed tier: you answer the questionnaire, pay the fee (£320–£600 depending on size), and get your certificate.
Cyber Essentials Plus adds a hands-on technical audit. An assessor:
- Runs external vulnerability scans against your public IPs
- Runs authenticated scans on a sample of endpoints
- Tests malware detection with standard test files
- Verifies MFA is actually enforced
- Checks patching compliance from real devices
- Verifies that removing a user actually removes their access
CE Plus typically runs £1,050–£1,650+ depending on size. It's required for more sensitive government contracts, and some insurers give you bigger discounts for it.
Common reasons people fail
From what we see most often:
- Unsupported operating systems: old macOS, unpatched Server 2012s still running in a cupboard
- MFA not enforced for all users: it's on for admins but optional for everyone else
- Legacy Authentication still enabled in M365
- Local admin rights for every user on their laptop
- Unknown scope: a personal device someone uses for work email that was never accounted for
- Patching lag: can't prove things are patched within 14 days
- Default router passwords on home workers' routers
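As an added example (not part of the original guide or any vendor's tooling), here is a pre-assessment check in Python over constructed asset, user and tenant inventories that flags the failures listed above: unsupported OS, patches outside the 14-day window, day-to-day accounts holding local admin, MFA not enforced, the 12+ / 8+ with MFA password rule, and Legacy Authentication still on. The inventory fields, names and dates are hypothetical; a real run would take them from your Intune / M365 exports.

```python
from datetime import date, timedelta
PATCH_DEADLINE_DAYS = 14                                  # hard deadline from the standard
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2012"}    # examples named in the guide
# Constructed sample inventories (hypothetical; not exported from any real tenant)
DEVICES = [
    {"name": "LT-01", "os": "Windows 11", "patch_released": date(2026, 4, 1),
     "patched": date(2026, 4, 5), "local_admins": ["admin-alice"]},
    {"name": "SRV-OLD", "os": "Windows Server 2012", "patch_released": date(2026, 3, 1),
     "patched": None, "local_admins": ["alice"]},
    {"name": "LT-02", "os": "macOS 15", "patch_released": date(2026, 4, 1),
     "patched": date(2026, 4, 20), "local_admins": []},
]
USERS = [
    {"name": "alice", "mfa": True, "pw_len": 14, "is_admin": False},
    {"name": "bob", "mfa": False, "pw_len": 9, "is_admin": False},
    {"name": "admin-alice", "mfa": True, "pw_len": 20, "is_admin": True},
]
TENANT = {"legacy_auth_enabled": True}

def check_device(dev, day_users, today):   # Control 5 (OS, patching) and Control 3 (local admin)
    findings = []
    if dev["os"] in UNSUPPORTED_OS:
        findings.append(f"{dev['name']}: unsupported OS ({dev['os']})")
    deadline = dev["patch_released"] + timedelta(days=PATCH_DEADLINE_DAYS)
    applied = dev["patched"] or today            # still unpatched: measure the lag up to today
    if applied > deadline:
        findings.append(f"{dev['name']}: patch {(applied - deadline).days} day(s) past the 14-day window")
    for acct in dev["local_admins"]:
        if acct in day_users:                    # an everyday (non-admin) account holding local admin
            findings.append(f"{dev['name']}: day-to-day account {acct} has local admin")
    return findings

def check_user(user):   # Control 3: MFA on every cloud account; 12+ chars, or 8+ chars plus MFA
    findings = []
    if not user["mfa"]:
        findings.append(f"{user['name']}: MFA not enforced")
    if not (user["pw_len"] >= 12 or (user["pw_len"] >= 8 and user["mfa"])):
        findings.append(f"{user['name']}: password too short for its MFA status")
    return findings

def run_check(devices=DEVICES, users=USERS, tenant=TENANT, today=date(2026, 4, 22)):
    findings = []                                # empty result means the sample passes these checks
    if tenant["legacy_auth_enabled"]:            # Control 2: Basic/Legacy Auth bypasses MFA
        findings.append("tenant: Legacy/Basic Authentication still enabled")
    day_users = {u["name"] for u in users if not u["is_admin"]}
    for u in users:
        findings += check_user(u)
    for d in devices:
        findings += check_device(d, day_users, today)
    return findings
```

Run against the constructed data it returns seven findings; the clean laptop LT-01 produces none, which is the check for false positives.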
Rough timeline
For a typical 20-person SME with reasonable IT:
- Week 0: scoping call, identify gaps
- Weeks 1–3: remediation (patching, MFA rollout, clean up local admin, sort out old kit)
- Week 4: pre-assessment dry run against the questionnaire
- Week 5: formal submission
- Week 6: certificate issued (assuming no follow-up questions)
If you're aiming for CE Plus, add 2–4 weeks for the audit booking and remediation of anything the assessor finds.
Keeping it
CE certification lasts 12 months. The controls must remain in place every day, not just on the day you certified. Annual renewal means repeating the questionnaire against whatever the current edition of the standard is (it evolves; cloud service requirements in particular have tightened every year since 2022).
If you'd like help scoping, remediating, or running the questionnaire, get in touch; we're a Cyber Essentials Cyber Advisor firm and do this week in, week out.
