Gap assessment, remediation and certification support from a CREST-certified team. Fully compliant with v3.3 requirements.
Cyber Essentials is the UK government's baseline cyber security certification, backed by the National Cyber Security Centre. It is increasingly required for businesses bidding for public sector contracts and is becoming a standard requirement in private sector supply chains too. SME Cyber Solutions guides you through the entire process — from gap assessment to certified submission.
The certification is built around five technical controls that, when properly implemented, prevent the large majority of common cyber attacks: boundary firewalls, secure configuration, user access controls, malware protection and security update management. We assess your current setup against all five, identify any gaps and support you in resolving them before your assessment begins.
Cyber Essentials is a verified self-assessment. You complete a structured questionnaire, a board-level signatory confirms your answers, and an independent assessor reviews your submission. Costs start at £320 +VAT, scaling with organisation size.
Cyber Essentials Plus adds independent technical testing by a qualified assessor who verifies that your controls are working in practice, not just described on paper. It carries more weight in procurement and is required for certain government contracts. Costs vary by organisation size and network complexity.
Both certifications last 12 months and require annual renewal. Organisations with annual turnover under £20 million automatically receive free cyber liability insurance up to £25,000 on full-organisation certification.
Version 3.3 of the Cyber Essentials requirements came into force on 27 April 2026. The most significant change is that MFA is now an automatic fail trigger — if a cloud service offers multi-factor authentication and you have not enabled it, your assessment fails immediately. Cloud services also cannot be excluded from scope under the new rules. We ensure your setup is fully compliant before your assessment begins. Read our full guide to the 2026 changes.
Gap assessment. We review your current IT environment against the five controls and produce a clear list of what needs to change before you certify.
Remediation support. We help you implement the required changes — MFA configuration, firewall review, access control updates — so your assessment reflects your actual security posture.
Certification guidance. We walk you through the self-assessment questionnaire and ensure your answers are accurate, complete and aligned to the current question set.
Cyber Essentials Plus testing. As a CREST-certified provider, we conduct the independent technical testing required for Plus certification and provide a clear remediation roadmap where issues are found.
Annual renewal support. We keep track of your renewal date, flag any requirement changes ahead of your next assessment and support you through the process each year.
Cyber Essentials certification is suitable for any UK business regardless of size or sector. It is essential for businesses bidding for government contracts, increasingly expected by large private sector clients and valuable for any organisation that wants a recognised baseline of protection. If you are renewing after the April 2026 changes, or certifying for the first time under v3.3, we can ensure the process is straightforward.
Book a free consultation and we will assess where you stand against the current requirements and give you a clear plan for certification. You can also check your email security configuration right now using our free security tools — no signup required.
How long does Cyber Essentials certification take?
For most small businesses, the process from initial gap assessment to certification takes two to four weeks, depending on what remediation is needed. If your controls are already close to compliant, it can be faster.
Do we need Cyber Essentials Plus or will standard certification be enough?
Standard Cyber Essentials is sufficient for most SMEs unless a specific contract or client requires the Plus level. We can advise based on your situation. Read our comparison guide.
What changed with the April 2026 update?
MFA is now an automatic fail if not enabled on cloud services, cloud services cannot be excluded from scope, and the new Danzell question set replaced Willow. We ensure you are assessed against the current requirements. Full details here.
Does certification come with insurance?
Yes. Any UK organisation with annual turnover under £20 million that achieves full-organisation Cyber Essentials certification receives free cyber liability insurance up to £25,000, arranged by IASME.
Cyber Essentials establishes your baseline. Penetration testing goes further by actively probing your defences, and 24/7 monitoring provides the ongoing visibility that certification alone does not cover.
Book a free consultation and find out exactly where you stand against the current requirements.