
Cyber Essentials & Cyber Essentials Plus: A UK Guide for 2026

5 June 2026 · Cyber Horizon Team

Cyber Essentials is the UK government-backed scheme, run under the National Cyber Security Centre, that certifies an organisation against five fundamental technical controls. It is deliberately accessible — designed so any organisation can guard against the most common internet-based attacks — and it is increasingly a requirement to win UK public-sector contracts.

The five technical controls

Firewalls: Secure your internet connection and control traffic in and out.
Secure configuration: Harden devices and software; remove defaults and what you do not need.
Security update management: Keep operating systems and software patched and supported.
User access control: Give people only the access they need, and protect admin accounts.
Malware protection: Defend devices against malware via anti-malware, allow-listing or sandboxing.

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials is a verified self-assessment: you complete a questionnaire about how you meet the five controls, and it is reviewed and certified. Cyber Essentials Plus covers the same five controls but adds a hands-on technical audit — an assessor independently tests your systems to confirm the controls are genuinely in place. Plus is the stronger assurance and is often what larger customers and certain contracts require.

The practical path is usually to achieve Cyber Essentials first, then progress to Plus once you are confident the controls will stand up to a technical assessment.

Why bother?

It is mandatory for many UK government and public-sector contracts.
It is an accessible, credible signal of baseline security to customers.
It addresses the bulk of common, opportunistic internet attacks.
It is a sensible first rung before larger frameworks like ISO 27001.

Getting certified

Certification is handled through accredited certification bodies and is renewed annually, so the controls have to be maintained rather than implemented once and forgotten. Scope it carefully — be clear about which devices, networks and cloud services are in scope — and fix the common gaps first: unsupported software, missing patches, weak admin separation, and default configurations.

Cyber Essentials is a strong starting point, but most growing UK firms eventually progress to a fuller framework as enterprise and international customers ask for more. When you reach that stage, our ISO 27001 implementation guide is the natural next read.

Track Cyber Essentials and beyond in one place

Cyber Horizon maps the five controls and your evidence, then carries that work forward into ISO 27001, SOC 2 and 36 more frameworks as you grow.