SecurSentry
← All notes
Cyber Essentials

How to Get Cyber Essentials Certified: A Step-by-Step Guide

From getting the five controls in place to choosing an assessor and renewing each year — here is the whole path to Cyber Essentials, in the order you'll actually walk it.

The short version

So you’ve decided you need Cyber Essentials. Maybe a contract demands it, or a prospect asked. The next question is simply how you actually get it. Learning how to get Cyber Essentials certification isn’t complicated, but it does follow a clear order, and skipping steps is where most SMEs come unstuck. This guide walks the whole path, from preparing the controls to renewing each year.

If you’re still weighing up whether you need it at all, start with Cyber Essentials explained and come back here once you’ve decided. Ready? Here are the five steps.

Step 1: Understand what you are aiming for

Cyber Essentials is a UK government-backed certification that checks five core security controls are in place, assessed by an IASME-licensed Certification Body, so the target is “these five things working properly,” not a vague sense of being secure.

The five controls are firewalls, secure configuration, user access control, malware protection, and patch management (keeping software up to date). That’s the whole scope. Cyber Essentials isn’t trying to test everything about your security. It checks that the doors most attackers try first are genuinely locked.

It helps to know how the scheme works before you start. Cyber Essentials is run by IASME, the National Cyber Security Centre’s official delivery partner, which licenses a network of cyber security organisations across the UK to act as Certification Bodies. The assessment itself is a structured self-assessment questionnaire: you answer questions about your controls, and a qualified assessor marks your submission against the published requirements.

One important note on timing. The scheme is updated periodically, and the requirements tightened in April 2026. Multi-factor authentication (MFA, a second login step beyond a password) is now an auto-fail control across cloud services, and critical or high-risk security updates must be applied within 14 days of release. Make sure you’re preparing against the current version of the requirements, not an older guide you found online.

Why "understand first" matters

The single most common reason an SME's preparation drags on is starting to fill in the questionnaire before knowing what the questions are actually asking for. Read the requirements first. Knowing the shape of the target turns a daunting form into a checklist.

Step 2: Get the five controls in place

Before you assess, your five controls need to genuinely be in place. For most SMEs this is the bulk of the work, typically two to six weeks, because it means closing real gaps rather than ticking boxes.

This is the step that takes time, and it’s the step worth doing honestly. Here’s the practical shape of each control:

Some of these are quick. Tidying device settings can be closer to an afternoon’s work than a month-long project once you know what to check. Others take real time and genuine coordination: rolling MFA out across a whole team, running a proper access review, building a reliable patching routine with a clear owner. Don’t mistake a missing process for a click.

“The honest truth is that most SMEs aren’t starting from zero — they’re starting from ‘partially there, inconsistently applied, undocumented.’ Getting certified is mostly about closing those gaps and writing down what you do.”

A structured Cyber Essentials checklist is the fastest way to see where you actually stand before you commit to an assessment date. Work through it, mark what’s already solid, and you’ll have a clear list of what’s left to close.

Step 3: Choose your route: self-led vs a Certification Body

You can complete Cyber Essentials yourself (the self-led route) or get a Certification Body to support you through it (the supported route). Both end with an IASME-licensed assessor marking your submission, so the choice is about how much help you want, not how valid the result is.

On the self-led route, you register for certification, pay, and complete the verified self-assessment yourself. This works well when your controls are in good shape, you’re comfortable with the questions, and you mostly need the assessment and the certificate.

On the supported route, a Certification Body works alongside you before you submit, helping you understand what each question is really asking and how it applies to your specific setup. Some Certification Bodies offer support packages alongside the assessment itself. This is worth considering if the requirements feel unfamiliar, if you’ve not done anything like this before, or if you’d rather get it right first time than risk a resubmission.

Either way, the assessor who marks your answers is a qualified person at an IASME-licensed Certification Body. The credibility of the badge is identical. The difference is purely how much guidance you have along the way.

A quick word on cost so there are no surprises. Basic Cyber Essentials is priced on a sliding scale by organisation size, starting around £320 + VAT for the smallest organisations (up to 9 people) and rising for larger ones, up to roughly £600 + VAT. Cyber Essentials Plus, which adds a hands-on technical assessment, is quoted individually and typically runs into the low thousands. We break the numbers down properly in our guide to Cyber Essentials cost. If you’re weighing up the two levels, Cyber Essentials vs Cyber Essentials Plus explains the difference.

Step 4: Complete and submit the assessment

Once your controls are in place and your route is chosen, you complete the self-assessment questionnaire honestly, gather your supporting evidence, and submit it to your Certification Body for an assessor to mark.

This is the part that feels big but is actually the quick one, assuming you’ve done Step 2 properly. The questionnaire asks structured questions across the five control areas. Your job is to answer each one accurately, describing what you genuinely have in place.

A few things that make this go smoothly:

If your submission meets the requirements, you’re certified. If the assessor flags something, you’ll typically get the chance to put it right and resubmit within a set window, which is exactly why honest, well-prepared answers save time. The same discipline that makes a Cyber Essentials submission painless also makes answering a security questionnaire far quicker, because you’ve already gathered the evidence once.

Step 5: Maintain it: annual renewal and staying compliant

Cyber Essentials certification lasts 12 months, so renewal is built in. The businesses that find renewal easy are the ones that kept their controls running all year rather than rebuilding them each time.

Certification isn’t a finish line. It’s a checkpoint you pass every year. To renew, your five controls need to still be genuinely in place and your evidence current. If you’ve let MFA lapse on a new tool, stopped patching reliably, or never removed a departed employee’s access, renewal is where that surfaces.

The good news is that the work compounds. Every control you implemented to certify the first time is a control that keeps protecting your business, and a renewal you mostly already meet. The businesses that treat Cyber Essentials as an ongoing programme, with named owners and a simple routine, breeze through renewal. The ones that treat it as an annual scramble repeat the stressful version every year.

Practically, that means keeping your patching routine running, reviewing access when people join and leave, keeping MFA switched on as you adopt new tools, and keeping your evidence in one organised place rather than reconstructing it twelve months later. Maintaining the controls is the whole point. The certificate is just the proof.

The organising principle

Cyber Essentials isn't a test you cram for and forget. It's a baseline you reach, then hold. Reach it honestly, hold it deliberately, and everything that references it gets easier: every renewal, and every questionnaire, contract and insurance check.


SecurSentry is launching soon to help UK SMEs work through Cyber Essentials step by step: mapping exactly what your business needs, guiding you as you put the controls in place, and keeping your evidence ready for assessment and renewal. Join the waitlist to be among the first to know when we open.

This article is for general information only and does not constitute legal or compliance advice. Requirements vary by organisation and context, and certification scheme details can change. Where in doubt, consult a qualified professional or an IASME-licensed Certification Body.

Frequently asked questions

How do I get Cyber Essentials certification?

Get the five controls in place (firewalls, secure configuration, user access control, malware protection and patch management), choose whether to self-assess or use a Certification Body for support, then complete and submit the self-assessment questionnaire to an IASME-licensed assessor. If your answers meet the requirements, you're certified for 12 months and renew annually.

Who can certify my business for Cyber Essentials?

Only IASME-licensed Certification Bodies can assess and certify Cyber Essentials. IASME is the National Cyber Security Centre's official delivery partner and licenses a network of cyber security organisations across the UK. You complete the assessment, and a qualified assessor at a Certification Body marks your submission.

What is the difference between the self-led and supported routes?

On the self-led route you register, pay and complete the verified self-assessment yourself. On the supported route, a Certification Body helps you understand the questions and how they apply to your organisation before you submit — useful if the requirements feel unfamiliar. Both end with an IASME-licensed assessor marking your answers.

How often do I need to renew Cyber Essentials?

Cyber Essentials certification is valid for 12 months, so you renew annually. Renewal isn't a formality — your controls need to still be in place and your evidence current. Treating it as an ongoing programme rather than a yearly scramble keeps each renewal straightforward.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Security questionnaires

Vendor Security Questionnaire: What It Asks & How to Prepare

7 Jul 2026 · 7 min
Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.