In 2024, half of all UK businesses said they’d been hit by some kind of cyber attack or security breach in the past year. That’s not just a wake-up call—it’s a clear sign that cyber security can’t be put off or left to chance, especially for small and medium-sized businesses.
More and more companies are looking for a straightforward way to protect their systems without overcomplicating things.
That’s where the Cyber Essentials scheme comes in. Backed by the National Cyber Security Centre (NCSC), it gives businesses a practical checklist to follow, helping them defend against the most common online threats.
In this guide, we’ll walk through the Cyber Essentials checklist, explain the difference between Cyber Essentials and Cyber Essentials Plus, and cover what your business needs to know to get started with CE certification in 2025.
The Cyber Essentials scheme is a government-backed certification standard that helps organisations of all sizes protect themselves from a wide range of the most common cyber threats.
It was developed by the NCSC and is delivered through official CE delivery partners, such as IASME. The scheme focuses on five core areas of cyber security: firewall configuration, secure settings, user access control, malware protection, and security update management.
While CE is not legally required for all UK businesses, many government contracts now require the certification as a minimum baseline.
If your business wants to work with the public sector or handle sensitive data, meeting the Cyber Essentials checklist is more than just a smart move—it’s often mandatory.
For others, the certification still provides a clear security framework that strengthens your security posture, demonstrates accountability, and reduces the risk of common cyber attacks.
Understanding the difference between Cyber Essentials and Cyber Essentials Plus is key before you start the certification process.
The standard Cyber Essentials level is a self-assessment. Your organisation completes a detailed Cyber Essentials checklist, answering questions about your IT infrastructure, software configuration, user access, and general security measures.
The goal is to ensure that your company has implemented the five basic security controls.
You’ll submit your answers through an online portal managed by a certification body or an official CE delivery partner like IASME.
After review, if your answers meet the CE certification requirements, you’ll receive your certificate, usually within a few days.
CE Plus builds on the basic certification but adds a technical audit. This involves a qualified assessor carrying out independent testing of your systems to verify that the controls you claimed are actually working.
The Cyber Essentials checklist includes everything in the basic certification but also checks for known security issues, vulnerability to malware, unpatched software, and misconfigured access controls. The audit is more rigorous and provides a much higher level of assurance.
Certification costs vary based on your business size and whether you go for the standard CE or CE Plus. Here’s a quick breakdown:
It’s important to note that prices may vary depending on your selected Cyber Essentials delivery partner, your organisation’s IT infrastructure, and whether pre-audit work is needed to prepare your systems for certification.
The Cyber Essentials Plus checklist is far more in-depth than the basic level. Here's how to make sure you're prepared.
The Cyber Essentials checklist begins with a full inspection of your firewall settings.
An assessor will test whether external traffic is properly filtered and whether your network perimeter is protected from unauthorised access. This includes verifying firewall rules, port settings, and restrictions on inbound connections from the internet.
To meet certification requirements, your business must ensure that each internet-connected device—whether it’s a laptop, server, or router—has the proper technical controls in place to block suspicious traffic.
Misconfigured firewalls are a major gap in many systems, so this is often one of the first areas flagged during a technical audit.
Another key part of the CE Plus checklist is user access control.
The assessor will look at how your organisation grants, manages, and revokes access to data and systems. Every employee should only have access to the data they need, based on role—not blanket admin permissions.
This part of the audit ensures that user access is well-managed across devices and software, especially for high-risk systems.
Admin rights must be tightly controlled, temporary access should be time-bound, and default accounts must be disabled or changed. Weak or unrestricted access is a red flag for both compliance and security.
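The three points just listed (admin rights limited to roles that need them, time-bound temporary access, default accounts disabled or changed) can be checked mechanically against an account export. The script below is an added example for this article, not code from the article or any CE delivery partner; the account format, role names, sample accounts and the list of well-known default account names are assumptions for illustration.

```python
"""Review a constructed account list for the access-control points an
assessor looks at: admin rights outside admin roles, expired temporary
access, and default accounts left enabled with unchanged credentials.

Added example; not the article's own tooling. ADMIN_ROLES,
DEFAULT_ACCOUNT_NAMES, the Account format and SAMPLE_ACCOUNTS are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed: the only roles that legitimately carry administrative rights.
ADMIN_ROLES = {"it-admin"}
# Assumed: common vendor/default account names worth checking.
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "guest", "root"}

REVIEW_DATE = date(2025, 3, 1)  # constructed "today" for the review


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    is_admin: bool
    enabled: bool
    expires: Optional[date] = None  # set only for time-bound (temporary) access
    password_changed: bool = True   # False means still on the vendor default


# Constructed sample directory export.
SAMPLE_ACCOUNTS = [
    Account("admin", "builtin", True, True, password_changed=False),
    Account("guest", "builtin", False, False, password_changed=False),
    Account("amiller", "it-admin", True, True),
    Account("jsmith", "finance", True, True),
    Account("contractor-ops", "vendor", False, True, expires=date(2025, 1, 31)),
    Account("rlee", "sales", False, True),
]


def review_accounts(accounts, today: date) -> list:
    """Return (username, reason) for each enabled account that breaks a control."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts already satisfy "disabled or changed"
        if a.username.lower() in DEFAULT_ACCOUNT_NAMES and not a.password_changed:
            findings.append((a.username, "default account enabled with unchanged credentials"))
            continue
        if a.is_admin and a.role not in ADMIN_ROLES:
            findings.append((a.username, f"admin rights granted but role '{a.role}' does not require them"))
        if a.expires is not None and a.expires < today:
            findings.append((a.username, f"temporary access expired {a.expires.isoformat()} but account still enabled"))
    return findings


if __name__ == "__main__":
    for user, reason in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"FINDING: {user}: {reason}")
```

On the sample data the built-in `admin` account, the finance user holding admin rights, and the contractor whose access lapsed a month earlier are reported; the disabled `guest` account and the IT administrator pass. The same loop works over a CSV or directory export once each row is mapped to an `Account`.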
Your malware protection solutions must be active, up to date, and running on all relevant systems. This includes antivirus tools, endpoint protection platforms, or any custom security solutions your business uses.
The Cyber Essentials checklist requires this protection to be consistent and centrally managed, especially for remote workers.
The assessor will test how well your malware defences respond to threats by introducing simulated files during the audit. These tests are non-destructive but provide real feedback on how your systems would behave under a common cyber attack.
Keeping your software updated is one of the five core controls in the CE scheme, and it’s heavily scrutinised during the Plus assessment.
The security update management section of the checklist looks at whether your operating systems, third-party apps, firmware, and plugins are all current and patched against known security issues.
Any system missing high-priority updates or unsupported software can lead to automatic failure. Businesses must prove that updates are applied within 14 days of release, which is in line with Cyber Essentials requirements.
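The 14-day window above is a measurable target, so it is worth checking internally before the audit. The script below is an added example for this article, not code from the article or any CE delivery partner; it compares a constructed software inventory against that deadline and separately flags unsupported software, which the article notes can fail the assessment outright. The inventory format, the sample entries and the product names are constructed for illustration; the 14-day figure is the one the article cites.

```python
"""Check a constructed software inventory against the 14-day patch window.

Added example; not the article's own tooling. The Component format,
SAMPLE_INVENTORY and the product names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14             # deadline cited in the article
AUDIT_DATE = date(2025, 3, 1)      # constructed "today" for the check


@dataclass(frozen=True)
class Component:
    host: str
    product: str
    installed_version: str
    latest_version: str
    latest_released: date   # date the latest (fixed) version was published
    supported: bool = True  # False when the vendor no longer issues updates


# Constructed sample inventory standing in for a patch-management export.
SAMPLE_INVENTORY = [
    Component("fileserver01", "example-tls-lib", "3.0.12", "3.0.13", date(2025, 1, 30)),
    Component("laptop-07", "example-browser", "133.0", "133.1", date(2025, 2, 25)),
    Component("laptop-07", "example-mail-client", "7.4", "7.4", date(2025, 2, 4)),
    Component("legacy-db", "example-os-2012", "6.3", "6.3", date(2023, 10, 10), supported=False),
]


def days_overdue(released: date, today: date) -> int:
    """Days beyond the patch window; zero or negative means still inside it."""
    return (today - released).days - PATCH_WINDOW_DAYS


def audit_patching(inventory, today: date) -> list:
    """Return (host, product, reason) for every component that would fail the check."""
    findings = []
    for c in inventory:
        if not c.supported:
            findings.append((c.host, c.product, "unsupported software: no vendor updates available"))
            continue
        if c.installed_version == c.latest_version:
            continue  # fully patched
        overdue = days_overdue(c.latest_released, today)
        if overdue > 0:
            findings.append((c.host, c.product,
                             f"update {c.latest_version} released {c.latest_released.isoformat()} "
                             f"is {overdue} days past the {PATCH_WINDOW_DAYS}-day window"))
    return findings


if __name__ == "__main__":
    for host, product, reason in audit_patching(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"FINDING: {host} / {product}: {reason}")
```

With the sample data, the TLS library on the file server is 16 days past its deadline and the legacy operating system is unsupported, so both are reported; the browser update released four days earlier is still inside the window and is not flagged. The threshold and "today" are constants so the same check can be re-run from a scheduled job.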
To complete your CE Plus certification, the auditor doesn’t just review answers—they actively test your systems.
This includes network scans, vulnerability assessments, and configuration reviews to see how well your organisation can prevent real attacks. The checklist for 2025 expects you to demonstrate that you're protected from both internal and external threats.
Systems are evaluated for the weaknesses cyber criminals look for, such as open ports, outdated software, and weak passwords. Any vulnerability to known security exploits is flagged.
Your security posture must reflect modern cyber security best practices as defined by the NCSC and supported by your CE delivery partner, IASME or another approved body.
Getting certified requires preparation and attention to detail. These extra steps can help your business avoid common pitfalls during the assessment:
Following these tips can dramatically improve your chances of passing the Cyber Essentials checklist assessment the first time, saving your business time, resources, and unnecessary stress.
If your business is preparing for certification or if you just need a clearer plan to boost your cyber security controls, Netflo can help.
As a trusted IT services provider and CE delivery partner, we specialise in guiding organisations through the certification process—whether you're just beginning or need help completing your Cyber Essentials checklist.
Our team stays on top of the latest cyber threats, compliance requirements, and tools like the CE readiness tool, so you don’t have to.
CE certification is a government-backed certification scheme designed to help any organisation improve its cyber security by implementing five key security controls.
It’s a practical way to help secure your business against common cyber attacks and reduce your exposure to known security issues by following a simple checklist.
You can get started with the Cyber Essentials checklist by working with an official CE delivery partner, such as a provider approved by IASME, the certification body responsible for the CE scheme.
These partners offer support through tools like the CE readiness tool and guide you through the CE self-assessment or audit.
Small and medium businesses need CE because they are often targeted by cyber criminals and lack the in-house resources to manage complex security systems.
By following the five basic security practices in the Cyber Essentials checklist, they can build a strong security posture without major costs or hiring a full-time security team.
The requirements for CE include securing your devices and software, limiting user access, keeping software up to date, and implementing the five CE controls as defined by the National Cyber Security Centre (NCSC).
These align with the five core principles of good cyber hygiene and help organisations meet certification requirements effectively.
The CE certificate is an annual, renewable certification.
This ensures your security update management processes and security framework stay current and effective against new threats in 2025 and beyond, while continuing to meet the standards set by NCSC-assured cyber advisors.
Yes, you can define the scope of the Cyber Essentials checklist to apply the certification to specific areas of your business.
Whether you certify your whole network or just a department, CE helps ensure that the in-scope systems follow security best practices as laid out by the network of NCSC-assured cyber experts.
Yes, the CE readiness tool acts like a pre-certification questionnaire, helping your business identify gaps before you formally begin.
It’s highly recommended for those who need Cyber Essentials guidance and want to assess their current security posture against the 2023 and 2025 cyber security guidance.