Cyber Essentials Certification for London Businesses

Certify against the UK government-backed baseline — Cyber Essentials and Cyber Essentials Plus. We prepare your environment for the 2026 v3.3 (Danzell) requirements so you pass first time.

Key Requirements

Firewalls and Internet Gateways

Every device connected to the internet must be protected by a correctly configured firewall. Default credentials must be changed, unnecessary services disabled, and host-based firewalls enabled on all endpoints — including the laptops your staff use at home.

Secure Configuration

All devices and software must be configured to reduce vulnerabilities. Remove unnecessary software, disable unused accounts, and change every default password. From the 2026 update this explicitly extends to your cloud platform configuration, such as Microsoft 365 and Google Workspace.

User Access Control

Access to data and services must be limited to what each user needs. Administrative accounts must be kept separate from day-to-day accounts, leavers removed promptly, and multi-factor authentication enabled. Under v3.3, MFA on cloud services is enforced for all users.

Malware Protection

All devices must run up-to-date anti-malware software or use an application allow-listing approach. Signatures must update automatically and real-time scanning must be enabled. Endpoint detection and response (EDR) tools satisfy this control and are increasingly expected for Plus.

Security Update Management

Critical and high-severity patches must be applied within 14 days of release. All software must be licensed and supported. End-of-life operating systems and applications are an automatic failure unless properly isolated from the network.

Cloud Services in Scope

Any service accessed with a business account that stores or processes your data — SaaS, IaaS and PaaS — is in scope. The 2026 update closes a gap many firms previously relied on, assessing cloud configuration alongside on-premise infrastructure.

What Is Cyber Essentials?

Cyber Essentials is the UK government-backed baseline for cybersecurity. It was created by the National Cyber Security Centre (NCSC) and is run by IASME, the scheme’s official delivery partner.

The idea is simple. Most cyber attacks are not sophisticated — they exploit basic weaknesses like unpatched software, weak passwords, and misconfigured devices. Cyber Essentials sets out five technical controls that, when properly implemented, protect against the overwhelming majority of common internet-based threats.

Certification gives you an independently checked statement that those controls are in place. For many London businesses it has become the minimum standard their clients, insurers, and supply-chain partners expect to see.

It applies to organisations of every size, from sole traders to large firms, and covers the whole of your in-scope IT — laptops, servers, mobile devices, network equipment, and the cloud services your staff use. You can certify a single department or your entire organisation, provided the scope is defined clearly and honestly at the outset.

Cyber Essentials vs Cyber Essentials Plus

There are two levels of certification, and the difference matters.

Cyber Essentials is a verified self-assessment. You complete a questionnaire about how your systems are configured, and an accredited certification body reviews your answers against the standard.

Cyber Essentials Plus covers the same five controls but adds a hands-on technical audit. A qualified assessor actively tests your systems — scanning devices, checking patch levels, and confirming that MFA and malware protection genuinely work as described.

In short: Cyber Essentials confirms what you say; Cyber Essentials Plus proves it. Plus offers far higher assurance and is frequently the version demanded for public-sector work or sensitive supply chains. We support both.

The Five Cyber Essentials Controls

Cyber Essentials has always been built on five technical controls. The 2026 update does not change the structure — it raises the bar within each.

  • Firewalls must protect every internet-facing device, including remote-worker laptops. Host-based firewalls must be enabled and default rules tightened.
  • Secure configuration means removing unnecessary software, disabling unused accounts, and changing default passwords — now explicitly including your cloud platforms.
  • User access control enforces least privilege, separates admin from everyday accounts, removes leavers promptly, and requires MFA.
  • Malware protection requires real-time, automatically updating anti-malware on every device. EDR is increasingly the expected standard for Plus.
  • Security update management requires critical and high-severity patches within 14 days, and no unsupported, end-of-life software on the network.

These five controls are the foundation of every assessment, whether self-assessed or audited.

Why Cyber Essentials Matters

Certification is rarely pursued for its own sake — it unlocks practical outcomes.

Contracts. UK government and public-sector tenders increasingly require Cyber Essentials, and in some cases Cyber Essentials Plus, before you can bid. It is contractually required across a widening range of work, even though it is not a universal legal mandate.

Cyber insurance. Many insurers now ask whether you hold Cyber Essentials, and some make it a condition of cover or offer better terms when you do.

Client and supply-chain due diligence. Larger organisations vet their suppliers’ security. Holding the certificate answers the question before it is asked and shortens procurement.

Baseline security. Beyond the paperwork, the controls genuinely reduce your exposure to the most common attacks — phishing, ransomware, and credential theft.

For a London business competing for contracts or selling into regulated sectors, certification is often the difference between making a shortlist and being filtered out.

The Cyber Essentials Certification Process

The path to certification is straightforward when your IT is well run.

  1. Scoping. We define what is in scope — every device, user, and cloud service that touches organisational data.
  2. Pre-assessment audit. We measure your environment against the current requirements and identify every gap.
  3. Remediation. We fix the gaps: deploying MFA, hardening configurations, verifying patching, and closing access-control issues.
  4. Assessment. For Cyber Essentials, we support your self-assessment submission. For Plus, we prepare for and accompany the technical audit.
  5. Certification and renewal. Once you pass, the certificate is valid for 12 months, after which you recertify.

For most well-managed environments the full process takes two to four weeks. Organisations with legacy systems, bring-your-own-device policies, or messy cloud configurations should allow up to six.

A realistic timeline depends almost entirely on your starting point. A business that already enforces MFA, patches promptly, and runs supported software can move quickly. A business that has never formally scoped its cloud estate usually needs longer — not because the work is hard, but because there is more of it to find and fix before the assessment.

How Nerdster Gets You a First-Time Pass

We handle the technical preparation that decides whether you pass or fail.

We start with a pre-assessment audit, then build a prioritised remediation plan. From there we deploy and configure MFA across every account and cloud service, review and harden cloud platform settings such as Microsoft 365, verify patch compliance across every endpoint, and confirm firewall and device hardening meets the standard. For Cyber Essentials Plus, we run internal vulnerability scans to catch issues before the external assessor arrives.

On assessment day we provide documentation support and answer technical queries from the certification body. We do not put an organisation forward until we are confident it will pass, which is how our clients maintain a strong first-time record.

Certification is also easier to sustain when your day-to-day IT is solid. Our cybersecurity services and managed IT support in London keep your controls compliant every day of the year, not just at assessment time.

Why Businesses Fail Cyber Essentials

Most failures come down to a handful of recurring issues — all avoidable with preparation.

  • Missing MFA on a cloud service or admin account. Under the 2026 rules this is an automatic failure.
  • Unsupported software, such as an end-of-life operating system or an old line-of-business application still on the network.
  • Slow patching, where critical updates slip past the 14-day window.
  • Out-of-scope cloud services that the organisation forgot to account for.
  • Default configurations left unchanged on routers, firewalls, or cloud tenants.

None of these are difficult to fix in advance. They are difficult to fix on assessment day, which is why a proper pre-assessment audit is the single biggest factor in a first-time pass.

What Changed in 2026: The Danzell Update (v3.3)

From 27 April 2026, new applications are assessed against version 3.3 of the NCSC Requirements for IT Infrastructure, using the new Danzell question set (published 13 February 2026) — which replaces the previous Willow requirements.

Three shifts matter most:

  • MFA is enforced across all cloud services. If a service offers MFA in any form, it must be turned on for every user. A single qualifying account without it fails the assessment.
  • Cloud services are firmly in scope. Any service accessed with a business account that stores or processes your data — Microsoft 365, Google Workspace, CRM and accounting tools — is assessed alongside on-premise systems.
  • Passwordless methods are encouraged. The updated user access control guidance highlights passwordless authentication such as passkeys and FIDO2 keys as a more secure alternative to passwords.

There is a transition window: assessment accounts created before 26 April 2026 keep six months to certify against the previous Willow requirements, while new accounts move straight to Danzell. If you certified in the last 12 months, do not assume you will pass again without preparation — the standard you renew against has moved. We make sure your environment is ready for v3.3 before you apply.

Get Cyber Essentials Certified in London

Whether you need Cyber Essentials to win a contract, satisfy an insurer, or simply raise your baseline security, we can take you from where you are now to a confident first-time pass.

You are welcome to read our complete Cyber Essentials certification service for timelines and pricing. When the time is right, speak to our London team for a considered scoping conversation and a clear remediation plan.

If you supply the NHS, also see our DSPT compliance service — Cyber Essentials Plus and DSPT are separate requirements and both may apply.

FAQ

Frequently asked questions

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme, created by the National Cyber Security Centre (NCSC) and delivered by IASME, that demonstrates an organisation has the five baseline technical controls in place to protect against the most common internet-based cyber attacks. It is one of the most widely recognised security certifications among UK businesses.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment questionnaire that is verified by an accredited certification body. Cyber Essentials Plus covers the same five controls but adds an independent technical audit: a qualified assessor actively tests your systems, verifies configurations, and confirms the controls are working as claimed. Plus provides a significantly higher level of assurance and is often the version required for sensitive contracts.

How much does Cyber Essentials certification cost?

The Cyber Essentials self-assessment certification fee is set by IASME on a tiered scale based on your organisation's size, starting in the low hundreds of pounds for a micro business and rising for larger organisations. Cyber Essentials Plus costs more because it includes a hands-on technical audit. We quote the certification fee and our preparation support separately and transparently before you commit.

How long does Cyber Essentials certification take?

If your environment is already well-managed, the Cyber Essentials self-assessment can be completed quickly and the Cyber Essentials Plus technical audit typically takes one to three days. The bigger variable is preparation and remediation, which usually takes two to six weeks depending on your starting position. Common blockers include legacy systems, inconsistent patching, and MFA gaps on cloud services.

Is Cyber Essentials mandatory?

Cyber Essentials is not a universal legal requirement, but it is contractually required in many situations. Since 2014 it has been mandatory for certain UK government contracts that involve handling personal data or providing specific ICT services, and a growing number of private-sector clients, insurers, and supply-chain partners now require it before they will work with a supplier.

What changed in Cyber Essentials for 2026?

From 27 April 2026, new applications are assessed against version 3.3 of the NCSC Requirements for IT Infrastructure using the new Danzell question set (published 13 February 2026), which replaces Willow. The headline changes are stricter multi-factor authentication enforcement across all cloud services, a clearer definition that brings cloud services firmly into scope, updated guidance highlighting passwordless methods such as passkeys, and two auto-fail questions covering critical security updates. Assessment accounts created before 26 April 2026 keep six months to certify under the previous requirements.

Is MFA mandatory for Cyber Essentials?

Yes — multi-factor authentication is a core requirement, and the 2026 update tightens it. If a cloud service offers MFA in any form (built-in, free, or paid) it must be enabled for every user. If a qualifying account lacks MFA at the time of assessment, the application fails. The 2026 guidance also highlights passwordless methods such as passkeys and FIDO2 security keys as a stronger alternative to passwords.

How often do you need to recertify Cyber Essentials?

Cyber Essentials certification is valid for 12 months, so you must recertify annually. Each recertification is assessed against the current version of the standard, which means organisations recertifying after 27 April 2026 will be measured against the v3.3 Danzell requirements rather than the version they passed previously.

Replies the same business day

Need compliance guidance?

Book a free compliance review and we'll assess your readiness against the latest requirements.

  • 30-day rolling contracts
  • No callout fees
  • Free assessment