Cyber Essentials Certification: What UK Businesses Need to Know
Learn what Cyber Essentials is, who needs it, what it covers, and how NullShield helps you prepare for certification.
Cyber Essentials is the UK Government's baseline cybersecurity certification scheme. It was designed by the National Cyber Security Centre (NCSC) to help organisations of all sizes protect themselves against the most common cyber threats. If you handle any form of personal data, process payments, or bid for government contracts, this certification is increasingly becoming a requirement rather than a nice-to-have.
What Is Cyber Essentials?
Cyber Essentials is a self-assessment certification that verifies your organisation meets five fundamental security controls. It provides a clear statement to customers and partners that you take cybersecurity seriously. There are two levels:
- Cyber Essentials — A self-assessment questionnaire verified by an external certification body. Costs £300–£500 and is valid for 12 months.
- Cyber Essentials Plus — Includes everything in the basic certification plus an independent, hands-on technical audit of your systems. Typically costs £1,500–£3,000.
Who Needs It?
Since 2014, Cyber Essentials has been mandatory for any organisation bidding on UK government contracts that involve handling sensitive or personal information. But certification is increasingly expected across the private sector too:
- Government suppliers — Required for all central government contracts dealing with sensitive data.
- NHS and healthcare providers — Expected for any organisation in the NHS supply chain.
- Financial services — Many insurers now require Cyber Essentials as a condition for cyber insurance policies.
- Any UK business handling personal data — While not legally mandatory, it demonstrates GDPR compliance due diligence and builds customer trust.
The Five Technical Controls
Cyber Essentials focuses on five key areas that together prevent the majority of common cyber attacks:
1. Firewalls and Internet Gateways
Your boundary devices (routers, firewalls) must be properly configured to control inbound and outbound traffic. Default passwords must be changed, and only necessary ports should be open.
2. Secure Configuration
Computers and network devices should be configured to reduce vulnerabilities. This means removing unnecessary software, changing default credentials, and disabling features you do not use. On websites, this includes removing default admin pages, debug endpoints, and sample files.
3. User Access Control
User accounts should follow the principle of least privilege — each user gets only the access they need. Admin accounts should be used only for admin tasks, and multi-factor authentication should be enabled wherever possible.
4. Malware Protection
Anti-malware software must be installed, active, and up to date on all devices. For web applications, this extends to input validation, content security policies, and protection against code injection.
5. Security Update Management
All software must be licensed, supported, and patched within 14 days of a critical security update being released. This includes operating systems, web servers, CMS platforms, plugins, and frameworks.
How NullShield Helps You Prepare
Several of the Cyber Essentials controls map directly to what NullShield scans for. Before you submit your self-assessment, run a free NullShield scan to identify gaps:
- Secure configuration — NullShield checks for default pages, exposed admin paths, debug endpoints, and server information leakage.
- Security headers — We verify all recommended HTTP security headers are present and correctly configured.
- TLS configuration — We check your certificate validity, TLS version, and cipher suite strength.
- Patch management evidence — Our technology fingerprinting identifies outdated software versions that need updating.
NullShield reports are written in plain English, so you can hand them directly to your certification body as supporting evidence of your security posture. Check our pricing plans for ongoing monitoring that keeps you audit-ready year-round.
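The security-header and patch-management checks above, and the 14-day update window from the fifth control, are the sort of evidence a self-assessment asks you to support. The following Python script is an added illustration of how such checks can be carried out, written for this page; it is not NullShield's own scan logic. The header list, the HSTS and CSP thresholds, the captured response headers and the software inventory are all constructed assumptions, and the version comparison is deliberately simple (installed version equals fixed version or it does not).

```python
"""Added example, not NullShield code: audit captured HTTP response headers and a
software inventory against two Cyber Essentials expectations described on this page:
recommended security headers present and sensibly configured, and security fixes
applied within 14 days of release."""
from datetime import date, timedelta
import re

# Constructed sample response headers, as a scanner might capture them (not real output).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}

# Assumed checklist of headers expected on a public web application.
RECOMMENDED_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
]

ONE_YEAR_SECONDS = 31536000      # commonly recommended minimum HSTS max-age (assumption)
PATCH_WINDOW = timedelta(days=14)  # the Cyber Essentials update window


def audit_headers(headers):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    # HTTP header names are case-insensitive, so normalise before looking them up.
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name in RECOMMENDED_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing header: {name}")
    hsts = lower.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if match and int(match.group(1)) < ONE_YEAR_SECONDS:
        findings.append(f"weak HSTS: max-age={match.group(1)} (< 1 year)")
    csp = lower.get("content-security-policy", "")
    if "'unsafe-inline'" in csp:
        findings.append("weak CSP: 'unsafe-inline' permits injected inline scripts")
    server = lower.get("server", "")
    # A version number in the Server header is the information leakage the
    # secure configuration control asks you to remove.
    if re.search(r"\d+\.\d+", server):
        findings.append(f"server version disclosed: {server}")
    return findings


# Constructed inventory: (software, installed version, fixed version, fix release date).
SAMPLE_INVENTORY = [
    ("example-cms", "5.1.0", "5.1.3", date(2024, 1, 2)),        # fix 20 days old, not applied
    ("example-plugin", "2.0", "2.1", date(2024, 1, 15)),        # fix 7 days old, still in window
    ("example-webserver", "1.24", "1.24", date(2023, 12, 1)),   # already on the fixed version
]
TODAY = date(2024, 1, 22)  # assumed assessment date


def overdue_updates(inventory, today):
    """Names of software whose security fix is older than the 14-day window but not installed."""
    overdue = []
    for name, installed, fixed, released in inventory:
        if installed != fixed and today - released > PATCH_WINDOW:
            overdue.append(name)
    return overdue


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("header finding:", finding)
    for name in overdue_updates(SAMPLE_INVENTORY, TODAY):
        print("overdue security update:", name)
```

Run as-is it reports two missing headers, a short HSTS lifetime, an inline-script CSP allowance, a disclosed server version, and one overdue update; each line corresponds to a gap you would want closed before submitting the questionnaire.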
Getting Started
The certification process is straightforward. Choose a certification body from the NCSC's list of accredited assessors, complete the self-assessment questionnaire, and submit it for verification. The whole process typically takes 1–2 weeks. For Cyber Essentials Plus, allow 2–4 weeks for the technical audit.
Before you start, run a NullShield scan to identify and fix any issues. It is far cheaper to fix vulnerabilities before the assessment than to fail and reapply.