Cyber Essentials Before Summer: The Step-by-Step Guide to Getting Certified Before the Pledge Arrives

Practical Advice

The Cyber Resilience Pledge launches this summer. When large organisations sign it, they commit to requiring Cyber Essentials certification from their supply chains. If your business supplies goods or services to any organisation likely to sign, certification is no longer optional. It is a procurement condition waiting to arrive.

Certification takes four to six weeks from start to finish. The cost ranges from £300 to £500 for self-assessment. Most of the technical fixes required cost nothing. Here is the exact process.

What Cyber Essentials Actually Covers

Cyber Essentials assesses five technical controls. These are not aspirational frameworks or theoretical best practices. They are specific, testable requirements that the NCSC considers the baseline for protecting against the most common internet-based attacks.

1. Firewalls and internet gateways. Every device connecting to the internet must be protected by a correctly configured firewall. This includes your office router, any cloud services, and employee devices used for remote work. Default firewall rules must block inbound connections unless explicitly required.

2. Secure configuration. Devices and software must be configured securely. Default passwords must be changed. Unnecessary software must be removed. Auto-run and auto-play features must be disabled. Guest accounts must be disabled or removed.

3. Access control. User accounts must follow the principle of least privilege. Administrative accounts must only be used for administrative tasks, not daily work. Every user account must have a unique password. MFA must be enabled on all cloud services and internet-facing admin portals.

4. Malware protection. Every device must run up-to-date anti-malware software, or use an operating system that provides equivalent built-in protection. Application whitelisting or sandboxing counts as an equivalent measure.

5. Patch management. All software must be updated within 14 days of a security patch being released. Unsupported software, anything that no longer receives security updates from the vendor, must be removed or isolated from the network.

That is it. Five areas. All of them practical. All of them testable.

The Step-by-Step Process

Week 1: Choose Your Certification Body and Run the Gap Assessment

Step 1: Select an IASME-accredited certification body. IASME is the sole accreditation body for Cyber Essentials in the UK. Visit the IASME website to find accredited certification bodies. Costs vary slightly between providers, but the range for basic Cyber Essentials self-assessment is £300 to £500 including VAT. Do not pay significantly more than this.

Step 2: Run a gap assessment against the five controls. This takes approximately half a day for a business with five to fifty employees. Walk through each of the five control areas and document your current state. You can do this yourself using the NCSC’s published Cyber Essentials requirements document, or your IT provider should do it for you.

For each control, answer one question: do we meet this requirement today, yes or no?

Document every “no” as a gap. That gap list becomes your remediation plan.

What your IT provider should do at this stage: If you have an external IT provider, they should be able to run this gap assessment for you as part of their existing support arrangement. If they charge you a separate consultancy fee for assessing you against Cyber Essentials, that is worth a conversation about whether their standard service is adequate.

Week 2-3: Fix the Gaps

This is the step that determines your overall timeline. Some gaps take minutes. Others take days. Here are the most common failures and how long they take to fix.

Personal accounts with administrative privileges. This is the single most common failure: staff using accounts with admin rights for daily work. The fix: create standard user accounts for daily use, keep admin accounts separate, and use admin accounts only when installing software or changing system settings. Time: 30 minutes per user.

No MFA on cloud services. If your business uses Microsoft 365, Google Workspace, or any cloud-hosted application, MFA must be enabled on all accounts. Most cloud platforms include MFA at no additional cost. Time: 15 minutes per service plus 5 minutes per user for enrolment.

Unsupported operating systems. If any device runs Windows 10 (end of support: October 2025) or older, it fails the patch management control. The fix is either upgrading the OS or replacing the device. If upgrading, check hardware compatibility first. Time: 1-4 hours per device, depending on data migration requirements.

Unpatched software. Any security patch older than 14 days is a failure. Run Windows Update, update your browsers, update any third-party software. Set automatic updates where available. Time: 15-60 minutes per device, depending on how far behind you are.

Default passwords on network equipment. This covers your office router, wireless access points, and printers with web interfaces. If any of these still use the manufacturer’s default credentials, that is a failure. Time: 10 minutes per device.

Unnecessary software installed. Remove software that is no longer used or required. Pay particular attention to remote access tools, old VPN clients, and trial software that was never uninstalled. Time: 15-30 minutes per device.
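To make the gap assessment and the common failures above concrete, here is an added example (not from the article, the NCSC or IASME) that evaluates a constructed device inventory against the five controls and turns every “no” into a remediation item. The device data, the assessment date and the exact Windows 10 end-of-support day are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # control 5: patches applied within 14 days of release
OS_END_OF_SUPPORT = {"Windows 10": date(2025, 10, 14)}  # month from the article; exact day assumed

@dataclass
class Device:
    name: str
    os: str
    inbound_blocked_by_default: bool   # control 1: firewall default-denies inbound
    default_password_changed: bool     # control 2: vendor credentials replaced
    daily_account_is_admin: bool       # control 3: admin rights used for daily work
    mfa_on_cloud: bool                 # control 3: MFA on every cloud service used
    anti_malware_current: bool         # control 4: up-to-date anti-malware or equivalent
    oldest_missing_patch: Optional[date]  # control 5: release date of oldest uninstalled patch

def assess(d: Device, today: date) -> list:
    """Return (control, gap) pairs; every 'no' answer becomes a remediation item."""
    gaps = []
    if not d.inbound_blocked_by_default:
        gaps.append(("1 Firewalls", "inbound connections not blocked by default"))
    if not d.default_password_changed:
        gaps.append(("2 Secure configuration", "manufacturer default password still in use"))
    if d.daily_account_is_admin:
        gaps.append(("3 Access control", "daily-use account has admin rights; create a standard account"))
    if not d.mfa_on_cloud:
        gaps.append(("3 Access control", "MFA not enabled on cloud services"))
    if not d.anti_malware_current:
        gaps.append(("4 Malware protection", "anti-malware missing or out of date"))
    eos = OS_END_OF_SUPPORT.get(d.os)
    if eos is not None and today > eos:
        gaps.append(("5 Patch management", f"{d.os} unsupported since {eos}; upgrade, replace or isolate"))
    if d.oldest_missing_patch is not None and today - d.oldest_missing_patch > PATCH_WINDOW:
        overdue = (today - d.oldest_missing_patch - PATCH_WINDOW).days
        gaps.append(("5 Patch management", f"security patch is {overdue} days past the 14-day window"))
    return gaps

def remediation_plan(devices, today: date) -> dict:
    """Gap list for the whole estate keyed by device; compliant devices map to an empty list."""
    return {d.name: assess(d, today) for d in devices}

# Constructed sample inventory and assessment date (not real devices)
TODAY = date(2026, 3, 2)
INVENTORY = [
    Device("laptop-01", "Windows 10", True, True, False, False, True, date(2026, 2, 10)),
    Device("laptop-02", "Windows 11", True, True, True, True, True, date(2026, 2, 25)),
    Device("router-01", "vendor firmware", False, False, False, True, True, None),
]
```

Running `remediation_plan(INVENTORY, TODAY)` gives the gap list per device; a patch exactly 14 days old is still inside the window, while the 20-day-old one on laptop-01 is flagged as six days overdue.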

Week 3-4: Complete the Self-Assessment Questionnaire

The Cyber Essentials self-assessment is a structured questionnaire that asks specific questions about how your organisation meets each of the five controls. You answer the questions, declare that your answers are accurate, and submit.

Important: answer the questions as your organisation actually operates, not as you intend to operate. The assessment covers your current state. If you are in the process of fixing something, fix it first, then answer the question.

The questionnaire asks about:

  • How your internet boundary is protected
  • How devices are configured when first deployed
  • How user accounts and access rights are managed
  • How you protect against malware
  • How quickly you apply security updates

Be precise. “We have a firewall” is not sufficient. You need to know which firewall, how it is configured, and whether it blocks inbound connections by default.

What your IT provider should do at this stage: Your IT provider should either complete this questionnaire on your behalf (with your sign-off) or provide you with the technical details needed to complete it accurately. If they cannot answer questions about your firewall configuration or patch management timeline, that is a problem.

Week 4-6: Submit and Receive Certification

Submit the completed questionnaire to your chosen certification body. They review your answers, may ask clarification questions, and either certify you or identify areas that need correction before certification can be granted.

If corrections are needed, the certification body will specify exactly what must be addressed. Fix the issues, resubmit, and certification is granted.

Certification is valid for 12 months. You will need to recertify annually.

Cyber Essentials vs Cyber Essentials Plus

There are two levels of certification.

Cyber Essentials (self-assessment): You complete the questionnaire yourself and declare compliance. Cost: £300-500. Suitable for most businesses starting the process. This is the level the Pledge supply chain requirement refers to.

Cyber Essentials Plus (verified): An accredited assessor performs a technical audit of your systems, including vulnerability scanning and on-site or remote testing. Cost: £1,500-3,000 depending on the size and complexity of your organisation. This provides stronger assurance because it is independently verified.

For most small businesses starting the process, begin with standard Cyber Essentials. It meets the Pledge requirement, it establishes your baseline, and it gives you a foundation to build on. Move to CE Plus when your clients or contracts require it, or when you want the stronger assurance of external verification.

Common Mistakes That Delay Certification

Forgetting about remote workers’ home equipment. If employees use personal devices or home routers for work, those devices may be in scope. Check whether your IT policy covers BYOD (bring your own device) arrangements and whether home networks meet the firewall requirements.

Not including all cloud services. Every cloud service your business uses is in scope. That includes file storage, email, CRM, accounting software, project management tools. Map all of them before starting the questionnaire.

Declaring intent instead of current state. “We are planning to enable MFA” is not the same as “MFA is enabled.” Complete the fixes before completing the questionnaire.

Overlooking network printers and IoT devices. Think of printers with web management interfaces, smart TVs in meeting rooms, and CCTV systems connected to the network. If it connects to your network and the internet, it is in scope.

Not knowing your actual firewall configuration. “Our ISP provided the router and we have not changed anything” is a common answer. It may also be a failing answer if the default configuration does not meet CE requirements. Check, or have your IT provider check.

How to Turn This Into a Competitive Advantage

Cyber Essentials certification is not just a compliance exercise. It is a verifiable signal to the market that your business takes security seriously.

Put it in your email signature. Add the CE badge and certification number to your email footer. Every email you send becomes a signal.

Add it to your proposal template. When responding to tenders or RFPs, include your certification status in the company credentials section. For Pledge signatories reviewing suppliers, this is the line that moves you from “needs further assessment” to “meets requirements.”

Reference it in contract negotiations. When a client raises security concerns, “We are Cyber Essentials certified and recertify annually” is a concrete response. It closes the conversation faster than vague assurances about “taking security seriously.”

How to Sell This to Your Board

The business case for Cyber Essentials certification is straightforward.

Cost: £300-500 for self-assessment. Staff time for the gap assessment and remediation adds perhaps two to three days of effort across the business. For most organisations, the majority of the fixes are tasks your IT provider should be doing anyway.

Revenue protection: significant. If any of your top clients sign the Cyber Resilience Pledge, CE certification becomes a contract condition. The certification cost is trivial relative to the contract value it protects.

Insurance relevance. Some cyber insurance providers offer premium reductions for CE-certified organisations. Others use CE as a baseline requirement for policy eligibility. Check your current policy wording.

Regulatory direction. The Cyber Security and Resilience Bill is progressing through Parliament. The National Cyber Action Plan lands this summer. Government procurement already requires CE for many contracts. The direction of travel is more requirements, not fewer.

What This Means for Your Business

  1. Choose a certification body today. Visit the IASME website, select an accredited body, and register. This takes fifteen minutes.

  2. Run the gap assessment this week. Half a day, using the NCSC requirements document or your IT provider’s assessment. Document every gap.

  3. Fix admin privileges immediately. Separate daily-use accounts from admin accounts. This is the most common failure and the fastest fix.

  4. Enable MFA on every cloud service. Microsoft 365, Google Workspace, your accounting platform, your CRM. All of them. This takes an afternoon.

  5. Set a target date for questionnaire submission. Work backwards from the Pledge’s summer launch. If the Pledge goes live in July, you want certification in hand by June. That means starting the process now.

The Pledge is coming. The procurement emails will follow. The businesses that are already certified when those emails arrive will keep their contracts. The ones that are not will be scrambling.

Certification takes four to six weeks. You have that time now. You may not have it later.

