IASME Cyber Essentials: The UK Certification Guide 2026
IASME is the NCSC's official Cyber Essentials delivery partner, administering certification for over 215,000 UK organisations. This guide covers all five controls, CE versus CE Plus, certification costs, and the key changes for 2026.
Bottom line up front: IASME Consortium is the National Cyber Security Centre's (NCSC) appointed delivery partner for the Cyber Essentials scheme — the UK government's baseline cyber security certification. Over 215,000 certificates have been awarded since the scheme launched in 2014, with around 49,000 issued in the most recent twelve-month period according to GOV.UK. Holding one is a prerequisite for a growing range of government and private-sector contracts. This guide covers what IASME's role means in practice, how the two certification levels differ, what the five controls actually require, and what has changed heading into 2026.
What Is IASME? The NCSC's Official Delivery Partner Explained
When you see the term "IASME Cyber Essentials", you are looking at one scheme, not two separate products. IASME Consortium is the organisation appointed by the National Cyber Security Centre to own, administer, and develop the Cyber Essentials scheme on behalf of the UK government. The NCSC and government set policy and mandate requirements; IASME executes delivery.
IASME's operational responsibilities include:
- Setting and updating the technical requirements and assessment question set
- Accrediting and overseeing a national network of more than 400 Certification Bodies (CBs) — the licensed assessors who deliver certification to individual organisations
- Operating the public certificate verification portal, allowing buyers to confirm a supplier's certification status in real time
- Managing the cyber liability insurance benefit that accompanies certification for eligible organisations
- Publishing the free Readiness Tool, guidance documents, and training resources for applicants and CBs
Every Cyber Essentials certificate issued in the UK — whether to a sole trader or a large enterprise — flows through IASME's governance framework. The NCSC endorses and mandates the scheme; IASME makes it work in practice.
Cyber Essentials vs Cyber Essentials Plus: Which Level Do You Need?
Two certification levels exist under the scheme. They cover the same five technical controls but differ significantly in how compliance is verified and what assurance they provide to buyers.
| | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment method | Verified self-assessment questionnaire reviewed by a licensed assessor | All CE controls, plus independent hands-on technical testing of live systems |
| Who conducts it | Self-led or guided by a Certification Body | Must be conducted by an IASME-licensed Certification Body |
| Starting price | From £320 +VAT | Quoted individually; varies by organisation size and network complexity |
| Certificate validity | 12 months | 12 months |
| Free cyber insurance | Included for full-org certs, organisations under £20m turnover | Included for full-org certs, organisations under £20m turnover |
| Typically required by | Most central government contracts, general supply chain assurance | MOD supply chain, higher-risk contracts, regulated sector procurement |
The self-assessment in Cyber Essentials is not a rubber-stamp process. A licensed assessor reviews the submission and will reject answers that are inconsistent, ambiguous, or unsupported by the described technical state. Cyber Essentials Plus goes further: the Certification Body tests the live environment, attempting to exploit misconfigurations, verifying patch levels on a sample of devices, and probing endpoint protections directly.
In practitioner experience, UK SMEs typically begin with Cyber Essentials and progress to CE Plus when a contract, insurer, or sector regulator requires the higher assurance level.
The Five Technical Controls — What Assessors Actually Check
The scheme is built around five controls, each targeting a category of attack that accounts for a high proportion of successful breaches of UK organisations. Understanding what assessors look for under each is essential for a first-time pass.
1. Firewalls
Every device that connects to the internet must sit behind a properly configured boundary firewall or router. Where a boundary firewall does not fully protect individual devices — for example, laptops used on public Wi-Fi networks — personal firewalls must be active and configured. Assessors check whether default passwords have been changed, whether inbound connections are blocked except where explicitly required, and whether firewall rules are documented and reviewed.
2. Secure Configuration
Devices and software must be configured to minimise the attack surface. This means removing or disabling unnecessary accounts, default vendor software, and unused network services. Assessors check that auto-run and auto-play are disabled, that only approved software is permitted to execute, and that default accounts — including vendor-supplied accounts — have been removed or disabled and renamed where required.
3. User Access Control
Standard user accounts must be used for everyday tasks; administrator privileges must be granted only where strictly necessary and only for the duration of the task requiring them. Admin accounts must not be used to browse the web or check email. Multi-factor authentication (MFA) is required for all accounts that can access organisational data or services over the internet — this explicitly includes cloud services such as Microsoft 365 tenancies, Google Workspace, and any SaaS platform with access to organisational data.
4. Malware Protection
Organisations must deploy at least one of the following on all in-scope devices: signature-based anti-malware software; application allowlisting (preventing execution of anything not on an approved list); or sandboxing for email attachments and web downloads. Where software-based malware protection is used, it must be kept up to date with current definitions and must be actively scanning.
5. Security Update Management (Patching)
All software in scope must be licensed, actively supported by the vendor, and kept up to date. Unsupported software — where the vendor no longer issues security patches — must be removed from scope or replaced with a supported alternative. Critical and high-severity patches must be applied within 14 days of release. Assessors increasingly scrutinise software inventories against known end-of-life dates as part of the review process.
Scope: What Is — and Is Not — Covered by Cyber Essentials
Scope definition is one of the most consequential decisions in a Cyber Essentials assessment. A scope that is too narrow may not satisfy procurement buyers; one drawn broadly without the controls in place will result in a failed submission.
Typically in scope:
- All user devices (laptops, desktops, tablets, smartphones) used to access organisational data or services
- All servers hosted on the organisation's premises or in co-location facilities under its management
- Cloud services the organisation manages or configures — for example, Microsoft 365 tenant settings, AWS EC2 instances, or any IaaS or PaaS environment under organisational control
- Bring-Your-Own-Device (BYOD) handsets that access corporate email or data
- Devices used by home workers where the organisation has management control
Typically out of scope:
- Cloud services managed entirely by the provider where the organisation has no configuration responsibility (e.g. a SaaS application where the organisation only logs in as a consumer with no admin or configuration access)
- Operational Technology (OT) and Industrial Control Systems — separate NCSC guidance exists for these environments
- IoT devices not used for general computing tasks
A common and costly mistake is to exclude cloud services or remote-worker devices to simplify the assessment, then discover that the procurement buyer does not accept a limited-scope certificate as adequate assurance of whole-organisation security posture.
Who Needs IASME Cyber Essentials Certification?
As of May 2026, no statutory provision in force imposes a universal mandate for Cyber Essentials under UK law. However, it is effectively mandatory in several well-defined contexts.
Central Government Procurement
Any organisation bidding for UK central government contracts that involve handling personal data or delivering certain IT products and services must hold a current Cyber Essentials certificate. This requirement has been in place since 2014 and has been maintained and extended. The government's scheme overview on GOV.UK is explicit: organisations with a current certificate can bid for government contracts where handling of financial or personal data is involved. Organisations without one are disqualified at the procurement gateway.
Ministry of Defence Supply Chain
MOD prime contractors and their downstream suppliers are required to hold Cyber Essentials Plus as a condition of many defence contracts. Organisations in the defence supply chain should verify specific contract requirements; the level required has been tightened in recent contract cycles.
Financial Services and Regulated Sectors
A growing number of regulated financial services firms require Cyber Essentials from their suppliers as part of third-party risk management programmes, aligned with FCA operational resilience expectations. Healthcare organisations in England handling NHS data may find Cyber Essentials referenced within or alongside the Data Security and Protection Toolkit (DSPT).
Insurance
Several cyber liability insurers price premiums based on Cyber Essentials certification status, or require it as a minimum prerequisite for cover. For eligible organisations, the complimentary insurance that accompanies certification represents substantial value relative to the certification fee.
UK NIS Regulations and Pending NIS2 Transposition
The existing UK NIS Regulations 2018 apply to Operators of Essential Services and Relevant Digital Service Providers. The UK government's consultation on transposing the EU's NIS2 Directive into domestic law was still progressing through the parliamentary process as of May 2026; any transposed obligations would be subject to their own phased implementation timelines and entity-type scoping. Cyber Essentials is not directly mandated under the UK NIS Regulations, but regulators commonly treat it as a baseline indicator of cyber hygiene, particularly for smaller entities in scope of the regulations.
Even where certification is not explicitly required, the scheme provides a structured, cost-effective framework for demonstrating due diligence to clients, boards, and insurers.
What Does IASME Cyber Essentials Cost in 2026?
Certification fees are tiered by organisation size. The entry-level fee for the smallest organisations starts at £320 +VAT, as published by the NCSC. Larger organisations pay higher fees reflecting the increased complexity of the assessment. IASME publishes current pricing bands on its website and fees are reviewed periodically.
| Organisation size | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Micro (up to 9 employees) | From £320 +VAT | Quoted by Certification Body |
| Small (10–49 employees) | Tiered fee — contact a CB or IASME | Quoted by Certification Body |
| Medium (50–249 employees) | Tiered fee — contact a CB or IASME | Quoted by Certification Body |
| Large (250+ employees) | Tiered fee — contact a CB or IASME | Quoted by Certification Body |
Cyber Essentials Plus pricing is quoted individually by the Certification Body, based on the number of sites, network subnets, and device count. It carries a meaningful premium over CE, reflecting the hands-on technical testing involved.
Free cyber liability insurance accompanies full-organisation Cyber Essentials or CE Plus certification for UK-based organisations with annual turnover under £20 million. This benefit — administered through IASME's insurance partner — provides 24/7 incident response support and financial protection against common cyber incidents. According to figures cited by the UK Government on GOV.UK, organisations with the Cyber Essentials controls in place make 92% fewer cyber insurance claims — making the certification a genuine risk-reduction measure as well as a procurement credential.
The Certification Process — Step by Step
Cyber Essentials: Self-Led Route
- Register on the IASME portal and select a Certification Body, or use IASME directly for the smallest organisations.
- Pay the appropriate certification fee.
- Complete the verified self-assessment questionnaire, answering questions across all five control domains for all devices and systems within the defined scope.
- Obtain board-level sign-off — a director or equivalent must formally attest to the accuracy of the submission. This is not optional.
- Submit to the assessor for review. The assessor reviews all answers and may request clarification.
- If satisfactory, the certificate is issued. If not, detailed feedback is provided and the applicant can remediate and resubmit within the validity window.
- Eligible organisations receive automatic cyber liability insurance activation upon certification.
Guided Route (with a Certification Body)
Engaging an IASME-licensed CB means the assessor supports the organisation through the questionnaire, identifies gaps, advises on remediation, and manages the submission process. This route is recommended for organisations with limited in-house IT expertise or those who have previously failed a self-led assessment. Many CBs offer a pre-assessment gap review as a standalone service before the formal assessment begins.
Cyber Essentials Plus Route
CE Plus requires an IASME-licensed Certification Body. The CB conducts hands-on technical testing of the live environment: external and internal vulnerability scanning, endpoint configuration checks across a sample of in-scope devices, and verification of MFA enforcement against cloud services in scope. The CB produces a formal test report and, on a pass, issues the CE Plus certificate. Organisations often pursue CE and CE Plus in a single engagement to reduce cost and disruption.
What Has Changed in 2025 and 2026
The scheme reached its ten-year anniversary in October 2024. IASME has continued to refine technical requirements and the supporting question set in response to the evolving threat landscape. Applicants in 2026 should be aware of the following developments.
Cloud Services and SaaS Scope Expectations Tightened
IASME has progressively tightened expectations around cloud-service scope. Organisations using Microsoft 365, Google Workspace, or equivalent platforms must now answer questions about their tenant configuration — including conditional access policies and MFA enforcement — rather than treating the platform as an out-of-scope vendor responsibility. The organisation's configuration of the SaaS environment is in scope; the underlying vendor infrastructure is not.
MFA Enforcement: Tightened Requirements
The MFA requirement now explicitly covers all accounts that can access organisational data or services over the internet. Assessors scrutinise MFA configuration more rigorously than in earlier iterations of the scheme. Authenticator-app or hardware-token MFA is the recommended approach; SMS-only one-time passwords may not satisfy assessors in all cases.
Unsupported Software: Windows 10 End-of-Life
The prohibition on unsupported software within scope has been consistently enforced and is actively checked. Windows 10 reached vendor end-of-life in October 2025. Organisations still running it on in-scope devices must either upgrade to a supported operating system or provide evidence of active Microsoft Extended Security Updates (ESU) coverage for the devices in question. Assessors are instructed to check operating system support status against current vendor end-of-life schedules.
Insurance Benefit Value Increased
IASME increased the value of the complimentary cyber liability insurance in 2024, reflecting rising costs associated with cyber incidents across the UK market. The enhanced benefit makes the certification financially compelling for eligible SMEs even before any procurement or regulatory consideration.
These changes do not represent a fundamental redesign of the scheme. The five controls remain constant. What has changed is the depth of evidence expected, and the tightening of scope definitions — particularly around cloud services and remote-working devices — to close gaps that organisations historically exploited to simplify their submissions without meaningfully improving their security posture.
What This Means for UK SMEs in Practice
For a small or medium UK business, IASME Cyber Essentials is the most cost-effective formal cyber security certification available. The practical implications are significant across several dimensions:
- Procurement access: Without a current certificate, central government contract opportunities are closed. Banks and larger private-sector buyers are increasingly following the same model, making certification a commercial necessity rather than an optional compliance exercise.
- Insurance value: The complimentary cyber liability insurance for eligible organisations — worth several times the certification fee for many eligible SMEs — provides financial cover and access to incident response expertise that smaller organisations would otherwise lack entirely.
- Regulatory credibility: Under the UK GDPR, holding current Cyber Essentials certification is meaningful evidence of due diligence in the event of a personal data breach. The ICO does not mandate it, but it substantiates a defence of having taken appropriate technical measures — a relevant consideration when the ICO assesses whether a fine is proportionate.
- Known limitations: Cyber Essentials does not address physical security, social engineering or insider threat risk, incident response planning, or business continuity. Organisations with higher risk profiles — regulated financial services, healthcare, critical national infrastructure — will typically need to layer ISO 27001, DSPT compliance, or NIS Regulations obligations on top of the Cyber Essentials baseline.
Pre-Assessment Checklist Before You Apply
Verify the following before submitting a Cyber Essentials self-assessment. A failed submission does not void the fee, so it is worth confirming readiness in advance.
- All devices accessing company data — including BYOD devices and home-working laptops — are included in scope, or a clear and defensible boundary has been drawn and documented
- All internet-facing services sit behind a properly configured firewall with unnecessary ports closed, default credentials changed, and inbound connections restricted to what is required
- All software and operating systems on in-scope devices are within active vendor support and have had applicable patches applied within the past 14 days
- Standard user accounts are used for day-to-day tasks; administrator-level accounts are separate, tightly controlled, and not used for email or web browsing
- Multi-factor authentication is enabled on all accounts that can access organisational data or services over the internet — including Microsoft 365, Google Workspace, and all SaaS tools
- Anti-malware (or an approved equivalent) is installed, active, and up to date on all in-scope devices
- A board director or equivalent senior individual is prepared to sign the formal declaration confirming the accuracy of the submission
- You have a current, documented inventory of in-scope devices and software — CE Plus testing will verify a sample, and CE assessors may request evidence
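The checklist above is usually worked through by hand; the script below is an added example (not IASME, NCSC or SummitBridge tooling) that runs the device-level items of that checklist on a single Windows 10/11 endpoint and maps each finding to the relevant control. It checks only the local device, so cloud tenant MFA, scope documentation and board sign-off still need their own evidence, and it assumes Microsoft Defender is the anti-malware product in use.

```powershell
# Added example (not IASME, NCSC or SummitBridge tooling): read-only pre-assessment
# readiness check for one Windows 10/11 endpoint, mapped to the five CE controls.
# It covers device-level items only; cloud tenant MFA and board sign-off need
# separate evidence. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator
$findings = [System.Collections.Generic.List[string]]::new()

# Control 1 - Firewalls: each profile enabled and not allowing inbound by default.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings.Add("Firewall profile '$($p.Name)' is disabled") }
    if ($p.DefaultInboundAction -eq 'Allow') {
        $findings.Add("Firewall profile '$($p.Name)' allows inbound connections by default")
    }
}

# Control 2 - Secure configuration: AutoRun/AutoPlay off for all drive types, Guest disabled.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 255) {
    $findings.Add('AutoRun/AutoPlay not disabled for all drive types (NoDriveTypeAutoRun should be 255)')
}
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings.Add('Built-in Guest account is enabled') }

# Control 3 - User access control: everyday accounts should not be local admins.
# Membership is listed for manual review; only dedicated admin accounts should appear.
$admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
$findings.Add("Review local Administrators membership: $($admins -join ', ')")

# Control 4 - Malware protection: Defender running with fresh signatures.
# If a third-party product is in use, Defender may be passive; check that product instead.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add('Defender status unavailable; confirm the installed anti-malware is active and updated')
} elseif (-not ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)) {
    $findings.Add('Defender real-time protection is not enabled')
} elseif ($mp.AntivirusSignatureAge -gt 7) {
    $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old")
}

# Control 5 - Security update management: supported OS and recent patch activity.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -match 'Windows 10') {
    # Windows 10 reached vendor end-of-life in October 2025; ESU coverage must be evidenced.
    $findings.Add("$($os.Caption) build $($os.BuildNumber): supported OS or ESU evidence required")
}
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
             Select-Object -First 1
$days = if ($lastPatch) { ((Get-Date) - $lastPatch.InstalledOn).Days } else { $null }
if ($null -eq $days -or $days -gt 14) {
    # Not a failure by itself (no patch may have been released), but worth confirming.
    $findings.Add("No Windows update installed in the last 14 days (last: $($lastPatch.InstalledOn)); confirm no pending critical updates")
}

# Report: one line per item to review, or a clean result.
if ($findings.Count -eq 0) { 'No device-level findings' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Keep the output alongside the device inventory: CE assessors may ask for evidence, and CE Plus testers will repeat equivalent checks on a sample of the same devices.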
Next Steps
- Use the free Readiness Tool at iasme.co.uk to generate a tailored action plan based on your current technical posture before committing to a formal assessment.
- Select a Certification Body from the IASME-accredited network if you want guided support, are pursuing CE Plus, or have a tight deadline for a procurement submission.
- Remediate gaps before submitting — organisations typically find it worthwhile to conduct an internal review or a CB-led pre-assessment gap check before the formal submission, particularly if cloud services or BYOD devices are in scope.
- Renew annually — certificates lapse after 12 months. Supply chain buyers routinely check certificate validity dates in procurement portals; an expired certificate is treated as equivalent to having no certification at all.
- Plan what comes after CE — if your risk profile or contractual obligations require it, consider whether ISO 27001, UK GDPR documentation, or UK NIS Regulations compliance should follow as the next layer of your security programme.
SummitBridge Horizon supports UK and EU organisations through Cyber Essentials and Cyber Essentials Plus preparation, gap assessments, and complementary compliance programmes including ISO 27001, UK GDPR, and NIS2 readiness — see our compliance services.