Let’s address the thing nobody wants to say out loud:
Most cyberattacks succeed because of embarrassingly preventable mistakes.
Not zero-days exploited by hoodie-wearing hackers (the poor hoodie is starting to get such a bad rep!) in dark basements.
Not sophisticated nation-state actors with unlimited budgets.
Not elaborate Ocean’s Eleven-style digital heists involving rappelling from ceiling tiles.
Just:
- Unpatched software (because “updates are annoying”)
- Weak passwords (looking at you, “CompanyName2024!”)
- Missing firewalls (disabled in 2019 “temporarily”)
- Admin rights distributed like supermarket loyalty cards
- Systems that haven’t been updated since David Cameron was PM
And yet, businesses across the UK still confidently declare:
“Oh, we’re pretty careful.”
“We have antivirus.” (From 2017. Expired.)
“Brian locks his laptop.” (Sometimes. When he remembers. Which is rarely.)
“We change our password annually.” (To Summer2025!, then Autumn2025!, you get the idea.)
The National Cyber Security Centre (NCSC) listened to this for years, watched the breach reports pile up like unwashed laundry, and finally thought:
“Right. That’s it. We’re writing the baseline down. In crayon if necessary.”
That baseline is Cyber Essentials.
It’s not sexy. It’s not cutting-edge. It won’t make you sound clever at dinner parties.
But it works.
This guide is your no-nonsense, actually-readable explanation of Cyber Essentials, written for people who:
- Care about security but hate security theatre
- Want government contracts (where it’s literally mandatory, not optional, not negotiable, full stop)
- Enjoy keeping client data safe more than explaining breaches to the ICO
- Prefer not being tomorrow’s cautionary tale in someone else’s cybersecurity presentation
- Actually want cyber insurance that pays out (instead of finding creative reasons not to)
No vendor fluff. No compliance waffle. No “synergistic paradigm shifts.”
Just clarity, consequences, and how to get certified without developing a drinking problem.
What This Guide Covers (AKA: Why This Is THE Cyber Essentials Page)
This is the central hub for understanding Cyber Essentials properly.
In this guide, you’ll learn:
- What Cyber Essentials actually is (in plain English)
- Why the UK government made it and why you should care
- The 5 technical controls explained properly
- Cyber Essentials vs Cyber Essentials Plus (and which you need)
- Requirements, costs, and timelines
- Why it’s now essential for tenders, insurance, and trust
- Common myths and costly mistakes
- How certification actually works
- What “good” looks like in 2026
If you want tactical deep dives, we’ll point you to those too.
This is your mothership.
The Cybersecurity Problem That Refuses to Die (Despite Our Best Efforts)
UK businesses lose billions annually to cyberattacks.
Not because attackers are brilliant supervillains with PhDs in computer science.
Because defences are about as solid as a chocolate teapot.
Here’s the uncomfortable truth that keeps security professionals up at night (apart from the energy drinks):
- 82% of data breaches involve a human element (Verizon DBIR) – humans being humans
- Most attacks exploit known vulnerabilities with patches that have been available for months (sometimes years)
- Phishing remains the #1 initial attack vector (because apparently we still can’t resist clicking “URGENT: Your Amazon Prime account has been suspended”)
- The majority of incidents involve basic security failures that would make a GCSE IT student wince
You know what stops most of these attacks?
The five Cyber Essentials controls.
These aren’t cutting-edge, bleeding-edge, AI-powered quantum blockchain defences running on neural networks in the cloud.
They’re the digital equivalent of:
- Locking the doors (novel concept, we know)
- Not giving the intern a key to the director’s office
- Fixing broken windows before winter arrives
- Actually turning on the burglar alarm you paid for
- Not writing the safe combination on a Post-it and sticking it on the safe
Revolutionary stuff.
And yet.
And yet.
Organisations still gleefully:
- Run unpatched systems (because what could possibly go wrong?)
- Give everyone admin rights (because “IT said no” is annoying)
- Use passwords like “P@ssw0rd123” (technically complex, practically useless)
- Disable firewalls “because they’re slowing things down” (yes, security does that)
- Assume malware protection is someone else’s problem (spoiler: it’s not)
The NCSC watched this circus performance year after year, studied the incident reports, analysed the breach patterns, and said:
“Here are the five things you absolutely must do. No debate. No excuses. No ‘but we’re different’.”
It’s the IT security equivalent of “eat your vegetables, brush your teeth, and look both ways before crossing.”
Boring? Yes.
Essential? Also yes.
Likely to save you from a spectacularly expensive disaster? Absolutely.
What Is Cyber Essentials (Without the Buzzwords or Soul-Crushing Boredom)
Cyber Essentials is a UK government-backed certification scheme that verifies you’ve actually implemented five basic security controls instead of just vaguely hoping for the best.
It was created by the National Cyber Security Centre (NCSC) – the people who genuinely know what they’re doing – and managed by IASME.
Think of it as:
The MOT for your IT security posture
Not perfect. Not comprehensive. And definitely not the automotive equivalent of a full Formula 1 pit crew.
But without it, you really shouldn’t be on the road.
Cyber Essentials proves:
- You’ve protected against common attack methods (the ones that actually happen, not the ones in spy films)
- You’ve implemented minimum viable security (the bare minimum to not be criminally negligent)
- You understand your digital attack surface (where the bad guys can poke you)
- You’re not a liability to clients, partners, or insurers (or at least, less of one)
It doesn’t make you bulletproof.
It doesn’t make you invincible.
It doesn’t even make you particularly special.
What it does is stop you being the embarrassingly low-hanging fruit that attackers harvest first while cackling at how easy you made it.
The Two Flavours: Cyber Essentials vs Cyber Essentials Plus (Choose Your Own Adventure)
Cyber Essentials comes in two versions, like a security choose-your-own-adventure book where one ending involves actual verification:
Cyber Essentials (Standard Edition)
Self-assessed, externally certified (Translation: You fill it in, we check your homework)
- You complete a questionnaire (it’s longer than you think)
- A certification body (like Morse) reviews it with a sceptical eye
- If you pass, you get certified and can brag about it
- Valid for 12 months (then we do this dance again)
Best for:
- Baseline compliance without the full shakedown
- Supply chain requirements (“just get the badge, Karen”)
- Demonstrating due diligence to people who won’t dig too deep
- Tender tick-box requirements where they don’t read the fine print
Honest assessment:
It’s CCTV footage you review yourself and promise is legit.
Cyber Essentials Plus (The “We Actually Check” Edition)
Independently tested and verified (Translation: We’re coming in, and we’re bringing scanning tools)
- Everything from standard CE
- Plus hands-on technical testing (actual humans, actual tests)
- Assessors probe your systems like a disappointed parent checking if you really cleaned your room
- Vulnerabilities must be fixed before certification (no, really, we check again)
- Valid for 12 months
Best for:
- Government contracts (where they’re not messing about)
- Handling sensitive data (and wanting to sleep at night)
- Enterprise client requirements (“show us you’re serious”)
- Cyber insurance premium reductions (insurers actually reward this)
- Organisations that want real assurance, not performative security
Honest assessment:
We bring the UV light to your hotel room. Prepare accordingly.
The key difference?
Cyber Essentials: “We solemnly swear we’ve done it.” (pinky promise)
Cyber Essentials Plus: “We’ve proven we’ve done it.” (with receipts)
One’s a declaration typed with crossed fingers.
The other’s a demonstration where we actually check.
Like the difference between:
- “I can totally do a backflip” vs. actually doing a backflip while we film it
- “Ordering tapas in fluent Spanish” vs. having a conversation in Spanish
- “I changed the oil” vs. showing us the dipstick
The 5 Cyber Essentials Controls (Actually Explained, With Sass)
Let’s unpack what you’re actually implementing (and why you should have done this already):
1. Firewalls (The Bouncer Your Network Desperately Needs)
What it is:
A barrier between your network and the howling chaos of the internet (and between network segments, because trust no one).
What it stops:
Unauthorised access to your systems. The digital equivalent of locking your doors instead of hanging a sign saying “PLEASE DON’T ROB US (the neighbours have better stuff).”
Why businesses spectacularly fail:
- Firewalls disabled “temporarily” in 2021 (it’s now 2026, Barry)
- No firewall on remote devices (because home Wi-Fi is totally secure, right?)
- Configuration hasn’t been reviewed since installation (set and forget… forever)
- “It was slowing things down” (yes, security does require processing power, welcome to reality)
- Someone googled “how to disable Windows Firewall” and felt very clever
What good looks like:
- Firewalls active on all internet-connected devices (yep, ALL of them)
- Default-deny rules (block everything, allow only what’s needed)
- Regular rule reviews (because your network isn’t static even if your thinking is)
- Documented exceptions (with actual justifications, not “Bob said it was fine”)
Real talk:
If your firewall is off, you’re basically leaving your front door open with a neon “FREE STUFF” sign. Don’t be that house.
2. Secure Configuration (Stop Using Default Settings, For The Love Of All That’s Holy)
What it is:
Removing unnecessary software, disabling unused services, changing default passwords, and generally not handing attackers a beautifully gift-wrapped entry point.
What it stops:
Attackers exploiting unnecessary features, default credentials (admin/admin, we’re looking at you), or bloated systems running services nobody needs or remembers installing.
Why businesses fail in ways that make us weep:
- Default admin passwords still in place (“who would guess ‘admin’??” — literally everyone, Trevor)
- Unused services left running (just in case we need that FTP server from 2003)
- Guest accounts active and unsupervised (free access for all!)
- Autorun enabled on everything (because automatically executing unknown files is definitely safe)
- Sample users from installation still exist (thanks for leaving the training wheels on)
What good looks like:
- Minimal software installation (if you don’t need it, DELETE IT)
- Services disabled unless actually required (required = actively used, not “might need it someday”)
- Strong, unique passwords (no, Summer1969! is not unique)
- Documented configurations (so people know WHY things are configured this way)
- Regular spring cleaning of digital junk
Real talk:
Secure configuration is digital Marie Kondo-ing. If it doesn’t spark joy (or serve a business function), bin it.
3. User Access Control (Stop Giving Everyone The Keys To Everything)
What it is:
Giving people the minimum access they need to do their job. Not what they want. Not what they think they need. What they actually, demonstrably require.
What it stops:
Malware, ransomware, and attackers doing the Macarena through your entire network after compromising one account.
Why businesses fail in utterly predictable ways:
- “Everyone’s an admin, it’s just easier” (easier for attackers too, genius)
- Shared credentials passed around like party favours (AccountingAdmin, password: Accounting123)
- No separation between admin and standard accounts (living dangerously 24/7)
- Leavers still have access months later (“has anyone told IT Sarah left?” “When did Sarah leave?” “February.” “It’s November.”)
- Junior marketing intern has domain admin rights (for reasons nobody can explain)
What good looks like:
- Standard user accounts for daily work (browse, email, cry over spreadsheets)
- Admin accounts only for admin tasks (used rarely, protected fiercely)
- Unique credentials per person (revolutionary concept)
- Regular access reviews (quarterly, with an actual checklist)
- Offboarding process that includes the words “disable account” on day one
Real talk:
Admin rights are not a status symbol. They’re a liability. Handing them out to everyone is like giving your toddler the car keys because they asked nicely.
4. Malware Protection (Because “We’re Careful” Is Not A Security Strategy)
What it is:
Software that detects and blocks malicious code before it ruins your day/week/quarter/year/career.
What it stops:
Viruses, ransomware, trojans, spyware, keyloggers, and other digital nasties with names that sound like rejected Pokémon.
Why businesses fail in face-palm-inducing fashion:
- Free antivirus from 2019 (expired, unloved, forgotten)
- Antivirus disabled “during that one project” (which finished during Covid)
- No scanning on servers (because what could possibly live there?)
- Definitions out of date (virus databases from the Cameron administration)
- “It kept flagging false positives so we turned it off” (bold strategy)
What good looks like:
- Antivirus on all devices (desktops, laptops, servers, tablets)
- Automatic updates enabled (let it update itself, don’t make this harder than it needs to be)
- Regular scans scheduled (daily or weekly, like brushing your teeth but for computers)
- Alerts monitored and acted on (not ignored, not dismissed, not filed under “probably fine”)
- Quarantine policies that don’t rely on users making good decisions
Real talk:
Running without malware protection in 2026 is like BASE jumping without a parachute because “heights are scary.” Yes, they are. That’s why you take precautions.
5. Security Update Management AKA Patch Management (Apply The Bloody Updates)
What it is:
Applying software updates within 14 days of release. Not when you feel like it. Not when the moon is in the seventh house. Within. Fourteen. Days.
What it stops:
Exploitation of known vulnerabilities – the ones literally published with step-by-step exploit instructions that attackers bookmark for light reading.
Why businesses fail in ways that keep security professionals drunk:
- “Updates break things” (sometimes yes, breaches break things worse)
- Manual processes that get forgotten (Steve was supposed to do it, Steve’s on holiday, Steve forgot)
- No visibility of what’s unpatched (ignorance is not bliss, it’s liability)
- Critical systems “can’t be rebooted” (they can, you’re just scared)
- Patch Tuesday becomes Patch Eventually becomes Patch Never
What good looks like:
- Automated updates where possible (for the love of all that’s holy, automate this)
- Documented patch windows (maintenance windows that actually happen)
- Testing process for critical systems (test in dev, patch in prod, sleep at night)
- Vulnerability tracking (know what’s unpatched and WHY)
- Escalation process when patches are delayed (with actual justification, not “we’ll get to it”)
Real talk:
Patches exist because software is imperfect. Attackers know this. They’re counting on you being too lazy/scared/busy to patch. Don’t prove them right.
Why Cyber Essentials Actually Matters (Beyond Just Having A Shiny Badge)
Cyber Essentials isn’t vanity certification you frame and forget.
It has real commercial and operational impact (fancy words for “it actually affects your business and bank account”).
1. Government Contracts (It’s Mandatory, Not Suggested, Not Optional, MANDATORY)
Since 2014, all central government contracts involving handling of personal data or provision of IT services require Cyber Essentials.
Not “preferably have it.”
Not “it would be nice if you had it.”
Not “we’re thinking about maybe requiring it.”
You must have it.
No certificate = No tender submission = No government money = Sad whimpering noises coming from the CFO’s office.
It’s not negotiable, debatable, or something you can charm your way around.
The short conversation goes:
“Do you have Cyber Essentials?”
“Well, we’re working towards—”
“That’s a no. Next.”
2. Supply Chain Requirements (Your Clients Are Asking, Stop Pretending They’re Not)
Increasingly, enterprise organisations require Cyber Essentials from suppliers because they don’t fancy being the headline “MAJOR CORPORATION BREACHED VIA THIRD-PARTY VENDOR.”
If you want on their Approved Supplier List, you need the badge.
Your choices:
- Get certified
- Lose the client
- Watch your competitor (who got certified) take the business
The conversation goes:
“We’d love to work with you, but our procurement policy requires—”
“Oh, we have Cyber Essentials. Here’s the certificate.”
“Excellent. Let’s proceed.”
OR
“We’d love to work with you, but our procurement policy requires—”
“We’re planning to get that next quarter probably maybe—”
“Thanks anyway. We’ll go with someone who takes security seriously.”
3. Cyber Insurance (Insurers Are Tired Of Paying For Preventable Stupidity)
Cyber insurance has gone from “nice to have” to “business critical” faster than you can say “ransomware.”
Insurers are now:
- Requiring Cyber Essentials for cover (full stop, end of discussion)
- Offering premium reductions of 10-20% for certification (real money, actual savings)
- Rejecting claims if you can’t prove basic controls (the ultimate “told you so”)
What insurers are thinking:
“You want us to cover you for a breach, but you can’t be bothered to implement basic security? Hard pass, too risky.”
4. Client Trust (Because “Trust Us” Doesn’t Work Anymore)
Your prospective client asks:
“How do we know you’re secure?”
Your options:
Option A: “Oh, we’re pretty careful. We take it very seriously. Security is our top priority. We’ve never had any issues.” (unconvincing, vague, sounds defensive)
Option B: “Here’s our Cyber Essentials certificate. Here’s when it was issued. Here’s when it expires. Here’s the scope it covers.” (credible, specific, verifiable)
One’s a vibes-based reassurance.
The other’s documented proof.
Guess which one wins contracts.
5. Reduced Attack Surface (The Controls Actually Work, Who Knew?)
Shockingly, implementing security controls genuinely reduces your risk.
This isn’t theatre. This isn’t box-ticking. It’s effective.
The NCSC states Cyber Essentials prevents around 80% of cyberattacks.
Not all attacks. Not sophisticated nation-state operations. Not the stuff that makes headlines.
But the common attacks that actually happen to actual businesses every single day.
Like:
- Automated scanning tools (looking for unpatched systems)
- Phishing leading to malware (that would be blocked)
- Brute force attacks (against weak passwords you no longer use)
- Exploitation of default credentials (that you changed)
The boring attacks that cost real money.
6. Legal Due Diligence (The ICO Is Taking Notes)
GDPR requires “appropriate technical and organisational measures” to protect personal data.
That’s deliberately vague.
But when the ICO investigates a breach, they ask:
“What security measures did you have in place?”
Possible answers:
A: “We, uh, we were careful?”
B: “Here’s our Cyber Essentials certification.”
Guess which one suggests you took your legal obligations seriously.
Cyber Essentials doesn’t guarantee GDPR compliance (nothing does, it’s a moving target).
But it’s strong evidence you implemented a recognised security baseline.
Legal translation:
“We did the thing the government’s own security agency says you should do.”
Cyber Essentials Requirements (What You’ll Actually Need To Stop Failing)
To get certified, you need to stop making excuses and actually implement:
Technical Requirements (The Actual Work Bit)
- Firewalls configured on all internet-facing systems (yes, including Bob’s laptop)
- Secure configurations applied to devices and software (factory settings don’t count)
- User access controls with separation of admin and standard accounts (not everyone needs to be admin, Susan)
- Malware protection active and updated (from this decade, preferably)
- Patch management process with 14-day maximum deployment (not 14 months, Steve)
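As an added illustration (not Morse’s tooling, nor anything the NCSC or IASME publish), here is a Python self-check that evaluates a constructed device inventory against the five controls described above and summarised in this technical requirements list, including the 14-day patch window. The inventory field names, the sample devices and the 7-day limit on malware-definition age are assumptions made for this example.

```python
"""Cyber Essentials-style self-check over a constructed asset inventory.

Added illustration only. Each device record below is made up, and the field
names are assumptions for this example rather than any scheme's data format.
"""
from datetime import date

PATCH_WINDOW_DAYS = 14      # the scheme's rule: updates applied within 14 days of release
AV_DEFINITION_MAX_AGE = 7   # assumption for this example: definitions older than a week are stale

# Constructed sample inventory (not real hosts).
INVENTORY = [
    {
        "name": "laptop-brian",
        "firewall_enabled": True,
        "default_credentials_changed": True,
        "running_services": {"ssh"},
        "required_services": {"ssh"},
        "daily_account_is_admin": False,
        "separate_admin_account": True,
        "av_installed": True,
        "av_definitions_updated": date(2026, 3, 9),
        # pending updates: (package, date the vendor released the fix)
        "pending_updates": [("browser", date(2026, 3, 5))],
    },
    {
        "name": "ftp-box-2003",
        "firewall_enabled": False,
        "default_credentials_changed": False,
        "running_services": {"ftp", "telnet", "smb"},
        "required_services": {"smb"},
        "daily_account_is_admin": True,
        "separate_admin_account": False,
        "av_installed": False,
        "av_definitions_updated": None,
        "pending_updates": [("os-kernel", date(2025, 11, 1))],
    },
]


def check_device(device, today):
    """Return the list of control failures for one device (empty list = passes)."""
    failures = []

    # 1. Firewalls: the host firewall must be on.
    if not device["firewall_enabled"]:
        failures.append("firewall: host firewall disabled")

    # 2. Secure configuration: no default credentials, no services nobody needs.
    if not device["default_credentials_changed"]:
        failures.append("secure-config: default credentials still in place")
    unneeded = device["running_services"] - device["required_services"]
    if unneeded:
        failures.append("secure-config: unneeded services running: " + ", ".join(sorted(unneeded)))

    # 3. User access control: daily work on a standard account, admin kept separate.
    if device["daily_account_is_admin"] or not device["separate_admin_account"]:
        failures.append("access-control: no separation between admin and standard accounts")

    # 4. Malware protection: installed, with definitions that are not stale.
    if not device["av_installed"]:
        failures.append("malware: no malware protection installed")
    else:
        updated = device["av_definitions_updated"]
        if updated is None or (today - updated).days > AV_DEFINITION_MAX_AGE:
            failures.append("malware: definitions out of date")

    # 5. Security update management: every pending fix inside the 14-day window.
    for package, released in device["pending_updates"]:
        overdue = (today - released).days - PATCH_WINDOW_DAYS
        if overdue > 0:
            failures.append(
                f"patching: {package} is {overdue} day(s) past the {PATCH_WINDOW_DAYS}-day window"
            )
    return failures


def assess(inventory, today):
    """Map each device name to its failures; devices with an empty list are compliant."""
    return {d["name"]: check_device(d, today) for d in inventory}


def run_example():
    """Assess the constructed inventory as of a fixed date so results are repeatable."""
    return assess(INVENTORY, date(2026, 3, 10))


if __name__ == "__main__":
    for name, failures in run_example().items():
        print(name, "PASS" if not failures else "FAIL")
        for failure in failures:
            print("   -", failure)
```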
Scope Definition (Where People Usually Mess Up)
You must define:
- In-scope devices – ALL devices connecting to your network or handling business data (the forgotten tablet in the drawer counts)
- Excluded systems – With actual justification (not “we forgot it existed”)
- Boundary definitions – Where your network starts and ends (surprisingly hard for some people)
Common scope mistakes:
- Forgetting the CEO’s laptop (because rules don’t apply to executives, apparently)
- Excluding “legacy systems” that are definitely still running (and definitely vulnerable)
- Not counting BYOD devices (bring your own disaster)
- Pretending the test environment doesn’t exist (narrator: it existed, and it was compromised)
Documentation (Yes, You Have To Write Things Down)
- Asset inventory (what you have, where it is, who uses it)
- Patch management process (documented, not just “Steve handles it”)
- Configuration standards (written down, version controlled, actually followed)
- Access control policy (who gets what access and WHY)
- Malware protection deployment (where it’s installed, how it’s configured)
Assessment Process (The Gauntlet)
- Self-assessment questionnaire – Detailed, technical, longer than you expect, cannot be completed while drunk
- Evidence submission – Screenshots, policies, configs (no, “trust me bro” is not evidence)
- Review by certification body – Like Morse, who actually know what they’re looking at
- Remediation if gaps found – Fix the things we found, all of them, not just the easy ones
- Certification when requirements met – Finally, the badge, sweet victory
Timeline reality check:
- “We’ll do this in a week” – Adorable, but no
- “A month should be fine” – Optimistic
- “Three months” – Realistic for most organisations
- “Six months” – If you’ve got legacy systems and organisational chaos
How Much Does Cyber Essentials Cost? (The Question Everyone Asks First)
Let’s talk money, because this is what keeps finance directors up at night (apart from the coffee).
Certification Body Fees (The Non-Negotiable Bit)
- Cyber Essentials: £300 – £600 (varies with the size of your business)
- Cyber Essentials Plus: £1,000 – £4,000+ (depends on scope, complexity, and how much you’ve been neglecting security)
What you’re paying for:
- Someone to review your questionnaire with actual expertise
- Certificate that’s recognised by people who matter
- Not having to figure this out yourself
Implementation Costs Without an MSP (The Bit That Might Hurt)
If you’re starting from “we think we’re secure” rather than “we are demonstrably secure”:
- Small business (<10 devices): £2,000 – £5,000
- Medium business (10-50 devices): £5,000 – £15,000
- Larger/complex estates: £15,000+ (could be significantly more if you’ve been ignoring IT for a decade)
What this includes:
- Gap analysis (finding all the things you’re doing wrong)
- Remediation work (fixing said things)
- Policy creation (writing down what you should have written down years ago)
- Technical implementation (actually doing the work)
- Staff training (explaining why admin rights for everyone was a terrible idea)
Hidden Costs Nobody Mentions (Until You’re Halfway Through)
- Ongoing maintenance – Security isn’t a one-time event (sorry)
- Recertification – Annually, forever, until the heat death of the universe
- Software licensing – If you need new antivirus, firewalls, MDM, etc. (and you probably do)
- Time – Internal resources for questionnaire completion, evidence gathering, handwringing
- Opportunity cost – What else could your IT team be doing? (Probably fixing the printer, but still)
The costs people forget:
- Replacing that ancient server you’ve been ignoring
- Actually buying licenses instead of using expired ones or ones you ‘got off a mate down the pub’
- Time spent in meetings debating whether this is really necessary
ROI (Return on Investment, AKA “Why This Isn’t Just An Expense”)
Money you can now access:
- Government contracts you couldn’t bid on before (potentially worth thousands to millions)
- Enterprise clients who require certification (real revenue, actual contracts)
Money you save:
- Insurance premium reductions (10-20%, adds up quickly)
- Not paying ransomware demands (average: £100,000+)
- Not paying breach fines (average UK GDPR fine: £thousands to millions)
- Not hiring crisis PR after a breach (also expensive)
- Not explaining to customers why their data leaked (priceless)
The calculation:
- Certification cost: £5,000
- New government contract won: £50,000
- ROI: 900%
- CFO’s mood: Improved
Common Cyber Essentials Myths (Let’s Kill These With Fire)
Myth:
“It’s just a tick-box exercise”
Reality:
Only if you treat it like one, and then you’re the one who ends up ticked off (and breached). The controls genuinely reduce risk. This isn’t theatre unless you make it theatre.
Myth:
“We’re too small to need it”
Reality:
Small businesses are targeted more, not less, because you’re easier, more trusting, and statistically less protected. Attackers don’t check your revenue before attacking. They check if your doors are unlocked. Yours are.
Myth:
“We already have antivirus, we’re fine”
Reality:
That’s 1 of 5 controls. You’re 20% there. Congratulations on doing the bare minimum of the bare minimum. Here’s your participation trophy.
Myth:
“It’s too technical for us”
Reality:
That’s why you work with people like Morse who literally certify organisations for a living. (Hi. We’re those people. We do this all day. We’ve seen worse than your setup. Probably.)
Myth:
“We tried and failed the assessment”
Reality:
Most failures are fixable. Common issues: everyone has admin rights, patching is “whenever Steve remembers,” firewall settings from 2015. None of these are insurmountable. They just require actual work.
Myth:
“Once we’re certified, we’re done forever”
Reality:
Certification lasts 12 months. Then you do it again. Security isn’t a destination, it’s a journey (an annoying, repetitive journey that never ends, like commuting but with more potential for disaster).
Myth:
“Our IT person said we don’t need it”
Reality:
Your IT legend might be wrong. Or overworked. Or tired of arguing. Or all three. Get a second opinion from people who certify this for a living.
Myth:
“We’ll do it when we have time”
Reality:
You’ll do it when you lose a contract because you don’t have it, or when cyber insurance becomes mandatory, or when a client demands it, or when you get breached. Pick one. We recommend option “do it now while it’s still voluntary.”
Myth:
“It’s expensive”
Reality:
Compared to what? A data breach averaging £3.9M? The 60% of SMEs that go out of business within six months of a significant cyberattack? The government contract you can’t bid on? The enterprise client who goes with your competitor? The cyber insurance premium increase? Losing customer trust? Explaining to the ICO why you didn’t implement basic security? Suddenly £5,000 seems quite reasonable.
Myth:
“We’re in the process of getting it”
Reality:
You can’t say that for three years. Either you’re getting it or you’re not. “In the process” is business-speak for “we haven’t started but it sounds better than admitting that.”
Cyber Essentials for Tenders & Government Contracts (Where “Almost Certified” Doesn’t Cut It)
The brutal truth?
No Cyber Essentials = No bid submission for most public sector contracts.
Not “we’ll consider you anyway.”
Not “explain why you don’t have it.”
Hard stop. Do not pass go. Do not collect your successful new sales contract on your way out.
Where It’s Mandatory (The “Stop Pretending This Is Optional” List)
- Central government contracts (all of them involving data or IT)
- MOD suppliers (defence doesn’t mess around)
- NHS contracts (increasingly, and they check)
- Local councils (depends on contract value and type, but trending upward)
- Defence supply chain (if you supply someone who supplies MOD, guess what you need)
Procurement Policy Note (PPN) – The Rules Written In Stone
The Cabinet Office issued guidance requiring Cyber Essentials for contracts involving:
- Personal data (spoiler: most contracts)
- IT systems (spoiler: most contracts)
- Access to government networks (definitely these contracts)
Translation:
If you handle data or IT for government, you need certification. End of discussion.
What Buyers Actually Check (Spoiler: Everything)
- Certificate validity – Is it in date? (Expired certificates are as useful as expired milk)
- Scope matches contract – Does your certification cover the systems you’ll actually use? (Not just “head office”)
- Certification level – Plus often required for sensitive work (standard won’t cut it)
- Certification body – Is it a recognised, legitimate body? (Yes, people check this)
What Happens If You Don’t Have It (A Tragedy In One Act)
Scene: Your office, bid deadline approaching
You: “We’d like to submit for this contract.”
Procurement: “Great! Do you have Cyber Essentials?”
You: “We’re planning to get it next quarter—”
Procurement: “So… no?”
You: “But we’re very secure! We have processes! We take it seriously!”
Procurement: “That’s lovely. Do you have the certificate?”
You: “Not technically yet, but—”
Procurement: “Thank you for your interest. We’ll be ‘in touch’.”
[You don’t make the shortlist. Your competitor with certification wins. The end.]
The “We Almost Had It” Hall of Shame
Real excuses we’ve heard:
- “We were going to get it last year” (but didn’t)
- “We’re 90% of the way there” (only completion counts)
- “Can we submit and get it during the contract?” (absolutely not)
- “Our parent company has it” (not how it works)
- “We’ll get Plus next month” (you don’t have Standard yet, Derek)
None of these work.
None of them.
Choosing a Cyber Essentials Certification Body (Because They’re Not All Equal, Despite What They Claim)
Not all certification bodies are created equal.
Some are excellent. Some are adequate. Some make you wonder how they got accredited.
You want one that:
Actually Understands the Controls (Revolutionary Concept)
Some certification bodies treat it like form-filling: check boxes, collect fees, issue certificate, disappear.
Others (like Morse) actually live and breathe this stuff daily because we’re also the people who secure organisations, not just audit them.
Questions to ask:
- “How many assessments do you do monthly?” (If they pause, that’s a red flag)
- “What’s the most common failure you see?” (If they can’t answer immediately, run)
- “Can you explain the controls without reading from the NCSC website?” (Basic competence check)
Provides Guidance, Not Just Gatekeeping (We’re Here To Help, Not Exclusively Judge)
Certification shouldn’t be a mystery box where you submit things and cross your fingers.
Good certification bodies help you get compliant, not just reject you with cryptic feedback.
Red flags:
- “Figure it out yourself” attitude
- One-word rejection emails
- No pre-assessment support
- Disappearing after you pay the fee
Green flags:
- Clear guidance on requirements
- Sample evidence examples
- Remediation support
- Actual qualified humans who answer questions
Has a Track Record (And Can Prove It)
Ask:
- “How many organisations have you certified?” (If it’s single digits, maybe not)
- “What’s your average time to certification?” (If they say “one week,” run)
- “Do you support remediation or just audit?” (You want support)
- “What happens if we fail?” (You want a clear path forward, not judgment)
Doesn’t Vanish After Certification (The Ghost Problem)
You’ll need ongoing support for:
- Recertification (annually, remember?)
- Ongoing compliance advice (your environment changes)
- Answers when things break (they will)
- Updates on requirement changes (NCSC updates the scheme occasionally)
Questions to ask:
- “What support do you provide post-certification?”
- “Do you charge extra for recertification advice?”
- “Can I email questions or do I need to book a call three weeks in advance?”
Why Morse? (The Bit Where We Talk About Ourselves)
We’re not just a certification body.
We’re a Cyber Essentials Certification Body and an NCSC Assured Service Provider.
Translation into normal words:
We don’t just stamp forms and collect fees.
We:
- Audit organisations every single day (we know what actually fails)
- Implement security for businesses (we know what actually works)
- Certify other MSPs (we literally mark the IT industry’s homework)
- Understand the controls because we deploy them constantly
What this means for you:
- We’ve seen every possible failure mode (your mistakes aren’t unique, and that’s fine)
- We know how to fix them (quickly, properly, without drama)
- We can spot BS a mile away (don’t try to fake evidence, we’ll know)
- We actually want you to pass (failed assessments are annoying for everyone)
Our approach:
- Pre-assessment guidance (so you don’t waste time)
- Clear, specific feedback (no cryptic rejection messages)
- Remediation support (actual help, not just “do better”)
- Ongoing compliance advice (we don’t vanish post-certification)
We’re not the cheapest. We’re not the quickest, because details matter here.
We’re the ones who get you certified properly instead of setting you up to fail recertification.
Why Cyber Essentials Matters Even More in 2026 (Plot Twist: Things Got Worse)
The security landscape hasn’t improved. It’s deteriorated. Spectacularly.
Ransomware Is Industrial-Scale (And Getting Boring In Its Effectiveness)
Gone are the days of lone hackers in basements eating Pot Noodles.
Today’s attackers are:
- Organised (like actual businesses, with HR departments and everything)
- Funded (often better than your IT budget)
- Ruthlessly efficient (they’ve automated the boring parts)
- Frighteningly professional (customer support for ransomware victims, we wish we were joking)
They scan the internet 24/7 looking for:
- Unpatched systems (still shockingly common)
- Weak credentials (hello “Admin123”)
- Missing firewalls (surprisingly prevalent)
- Basically, anything without Cyber Essentials
Their process:
- Scan for vulnerable targets
- Find you (they make it look embarrassingly easy)
- Exploit (automated)
- Encrypt (automated)
- Demand payment (with helpful payment instructions)
Your defence:
Cyber Essentials takes you off the "vulnerable targets" list. The scanner still sees you; it just finds nothing exposed, nothing unpatched and nothing with a default password to exploit.
They move to easier targets. There are plenty.
Insurance Is a Hard Market (And Underwriters Are Cranky)
Cyber insurance premiums have gone from “reasonable” to “eye-watering” faster than petrol prices.
Underwriters are done with:
- Preventable breaches
- Basic security failures
- “We didn’t think it would happen to us”
Their current mood:
“Prove you’re not a cyber security idiot before we’ll cover you.”
How you prove it:
Cyber Essentials certification.
No certificate = higher premiums, no cover, or both. And if they do cover you without one, expect the policy to lean on "reasonable security measures" wording; come claim time, the absence of a baseline certification is exactly the detail an insurer can use to refuse to pay.
Yes certificate = They actually return your calls.
Supply Chains Are Scrutinised (Because Nobody Wants To Be The Next Headline)
Your clients’ security is only as strong as yours.
And they finally understand this.
After watching:
- Target breached via an HVAC vendor's credentials (2013, and still the textbook example)
- Multiple “third-party vendor” breach headlines
- Their own close calls
They’re now asking:
- “Do you have Cyber Essentials?” (and checking the certificate)
- “When does it expire?” (and setting calendar reminders)
- “What’s your incident response plan?” (and actually reading it)
- “Can we audit your security?” (and they’re not joking)
Your choices:
- Get certified (stay on approved supplier lists)
- Don’t get certified (watch contracts evaporate)
AI-Powered Attacks (Because Regular Attacks Weren’t Enough)
Large Language Models haven’t made everyone smarter.
But they’ve made phishing:
- Contextual (personalised to you, your role, your company)
- Grammatically correct (goodbye “Dear Sir/Madam I am prince”)
- Convincing (actually plausible scenarios)
- Scalable (thousands of personalised emails per hour)
The good news:
A better-written phishing email is still just an email. What it delivers still has to get past:
- Patched systems (the payload relies on known vulnerabilities, which patching removes)
- Proper access controls and MFA (a harvested password alone doesn't log them in, and a compromised standard user can't install tools or reach the admin consoles)
- Active malware protection (detects and blocks the payload when it lands)
- Firewalls (no exposed services for a follow-up attack to walk in through; outbound filtering, where you have it, makes the callback home harder)
- Educated users (who verify requests for payments, credentials or "urgent" changes through a second channel before acting)
The fundamentals still win.
Fancy AI can craft the perfect phishing email.
But it can't magic past basic security controls.
Regulatory Pressure Is Mounting (The Vice Is Tightening)
GDPR fines aren’t theoretical anymore.
NIS2 is already in force for anything you operate in, or supply into, the EU, and the UK is following the same direction with its own Cyber Security and Resilience Bill (how far along it is depends when you read this).
The ICO is actively investigating security practices.
Regulators are asking:
“What security measures did you have in place?”
Acceptable answers:
- “Here’s our Cyber Essentials certification”
- “Here’s our detailed security framework based on recognised standards”
Unacceptable answers:
- “We were careful”
- “We have antivirus”
- “Nobody told us we needed to do anything”
Fines for inadequate security under UK GDPR:
Up to £17.5M or 4% of global annual turnover, whichever is higher.
Suddenly that £5,000 certification cost looks rather economical.
The Morse Take (Where We Tell You What We Really Think)
Cyber Essentials isn’t advanced security.
It isn’t cutting-edge threat intelligence.
It isn’t zero-trust architecture or AI-powered behavioural analytics.
It’s baseline adult supervision for business IT.
The digital equivalent of:
- Wearing a seatbelt (basic safety)
- Locking your doors (basic security)
- Not leaving your wallet on the roof of your car (basic common sense)
If your business:
- Sends emails (you do)
- Stores customer data (you definitely do)
- Bids on government contracts (you want to)
- Wants cyber insurance that actually pays out (you really do)
- Prefers not being tomorrow’s breach headline (you absolutely do)
- Enjoys having clients who trust you (presumably yes)
- Likes money more than data breach fines (we’re guessing yes)
Then Cyber Essentials isn’t optional. It’s not “nice to have.” It’s not “on the roadmap for Q4.”
It’s table stakes.
At Morse, we don’t treat certification as a rubber-stamp dispensary.
We’re the people who audit other organisations’ security posture and decide whether they get certified or get a list of things to fix.
That means:
- We’ve seen every creative interpretation of “compliant” (some impressive, none successful)
- We know what actually fails businesses (usually the things they swore they’d already done)
- We know how to fix it properly (not just enough to pass, but enough to stay secure)
- We know the shortcuts that come back to bite you (all of them, we’ve seen the scars)
- We know what good looks like (and we won’t certify anything less)
Dot and Dash would absolutely roast you for treating this like a tick-box exercise.
But they’d much rather help you get certified properly, stay certified, and actually be secure.
Because certified and secure beats certified and breached.
Every. Single. Time.
Next Step: Get Cyber Essentials Right (Or Keep Postponing It Until You Lose A Contract, Your Choice)
If you’re unsure whether you’re:
- Ready for certification (you’re probably not, but that’s fixable)
- Missing critical controls (you almost certainly are)
- Using the wrong scope (this trips up almost everyone)
- About to fail an assessment (possibly, but we can prevent that)
- Wasting money on a certification body that won’t help (entirely possible)
That’s not a failure.
It’s just unfinished work.
And unfinished work can be finished.
We won’t judge your current security posture.
(We’ve seen worse. Probably. Almost definitely.)
We’ll just tell you what needs fixing and how to fix it.
Dot. Dash. Done—properly.
(Not “Dot. Dash. Half-arsed.”)
Are You Cyber Essentials Ready? (Spoiler: Probably Not, But We Can Fix That)
This isn’t a sales pitch.
It’s a gap check.
Free. Quick. Honest.
(Possibly brutal, but in a helpful way.)