TL;DR

To get Cyber Essentials certified: define scope, fix MFA on every cloud service, tighten admin accounts, patch everything, remove unsupported operating systems, then complete the IASME questionnaire through an accredited body. Cost from £320+VAT. Allow two to four weeks end-to-end for a typical small business. v3.3 "Danzell" auto-fails anyone without MFA where a cloud platform offers it.

Step 1 — Decide your scope

Scope is the part of your business you're certifying. Whole-organisation scope is cleanest: one certificate, no awkward explanations to clients. You can narrow scope to a department or a single office, but you can't exclude anything that processes the data you're trying to protect, and that includes cloud services, home-working devices and BYOD that touch it. If your accounts team uses the same Microsoft 365 tenant as the marketing team, they're both in scope.

Write your scope statement before you start answering any questions. It governs every answer after it.

Step 2 — Get the five controls straight

All Cyber Essentials questions map to five technical controls. Sort these first:

  1. Firewalls — every internet-connected device has a firewall, default passwords changed, unused services off.
  2. Secure configuration — devices built from a hardened baseline, guest accounts disabled, autoplay off.
  3. User access control — least privilege, admin accounts separate from day-to-day accounts, MFA everywhere cloud offers it.
  4. Malware protection — anti-malware software (or application allow-listing) on every in-scope device, kept updated. EDR products such as Defender for Business or SentinelOne satisfy this; a plain antivirus that updates itself also passes.
  5. Security update management — all software in vendor support, with updates fixing high or critical vulnerabilities (CVSS 7 and above) applied within 14 days of release, and automatic updates turned on where the product offers them.

Step 3 — Handle the v3.3 "Danzell" MFA rule

From 27 April 2026, version 3.3 of the requirements auto-fails you if a cloud service offers MFA and you haven't turned it on. This includes Microsoft 365, Google Workspace, Xero, Sage, Dropbox, Slack, GitHub, your CRM, your VPN: every cloud tool the business touches, not just the ones IT set up. Before you submit, build a list of every cloud service in use (finance and marketing usually have a few nobody told you about) and confirm MFA is enforced for every user, not merely available in the settings. It's the single biggest cause of first-time failures in 2026.

Passwordless sign-in (passkeys, Windows Hello for Business, Microsoft Authenticator) is accepted as a stronger alternative to MFA-plus-password, so don't be afraid to skip the password where the platform supports it.

Step 4 — Kill unsupported software

Windows 10 reached end-of-life on 14 October 2025. Extended Security Updates cover consumer devices to October 2026; the business ESU programme runs for up to three years and costs around £50 per device for the first year, roughly doubling each year after. From a Cyber Essentials angle, any Windows 10 device not enrolled in ESU fails automatically. Upgrade to Windows 11 or replace the hardware before you submit. Our Windows 10 end-of-life guide walks through the options. Same logic applies to macOS older than the last two major releases, and to any server operating system out of vendor support.
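A per-device check for Step 4 (and the local-admin half of Step 5), written as an added example for this guide rather than code from the original article or from IASME. It runs in an elevated PowerShell session on the endpoint, or through your RMM. The assumptions are that a consumer Windows 10 device enrolled in ESU has no reliable flag this script can read, so Windows 10 is simply flagged for review, and that "days since the last installed hotfix" is only a proxy for the 14-day patch rule, not proof of it.

```powershell
# Added example, not from the original article: readiness check on one Windows endpoint
# for the "unsupported software" and "14-day patch" controls, plus local admin membership.
# Run elevated on the device (PowerShell 5.1 or 7).

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

# Windows 11 builds start at 22000; a lower client build is Windows 10 or older.
# Assumption: ESU enrolment is not readable here, so Windows 10 is flagged for review.
$osStatus = if ($os.Caption -match 'Server') {
    "Server build $build: confirm against the vendor lifecycle table"
} elseif ($build -ge 22000) {
    "Windows 11 (build $build): in support"
} else {
    "Windows 10 or older (build $build): FAIL unless the device is enrolled in ESU"
}

# Proxy for the 14-day rule: days since the most recent quality update installed.
# Get-HotFix lists installed updates only, so treat a gap as a prompt to check
# Windows Update or Intune compliance, not as a pass on its own.
$latest = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

$patchStatus = if (-not $latest) {
    "No dated hotfix records: check Windows Update history manually"
} else {
    $days = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    if ($days -gt 14) { "Last update $($latest.HotFixID) installed $days days ago: review" }
    else              { "Last update $($latest.HotFixID) installed $days days ago: OK" }
}

# Step 5 at device level: day-to-day users must not be local administrators.
$localAdmins = (Get-LocalGroupMember -Group 'Administrators').Name -join ', '

[pscustomobject]@{
    Device          = $env:COMPUTERNAME
    OperatingSystem = $osStatus
    Patching        = $patchStatus
    LocalAdmins     = $localAdmins
} | Format-List
```

Run it across the estate and keep the output: the questionnaire asks you to declare the operating systems in scope and how updates are applied, and a dated inventory is what the assessor will ask for if anything is queried.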

Step 5 — Separate admin accounts

Day-to-day user accounts must not hold local or cloud-admin rights. In Microsoft 365, that means each administrator has a separate, named admin account used only for admin work, with MFA enforced through a Conditional Access policy that targets directory roles. Break-glass accounts are allowed but must be documented, excluded from that policy deliberately rather than by accident, and monitored for sign-ins. If every user is also a Global Administrator, you'll fail.
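A tenant-side check for Step 3 and Step 5 in Microsoft 365, added here as an example and not part of the original article or any IASME tooling. It uses the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`) and assumes you can consent to the scopes listed, and that your separate admin accounts follow a naming convention, taken here as an `adm-` prefix on the UPN, which you should change to match your own.

```powershell
# Added example, not from the original article: find privileged accounts with no MFA
# registered, privileged roles sitting on everyday accounts, and whether a Conditional
# Access policy actually enforces MFA for directory roles.
# Assumption: admin accounts are named "adm-<name>@<tenant>"; edit the pattern below.
$AdminUpnPattern = 'adm-*'

Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All','Policy.Read.All' -NoWelcome

# One row per user from the authentication methods registration report.
# IsAdmin covers any privileged directory role, not only Global Administrator.
$reg    = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$admins = $reg | Where-Object IsAdmin

# Step 3: a privileged account with no MFA-capable method registered is a straight fail.
$adminsNoMfa = $admins | Where-Object { -not $_.IsMfaRegistered }

# Step 5: a privileged role on an account outside the admin naming convention is
# almost always someone's day-to-day account carrying admin rights.
$dualUse = $admins | Where-Object { $_.UserPrincipalName -notlike $AdminUpnPattern }

# Registration is not enforcement. Look for enabled Conditional Access policies that
# require MFA and include at least one directory role in their user scope.
$caMfaForRoles = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeRoles.Count -gt 0
}

"Privileged accounts with no MFA method registered: $($adminsNoMfa.Count)"
$adminsNoMfa |
    Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

"Privileged roles on accounts not named '$AdminUpnPattern': $($dualUse.Count)"
$dualUse | Select-Object UserPrincipalName, IsMfaRegistered | Format-Table -AutoSize

"Enabled Conditional Access policies requiring MFA for directory roles: $($caMfaForRoles.Count)"
$caMfaForRoles |
    Select-Object DisplayName, @{ n = 'RolesTargeted'; e = { $_.Conditions.Users.IncludeRoles.Count } } |
    Format-Table -AutoSize
```

All three counts should be zero, zero and at least one before you submit. The registration report only tells you a method exists; the Conditional Access query is what shows the control is enforced, which is the question the assessor is really asking. Expect your documented break-glass accounts to appear in the first list by design, and be ready to explain them.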

Step 6 — Pick an accredited certification body

Cyber Essentials is delivered through IASME and its accredited certification bodies. You pick one, pay them directly, and they mark your questionnaire. Costs in 2026:

  • Micro (0–9 employees): from £320+VAT
  • Small (10–49): around £400+VAT
  • Medium (50–249): around £500+VAT
  • Large (250+): from £600+VAT

Organisations under £20m turnover certifying through IASME get bundled cyber liability insurance — usually around £25,000 of cover. Worth noting when comparing.

Step 7 — Complete and submit the questionnaire

The self-assessment runs online. There are roughly 80 questions, the exact number depending on earlier answers. Budget half a day for someone who knows the estate. Common traps: misreading the "internal IP range" questions, miscounting devices (include BYOD and home-working laptops if they access business data), and forgetting cloud services that sit outside Microsoft 365.

Submit, pay, and your assessor will respond within a week. If you pass, you're certified for 12 months. If there are gaps, you usually get two working days to clarify or remediate; miss that window and the next submission is a fresh, paid attempt.

Step 8 — Plan for Cyber Essentials Plus or a renewal

Once you're CE-certified, two paths open up. Either push on to Cyber Essentials Plus for a hands-on technical audit (£1,400–£3,000), which must be completed within three months of the basic certificate being issued, or diary your renewal 11 months out. Either way, don't let the certificate lapse: insurers and clients increasingly ask for a current badge, not "we had one in 2024".

The full control-by-control spec sits on the NCSC Cyber Essentials overview. Our own cyber security team manages the whole process for West Sussex SMEs — readiness, questionnaire, handover to assessor, remediation.

FAQs

How long does Cyber Essentials take?

Most SMEs complete basic Cyber Essentials in two to four weeks. The questionnaire itself takes a few hours; the time is in fixing MFA, admin accounts and unsupported operating systems before you submit.

Can I self-assess without help?

Technically yes. In practice, most SMEs work with an MSP or consultant because wrong answers on the questionnaire cause a fail and you still pay for the next attempt.

What is scope?

Scope is the part of your business being certified. Whole-organisation is cleanest. Narrower scopes are allowed but can't exclude anything that handles the data you're trying to protect.

What happens if I fail?

You get feedback and have 48 hours to remediate and resubmit under most certification bodies. If that window closes, you pay for a fresh attempt.

Do I need to recertify every year?

Yes. Certificates last 12 months. Insurers and clients increasingly ask for a current badge, so diary the renewal 11 months after issue.