Compliance 21 March 2026 7 min read

Cyber Essentials explained: what it is and whether your business needs it

Cyber Essentials is a UK government-backed security certification that most small businesses have heard of but few actually understand. It's not a compliance requirement for most sectors — but it's a credible signal, a practical checklist, and for businesses working with public sector clients, increasingly a commercial necessity. Here's what it actually covers.

Cyber Essentials was created by the UK's National Cyber Security Centre (NCSC) and is backed by the UK government. The premise is straightforward: there are five technical controls that, if implemented correctly, would prevent the large majority of common cyber attacks. The certification verifies you have them in place.

It's been around since 2014, has had a few updates since then, and remains one of the most practical security frameworks available to UK small businesses — not because it's comprehensive, but because it's focused on the things that actually cause most incidents.

The five controls Cyber Essentials covers

The certification assesses five technical areas:

Firewalls

Boundary firewalls and internet gateways — the controls that protect your network from internet traffic. For most cloud-first small businesses on Google Workspace with no on-premise servers, this is primarily about configuring network routing correctly and not exposing unnecessary services to the internet.

Secure configuration

Removing unnecessary software and services, changing default credentials on routers and devices, and ensuring devices are set up securely rather than left on manufacturer defaults. This overlaps significantly with what a Google Workspace security audit covers — default Admin Console settings that leave you exposed are exactly the kind of thing Cyber Essentials flags.

User access control

Who has admin access to what, and is it the minimum necessary? Standard users shouldn't be running with admin privileges on their devices. Super Admin access in Google Workspace should be limited to those who genuinely need it. This control maps directly to the Admin Console access settings covered in a full Workspace security review.

Malware protection

Anti-malware software on all devices, and controls to prevent malicious code from running. For Windows devices, this is typically Windows Defender combined with an endpoint security product like Huntress. For macOS, the picture is similar. For a cloud-first business, the primary malware risk is browser-based and document-based — so controls around browser security and email scanning are also relevant here.

Patch management

Keeping all software and operating systems up to date. Unpatched software is one of the most common attack vectors — vulnerabilities in outdated software are actively exploited within days of disclosure. Cyber Essentials requires a 14-day patch window for high-severity vulnerabilities.

"If you've properly addressed these five controls, you've blocked around 80% of the attack methods used against UK small businesses. That's the point of the scheme — not perfection, but the biggest improvements for the least effort."

Cyber Essentials vs Cyber Essentials Plus

There are two levels of the certification:

Cyber Essentials — self-assessment. You answer a questionnaire about your technical controls, it's verified by a certification body, and you receive the certificate. Costs around £300 for most small businesses. Takes a few hours to complete if your controls are already in place.

Cyber Essentials Plus — independently verified. A qualified assessor tests your controls technically — scanning devices, verifying configurations — rather than just reviewing your answers. More rigorous, costs more (typically £1,500–£3,000 depending on business size), and more credible as a signal to clients.

For most small businesses, Cyber Essentials (self-assessed) is the right starting point.

Who needs it — and who should consider it

Mandatory if you're bidding for UK government contracts that involve handling personal information or providing certain ICT products and services. If you want to supply central government, Cyber Essentials is a baseline requirement.

Increasingly expected in professional services. Law firms, accountancies, and regulated businesses are increasingly asked by larger clients or regulators to demonstrate basic cyber hygiene. Cyber Essentials provides a recognised framework for doing that.

Worth considering if:

How Google Workspace maps to Cyber Essentials

If you're on Google Workspace and have completed a proper security hardening — MFA enforced, email authentication configured, Admin Console settings reviewed, third-party app access controlled — you're already satisfying several of the Cyber Essentials controls. Specifically: user access control, parts of secure configuration, and elements of malware protection (Google's built-in email scanning addresses the document-based malware control).

The controls that Google Workspace alone doesn't address are: device-level patch management (your laptops and phones still need to be kept updated), endpoint malware protection (requires a separate product like Huntress), and firewall configuration (primarily relevant if you have any on-premise infrastructure).

For a cloud-first business using Google Workspace as its primary platform, getting from "properly configured Workspace" to "Cyber Essentials ready" is a relatively short journey. The audit will show you the gap; the certification itself is then a matter of completing the questionnaire accurately.

Founder, GetBulwark · Google Workspace Specialist
