Cyber Essentials Certification Guide for UK Businesses

A plain English guide to getting Cyber Essentials certified — what it is, what it costs, and how to prepare your team.

Official NCSC documentation

The full Cyber Essentials Requirements for IT Infrastructure v3.3 is published directly by the National Cyber Security Centre.

Download the official document from NCSC →

What is Cyber Essentials?

Cyber Essentials is a UK government-backed cybersecurity certification scheme. It was introduced in 2014 and is overseen by the National Cyber Security Centre (NCSC). The scheme is designed to help organisations of all sizes protect themselves against the most common cyber attacks.

There are two levels of certification. Cyber Essentials is a self-assessment where you answer questions about your security controls. Cyber Essentials Plus adds a hands-on technical audit by an accredited assessor. Both are valid for 12 months.

Certification is administered through IASME, the NCSC's delivery partner for the scheme. IASME-licensed certification bodies carry out the assessments and issue certificates.

Why Cyber Essentials matters for UK businesses

  • Required for government contracts

    Most UK public sector contracts that involve handling sensitive or personal data require Cyber Essentials certification. Without it, you cannot bid.

  • Demonstrates commitment to cybersecurity

    Certification shows clients, partners, and insurers that your organisation takes cybersecurity seriously and has implemented basic controls.

  • Protects against common attacks

    The five controls covered by Cyber Essentials defend against the vast majority of commodity cyber attacks — the untargeted, automated attacks that affect most businesses.

  • Insurance requirements

    An increasing number of cyber insurance providers require or offer discounts for Cyber Essentials certification.

What's new in Danzell v3.3

Danzell v3.3 is effective from 27 April 2026. It introduces significant changes including new auto-fail conditions and expanded scope requirements. CrownSync CE Readiness is fully updated for all v3.3 changes.

Danzell v3.3 applies to all assessment accounts created on or after 27 April 2026. Accounts created before that date use the previous Willow question set and have 6 months to complete certification.

Auto-fail items (certification is impossible until fixed)

  • MFA not enabled on cloud services where the service offers it
  • High or critical security updates not applied within 14 days of release
  • Unsupported software in use (including Windows 10, end of life 14 October 2025, unless the device is enrolled in Microsoft's paid Extended Security Updates programme and is still receiving security updates)
  • No firewall at the network boundary
  • Default passwords not changed on any device or network equipment
  • Shared user accounts (multiple people using the same credentials)

New in v3.3 specifically

  • Cloud services formally defined — cannot be excluded from scope
  • Social media accounts used for business are cloud services
  • Passwordless authentication (passkeys, FIDO2, biometrics) now recognised
  • Password length: 12 characters (no MFA) or 8 characters (with MFA)
  • Password expiry and complexity requirements removed
  • Scope must include a detailed description and all legal entities

The five Cyber Essentials controls

Cyber Essentials focuses on five technical controls. Every organisation in scope must demonstrate compliance with all five.

1. Firewalls and internet gateways

A firewall creates a buffer zone between your internal network and external networks. Every internet connection needs a correctly configured boundary firewall, and devices that connect directly to untrusted networks (laptops on home or public Wi-Fi, for example) need a host-based firewall as well. Inbound rules should be documented and reviewed, and default administrative interfaces must not be exposed to the internet.

2. Secure configuration

Computers and devices should be configured to reduce vulnerabilities. Default passwords must be changed, unnecessary software and accounts removed, auto-run disabled, and automatic updates enabled.

3. User access control

User accounts should only have the access they need. Administrator accounts should only be used for administrative tasks (not for email or web browsing), each person should have their own account, and access should be removed promptly when no longer required. MFA must be enabled on cloud services where it is available.

4. Malware protection

Every in-scope device must have malware protection. Cyber Essentials accepts anti-malware software that is kept up to date, or application allow listing (only approved applications can run) where that is appropriate for the device.

5. Patch management (Security Update Management)

Software and devices must be kept up to date. Security updates rated high or critical must be applied within 14 days of release, and software that no longer receives security updates must be removed or moved out of scope.
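The five controls above are checked per device, and a readiness exercise starts with collecting evidence from each endpoint. The following is an added example, not CrownSync, NCSC or IASME code: a PowerShell evidence-gathering script for a Windows 10/11 endpoint running Microsoft Defender, to be run in an elevated session. It assumes the 14-day patch window and the 14 October 2025 Windows 10 end-of-life date stated on this page; the "Within14Days" value is only an approximation because it measures the age of the last installed update rather than the days since each update's release.

```powershell
# Added example: local evidence collection for the five Cyber Essentials controls.
# Not part of any official tooling. Run as Administrator on Windows 10/11 with Defender.
# Assumptions: 14-day patch window and Windows 10 EOL of 14 Oct 2025 (both from the guide).

$evidence = [ordered]@{}

# Control 1: host firewall must be enabled on every profile (Domain, Private, Public)
$evidence.Firewall = Get-NetFirewallProfile | Select-Object Name, Enabled

# Control 2: secure configuration - operating system and whether it is still supported
$os = Get-CimInstance Win32_OperatingSystem
$evidence.OS = [pscustomobject]@{
    Caption   = $os.Caption
    Build     = $os.BuildNumber
    # Windows 10 left mainstream support on 14 Oct 2025; ESU-enrolled devices need manual review
    Supported = -not ($os.Caption -like '*Windows 10*' -and (Get-Date) -ge [datetime]'2025-10-14')
}

# Control 3: user access control - enabled local accounts and members of the local Administrators group
$evidence.LocalUsers  = Get-LocalUser | Where-Object Enabled | Select-Object Name, PasswordLastSet
$evidence.LocalAdmins = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass

# Control 4: malware protection - Defender engine, real-time protection and signature age in days
$mp = Get-MpComputerStatus
$evidence.Malware = [pscustomobject]@{
    AntivirusEnabled   = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = $mp.AntivirusSignatureAge
}

# Control 5: security update management - most recent installed update and how old it is
$latest = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$patchAgeDays = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }
$evidence.Patching = [pscustomobject]@{
    LatestHotFix = $latest.HotFixID
    InstalledOn  = $latest.InstalledOn
    DaysSince    = $patchAgeDays
    # Indicator only: the requirement is 14 days from each update's release, not from the last install
    Within14Days = ($null -ne $patchAgeDays -and $patchAgeDays -le 14)
}

# Print the collected evidence; pipe to Export-Clixml or ConvertTo-Json to keep a record per device
$evidence
```

Run it on a representative sample of each device type in scope and keep the output with your assessment notes. Any profile showing Enabled = False, an unsupported OS, an everyday user account sitting in Administrators, real-time protection off, or a stale signature set maps directly onto one of the auto-fail items listed earlier on this page.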

How much does Cyber Essentials cost?

Item                                          Typical cost
Cyber Essentials (self-assessment)            £300–£600
Cyber Essentials Plus (technical audit)       £1,500–£3,000+
Consultant to help you prepare                £1,000–£5,000
CrownSync CE Readiness                        Free during launch

Certification fees are paid directly to the accredited certification body. CrownSync is a preparation tool — it helps you get ready before you apply.

The Danzell v3.3 question set

Danzell is the name of the official question set used for Cyber Essentials self-assessment. It is maintained by IASME and defines the exact questions that certification bodies ask during the assessment process.

Version 3.3 of the Danzell question set takes effect on 27 April 2026. It updates several areas including cloud services, thin client configurations, and mobile device management to reflect the current threat landscape.

CrownSync CE Readiness is aligned to the Danzell v3.3 question set. The assessment adapts to your organisation — you only see questions that are relevant to your setup. A sole trader sees fewer questions than a 50-person company with servers and cloud services.

Who needs Cyber Essentials?

Mandatory for central government contracts

Procurement Policy Note PPN 014 requires Cyber Essentials for all UK central government contracts involving the handling of sensitive or personal information or the delivery of ICT products and services. This applies to contracts with central government departments, executive agencies, and non-departmental public bodies.

Increasingly required for NHS and public sector

NHS trusts and Integrated Care Boards increasingly require Cyber Essentials from suppliers, particularly those providing digital services or handling patient data. Local authorities are also adopting similar requirements. While not universally mandatory across all NHS contracts, the direction of travel is clear.

Cascading through supply chains

The requirement filters through supply chains. Organisations holding government contracts increasingly require their own suppliers to hold Cyber Essentials — meaning the requirement extends well beyond direct government suppliers into the broader UK supply chain.

Recommended for all UK organisations

The NCSC recommends Cyber Essentials for all UK organisations regardless of sector as the baseline standard for cyber security. With 43% of UK businesses experiencing a cyber breach or attack in 2025, certification is increasingly expected by clients and insurers regardless of contractual obligation.

How long does it take?

  • Small (under 10 employees): 1–2 weeks, with the right tool and a single point of contact
  • Medium (10–50 employees): 2–4 weeks, requires coordination across departments
  • Larger (50+ employees): 4–8 weeks, multiple stakeholders and IT team involvement

Step by step — how to get certified

  1. Prepare using a readiness tool (like CrownSync)
  2. Fix any gaps identified in your controls
  3. Get board-level sign-off on your readiness
  4. Apply through an IASME-licensed certification body
  5. Complete the self-assessment questionnaire
  6. Receive your Cyber Essentials certificate

Official guidance and resources

CrownSync actively supports the NCSC and IASME's mission to make UK businesses more cyber secure. The links below go directly to official NCSC and IASME resources. CrownSync is an independent preparation tool — we are not affiliated with NCSC or IASME, but we refer all users to their official guidance.

A note on insurance questions

The official Danzell v3.3 question set includes two insurance questions, A3.2 (cyber insurance opt-in) and A3.3 (insurance contact email). They apply to UK organisations with gross annual turnover under £20m, which qualify for the cyber liability insurance included with certification. CrownSync does not currently include these questions.

When you submit your assessment through an IASME-licensed certification body, you will need to answer A3.2 and A3.3 directly on their platform. These questions do not affect your Cyber Essentials readiness score or gap analysis.

Find more information about the included cyber liability insurance at iasme.co.uk.

Deep dive guides

Detailed guides on the most important topics in Cyber Essentials Danzell v3.3.

Start your Cyber Essentials preparation today

CrownSync CE Readiness walks your team through the official Danzell v3.3 question set, identifies gaps, and helps you get board sign-off — completely free during our launch period.

Get started free

No credit card required. Full access to all features.