
# Cyber Essentials and Cyber Essentials Plus

## Introducing the Service

If you're bidding for UK public sector work, responding to procurement questionnaires, or trying to satisfy an insurer, Cyber Essentials is usually the cheapest and quickest credential to put on the table. It's a UK government-backed scheme that demonstrates you have the basic technical controls in place to defend against the most common internet-borne attacks.

Oxford Infosec takes small, fast-moving companies through Cyber Essentials self-assessment and the hands-on Cyber Essentials Plus audit, then keeps the controls and evidence in shape so annual recertification doesn't turn into a fire drill. Our consultants are familiar with the IASME-administered scheme, the NCSC requirements, and the practical realities of getting a small business over the line on the first attempt.

Our approach is pragmatic and risk-driven. We focus on the controls actually required by the scheme, calibrated to how your business genuinely operates, rather than reshaping your environment to fit a generic checklist.

This service description reflects the **April 2026 update (Requirements for IT Infrastructure v3.3, Danzell question set)**, which applies to all assessment accounts created on or after 27 April 2026.

## What Problem Does This Solve?

Cyber Essentials looks simple on paper, and for a well-run business it is. But the scheme has tightened materially over recent years, and the April 2026 update introduces new automatic-fail conditions that catch out companies that believe they are already compliant.

Typical challenges for growing organisations:

| Challenge                                               | Consequence                                                                                        |
| ------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| **MFA isn't fully rolled out across cloud services**    | Automatic fail under the 2026 rules where MFA is available but not enforced                        |
| **Patching is informal**                                | Missing the 14-day window for critical and high-risk updates is now an automatic fail              |
| **Cloud scope is unclear**                              | SaaS tools that store or process company data can't be excluded; missing them means a failed audit |
| **BYOD and remote working aren't documented**           | Personal devices accessing company data fall in scope and need to be assessed                      |
| **No internal owner for the assessment**                | Questions get answered inconsistently; evidence is patchy; the assessor pushes back                |
| **Cyber Essentials Plus testing surfaces unknown gaps** | Vulnerability scans find unpatched software the team didn't know was deployed                      |

Oxford Infosec scopes the assessment correctly, gets the controls in place, prepares the evidence, and walks you through the assessor's questions so you pass first time and keep passing every year.

## Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials has two levels. Both certify the same five technical control themes (firewalls, secure configuration, security update management, user access control, and malware protection); the difference is how that compliance is verified.

| Level                     | How it's verified                                                                                                  | Typical use case                                                                               |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------- |
| **Cyber Essentials**      | Self-assessment questionnaire (Danzell), reviewed by an IASME-licensed assessor                                    | Most UK public sector tenders, supply chain requirements, baseline insurance                   |
| **Cyber Essentials Plus** | Independent technical audit including external vulnerability scan, internal device scans, and configuration checks | Higher-assurance public sector work, MOD supply chain, customers requiring independent testing |

Many small businesses start with Cyber Essentials and add Plus when a specific contract requires it. We can help you decide which is right for the deals you're actually chasing.

## What's Changed in the April 2026 Update

The 2026 update is the most significant in several years. It applies to every assessment account created on or after 27 April 2026, so it affects both first-time certifications and renewals from that date:

| Change                                           | What it means in practice                                                                                                                              |
| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Mandatory MFA on cloud services**              | Where MFA is available on a cloud service (free, bundled, via federation, or paid), it must be enforced. Otherwise it's an automatic fail              |
| **14-day patching is now an auto-fail**          | High-risk and critical security updates for OS, firmware, and applications must be applied within 14 days of release                                   |
| **Passwordless and passkeys encouraged**         | The scheme is steering organisations toward passkeys and phishing-resistant MFA as the default                                                         |
| **Cloud services cannot be scoped out**          | The definition of cloud has been clarified; if a service stores or processes your data, it's in scope                                                  |
| **Minimum 12-character passwords**               | Increased from the previous 8-character minimum where MFA isn't in place                                                                               |
| **Backups elevated in the requirements**         | Backup guidance now sits up front in the document, signalling its importance for ransomware resilience                                                 |
| **Continuous vulnerability management for Plus** | Cyber Essentials Plus expects ongoing scanning and remediation, not a once-a-year tidy-up before the audit. Failed samples trigger expanded re-testing |
| **Danzell question set**                         | Replaces the previous Willow question set; familiar in shape but with the changes above embedded                                                       |

We track these changes as they're confirmed by IASME and the NCSC, so the controls and evidence we put in place are aligned to the version of the scheme you'll be assessed against.
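
The 14-day rule is the one most often misjudged in practice, because the clock starts at the vendor's release date, not at the point you notice the update. The Python script below is an added example written for this page, not tooling from the scheme, IASME, or Oxford Infosec. It evaluates a constructed patch inventory (hostnames, package names, and dates are invented) against the window and flags the records that would put an assessment at risk. It treats an update as high-risk or critical on the scheme's stated criteria: the vendor rates it critical or high, the fixed vulnerability carries a CVSS v3 base score of 7.0 or above, or the vendor publishes no severity detail at all.

```python
"""Added example: check a patch inventory against the Cyber Essentials 14-day window.
The INVENTORY below is constructed for illustration and is not real data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=14)
HIGH_RISK_RATINGS = {"critical", "high"}


@dataclass(frozen=True)
class Update:
    host: str
    package: str
    released: date                        # vendor release date: the window starts here, not at detection
    installed: Optional[date]             # None if the update is still missing
    vendor_rating: Optional[str] = None   # vendor's own severity label, if it publishes one
    cvss_v3: Optional[float] = None       # CVSS v3 base score of the fixed issue, if published


def is_high_risk(u: Update) -> bool:
    """True when the update falls under the 14-day rule: vendor says critical/high,
    CVSS v3 base score >= 7.0, or no severity detail at all (the scheme's
    conservative default when the vendor gives nothing to go on)."""
    if u.vendor_rating and u.vendor_rating.lower() in HIGH_RISK_RATINGS:
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= 7.0:
        return True
    return u.vendor_rating is None and u.cvss_v3 is None


def classify(u: Update, today: date) -> str:
    """Return one of: not_in_window, compliant, late, overdue, pending."""
    if not is_high_risk(u):
        return "not_in_window"
    deadline = u.released + WINDOW
    if u.installed is not None:
        # Installed, but was it inside the window? "late" means the process missed it.
        return "compliant" if u.installed <= deadline else "late"
    # Still missing: overdue once today is past the deadline, otherwise pending.
    return "overdue" if today > deadline else "pending"


def patch_report(updates, today):
    """One row per record, with the deadline where the 14-day rule applies."""
    rows = []
    for u in updates:
        status = classify(u, today)
        deadline = None if status == "not_in_window" else (u.released + WINDOW).isoformat()
        rows.append({"host": u.host, "package": u.package, "status": status, "deadline": deadline})
    return rows


def auto_fail(updates, today) -> bool:
    """A single high-risk update outstanding past its deadline is enough to fail."""
    return any(classify(u, today) == "overdue" for u in updates)


# Constructed sample inventory (hypothetical hosts, packages, and dates).
TODAY = date(2026, 6, 1)
INVENTORY = [
    Update("lt-01", "os-security-rollup", date(2026, 5, 20), date(2026, 5, 25), vendor_rating="critical"),
    Update("lt-02", "os-security-rollup", date(2026, 4, 28), date(2026, 5, 20), cvss_v3=8.1),   # installed 8 days late
    Update("lt-03", "browser", date(2026, 4, 20), None, cvss_v3=9.8),                           # missing, deadline long past
    Update("fw-01", "router-firmware", date(2026, 5, 28), None),                                # no vendor detail: treated as high risk
    Update("lt-04", "office-suite", date(2026, 4, 1), None, vendor_rating="moderate", cvss_v3=5.3),  # outside the rule
]

if __name__ == "__main__":
    for row in patch_report(INVENTORY, TODAY):
        print(row)
    print("auto-fail:", auto_fail(INVENTORY, TODAY))
```

A record marked `late` has been installed but missed the window; an assessor will still read it as evidence that the process is not working, while `overdue` is the live auto-fail condition. In practice the inventory would be fed from an MDM or patch-management export rather than hard-coded, and firmware on routers and firewalls needs to be in that feed, since it is the record most often absent.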

## Fit for Small Businesses

This service is designed for organisations that need a credible Cyber Essentials or Cyber Essentials Plus certificate without spinning up an internal compliance function. Typically that means:

* **5 to 200 employees**: from very small teams responding to a first tender, up to growing businesses needing Plus for higher-assurance contracts
* **Mostly cloud-based**: Microsoft 365 or Google Workspace, SaaS tools, laptops, and a small set of cloud-hosted services
* **Selling to UK public sector or regulated supply chains**: where Cyber Essentials is a contractual requirement
* **Looking for proportionate assurance**: practical controls that match how the business actually runs, not enterprise overlays

Cyber Essentials is the right answer when you need a recognised UK certificate quickly, when an insurer or customer is asking specifically for it, or when you want a credible baseline before you take on more demanding frameworks.

If you already have ISO 27001 or SOC 2 in place, Cyber Essentials is usually a small additional step. If your underlying security is patchy, our Security Foundations service is often the better starting point: it gets the controls right, after which Cyber Essentials becomes a documentation and evidence exercise rather than a remediation project.

## Outcomes: What You Get

### A certificate you can rely on

| Outcome                                               | What this means                                                                                             |
| ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| **You achieve certification on your target timeline** | Scoping, remediation, and submission aligned to your tender, contract, or insurance deadline                |
| **The certificate reflects how you actually operate** | Scope drawn around the real environment, with cloud services properly captured rather than wished away      |
| **You pass first time**                               | Auto-fail conditions identified and resolved before the questionnaire is submitted or the Plus audit begins |
| **You stay certified year on year**                   | Annual recertification is a refresh, not a rebuild, because the controls have been maintained throughout    |

### Credibility with buyers and insurers

| Outcome                                           | What this means                                                                           |
| ------------------------------------------------- | ----------------------------------------------------------------------------------------- |
| **You can bid for UK public sector contracts**    | Cyber Essentials is required for many central government contracts handling personal data |
| **You can answer security questionnaires faster** | Evidence is mapped to the controls buyers and insurers typically ask about                |
| **Your insurance position improves**              | Many cyber insurers offer better terms (or any terms) once Cyber Essentials is in place   |

### Confidence in the basics

| Outcome                                | What this means                                                                                                |
| -------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| **MFA is genuinely everywhere**        | Across email, identity, admin consoles, and any in-scope SaaS, with phishing-resistant options where supported |
| **Patching is on a working cadence**   | Critical and high-risk updates inside 14 days, with visibility of what's deployed and what's missing           |
| **Devices are managed and configured** | Endpoint protection, secure baselines, encryption, and timely patching across laptops and mobiles              |
| **Cloud is in scope and hardened**     | Tenant-level configuration reviewed against the scheme requirements, not just defaults                         |
| **Backups would actually help you**    | Critical data backed up, protected from ransomware, and restorable when you need it                            |

## How It Works

The service is split into the initial certification and the ongoing maintenance that keeps you certified at each annual renewal.

### Phase 1: Certification

Phase 1 typically takes four to eight weeks for Cyber Essentials, and an additional two to four weeks for Cyber Essentials Plus, depending on your starting point and the complexity of your environment.

| Category                            | Activity                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Kick-off and Scoping**            | <p>A short alignment call to agree:</p><ul><li><strong>Level</strong>: Cyber Essentials only, or Cyber Essentials Plus.</li><li><strong>Boundary</strong>: which users, devices, networks, and cloud services are in scope. Whole-organisation scope is preferred; sub-set scopes are agreed and documented where genuinely justified.</li><li><strong>Accountability</strong>: nominate a senior contact to approve decisions and own internal coordination.</li><li><strong>Timeline</strong>: target submission and audit dates, working back to remediation deadlines.</li></ul> |
| **Asset and Cloud Inventory**       | Document the user devices, servers, network equipment, and cloud services in scope. Particular attention to BYOD, contractor devices, and SaaS tools that store or process company data, all of which are easy to miss and now explicitly in scope under v3.3.                                                                                                                                                                                                                                                                                                                       |
| **Gap Assessment**                  | Walk through the Danzell question set against your current environment. Identify where you already comply, where there are gaps, and where you have auto-fail risk under the 2026 rules (notably MFA coverage and 14-day patching).                                                                                                                                                                                                                                                                                                                                                  |
| **Remediation Support**             | Guide and validate the work needed to close gaps: enforcing MFA across cloud tenants, tightening device configuration, deploying or tuning endpoint protection, formalising the patching process, removing default and unused accounts, and confirming firewall settings on remote workers' devices.                                                                                                                                                                                                                                                                                 |
| **Documentation**                   | Produce or refresh the supporting documentation the assessor expects: asset list, scope statement, patching policy, password and MFA policy, BYOD policy, and a short user-facing acceptable use note.                                                                                                                                                                                                                                                                                                                                                                               |
| **Questionnaire Completion**        | Draft answers to the Danzell question set, gather supporting evidence, and walk the nominated approver through every answer so they can sign off with confidence.                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **Plus Pre-audit (if applicable)**  | For Cyber Essentials Plus, run an internal dry run of the technical tests: external vulnerability scan, sampled internal device scans, browser and email-handling tests, account separation, and MFA verification. Fix anything that would fail before the live audit starts.                                                                                                                                                                                                                                                                                                        |
| **Submission and Assessor Liaison** | Submit the questionnaire, manage assessor queries, coordinate any retesting, and handle the Cyber Essentials Plus audit logistics through to issuance of the certificate.                                                                                                                                                                                                                                                                                                                                                                                                            |

### Phase 2: Maintenance

Cyber Essentials is an annual certification. The controls have to be in place every day of the year, not just at submission. Phase 2 keeps them there.

| Category                              | Activity                                                                                                                                                |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Patching Oversight**                | Check that the 14-day window for high-risk and critical patches is being met across operating systems, firmware, and applications, and flag drift early |
| **MFA and Access Reviews**            | Periodic checks that MFA remains enforced across all in-scope cloud services, including newly adopted SaaS tools and federated logins                   |
| **Device and Endpoint Configuration** | Sample checks on device baselines: encryption, screen lock, endpoint protection, software firewall, and removal of unused or default accounts           |
| **Cloud Scope Maintenance**           | Update the cloud services inventory as new tools are adopted; confirm that any new service handling company data is brought into scope and configured   |
| **Vulnerability Management (Plus)**   | Operate continuous external and internal vulnerability scanning; track and close findings ahead of the next audit window                                |
| **Documentation Refresh**             | Keep policies, asset list, and scope statement current; capture changes from major business events (new offices, M&A, significant tooling changes)      |
| **Incident and Change Advisory**      | Provide guidance for incidents and major changes that could affect the certification scope or controls                                                  |
| **Annual Recertification**            | Re-run the gap assessment, refresh evidence, complete the latest question set, and shepherd the renewal through to certification                        |
| **Standards Watch**                   | Monitor IASME and NCSC updates so changes to the requirements are reflected in your controls before the next assessment, not after                      |

## Service Governance Cadence

Cyber Essentials is lighter-weight than ISO 27001 or SOC 2, but it still benefits from a regular rhythm. The cadence below is typical for a small business; the smallest organisations often combine the sessions into a single short call.

| Activity                             | Purpose                                                                                                 | Frequency                          |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------- | ---------------------------------- |
| **Patching and MFA spot check**      | Confirm 14-day patching is being met and MFA remains enforced across in-scope services                  | Monthly                            |
| **Scope and asset review**           | Refresh the asset list and cloud services inventory; capture any new tools or shadow IT                 | Quarterly                          |
| **Policy and evidence refresh**      | Light-touch review of supporting policies and evidence ready for renewal                                | Quarterly                          |
| **Vulnerability scan review (Plus)** | Review external and internal scan results; track remediation against the 14-day window                  | Monthly (Plus only)                |
| **Pre-renewal readiness**            | Full walkthrough of the latest question set against the current environment ahead of the renewal window | Annually, 6–8 weeks before renewal |
| **Recertification**                  | Submit Cyber Essentials, complete Cyber Essentials Plus audit, and update the certificate               | Annually                           |

## What's Not Included

This service is focused on Cyber Essentials and Cyber Essentials Plus. Where relevant, we indicate what to do instead.

| Out of scope                            | Why / Who does this                                                                                                                                          |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Other certifications**                | ISO 27001, SOC 2, ISO 42001, PCI DSS, etc. See our separate service descriptions; many controls overlap, so adding Cyber Essentials later is straightforward |
| **Major technical remediation**         | Network redesigns, application security fixes, or building new infrastructure are separate engagements. We'll flag what's needed and prioritise it           |
| **Procurement of tooling and licences** | MDM, endpoint protection, vulnerability scanners, password managers, and similar tools are licensed by you. We help you choose and configure them            |
| **Certification body fees**             | IASME assessment and Cyber Essentials Plus audit fees are payable to the licensed Certification Body. We help select one if you don't have a relationship    |
| **Penetration testing**                 | Cyber Essentials Plus includes vulnerability scanning, not penetration testing. Formal pen testing is a separate, specialist engagement                      |
| **Incident response retainer**          | We provide best-endeavours guidance during incidents. Round-the-clock incident response is a separate service                                                |
| **Legal and contract drafting**         | Drafting or red-lining BYOD, acceptable use, or supplier security clauses sits with your own counsel                                                         |
| **HR process execution**                | Background checks, disciplinary action, and similar HR activities sit with you                                                                               |
| **Travel and on-site expenses**         | The service is delivered remotely. Any on-site work is agreed in advance and billed separately                                                               |
| **Managed IT services**                 | We don't provide ongoing managed IT or help-desk services. We work alongside your existing IT provider or in-house team                                      |

## Assumptions

| Assumption                                                         | What this means for you                                                                                                                        |
| ------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| **You have a senior sponsor for the assessment**                   | Someone authorised to approve the scope, sign off the questionnaire, and unblock decisions during remediation                                  |
| **You provide timely access to systems and people**                | We need to see cloud admin consoles, device management, and a representative sample of devices, and to talk to the people who run them         |
| **Whole-organisation scope is the default**                        | Sub-set scopes are agreed only where genuinely justified and clearly demarcated, in line with IASME guidance                                   |
| **Cloud services storing or processing company data are in scope** | They cannot be excluded under v3.3; any new cloud service adopted during the term needs to be brought into scope and configured accordingly    |
| **MFA is technically possible across in-scope cloud services**     | Where it isn't, we'll need to plan a path to a service that supports it; otherwise the assessment will fail under the 2026 rules               |
| **You implement remediation actions you own by agreed dates**      | We guide and validate; hands-on changes (turning on MFA, enrolling devices, applying patches) are carried out by your team or your IT provider |
| **The certification body relationship is yours**                   | Oxford Infosec is not a Certification Body. We help you choose and liaise with one, but assessment fees and contracts sit between you and them |
| **Engagement is delivered remotely**                               | On-site days are scheduled in advance and billed separately if required                                                                        |
| **Communications are in English and in UK working hours**          | Aligns with the scheme, the assessor relationship, and our delivery team                                                                       |
| **Security incidents and major changes are disclosed promptly**    | Both can affect the certificate; we need timely awareness to advise on impact and any required notifications                                   |

## Who Delivers the Service

You'll work with a named Lead Consultant experienced in delivering Cyber Essentials and Cyber Essentials Plus to small businesses, supported by hands-on technical specialists for the Plus audit preparation. Where appropriate, the same consultant who delivers your wider security or ISO 27001 programme will lead the Cyber Essentials work, so you don't have to explain your environment twice.

## Term and Pricing

| Phase                           | Term             | Pricing                                                            |
| ------------------------------- | ---------------- | ------------------------------------------------------------------ |
| **Phase 1: Certification (CE)** | 4–8 weeks        | Fixed fee, scoped after a short discovery call                     |
| **Phase 1: Plus Audit Prep**    | +2–4 weeks       | Fixed fee, additional to the CE fee                                |
| **Phase 2: Maintenance**        | 12-month minimum | Monthly retainer, calibrated to scope and whether Plus is in place |

Certification body fees (IASME assessment and, where applicable, Cyber Essentials Plus audit) are paid directly by you to the Certification Body and are not included in our fees.

## Combining with Other Services

Cyber Essentials sits naturally alongside our other services:

* **Security Foundations**: if the underlying controls aren't in place yet, Security Foundations gets them right first. Cyber Essentials then becomes a documentation and evidence exercise rather than a remediation project.
* **ISO 27001**: Cyber Essentials is a useful early step on the road to ISO 27001. Most of the technical controls overlap, and a Cyber Essentials Plus certificate is welcome evidence during an ISO audit.
* **SOC 2**: for companies selling into both UK and US markets, Cyber Essentials covers UK procurement requirements while SOC 2 addresses US buyer expectations. The control overlap is significant.
* **vCISO**: a vCISO provides ongoing strategic oversight, while this service handles the certification mechanics. Together, they make sure the certificate is backed by a real security programme.
* **DPO as a Service**: many Cyber Essentials controls touch personal data. A DPO ensures the privacy obligations sit alongside the technical controls properly.

For many small businesses chasing UK public sector or supply-chain work, Cyber Essentials is the most cost-effective certificate to get in place first. It opens doors quickly and gives you a credible baseline you can build on.

