Cyber Essentials & Cyber Essentials Plus for UK SMEs
10 policies aligned to the 5 NCSC/IASME technical controls. Ready for self-assessment and CE Plus audit in days — not weeks.
InfoSec 38 Enterprise Pack
38 policies · £900 one-off
Covers CE, CE Plus and ISO 27001 in one pack · lifetime access
What is Cyber Essentials?
Cyber Essentials is the UK government-backed certification scheme, owned by the National Cyber Security Centre (NCSC) and delivered by the IASME Consortium. It verifies that your organisation has implemented five fundamental technical controls: boundary firewalls, secure configuration, user access control, malware protection, and security update management.
It comes in two tiers. Cyber Essentials (CE) is a self-assessment certification — you answer the IASME Question Set and an assessor marks it, typically £300–£500 depending on company size. Cyber Essentials Plus (CE+) adds an independent technical audit with vulnerability scanning and device sampling, typically £1,500–£3,000 for a UK SME.
Who needs Cyber Essentials?
- UK government suppliers — CE is mandatory for central government contracts handling personal data; CE+ is often required for MoD and sensitive contracts.
- NHS framework suppliers — DSPT and many NHS procurements specifically reference CE or CE+.
- Public sector suppliers — councils, universities, and housing associations increasingly require it in tenders.
- UK SMEs answering vendor risk questionnaires — it's the cheapest quick-win security credential enterprise buyers recognise.
- Cyber insurance applicants — many UK insurers now require CE as a baseline or offer premium discounts for it.
Policies you need for Cyber Essentials
The IASME Question Set doesn't list policies by name but assessors expect documentation behind every "yes" answer. These 10 policies cover every one of the five technical controls — all included in our Startup Essentials and ISO 27001 packs:
Password Policy
Length, complexity, MFA, password manager, breached-password checks.
Access Control Policy
Joiner/mover/leaver, least privilege, admin account separation.
Patch Management Policy
14-day patching SLA for critical/high vulnerabilities, inventory.
Malware Protection Policy
Endpoint protection, allowlisting, device-control standards.
Firewall / Boundary Firewalls
Default-deny, admin password change, documented rulesets.
Secure Configuration
Hardened builds, removal of default accounts and unused services.
BYOD Policy
Personal device rules, MDM, segregation of corporate data.
Incident Response Policy
Detection, triage, reporting, lessons-learned — CE annex expectation.
Acceptable Use Policy
What staff can and can't do with company devices and networks.
Remote Working Policy
Home/hybrid controls, public Wi-Fi, VPN and device standards.
Realistic timeline to certification
A prepared UK SME can achieve CE in 2–4 weeks and CE Plus in 4–8 weeks total. Policies are rarely the bottleneck — technical fixes are.
- Week 1: Buy a PolicySuite pack, get 10 bespoke policies in 48 hours, complete initial IASME Question Set to find gaps.
- Week 2: Fix common gaps — enforce MFA, enable auto-patching, remove local admin, harden firewalls.
- Week 3: Submit CE self-assessment (£300–£500), receive result within days.
- Week 4–6: If pursuing CE+, certification body runs external + internal scan and device sampling.
- Week 6–8: Remediate any CE+ findings (typically outdated browsers, missing patches, weak AV configs) and retest.
Frequently asked questions
What's the difference between CE and CE Plus?
Cyber Essentials is self-assessment against the IASME Question Set, marked by an assessor — typically £300–£500. CE Plus adds an independent technical audit: external vulnerability scan, internal authenticated scan, and sampled user-device testing, typically £1,500–£3,000 for a small SME. Many UK government contracts and NHS frameworks specifically require CE Plus.
What policies do I need for Cyber Essentials?
CE doesn't mandate a fixed list but assessors expect documented policies for password standards, patching, access control, malware protection, acceptable use, BYOD, incident response and remote working — backing up every "yes" in the Question Set. Our Startup Essentials pack covers all ten areas.
How long does Cyber Essentials take?
CE self-assessment typically takes 2–4 weeks for a prepared 10–50 person SME — most of that is fixing technical gaps. CE Plus adds another 2–4 weeks for the independent audit. PolicySuite cuts policy drafting to 48 hours so your effort goes into actual controls.
Is Cyber Essentials mandatory in the UK?
CE is mandatory for UK central government contracts handling personal or sensitive data, for MoD suppliers, and for most NHS supplier frameworks. Many UK enterprise buyers and councils also require it in RFPs. It is not legally mandatory for private-sector trading but is the de facto UK security baseline.
Who runs Cyber Essentials?
CE is owned by the NCSC and delivered by the IASME Consortium as sole Cyber Essentials Partner. You apply through an IASME-accredited Certification Body. Certificates are valid for 12 months and must be renewed annually.
Which PolicySuite pack is best for CE?
Startup Essentials (10 policies, £250) covers all five CE control areas. For CE Plus or companies heading towards ISO 27001, ISO 27001 Core Set (16 policies, £400) or InfoSec 38 gives deeper coverage. See live pricing on each product page.
Be CE-ready in days, not weeks
Get 38 bespoke policies covering CE, CE Plus, and ISO 27001 — lifetime access.
Get Started — £900