Cyber Essentials

Will we pass first time?

Cyber Essentials comes up the moment you bid for public sector work, fill in a procurement questionnaire, or ask an insurer for cover. It's the UK government-backed scheme that shows you have the basic controls in place to stop the most common attacks, and usually the quickest, cheapest credential to put on the table.

We take small, fast-moving companies through Cyber Essentials self-assessment and the hands-on Cyber Essentials Plus audit, get the controls and evidence in shape, and keep them there so annual recertification never turns into a fire drill. The goal is simple: pass first time, and keep passing.

In short

  • 01. A recognised UK certificate, achieved on the timeline your tender, contract, or insurer needs.
  • 02. A scope drawn around how you actually operate, with the auto-fail risks fixed before you submit.
  • 03. Controls kept in shape year-round, so recertification is a refresh rather than a rebuild.

What problems we solve

Cyber Essentials looks simple on paper. But the scheme has tightened, and the April 2026 update adds auto-fail conditions that catch out companies who think they're already compliant. You're in the right place if any of these sound familiar:

01

MFA isn't on everywhere

Where it's available but not enforced, that's an automatic fail under the 2026 rules.

02

We patch, but not on a clock

Miss the 14-day window for critical and high-risk updates and it's now an automatic fail.

03

We're not sure what's in scope

SaaS tools that store or process your data can't be scoped out. Miss them and the audit fails.

04

Staff use their own devices

Personal and remote devices that touch company data fall in scope and have to be assessed.

05

Nobody owns the assessment

Answers come back inconsistent, evidence is patchy, and the assessor pushes back.

06

We can't see what's deployed

Plus vulnerability scans surface unpatched software nobody knew was running.

How Cyber Essentials certification works

01 Cyber Essentials
4 to 8 weeks

Certification

We agree the scope, inventory your devices and cloud, and walk the Danzell question set to find gaps and auto-fail risks, then close them, prepare the evidence, and liaise with the assessor through to your certificate.

02 If you need Plus
+2 to 4 weeks

Plus audit prep

Where a contract calls for Cyber Essentials Plus, we run an internal dry run of the technical tests, vulnerability scans, device sampling, and MFA checks, and fix anything that would fail before the live audit.

03 Minimum term
12-month minimum

Maintenance and recertification

We keep patching, MFA, and scope in shape year-round, then shepherd each annual renewal so it stays a light touch-up.

Those are the broad strokes. The full service description spells out every activity, assumption, and exclusion.

Read the full service description

Companies we've worked with.

Ampere, Beam, Biographica, Chalfen, General Index, Harbr Data, Judge.me, Lightsonic, Responsible Marketing, Syntasso, The Key Group, Zaptic

What we assess

We check each area against the scheme's requirements and the 2026 auto-fail conditions, so nothing trips you up at submission.

01. Firewalls and network boundaries
02. Secure configuration
03. Security update management
04. User access control
05. Multi-factor authentication
06. Malware protection
07. Device and endpoint hardening
08. Cloud service scope and configuration
09. Backup and recovery
10. Documentation and evidence

Who it's for

5 to 200 employees: from a first tender to businesses needing Plus for higher-assurance contracts

Mostly cloud-based: Microsoft 365 or Google Workspace, SaaS tools, and laptops

Selling to public sector: or into regulated supply chains where the certificate is contractual

Asked for it directly: by a customer or insurer, often with a deadline attached

After proportionate assurance: practical controls that match how you run, not enterprise overlays

What's not included

  • Certification body assessment fees
  • Other certifications (ISO 27001, SOC 2, PCI DSS)
  • Major technical remediation or redesigns
  • Tooling and licence procurement
  • Penetration testing
  • 24/7 incident response

You work with a named lead consultant who delivers Cyber Essentials and Cyber Essentials Plus to small businesses day in, day out, supported by hands-on technical specialists for the Plus audit. Where it makes sense, the same consultant who runs your wider security or ISO 27001 work leads the certification too, so there's no bringing a new consultant up to speed each year.

Term and pricing

Phase 1: Certification (CE)

4–8 weeks

Fixed fee

Phase 1: Plus audit prep

+2–4 weeks

Fixed fee (additional)

Phase 2: Maintenance

12-month minimum

Monthly retainer

Certification body fees (IASME assessment and any Plus audit) are paid directly to the certification body and aren't included. Use the calculator for an indicative estimate.

See if you'd pass today.

A short conversation is usually enough to tell whether you're ready for Cyber Essentials, what would need fixing first, and which level fits the work you're chasing. If something else suits you better, we'll say so.