How do I achieve Cyber Essentials in 2025?

A few people have come to us to ask what the process is to achieve Cyber Essentials in 2025. The process is slightly different depending on whether you are looking to achieve Cyber Essentials Basic and/or Cyber Essentials Plus.

Before we get into the process and how you can achieve this UK-based certification, it helps to understand a few points about it.

The Cyber Essentials Certification is a point-in-time assessment, which means you are marked and audited against what is in place in your business at the time of assessment, not yesterday, not tomorrow or next month.

You must renew your certification every 12 months to remain current. If you are achieving Cyber Essentials Plus, you must have a valid Cyber Essentials Basic certification that is no more than 90 days old.

The Cyber Essentials Certification is based upon employee size, with pricing set in tiers issued by IASME.

The National Cyber Security Centre (NCSC) has released a requirements guide that tells you what you need to do to comply with Cyber Essentials. It is recommended that you review this before you go for certification.

Cyber Essentials Basic

If you are looking to achieve Cyber Essentials Basic, get in touch with InfoSec Governance and mention that you are looking to achieve the certification. If you can, provide the following information at that time, as it will make the quoting process even easier. Otherwise we will reply and ask for it.

  • Name of your company
  • The company address
  • Size of the business (number of employees)
  • Are you looking to achieve just Cyber Essentials Basic or Plus as well?
  • When are you looking to achieve the certification?

Once we have the above information, we will provide a quotation for providing an initial pre-submission review (to check your answers) and certification, if you have met the pass criteria.

Next, once you agree to the quotation, we will confirm this and ask for a Purchase Order number (if one is required) and the name and email address of a point of contact, the person who will be completing the self-assessment.

Upon receipt of this information, we will set up your company on the portal and a registration email will be sent to the point of contact, allowing them to log into the portal.

You will complete the questions. If you contact InfoSec Governance before you click on the ‘Submit Answers’ button, we will perform a pre-submission review and confirm your answers. Any issues will be highlighted for you to remediate before the official submission.

You will then submit your answers. The form will be signed by a main signee of your business as a declaration that the answers are correct, and InfoSec Governance will be notified of the submission straight after.

Our auditors aim to mark the submission and, if it has passed, issue certification within a few hours of receipt.

Once the submission has been marked and the certificate issued, you will receive a separate email with your certificate and digital logos.

InfoSec Governance will then contact you in around 11 months’ time about your renewal process.

Cyber Essentials Plus

To achieve Cyber Essentials Plus you must already have a Basic certification in place which is valid and no more than 90 days old. There is a 90-day deadline to achieve Cyber Essentials Plus after achieving your Basic certification, so starting the process straight after your Basic certification is recommended.

If you had already stated that you wanted to achieve Cyber Essentials Plus as part of your Basic certification, we will continue your certification process as defined below as soon as you achieve your Basic certification.

If you want to achieve Cyber Essentials Plus and have not been quoted, we will ask for the same information as mentioned above in the Cyber Essentials Basic quotation process, this being:

  • Name of your company
  • The company address
  • Size of the business (number of employees)
  • When are you looking to achieve the certification?
  • When did you achieve Cyber Essentials Basic?

Once we have the above information, we will provide a quotation for the provision of the audit and, upon successful auditing, certification. As part of the service, we will provide 3 vulnerability scans as well as a remote audit using Microsoft Teams.

Once the quotation has been accepted, we will arrange a date for your audit which will be via Microsoft Teams. We will also send an onboarding email which will explain what the process will be.

When we are around a week from the audit, we will ask for an asset sheet to be populated with all the assets that are in scope, including desktops, laptops, servers and mobile devices. This asset list will help determine what the sample set of devices will be.

Three working days before the audit, we will provide you with a sample set of devices which will need to be audited. Along with this, you will also have to install our vulnerability scanning software for the internal vulnerability scanning.

On the day of the audit, we will perform the audit against each sample device. This takes around 10 minutes per device on average.

Our audits will be looking for at least the following:

  • All applications and Operating Systems are patched and up to date within 14 days
  • No one is running as a local administrator for day-to-day tasks
  • Firewalls are enabled and in use on all devices
  • Antivirus is enabled and in use on all devices
  • Everyone has multi-factor authentication for cloud services
  • Web browsers and mobile devices are unable to execute applications from a download site

Once the audit has been completed, we will inform you of any non-compliances or failures of the audit and give you up to 30 days (or 90 days from your Basic certification date, whichever is first) to remediate any issues before we can provide a certification.

Once all remediations have been completed, our auditor will write and provide a findings report and issue your certification.

Please note, however, that if you pass the 90 days from the date of your Basic certification, you will need to re-certify to Cyber Essentials Basic, at additional cost.

Like the Cyber Essentials Basic certification, we will get in touch around 11 months later to advise of renewal.

For more information on Cyber Essentials and our costs you can visit our website at https://isgovern.com

For more information on the question set, you can visit the IASME website at: https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/