Cyber Essentials
Readiness & Certification
Get your business ready for Cyber Essentials certification. I'll prepare you, guide you through it, and keep you compliant afterwards.
What is Cyber Essentials?
The UK government-backed scheme that proves your business takes security seriously
Cyber Essentials is a certification scheme managed by the National Cyber Security Centre (NCSC). It proves your business has the essential security controls in place to protect against the most common cyber threats. The scheme covers five technical areas - and if you get those right, you're certified.
Certification is valid for 12 months and is increasingly expected by clients, insurers, and supply chain partners. Government contracts require it. Larger companies are pushing it down to their suppliers. And cyber insurers are starting to ask about it before underwriting cover.
The April 2026 Danzell (v3.3) update raised the bar significantly - failing to enable MFA everywhere is now an automatic fail, and cloud services can no longer be excluded from scope. If you haven't been assessed under the new rules, your old certificate may not reflect your current risk.
Why It Matters for Your Business
It's no longer just a badge. For a growing number of businesses, it's a requirement.
Win More Contracts
Government contracts require it. Larger companies are pushing it down their supply chains. Without it, you're excluded before you even bid.
Insurance Benefits
Certification includes automatic cyber liability insurance up to £25,000. Many insurers offer reduced premiums for certified businesses.
Prevent Real Attacks
The five controls address the most common attack methods. Properly implemented, they stop the vast majority of commodity cyber threats targeting small businesses.
Prove It to Clients
A government-backed badge on your website and proposals shows you take data protection seriously. Trust you can point to, not just claim.
The Five Controls
Cyber Essentials is built around five technical areas. Get these right and you're certified.
Firewalls
Properly configured boundary firewalls protecting your network from unauthorised access.
Secure Configuration
Devices set up securely with unnecessary services disabled and default passwords changed.
Access Control
User accounts managed properly with MFA, least privilege, and strong authentication.
Patch Management
Critical updates applied within 14 days. Operating systems, apps, and firmware kept current.
Malware Protection
Active antivirus and anti-malware on all devices, properly configured and up to date.
What Changed in April 2026
Cyber Essentials v3.3 (Danzell) is now live. The bar has been raised.
MFA is mandatory everywhere
If a cloud service offers multi-factor authentication and you haven't enabled it for all users, you automatically fail. No exceptions, even if MFA requires a paid upgrade.
14-day patching deadline
High-risk and critical security updates must be applied within 14 days of release. Miss the window on any device in scope and it's an automatic fail.
Cloud services can't be excluded
Any cloud service that stores or processes your business data is in scope. Microsoft 365, Xero, your CRM, even LinkedIn and Facebook if used for business. No loopholes.
Stricter scoping rules
Exclusions must be documented and justified. Your assessment needs to reflect your real working environment, including home workers and personal devices used for work.
How I Get You Certified
A straightforward process, done properly, with no surprises.
Free Readiness Chat
We talk through your current setup: what devices you use, which cloud services, how your network is configured. I'll give you an honest picture of where you stand and what needs fixing before you apply.
Gap Assessment
I run through the full Cyber Essentials question set against your actual environment. Every gap is identified, documented, and prioritised. You'll know exactly what needs doing and in what order.
Remediation
I fix what needs fixing. MFA enabled across all cloud services, patching brought up to date, firewall rules reviewed, user accounts tidied up, scope documented. Hands-on, not just advice.
Certification Support
I help you complete the self-assessment questionnaire accurately and submit it to the certification body. If the assessor has questions, I'm there to help you respond.
Stay Compliant
Certification lasts 12 months. With a GNL Protect plan, your security controls are maintained year-round so renewal is a formality, not a scramble.
What It Costs
Simple, transparent pricing for small businesses.
CE Readiness Package
Everything you need to prepare and pass
- Full gap assessment against the current Danzell (v3.3) question set
- Cloud service and device scope mapping
- MFA audit and deployment across all in-scope services
- Patch compliance review and remediation
- Firewall and access control review
- Guided completion of the self-assessment questionnaire
- Submission support and assessor liaison
- Plain English summary report of everything we did
Pricing depends on the size and complexity of your setup. Most small businesses fall between £400 and £800 +VAT for the full readiness package, plus the IASME certification fee (£320–£600 depending on business size). Call Graham for an honest quote with no obligation.
Already on GNL Protect? You're halfway there.
If you're a GNL Protect client, your devices are already monitored, patched, and running ESET security software. That covers three of the five Cyber Essentials controls out of the box.
Your CE readiness assessment will be faster, cheaper, and simpler because the heavy lifting is already being done. Protect clients receive a discounted readiness package.
Common Questions
Straight answers to what people usually ask first
Is Cyber Essentials a legal requirement?
Not for most businesses, but it's mandatory for government contract suppliers handling personal data. Beyond that, more clients, insurers, and supply chain partners are requiring it as a baseline. If you handle anyone else's data, it's increasingly expected.
How long does certification take?
For a typical small business, the readiness work takes one to two weeks. The actual assessment is reviewed within three working days of submission. If you fail, you get feedback and can resubmit quickly. Most businesses pass first time when properly prepared.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Both cover the same five controls. The basic level is a verified self-assessment - you answer questions about your setup and an assessor reviews your answers. Plus adds a hands-on technical audit where an assessor actually tests your systems. Most small businesses start with basic.
Do I need to do this every year?
Yes. Certificates are valid for 12 months. The good news is that if you're on a GNL Protect plan, your controls are maintained continuously so renewal is a quick review rather than starting from scratch.
I'm a sole trader with one laptop. Do I still need this?
If you handle client data, process payments, or want to work with larger organisations, yes. The certification cost for micro businesses starts at £320 and the process is straightforward. It's also a genuine competitive advantage if your competitors don't have it.
Will you do the assessment itself?
No. The actual certification assessment is carried out by an independent, IASME-licensed certification body. That independence is what gives the certificate its credibility. My role is to prepare you so thoroughly that passing is a formality.
What about the new Cyber Security and Resilience Bill?
The Bill is expected to become law later in 2026 and will bring managed service providers under direct regulatory oversight for the first time. For small businesses, the indirect effects are real - larger clients and supply chain partners will increasingly ask for evidence of baseline security controls. Cyber Essentials is the most straightforward way to demonstrate that.