Cyber Essentials for Bidders

What Cyber Essentials is, when it's mandatory for UK public sector bids, how to get certified, and typical timelines and costs.

Procurement · Beginner · 7 min read · Updated 21 April 2026

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed cybersecurity certification scheme designed to help organisations protect themselves against common cyber attacks. It was developed by the National Cyber Security Centre (NCSC) and is administered through accredited certification bodies.

The scheme has two levels: Cyber Essentials (a self-assessment questionnaire verified by a certification body) and Cyber Essentials Plus (which includes a hands-on technical assessment of your systems by an external assessor).

Certification covers five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. These are foundational measures that protect against the most common cyber threats.

When Is It Mandatory for Bidding?

Cyber Essentials certification is mandatory for certain UK government contracts. Specifically, it's required for contracts that involve handling personal information or providing certain IT products and services. Many contracting authorities also require it for other sensitive contracts at their discretion.

Even where not strictly mandatory, Cyber Essentials is increasingly expected in public sector tenders. Having the certification demonstrates a baseline level of cybersecurity maturity and removes a potential barrier to bidding.

Some higher-value or higher-risk contracts may require Cyber Essentials Plus rather than the basic level. Check the tender documents carefully — the specific requirement will be stated in the selection criteria or conditions of participation.

How to Get Certified

The process for Cyber Essentials (basic) is straightforward:

  1. Choose an accredited certification body — the NCSC website lists approved bodies
  2. Complete the self-assessment questionnaire — this covers your firewalls, software configuration, access controls, malware protection, and patching
  3. Submit for verification — the certification body reviews your answers
  4. Receive your certificate — valid for 12 months

For Cyber Essentials Plus, the process includes an additional on-site or remote technical assessment where the assessor tests your systems directly.

Typical timelines: Cyber Essentials basic can be completed in 1–2 weeks if your IT systems are already reasonably well managed. Cyber Essentials Plus typically takes 2–4 weeks including the technical assessment. Plan ahead — don't wait until a tender deadline is approaching.

Typical costs: Cyber Essentials basic costs between £300 and £600 depending on the certification body and your organisation size. Cyber Essentials Plus costs between £1,500 and £3,000 including the technical assessment.

Practical Tips for Passing

Most organisations that fail Cyber Essentials do so because of preventable issues. Common failure points include:

  • Unpatched software — ensure all operating systems, browsers, and applications are running the latest security updates
  • Weak access controls — use multi-factor authentication where possible, remove unused accounts, and enforce password policies
  • Misconfigured firewalls — ensure default passwords are changed and unnecessary ports are closed
  • No malware protection — all devices must have active, up-to-date anti-malware software
  • BYOD devices — if staff use personal devices for work, those devices must also meet Cyber Essentials requirements

Start your preparation by running through the self-assessment questionnaire before formally submitting. This lets you identify and fix issues in advance.
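A dry run of the questionnaire is easier when the five controls are written down as checks and run over a device inventory. The script below is an added example and is not part of this article, nor NCSC or certification-body tooling: it encodes the five technical controls named earlier (firewalls, secure configuration, user access control, malware protection, security update management) and the common failure points listed above as per-device checks, and applies them to personal (BYOD) devices exactly as to managed ones. The inventory format, the `ALLOWED_INBOUND_PORTS` allowlist and the account-idle and signature-age thresholds are assumptions; the 14-day patch window is the default because that is the update deadline the scheme's requirements set. The two device records are constructed sample data.

```python
"""Pre-assessment self-check against the five Cyber Essentials controls.

Added example, not part of the original article and not NCSC or
certification-body tooling. The inventory format and most thresholds are
assumptions; the device records at the bottom are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date

ASSESSMENT_DATE = date(2026, 4, 21)   # constructed: the day the check is run
MAX_PATCH_AGE_DAYS = 14               # scheme requires critical/high updates within 14 days
MAX_ACCOUNT_IDLE_DAYS = 90            # assumption: accounts idle longer count as unused
MAX_SIGNATURE_AGE_DAYS = 7            # assumption: anti-malware definitions must be this fresh
ALLOWED_INBOUND_PORTS = {443}         # assumption: only HTTPS may be exposed inbound


@dataclass
class Account:
    name: str
    is_admin: bool
    mfa_enabled: bool
    last_login: date


@dataclass
class Device:
    name: str
    byod: bool                        # personal device used for work: still in scope
    last_security_update: date
    firewall_enabled: bool
    firewall_default_password_changed: bool
    open_inbound_ports: set[int]
    antimalware_enabled: bool
    antimalware_signatures_updated: date
    accounts: list[Account] = field(default_factory=list)


def check_device(dev: Device, today: date = ASSESSMENT_DATE) -> list[str]:
    """Return one finding per failed check; an empty list means the device passes."""
    findings: list[str] = []

    # Control: security update management
    patch_age = (today - dev.last_security_update).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patching: last security update {patch_age} days ago (limit {MAX_PATCH_AGE_DAYS})")

    # Control: firewalls (enabled, and only required inbound ports open)
    if not dev.firewall_enabled:
        findings.append("firewall: not enabled")
    else:
        extra = sorted(dev.open_inbound_ports - ALLOWED_INBOUND_PORTS)
        if extra:
            findings.append(f"firewall: unnecessary inbound ports open {extra}")

    # Control: secure configuration (vendor defaults replaced)
    if not dev.firewall_default_password_changed:
        findings.append("secure configuration: firewall still uses its default password")

    # Control: malware protection (active and up to date)
    if not dev.antimalware_enabled:
        findings.append("malware protection: no active anti-malware")
    else:
        sig_age = (today - dev.antimalware_signatures_updated).days
        if sig_age > MAX_SIGNATURE_AGE_DAYS:
            findings.append(f"malware protection: signatures {sig_age} days old")

    # Control: user access control (MFA on admin accounts, no stale accounts)
    for acct in dev.accounts:
        if acct.is_admin and not acct.mfa_enabled:
            findings.append(f"access control: admin account '{acct.name}' has no MFA")
        idle = (today - acct.last_login).days
        if idle > MAX_ACCOUNT_IDLE_DAYS:
            findings.append(f"access control: account '{acct.name}' unused for {idle} days")

    return findings


def run_self_check(devices: list[Device], today: date = ASSESSMENT_DATE) -> dict[str, list[str]]:
    """Map each device name to its findings; BYOD devices get the same checks as managed ones."""
    return {d.name: check_device(d, today) for d in devices}


SAMPLE_INVENTORY = [  # constructed sample data, not from any real estate
    Device("office-laptop-01", False, date(2026, 4, 15), True, True, {443}, True, date(2026, 4, 20),
           [Account("alice", True, True, date(2026, 4, 20)),
            Account("contractor-2024", False, False, date(2024, 11, 3))]),
    Device("byod-phone-bob", True, date(2026, 2, 1), True, False, {443, 3389}, False, date(2026, 1, 1),
           [Account("bob", True, False, date(2026, 4, 19))]),
]

if __name__ == "__main__":
    for name, findings in run_self_check(SAMPLE_INVENTORY).items():
        print(("PASS" if not findings else "FAIL"), name)
        for finding in findings:
            print("  -", finding)
```

Each finding maps back to one of the questionnaire's control areas, so the output doubles as a to-do list to clear before the formal submission; replacing `SAMPLE_INVENTORY` with records exported from your own asset register is the only change needed to run it against a real estate.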

Frequently Asked Questions