Cyber Essentials & Cyber Essentials Plus for UK SMEs
10 policies aligned to the 5 NCSC/IASME technical controls. Ready for self-assessment and CE Plus audit in days — not weeks.
InfoSec 38 Enterprise Pack
38 policies · £900 one-off
Covers CE, CE Plus and ISO 27001 in one pack · lifetime access
What is Cyber Essentials?
Quick answer. Cyber Essentials is a UK government-backed certification scheme delivered by the National Cyber Security Centre (NCSC) through accredited bodies (IASME being the principal partner). It tests five technical-control families — firewalls, secure configuration, user access control, malware protection and security update management. Cyber Essentials Plus adds an external technical audit; both require an underlying set of documented policies.
Cyber Essentials is the UK government-backed certification scheme, owned by the National Cyber Security Centre (NCSC) and delivered by the IASME Consortium. It verifies that your organisation has implemented five fundamental technical controls: boundary firewalls, secure configuration, user access control, malware protection, and security update management.
It comes in two tiers. Cyber Essentials (CE) is a self-assessment certification — you answer the IASME Question Set and an assessor marks it, typically £300–£500 depending on company size. Cyber Essentials Plus (CE+) adds an independent technical audit with vulnerability scanning and device sampling, typically £1,500–£3,000 for a UK SME.
Who needs Cyber Essentials?
Quick answer. UK SMEs bidding for central-government contracts above £5,000 (mandatory under PPN 09/14), defence-supply firms (DEFCON 658), NHS suppliers handling patient data, and a growing list of councils and housing associations that ask for it in tenders. Cyber-insurance underwriters increasingly prompt for it too. Cyber Essentials Plus is expected for higher-sensitivity engagements; the basic certificate is enough for most SME tenders.
- UK government suppliers — CE is mandatory for central government contracts handling personal data; CE+ is often required for MoD and sensitive contracts.
- NHS framework suppliers — DSPT and many NHS procurements specifically reference CE or CE+.
- Public sector suppliers — councils, universities, and housing associations increasingly require it in tenders.
- UK SMEs answering vendor risk questionnaires — it's the cheapest quick-win security credential enterprise buyers recognise.
- Cyber insurance applicants — many UK insurers now require CE as a baseline or offer premium discounts for it.
Policies you need for Cyber Essentials
Quick answer. NCSC and IASME do not prescribe a fixed list, but the audit tests the policies behind the five technical-control families. Most UK SMEs maintain 8 documented policies for Cyber Essentials Plus: information security, access control, acceptable use, malware protection, patch management, secure configuration / hardening, mobile device / BYOD and incident response. All eight are included in our cyber-essentials-aligned packs.
The IASME Question Set doesn't list policies by name, but assessors expect documentation behind every "yes" answer. These 10 policies cover every one of the five technical controls — all included in our Startup Essentials and ISO 27001 packs:
Password Policy
Length, complexity, MFA, password manager, breached-password checks.
Access Control Policy
Joiner/mover/leaver, least privilege, admin account separation.
Patch Management Policy
14-day patching SLA for critical/high vulnerabilities, inventory.
Malware Protection Policy
Endpoint protection, allowlisting, device-control standards.
Firewall / Boundary Firewalls
Default-deny, admin password change, documented rulesets.
Secure Configuration
Hardened builds, removal of default accounts and unused services.
BYOD Policy
Personal device rules, MDM, segregation of corporate data.
Incident Response Policy
Detection, triage, reporting, lessons-learned — CE annex expectation.
Acceptable Use Policy
What staff can and can't do with company devices and networks.
Remote Working Policy
Home/hybrid controls, public Wi-Fi, VPN and device standards.
Realistic timeline to certification
Quick answer. 4–8 weeks from day zero to a Cyber Essentials certificate. Week 1–2: gap-check against the NCSC question set, fix obvious technical issues (MFA on admin accounts, auto-updates, firewall rules). Week 3: PolicySuite generates the 8 supporting policies in 48 hours. Week 4–5: distribute, collect acknowledgements. Week 6–8: submit IASME assessment + remediation. Cyber Essentials Plus adds 2–4 weeks of external technical testing.
A prepared UK SME can achieve CE in 2–4 weeks and CE Plus in 4–8 weeks total. Policies are rarely the bottleneck — technical fixes are.
- Week 1: Buy a PolicySuite pack, get 10 bespoke policies in 48 hours, complete initial IASME Question Set to find gaps.
- Week 2: Fix common gaps — enforce MFA, enable auto-patching, remove local admin, harden firewalls.
- Week 3: Submit CE self-assessment (£300–£500), receive result within days.
- Week 4–6: If pursuing CE+, certification body runs external + internal scan and device sampling.
- Week 6–8: Remediate any CE+ findings (typically outdated browsers, missing patches, weak AV configs) and retest.
Policy packs for Cyber Essentials
PolicySuite vs GRC platforms vs consultant vs DIY
Quick answer. Cyber Essentials consultancies typically charge £1,500–£5,000 plus the IASME assessment fee for an end-to-end engagement with policies. GRC platforms (Vanta, Drata) are over-spec for Cyber Essentials and assume bring-your-own policies. DIY templates rarely match the NCSC question wording. PolicySuite generates the 8 audit-aligned policies in 48 hours from £250–£400, leaving the IASME assessment fee as the only external cost.
UK SMEs typically compare four routes when sourcing compliance policies. Here's how they stack up on the decisions that matter.
| | PolicySuite | GRC platforms (Vanta, Drata, SecureFrame) | Compliance consultant | DIY templates |
|---|---|---|---|---|
| Typical cost | £250–£1,500 one-off | £10k–£40k per year | £5k–£30k one-off | £0 + your time |
| Pricing model | Lifetime purchase | Annual seat-based | Project fee | Free (indefinite effort) |
| Time to policies ready | 48 hours | 4–8 weeks setup | 8–16 weeks | Months — rarely finished |
| UK-specific content | ✓ Built for UK SMEs | Partial — US-originated | ✓ If UK consultant | Partial — ICO templates only |
| Bespoke to your business | ✓ LLM-tailored from your answers | Partial — fill-in-the-blank | ✓ Yes — manual | ✗ Generic template |
| Framework coverage | 197 frameworks · 8 jurisdictions | 20–50 frameworks | Whatever the consultant knows | Up to you to find |
| Audit-ready evidence | ✓ Acknowledgements, distributions, version history | ✓ Strong — but seat-priced | ✗ You track it yourself | ✗ You track it yourself |
| Suits <50-person SMEs | ✓ Designed for UK SMEs | ✗ Price-prohibitive at SME scale | Sometimes — depends on scope | ✓ If you have the time |
| Cost to switch away | ✓ You own the docs — export anytime | ✗ Lose access on cancellation | ✓ You own the docs | ✓ You own the docs |
Frequently asked questions
What's the difference between CE and CE Plus?
Cyber Essentials is self-assessment against the IASME Question Set, marked by an assessor — typically £300–£500. CE Plus adds an independent technical audit: external vulnerability scan, internal authenticated scan, and sampled user-device testing, typically £1,500–£3,000 for a small SME. Many UK government contracts and NHS frameworks specifically require CE Plus.
What policies do I need for Cyber Essentials?
CE doesn't mandate a fixed list but assessors expect documented policies for password standards, patching, access control, malware protection, acceptable use, BYOD, incident response and remote working — backing up every "yes" in the Question Set. Our Startup Essentials pack covers all ten areas.
How long does Cyber Essentials take?
CE self-assessment typically takes 2–4 weeks for a prepared 10–50 person SME — most of that is fixing technical gaps. CE Plus adds another 2–4 weeks for the independent audit. PolicySuite cuts policy drafting to 48 hours so your effort goes into actual controls.
Is Cyber Essentials mandatory in the UK?
CE is mandatory for UK central government contracts handling personal or sensitive data, for MoD suppliers, and for most NHS supplier frameworks. Many UK enterprise buyers and councils also require it in RFPs. It is not legally mandatory for private-sector trading but is the de facto UK security baseline.
Who runs Cyber Essentials?
CE is owned by the NCSC and delivered by the IASME Consortium as sole Cyber Essentials Partner. You apply through an IASME-accredited Certification Body. Certificates are valid for 12 months and must be renewed annually.
Which PolicySuite pack is best for CE?
Startup Essentials (10 policies, £250) covers all five CE control areas. For CE Plus or companies heading towards ISO 27001, ISO 27001 Core Set (16 policies, £400) or InfoSec 38 gives deeper coverage. See live pricing on each product page.
Be CE-ready in days, not weeks
Get 38 bespoke policies covering CE, CE Plus, and ISO 27001 — lifetime access.
References and primary sources
Quick answer. The framework guidance on this page is reviewed against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so an auditor, procurement reviewer or DPO can verify the alignment without taking the page on trust.
- NCSC Cyber Essentials — the UK government scheme owner.
- IASME (delivery partner) — the body that operates the certification scheme.
- PPN 09/14 (gov.uk) — the procurement policy note that mandates Cyber Essentials for many UK public-sector contracts.
- NCSC 10 Steps — the broader baseline guidance Cyber Essentials sits within.
In our experience working with UK SMEs and similar organisations across the EU and US, the framework pages that survive enterprise vendor reviews are the ones that cite primary sources rather than secondary blog posts. Many UK SMEs discover this only after their first failed vendor questionnaire: the reviewer asked for a clause-to-source map and the standard reply pointed at a marketing page rather than the relevant regulator. The references above are the standing set we cite from inside the policies themselves, so the chain stays intact end-to-end.