Do I actually need Cyber Essentials?
Cyber Essentials gets mentioned a lot, often by people trying to sell it to you. Here’s a straight answer on whether your business actually needs it — and what it does and doesn’t do.
Cyber Essentials comes up in almost every security conversation we have, and it’s surrounded by more sales pressure than clarity. So here’s the honest version.
What Cyber Essentials actually is
Cyber Essentials is a UK government-backed certification scheme. It checks that you have five basic technical controls in place: firewalls, secure configuration, access control, malware protection, and security update management. That’s it. It is deliberately a baseline, not a gold standard — it covers the controls that would have stopped the large majority of common attacks.
There are two levels:
- Cyber Essentials — a self-assessment, verified by a certification body.
- Cyber Essentials Plus — the same controls, but independently tested by an assessor.
When you genuinely need it
You should treat it as effectively required if:
- You want to bid for public-sector contracts. Many UK government contracts mandate it.
- A larger client asks for it. Increasingly, bigger companies require it from their suppliers as a condition of doing business.
- Your insurer wants it. Some cyber insurance policies expect it, or price it in.
When it’s still worth doing anyway
Even with no contractual push, the five controls are exactly the things every business should have. Going through certification forces you to confirm they’re actually in place — which is more than most firms can honestly say. For a small business it’s a low-cost, high-signal exercise.
What it doesn’t do
Cyber Essentials is a floor, not a ceiling. It won’t stop a determined, targeted attacker, it doesn’t cover staff training in any depth, and it says nothing about whether your backups actually restore. Treat it as the first rung, then build from there.
If you’re weighing up whether to certify — or you’ve been asked for it by a client and aren’t sure where to start — get in touch. We’ll tell you honestly whether it’s worth it for your situation.