Cyber Essentials Is No Longer Optional: What UK SMEs Need to Know Before April 27

Mar 25, 2026

Reading Time: 4 minutes

Something is about to change in the UK cybersecurity landscape. On April 27 2026, the Cyber Essentials scheme (the UK government-backed certification for businesses serious about their baseline security) gets significantly stricter. If your business operates in the UK, serves UK clients, or supplies UK public sector organisations, this matters more than most people currently realise.

We’ve started the process of pursuing Cyber Essentials certification ourselves. Not because a client demanded it, but because we could see what was coming. This is what we know.

What Cyber Essentials actually is

Cyber Essentials is a UK government-backed cybersecurity certification owned by the National Cyber Security Centre. It assesses a business against five core control areas: firewalls, secure configuration, user access control (including multi-factor authentication), security update management (patching), and malware protection. Getting certified means you’ve assessed your environment against those controls and had that position independently verified.

There are two levels. Cyber Essentials is a verified self-assessment: you complete the questions and a qualified assessor at a licensed certification body reviews your submission. Cyber Essentials Plus starts with that and adds independent technical testing: vulnerability scanning, device checks, and a proper audit of whether the controls you’ve described are actually in place.

For most UK SMEs, Cyber Essentials is the right starting point. Cyber Essentials Plus becomes more relevant where clients, regulators, or government contracts require a stronger level of assurance.

The scheme is operated by IASME — the Information Assurance for Small and Medium Enterprises — as the official delivery partner for the NCSC. Around 400 licensed certification bodies across the UK carry out the actual assessments. That structure matters, because it means businesses get a nationally recognised standard with an operational certification network behind it, not just a self-administered checklist.

What’s changing on April 27

The five core control areas stay the same, but the rules around them get considerably stricter. The April 27 update tightens requirements specifically around multi-factor authentication, patching timelines, secure configuration, and the scope of the assessment. Cloud services, including Microsoft 365 and cloud-hosted applications, are squarely in scope and cannot be treated as optional.

This isn’t a new law that affects everyone immediately. It’s a scheme and procurement standard that becomes tougher for anyone certifying or renewing under the new version. If your business has existing certification, your next renewal will fall under the stricter regime.

The businesses that will feel this most quickly are those supplying government, operating in regulated sectors, handling personal or sensitive data, or serving larger organisations with supply chain security requirements. But any SME relying heavily on cloud applications, remote working, or shared client data will need to take notice. The updated scope makes the requirements clearer and broader than before.

Cyber Essentials five control areas and April 2026 scope changes for UK SMEs

What happens if you don’t pursue it

Not being certified may not be illegal, but the commercial consequences are increasingly real. Businesses without certification can find themselves excluded from public sector opportunities before a commercial conversation even starts. Supplier due diligence pressure is growing, and procurement processes are asking the question more frequently.

There’s also a practical benefit that many UK business owners don’t know about. Businesses with UK headquarters that are Cyber Essentials or Cyber Essentials Plus certified and have a turnover below £20 million can access up to £25,000 of cyber liability insurance as part of the certification. That’s a meaningful benefit sitting unclaimed by businesses that simply haven’t pursued the process.

And beyond the commercial picture, there’s the straightforward operational reality: the gaps that certification uncovers don’t disappear because you haven’t looked for them. An unexamined gap is still an exploitable one.

What getting certified actually involves

The process itself is more straightforward than most businesses expect. You define the scope — which means genuinely including all your devices, users, and cloud services — then work through the self-assessment questions, fixing any gaps before you submit. A qualified assessor reviews your submission and issues certification.

The real effort isn’t in filling in the form. It’s in making sure that your MFA, patching, access controls, firewall settings, and malware protection are genuinely in place and consistently applied. Most of the work happens in the preparation.

The gaps that most commonly catch SMEs off guard are:

  • Incomplete multi-factor authentication across all accounts and services
  • Software running beyond its supported lifecycle
  • Poor scoping that misses parts of the environment
  • Default passwords still present on network equipment
  • Administrator accounts used for daily work rather than dedicated admin access
  • Backups that exist on paper but have never actually been tested

These often look like small issues until the assessment requires a business to confront them formally.
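Most of these gaps can be spotted before an assessor ever sees the submission, provided the inventory is honest. The script below is an added illustration (not code from the original post, and not tooling from Si Futures or from IASME) of the kind of pre-assessment triage an IT partner runs over an asset and user export. The device and user records are constructed sample data; the field names are assumptions about what an export tool might produce. The one hard number it relies on is the scheme’s 14-day window for applying high and critical security updates.

```python
from datetime import date

# Cyber Essentials requires high/critical security updates to be applied
# within 14 days of release.
PATCH_WINDOW_DAYS = 14

# Constructed sample inventory, not real data. Field names are assumed, not
# taken from any particular export tool.
DEVICES = [
    {"name": "LAPTOP-01", "os": "Windows 11 23H2", "os_end_of_support": "2026-11-10",
     "oldest_pending_security_update": None, "accesses_org_data": True, "declared_in_scope": True},
    {"name": "LAPTOP-02", "os": "Windows 10 22H2", "os_end_of_support": "2025-10-14",
     "oldest_pending_security_update": "2026-02-10", "accesses_org_data": True, "declared_in_scope": True},
    {"name": "FW-EDGE", "os": "vendor firmware 7.14", "os_end_of_support": "2027-01-01",
     "oldest_pending_security_update": None, "accesses_org_data": True, "declared_in_scope": True,
     "admin_password_is_vendor_default": True},
    # A personal phone that reads company mail but was left out of the declared scope.
    {"name": "BYOD-PHONE-03", "os": "iOS 17", "os_end_of_support": "2026-09-01",
     "oldest_pending_security_update": None, "accesses_org_data": True, "declared_in_scope": False},
]

USERS = [
    {"upn": "alice@example.com", "mfa_enrolled": True, "privileged": False, "used_for_daily_work": True},
    {"upn": "bob@example.com", "mfa_enrolled": False, "privileged": False, "used_for_daily_work": True},
    # Carol does her everyday work from a privileged account...
    {"upn": "carol@example.com", "mfa_enrolled": True, "privileged": True, "used_for_daily_work": True},
    # ...even though a dedicated admin account already exists.
    {"upn": "adm-carol@example.com", "mfa_enrolled": True, "privileged": True, "used_for_daily_work": False},
]


def device_findings(device, today):
    """Return (asset, control, detail) tuples for one device as of `today`."""
    findings = []
    name = device["name"]
    # Scoping: anything touching organisational data belongs in the assessment.
    if device["accesses_org_data"] and not device["declared_in_scope"]:
        findings.append((name, "scope", "accesses organisational data but is excluded from scope"))
    # Supported software: an OS past vendor support cannot receive security updates.
    eos = date.fromisoformat(device["os_end_of_support"])
    if eos < today:
        findings.append((name, "security update management",
                         f"{device['os']} left vendor support on {eos.isoformat()}"))
    # Patching window: the oldest outstanding security update must be inside 14 days.
    pending = device["oldest_pending_security_update"]
    if pending:
        age_days = (today - date.fromisoformat(pending)).days
        if age_days > PATCH_WINDOW_DAYS:
            findings.append((name, "security update management",
                             f"security update outstanding for {age_days} days (limit {PATCH_WINDOW_DAYS})"))
    # Secure configuration: vendor defaults must be changed before go-live.
    if device.get("admin_password_is_vendor_default"):
        findings.append((name, "secure configuration", "vendor default admin password still set"))
    return findings


def user_findings(user):
    """Return (account, control, detail) tuples for one user account."""
    findings = []
    upn = user["upn"]
    if not user["mfa_enrolled"]:
        findings.append((upn, "user access control", "no MFA enrolled"))
    if user["privileged"] and user["used_for_daily_work"]:
        findings.append((upn, "user access control",
                         "privileged account used for everyday work; use a separate admin account"))
    return findings


def assess(devices, users, today):
    """Run every check over the inventory and return all findings."""
    findings = []
    for device in devices:
        findings.extend(device_findings(device, today))
    for user in users:
        findings.extend(user_findings(user))
    return findings


def assess_sample(today_iso):
    """Assess the constructed sample inventory as of an ISO date string."""
    return assess(DEVICES, USERS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for asset, control, detail in assess_sample("2026-04-27"):
        print(f"[{control}] {asset}: {detail}")
```

Run against the sample data on the changeover date it reports six findings: the out-of-support and unpatched laptop, the firewall still on its vendor password, the phone missing from scope, one user without MFA, and one privileged account doing daily work. Run it a few weeks earlier and the patching finding disappears, which is exactly the point of the 14-day window: the same device can be compliant or not depending on when you look. Backup restore testing, the last item on the list above, is deliberately absent; no inventory export can tell you whether a restore works, only a restore can.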

With reasonable existing IT hygiene, basic Cyber Essentials certification can be achieved in a few weeks. If there’s remediation to carry out first, it takes longer. An experienced IT partner makes the preparation phase considerably faster and more focused, because the real challenge is knowing exactly what to fix, not navigating the submission itself.

Where SiFutures stands

We’re pursuing joint Cyber Essentials certification for both Si Futures UK and Si Futures South Africa. The rationale is straightforward: both entities operate under aligned IT governance, shared controls, and the same management framework. Certifying only the UK entity would give an incomplete picture of how our services are actually delivered, and scope integrity is one of the areas where certification bodies focus most closely.

Once we’re certified, it gives our clients independent assurance that our baseline controls are in place and regularly reviewed. It also means we can help clients pursue their own certification with genuine first-hand experience of what the process requires — not just an advisory understanding of it.

Cyber Essentials is increasingly part of the price of entry in the UK market. It’s a trust signal as much as a compliance requirement — and without it, you risk being excluded from opportunities before the real conversation has a chance to happen.

If you’re a UK-based business that hasn’t yet looked at Cyber Essentials, the time to start is now — before the April 27 changes make the process harder and the commercial consequences of not having it more visible. A threat readiness assessment is a good place to start.

Sean Rogers