Cyber Essentials certification — done properly.
Most businesses treat it as a form-filling exercise. We treat it as a genuine security improvement — and fix every gap before your assessor ever sees it.
Why Cyber Essentials matters
It's not just a certificate. It's becoming a requirement.
Cyber Essentials is the UK government's baseline cybersecurity certification — backed by the NCSC and covering five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. These aren't arbitrary checkboxes. Most cyberattacks don't rely on sophisticated techniques — they exploit outdated software, weak credentials, unmanaged devices, and misconfigured firewalls. Cyber Essentials forces businesses to close those gaps and independently verify that they have.
For many businesses it starts as something they're asked for — by a client, a procurement team, or an insurer. That's a legitimate reason to pursue it. But done properly rather than as a tick-box exercise, certification also delivers a meaningful improvement in actual security posture. WikiTech handle the full process: audit, remediation, submission, and assessor liaison — so you arrive certified having genuinely improved your security, not just answered a questionnaire.
Required for UK government contracts
Any business tendering for UK government contracts that involve handling personal data or providing certain technical services must hold Cyber Essentials certification. Without it, you can't bid.
Cyber insurance premium reductions
Many insurers now require Cyber Essentials as a baseline before offering cyber insurance at all — and certified businesses typically receive lower premiums than uncertified equivalents.
Increasingly required by larger clients
Enterprise procurement teams and supply chain compliance programmes are increasingly asking suppliers to evidence Cyber Essentials certification before onboarding. It's becoming a commercial requirement, not just a technical one.
Protection against the most common attacks
The NCSC estimates that Cyber Essentials protects against up to 80% of the most common cyberattacks. The five controls it requires are the basics — but most breaches exploit exactly these gaps.
Choosing the right level
Cyber Essentials vs Cyber Essentials Plus.
Both certifications are built on the same five controls. The difference is in how compliance is verified.
Cyber Essentials
Self-assessed against the five controls, reviewed and verified by an external assessor.
- Questionnaire completed and submitted by WikiTech on your behalf
- External assessor reviews and verifies your answers
- Certificate issued on approval
- Valid for 12 months — annual renewal required
- IASME certification fee based on organisation size
- Listed on the NCSC's public register of certified organisations
Cyber Essentials Plus
Everything in CE, plus independent technical verification by an assessor — hands-on testing of your actual systems.
- Everything included in Cyber Essentials
- Assessor performs independent technical testing of your live environment
- Vulnerability scanning, configuration checks, and penetration testing elements
- Higher level of assurance for clients, insurers, and procurement teams
- Required for some government frameworks and defence supply chain contracts
- WikiTech prepare your environment to pass the technical assessment
Our process
We don't just submit your answers. We make sure you pass.
Four steps from initial audit to certified — with WikiTech managing every part of it.
Pre-submission audit
Before anything is submitted, we review your environment against every Cyber Essentials requirement. We document exactly what you'd fail on — end-of-life hardware, missing MDM, firewall configuration, access controls, patch status — and produce a clear remediation plan with a fixed-price quote to resolve it.
Remediation
We fix the gaps. This might mean replacing an end-of-life firewall or router, implementing Intune for device management, configuring Conditional Access and compliance policies, tightening user account controls, or creating missing policies such as joiners/leavers guides. Nothing is submitted until your environment meets the standard.
Submission
We complete and submit the certification questionnaire on your behalf. We know what assessors look for and how to present your environment accurately and in the best light. We liaise directly with the assessor throughout — you don't have to deal with the process at all.
Certification & ongoing maintenance
Once certified, we manage your annual renewal and keep your environment maintained to the Cyber Essentials standard throughout the year. Renewal is a formality, not a scramble — because we haven't let the controls slip in the twelve months since you last certified.
Why independence matters
WikiTech are not your assessor. That's a good thing.
WikiTech are not an IASME-accredited assessor — and we deliberately keep it that way. Our job is to get your environment compliant. An independent, IASME-accredited assessor then reviews and certifies that you meet the standard. Two separate organisations, two separate sets of eyes.
That separation gives you double assurance: our expertise getting you to the standard, and an independent body confirming you've arrived. Your certificate means something — because it was issued by someone with no stake in whether you passed.
Common failure points
What most businesses get caught out on.
These are the most common reasons businesses fail Cyber Essentials — and exactly what our pre-submission audit is designed to catch and fix before submission.
End-of-life devices or software
Any device running an unsupported operating system — Windows 10 after October 2025, old macOS versions — is an automatic failure. This catches a lot of businesses off guard.
WikiTech fix: Device audit, upgrade or replacement plan
No mobile device management
If staff use mobile phones or tablets to access company email or data, those devices must be managed and compliant. Unmanaged personal devices accessing company systems are a common failure point.
WikiTech fix: Microsoft Intune MDM deployment
Weak or missing MFA
Multi-factor authentication is now required on all internet-facing accounts — including Microsoft 365, email, remote access, and cloud services. Many businesses have MFA partially deployed but not across all accounts.
WikiTech fix: MFA audit and full Conditional Access rollout
Firewall or router configuration
Default firewall configurations, open ports that shouldn't be open, or consumer-grade routers used in a business context often fail the firewall requirements. Home routers in a hybrid-work environment are a common issue.
WikiTech fix: Firewall review, configuration or replacement
Admin account misuse
Staff using administrator accounts for day-to-day work, or accounts holding admin privileges they don't need, fail the user access control requirement. The principle of least privilege must be applied.
WikiTech fix: Account audit and privilege review
Missing policies and procedures
Cyber Essentials requires documented policies — joiners/leavers processes, new user forms, acceptable use policies. Many businesses operate these informally and have nothing written down.
WikiTech fix: Policy documentation as part of remediation
Real example
Certified — but not compliant.
A cautionary story about what happens when the same provider implements and certifies their own work.
Pricing
Transparent pricing — fixed before we start.
IASME certification fees are set by organisation size. Our time for scoping, remediation, and submission depends on the current state of your environment — we'll assess first and give you a fixed-price proposal before any work begins.
Staying certified
Certification is annual. We make sure renewal is effortless.
Cyber Essentials certification lasts 12 months. Many businesses that handle the initial certification themselves find that renewal becomes a problem — because the controls have drifted, devices have gone out of date, or staff changes have introduced gaps that nobody noticed.
For WikiTech clients, renewal is straightforward — because we maintain your environment to the Cyber Essentials standard throughout the year as part of managed IT. Patch management, device compliance, access reviews, firewall configuration — these aren't things we do once for the certification and then forget. They're part of how we run your IT.
When your renewal comes around, we carry out a pre-submission check, confirm everything is still in order, and submit. It's a formality, not a project.
What we maintain year-round for Cyber Essentials compliance
- Patch management — operating systems and software kept up to date across all devices
- Device compliance via Intune — enrolled, managed, and monitored year-round
- MFA and Conditional Access — enforced across all accounts, reviewed when users join or leave
- Firewall and network configuration — maintained, reviewed, and updated as your environment changes
- Joiners and leavers — account provisioning and deprovisioning managed to standard
- Pre-renewal audit — full check before submission so there are no surprises
Common questions
Cyber Essentials — questions we get asked.
How long does certification take?
Typically 4–8 weeks from initial assessment to certification, depending on how much remediation is needed. We complete the pre-audit, fix everything that would cause a failure, then submit. You're not left doing the form-filling yourself — we handle the whole process and liaise with the assessor directly.
Do we need Cyber Essentials or Cyber Essentials Plus?
Cyber Essentials is sufficient for most businesses — government contract eligibility, insurance requirements, and supply chain compliance. CE+ is required by some specific government frameworks and certain defence or regulated sector contracts. If you're unsure, we'll advise based on your situation.
What if we'd currently fail the assessment?
That's exactly what the pre-submission audit is for. We identify everything you'd fail on before anything is submitted, fix it as part of the engagement, and only submit once your environment meets the standard. You won't be failed and left to figure out remediation yourself.
Can you certify us even if you're not our IT provider?
Yes. We work with businesses who want Cyber Essentials certification independently of their managed IT arrangement. We carry out the audit, handle remediation, and manage the submission. If you want to move your IT to WikiTech at the same time, that's straightforward to arrange — but it's not a requirement.
Does Cyber Essentials actually improve our security?
Yes — if it's done properly. The five controls cover the basics that the majority of successful cyberattacks exploit. Businesses that take the requirements seriously rather than treating it as a tick-box exercise end up with meaningfully better security. That's how we approach it.
What about ISO 27001?
Cyber Essentials is a good starting point. ISO 27001 is a far more comprehensive information security management standard — typically required by larger enterprises and certain regulated sectors. WikiTech offer ISO 27001 gap analysis for businesses looking to understand what achieving the standard would involve.
Ready to get certified?
Book a free assessment and we'll tell you exactly where your environment stands against the Cyber Essentials requirements — and what it would take to get certified.