For a well-prepared organisation of around 50 users, the process typically takes a couple of days of work, excluding any remediation. Larger or more complex environments take longer. A gap assessment at the outset gives a clear picture of the time and effort involved before you commit.

Cyber Essentials is a self-assessment questionnaire verified by an accredited assessor. Cyber Essentials Plus includes an independent technical audit of your systems carried out by an IASME-licensed Certification Body, confirming the controls declared are actually in place. Cyber Essentials Plus must be completed within 90 days of your Cyber Essentials certificate. Under current scheme rules, a second failure at CE Plus assessment results in revocation of the underlying Cyber Essentials certificate — meaning recertification at CE level would be required before attempting CE Plus again. Thorough preparation before CE Plus is therefore essential.

The five Cyber Essentials controls are: firewalls, secure configuration of devices and software, user access control, malware protection, and security update management. User access control now includes mandatory multi-factor authentication for all cloud services where it is available. All five controls must be correctly implemented across your IT environment, including cloud services and remote working devices.

Yes. The current Cyber Essentials scheme covers cloud services including Microsoft 365 and Google Workspace, as well as devices used for remote working. All devices that can access organisational data are in scope. Personal devices used for work are in scope where they access organisational data, unless your organisation enforces a technical policy preventing organisational data from being stored on unmanaged devices.

For most SMEs, standard Cyber Essentials certification is sufficient. Cyber Essentials Plus is typically required when a client or procurement framework specifically requires it, or when handling particularly sensitive data. DMS advises on which level is appropriate during the initial call.

For Cyber Essentials, if your submission is unsuccessful DMS identifies the controls that need attention, supports remediation, and resubmits on your behalf — with no limit on Cyber Essentials resubmissions when certifying through DMS. For Cyber Essentials Plus the position is different: a second assessment failure results in revocation of your Cyber Essentials certificate under current scheme rules, meaning you would need to recertify at CE level before attempting CE Plus again. DMS ensures thorough preparation before any CE Plus assessment to minimise this risk.

The cost of Cyber Essentials certification depends on the size of your organisation and whether any remediation work is required before submission. DMS will confirm pricing once we understand your environment — get in touch and we’ll establish what’s involved before any commitment.

Cyber Essentials certification is increasingly recognised by insurers as evidence of a baseline security posture. Some insurers require it as a condition of cover, while others offer reduced premiums for certified organisations. Additionally, UK organisations with a turnover under £20m that certify their whole organisation can opt in to receive 12 months of free cyber liability insurance arranged by IASME, underwritten by AIG, with a £25,000 limit of indemnity.

Cyber Essentials certification is most commonly required in construction, education, financial services, healthcare, legal and professional services, and any organisation supplying into government or enterprise supply chains. This includes construction companies and civil engineering firms, schools and education providers, financial services organisations, legal firms and solicitors, healthcare and social care organisations, charities handling personal data, and professional services firms. It is also increasingly required by cyber insurers as a condition of cover.