Understanding Cyber Essentials
Government Contracts
What is Cyber Essentials?
Cyber Essentials is a foundational cybersecurity certification that demonstrates an organisation’s commitment to protecting itself against common online threats. For any company—regardless of size or sector—it signals to clients, partners, and regulators that basic security controls are in place, such as firewalls, secure configurations, access management, malware protection, and patching. In today’s threat landscape, where reputational damage and data breaches can cripple operations, Cyber Essentials isn’t just a badge—it’s a business imperative. It builds trust, supports compliance, and is often a prerequisite for bidding on government contracts, making it a strategic asset for growth and resilience.
Is Cyber Essentials a mandatory?
In the UK, Cyber Essentials certification is mandatory for organisations that:
- Bid for certain government contracts, especially those involving the handling of sensitive or personal information. This includes contracts with departments such as the Ministry of Defence (MoD), NHS, and other public sector bodies under the Public Procurement Notice (PPN) 01/14.
- All UK law firms that hold a Criminal Legal Aid contract will be required to have Cyber Essentials certification in order to continue delivering services under the Legal Aid Agency (LAA).
- Operate within the government supply chain, where Cyber Essentials is often a prerequisite to demonstrate baseline cyber hygiene and protect against common threats.
- Provide services involving IT infrastructure, cloud platforms, or data processing for public sector clients. These organisations must show they meet minimum security standards to be considered for procurement.
While not legally required for all businesses, many private sector organisations now request Cyber Essentials certification from their suppliers to ensure robust cybersecurity practices across their supply chain. It's increasingly seen as a mark of trust and professionalism, especially for SMEs looking to win contracts or build credibility.
What certification is available
There are two tiers:
- Cyber Essentials (Basic): Self-assessment questionnaire reviewed by a certification body.
- Cyber Essentials Plus: Includes the same questionnaire but adds a technical audit of your systems by an external assessor.