Simple, cost-effective Cyber Essentials compliance

Flexible packages, plus get all the security tools you need to meet Cyber Essentials certification as part of the package.

Trusted Cyber Essentials Certification

CREST approved
PEN TEST approved
Offensive Security OSCP
ISO 27001 Certified
Cyber Essentials Certification
Cyber Essentials Plus Certification

Why choose Bulletproof as your Cyber Essentials Assessor?

Cost-effective Certification

Great value certification with tailored packages to suit every budget.

Experienced Certified Assessors

Get support from our certified Cyber Essentials assessors.

Security Tools Included

Protect your business with included cyber protection tools.

Helps Grow Your Business

Certification inspires customer trust & helps win new business.

What is Cyber Essentials?

Cyber Essentials is a Government-backed certification scheme, designed to set a strong security baseline and help businesses operate securely online. As a certification standard, Cyber Essentials and Cyber Essentials Plus demonstrate your business’ commitment to cyber security, enhancing your reputation with customers, stakeholders and supply chain partners. Cyber Essentials certification also includes free cyber insurance available to UK companies, if the certification covers the entire organisation (additional conditions apply).

Cyber Essentials is also required for many Government and public-sector contracts, making it a key driver of new sales and business growth. Cyber Essentials Plus is an extended version of Cyber Essentials, with additional security controls, that unlocks more public-sector opportunities.

Get the right Cyber Essentials compliance package

As an official Cyber Essentials Certification Body, we offer the right level of support to simplify your journey to achieving certification.

No hidden costs: Bulletproof always includes the full cost of Cyber Essentials certification in all of our packages. Certificates range from £200-£250 depending on the size of your organisation.

Includes

  • Cyber tools required to pass:
    • Anti-virus protection
    • Training
    • Vulnerability scanning
    • Phishing simulator
    • Threat dashboard
    • Asset tracker
    • + more
  • Cyber Essentials certification
  • Up to 25k FREE cyber insurance
  • Cyber Essentials Plus certification
  • Tailored policy documents
  • Remote support
  • Free retest

Cyber Essentials

£55 / month (ex VAT)
  • Free additional cyber protection tools
  • Cyber Essentials certification
  • Up to 25k FREE cyber insurance¹
  • Cyber Essentials Plus certification
  • Tailored policy documents
  • Remote support³: 2 hrs included
  • Free retest: 1 free retest

Cyber Essentials Plus

£160 / month (ex VAT)
  • Free additional cyber protection tools
  • Cyber Essentials certification
  • Up to 25k FREE cyber insurance¹
  • Cyber Essentials Plus certification
  • Tailored policy documents
  • Remote support³: 4 hrs included
  • Free retest: 1 free retest

Cyber Essentials Plus Premium

£195 / month (ex VAT)
  • Free additional cyber protection tools
  • Cyber Essentials certification
  • Up to 25k FREE cyber insurance¹
  • Cyber Essentials Plus certification
  • Tailored policy documents
  • Remote support³: 6 hrs included
  • Free retest: 2 free retests

Cyber Essentials Plus Upgrade

You must already have Cyber Essentials certification
£160 / month (ex VAT)
  • Free additional cyber protection tools
  • Tailored policy documents
  • Cyber Essentials certification
  • Up to 25k FREE cyber insurance¹
  • Cyber Essentials Plus certification
  • Remote support³: 4 hrs included
  • Free retest: 1 free retest

Tailored Policy Documents Only

£40 / month (ex VAT)
  • Free additional cyber protection tools
  • Cyber Essentials certification: N/A
  • Up to 25k FREE cyber insurance¹: N/A
  • Cyber Essentials Plus certification: N/A
  • Tailored policy documents
  • Remote support³: N/A
  • Free retest: N/A

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Both Cyber Essentials and Cyber Essentials Plus demonstrate that your organisation is taking cyber security seriously and has the five technical controls in place: access controls, firewalls and routers, malware protection, secure configuration, and software updates.

Cyber Essentials is an independently verified self-assessment questionnaire and the goal is to get all questions correct/compliant to obtain a pass.

Cyber Essentials Plus is the next step after Cyber Essentials. It can be thought of as an independent verification of everything that was claimed in Cyber Essentials. This extra level of scrutiny means your Cyber Essentials Plus badge will hold more weight with potential customers.

Whilst Cyber Essentials Plus is the more expensive of the two, it is held in higher regard and much of the work is done by the Certification Body. If you feel a bit overwhelmed and don’t know where to start, don’t worry – we have a range of packages to help you through the process.


What’s involved in Cyber Essentials certification?

With over 80% of UK businesses vulnerable to avoidable security threats, the Cyber Essentials framework has been designed as a strong security baseline for every business in every industry. Mapping against five simple technical controls means it’s easy to achieve Cyber Essentials certification. These include:

  • Access control
  • Firewalls and routers
  • Malware protection
  • Secure configuration
  • Software updates

Issued to Bulletproof by The IASME Consortium Ltd.

Download Cyber Essentials Questions

Download the latest 2023 Cyber Essentials question set, called ‘Montpellier’. In April 2023 it replaced the previous ‘Evendine’ question set.

How to get Cyber Essentials certification

Whether you’re starting from scratch with your business security, or you’re looking to renew your Cyber Essentials certification, Bulletproof has you covered. The easiest route to Cyber Essentials certification is with consultant-led compliance support. With remote or on-site assistance, tailored policy documents and free retests, it’s never been easier to get Cyber Essentials certification.

Frequently asked questions

  • Enhanced security – helps protect your organisation from the most common internet-based cyber attacks such as phishing, malware, ransomware, password guessing and network attacks.
  • Simple and cost effective – a simple process with a Cyber Essentials certification fee starting from £200.
  • Gain and retain business – an increasing number of public, private and third sector contracts are mandating or actively encouraging Cyber Essentials from their suppliers.
  • Aligns with GDPR – recognised by the Information Commissioner’s Office as a scheme that can provide security assurances that help protect personal data.
  • Flexible scheme – regardless of sector or size, the scheme reviews basic, yet effective, technical controls an organisation has in place. The scheme also recognises that not all organisations have a dedicated IT department, or an in-depth knowledge of cyber security.

You can request support by emailing the request to ce@bulletproof.co.uk at any time after you have been set up. An assessor will be assigned and reach out to arrange a Teams meeting to go over the assessment with you. You are also welcome to reach out to your assessor if you have any further questions throughout the process.

Cyber Essentials focuses on fundamental IT controls, whereas ISO 27001 takes a more holistic approach, incorporating policies and procedures. As ISO 27001 is much more involved, you’ll find it easier to obtain Cyber Essentials/Cyber Essentials Plus certification if you’re already ISO 27001 compliant.

We recommend achieving Cyber Essentials certification in addition to ISO 27001, as it demonstrates your commitment to good security practices, and some businesses/customers may only look for your Cyber Essentials certification, or not understand the difference between Cyber Essentials and ISO 27001.

Comparing ISO 27001 and Cyber Essentials Standards

What is it
  • ISO 27001: An international standard that sets out the requirements of an Information Security Management System to manage information security risk in a systematic way. The standard isn’t mandatory; however, many contracts/tenders do stipulate it as a requirement.
  • Cyber Essentials: An NCSC-backed UK assurance scheme addressing five technical security controls to help businesses address the most common cyber security vulnerabilities. Cyber Essentials is mandatory for government contracts.

Risk
  • ISO 27001: ISO 27001 adopts a risk-based approach where organisations set their risk acceptance criteria and risk methodology. This determines how risks are addressed.
  • Cyber Essentials: Cyber Essentials aims to address the most common vulnerabilities found in organisations. It is not a risk-based approach.

Recognition
  • ISO 27001: ISO 27001 is an international standard recognised around the world.
  • Cyber Essentials: Cyber Essentials is a UK-based scheme and is not well known worldwide.

Time to implement
  • ISO 27001: Months
  • Cyber Essentials: Days – weeks

Certification process
  • ISO 27001: Certification is provided by a Certification Body. This involves a Stage 1 and Stage 2 audit, and annual surveillance audits. Certification lasts for 3 years, as long as the organisation passes the audits.
  • Cyber Essentials: Complete a self-assessment questionnaire (or undergo vulnerability scans and a workstation assessment if taking Cyber Essentials Plus) and be assessed by an IASME Cyber Essentials Assessor. Certification must be repeated annually.

Costs
  • ISO 27001: Med/High
  • Cyber Essentials: Low

Scope
  • ISO 27001: Scope is defined by the organisation but the standard encompasses the business and is not just focused on IT.
  • Cyber Essentials: Focuses on 5 key areas (shown below) and is more IT focused.
    • Secure internet connection
    • Secure devices and software
    • Access control
    • Malware protection
    • Security update management

Applicability
  • ISO 27001: Aimed at all businesses.
  • Cyber Essentials: Aimed at all businesses, but particularly targets smaller businesses that may not have previously considered cybersecurity.

No, in the absence of a physical office space you list just one home network, ideally a director’s network, e.g. ‘Director’s network in London’. You will then need to add a small back-up statement such as ‘all staff are currently working from home based in the UK’.

Further questions around networks and managing networks will relate to the main network and all homeworkers.

Yes, all questions presented in Cyber Essentials are applicable whether you are a single person company or a company of 200+ employees. When answering those questions, you should take into consideration the “what if?” scenarios.

Yes, you must ensure that you use administrator accounts that are separate from the standard user account, such as when installing software. Using administrator accounts all day long exposes the device to compromise by malware.

No, all operating systems in scope of your Cyber Essentials must be up to date and in support. If they are not, you will not be compliant.

No, you must still provide processes and descriptions where asked. When a third party manages your IT, you should confirm with them all processes to ensure that they are meeting the standards required for Cyber Essentials.

Yes, all devices that access company data and/or the company network would be considered in scope of Cyber Essentials. This includes mobile devices. You should ensure that contractors meet your security standards, the standards that will allow you to pass your Cyber Essentials assessment.

Yes, we can. You will want to ensure you have remote support so we can discuss this in a call. There is also guidance in the IT infrastructure document. For the avoidance of doubt, the scope should include any internet facing devices, including mobiles and anything considered as part of a BYOD.

Once you have your logins you will be able to access the IASME portal and enter your answers.

Once you have completed your answers, please submit the assessment. We will then assign an assessor and you will be scheduled for marking. Once marked, you will get your results from the IASME portal: you will either pass, fail, or be asked for more information.

If you fail or get asked for more information you will have a chance to review your answers and update them using the guidance notes the assessor leaves for you.

You can then resubmit, and you will once again be scheduled for marking, hopefully with a pass as the result. You may be asked for more information again, which you will need to address. If you fail twice, however, you will have to repurchase Cyber Essentials to be able to retry.

We aim to mark an assessment within 48 hours of it being submitted, not including weekends or bank holidays. This can vary depending on how many assessments we have at one time.

The same guidelines as above still apply. If you require your certification by a specific date, you must take this into consideration. Start your assessment in good time to allow enough time to complete, submit, be marked, remediate, resubmit, and pass!

No, you just need to list the equipment of your provided office network. You must then confirm under network equipment if your home workers connect to the network using a VPN. Any commercial VPN (e.g. NordVPN) is not acceptable. The solution must be an enterprise/corporate product that secures all connections between EUDs and the Internet. If you do not have a VPN, you must confirm that your workers have their software and/or hardware firewalls enabled.

Yes, the standard protection provided by Apple devices does not meet the standards of Cyber Essentials and additional software should be installed to provide adequate protection.

No, to meet compliance you must ensure that all critical updates are applied within 14 days of release. If this is not possible you would not be compliant with Cyber Essentials.

Yes, all devices that access company data and/or the company network would be considered in scope of Cyber Essentials. This includes mobile devices. You should track these devices to ensure your staff are using supported models and that their operating systems are up to date.

The certificate will be part of a public register. You can display the Cyber Essentials and Cyber Essentials Plus badge on your website and/or in your email signatures.

