
If you already know that Cyber Essentials is on your to-do list, the next question is simple: how do you get Cyber Essentials in a way that's realistic for your team? This guide sets out the certification steps from start to finish. It focuses on the practical process for small businesses that want to pass first time, win or keep contracts, and avoid turning the self-assessment into a stressful box-ticking exercise.
Whether you’re based in Newcastle, across the North East, or anywhere in the UK, we’ll walk you through preparation, scope, controls, the questionnaire, submission and renewal, with plain-English tips on where SMEs usually trip up and where Unite can help.
Step 1: Get clear on why you’re doing Cyber Essentials
Before you start any work, you need a simple answer to one question: why are you investing in Cyber Essentials now?
Common reasons include:
- A client, framework or tender requires Cyber Essentials
- You want a recognised baseline to prove you take security seriously
- You’re planning to grow into supply chains that expect it
This answer matters because it influences:
- Whether you start with standard Cyber Essentials or plan for Cyber Essentials Plus later
- How wide your Cyber Essentials scope definition should be
- How much time and budget you allocate
At this stage, you don’t need to dive into the technical detail. You just need a clear business driver and a named person who’ll own the project.
Step 2: Define scope and gather the essentials
The next part of getting Cyber Essentials is understanding what will be covered by the certificate. This is the most important early decision and a common place where SMEs make life harder than it needs to be.
2.1 Decide what’s in scope
Scope is about which parts of your organisation and which systems are covered. You’ll need to decide, for example:
- Are all locations in scope, or just head office and a satellite office?
- Are home workers and their devices included?
- Are all cloud services in scope, or only those used for sensitive data?
Good scope definition balances realism and value. The scheme's default, and the simplest option for most SMEs, is the whole organisation. If you exclude part of the business, the excluded part must be separated from the in-scope network (for example by a firewall or VLAN), and nothing you exclude is covered by the certificate. You still have to cover every system that handles business data or connects to the internet, but you don't need to include decommissioned kit such as a historic server that is powered off and no longer on the network.
Real-world example:
A Newcastle accountancy practice initially tried to include every device anyone had ever touched. They ended up with 47 items on their asset list, including three laptops gathering dust in a cupboard and a server that hadn’t been switched on in two years. After a sensible scope review, they trimmed it down to 18 active devices and passed first time.
2.2 Make a simple asset list
Create a basic list of:
- Users and roles
- Laptops, desktops, tablets and smartphones, including any personally owned devices used to access business data
- Servers, including any on-site kit
- Cloud services such as Microsoft 365, line-of-business systems and file storage
- Firewalls and routers, both on-site and in the cloud
This list drives your checklist and saves you scrambling for information when you tackle the questionnaire.
Step 3: Fix the basics in the five control areas
Cyber Essentials focuses on a small number of technical controls. You don’t need to be an expert, but you do need to show that the basics are in place across your scoped environment. This is the heart of the Cyber Essentials process for small business.
A practical way to approach this is to work through each area in turn and record what you change.
3.1 Firewalls and internet gateways
What you’ll need to check:
- Confirm that all internet connections, including home-worker routers where in scope, are protected by a firewall that blocks unauthenticated inbound connections by default
- Remove unused open ports and risky rules, and keep a written justification for any port you leave open
- Change default passwords and disable or rename default admin accounts
- Make sure the firewall's own admin interface is not reachable from the internet unless there is a documented business need and it is protected by multi-factor authentication or an IP allowlist
Where businesses often trip up:
They forget about older routers, guest Wi-Fi networks or direct connections into equipment like printers. One Gateshead professional services firm discovered they'd completely overlooked a printer with its own internet connection; that one device nearly scuppered their entire assessment.
3.2 Secure configuration
Here you focus on settings on devices and systems, for example:
- Remove or disable unused software, services and accounts that shipped with the device
- Apply standard secure builds or configuration templates where possible
- Turn on built-in security features such as device encryption, and require a PIN, password or biometric to unlock every device
- Disable autorun and autoplay so removable media can't launch software without the user choosing to
Where businesses often trip up:
Leaving devices with factory settings, or allowing users to run as local administrators when there’s no need. It’s surprisingly common, and surprisingly easy to fix once you know to look for it.
3.3 User access control
You need to show that accounts and access are managed properly:
- Use named, individual accounts, not shared logins
- Grant the minimum access needed for each role
- Review who has administrator rights, reduce them where possible, and give admins a separate day-to-day account so admin accounts aren't used for email and browsing
- Turn on multi-factor authentication for every cloud service that supports it, including Microsoft 365
Where businesses often trip up:
Old accounts that were never removed when staff left. We’ve seen businesses with “John-Sales-2019” accounts still active three years after John moved to a competitor. A quick audit usually finds half a dozen of these.
3.4 Malware protection
This is about preventing malicious software from running:
- Ensure supported anti-malware is installed and updating on all in-scope devices
- Turn on real-time scanning for files and downloads
- Remove unsupported operating systems that can’t be protected properly
Where businesses often trip up:
Devices that are rarely connected to the network and therefore miss updates. That laptop your MD uses twice a year for site visits? It’s probably three years behind on definitions.
3.5 Security update management
You need to show that systems are kept up to date:
- Turn on automatic updates where practical
- Apply critical and high-risk patches (vendor-rated critical or high, or CVSS v3 base score 7 or above) within 14 days of release, which is the timeline the scheme sets
- Keep an eye on end-of-support dates and plan to replace unsupported systems, since anything no longer receiving security updates fails this control
If you document the work you do in these five areas, the self-assessment questionnaire becomes much easier later, because you're not answering from memory.
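The checks in 3.1 to 3.5 can be evidenced from a single Windows endpoint with a short script, which also gives you the "record what you changed" trail the questionnaire asks for. The following is an added example written for this guide, not code from the original page or from Unite. It assumes a Windows 10 or 11 device using the built-in Defender and Windows Firewall, an elevated PowerShell session, and example thresholds: the 90-day stale-account cut-off is an assumption, while the 14-day patch window is the scheme's own requirement.

```powershell
#Requires -RunAsAdministrator
# Cyber Essentials readiness snapshot for one Windows endpoint (example, not official tooling).
# Run on each in-scope device and keep the JSON output as evidence for the self-assessment.

$StaleDays       = 90   # assumption: an enabled account unused for 90 days is worth reviewing
$PatchWindowDays = 14   # scheme requirement: critical/high fixes applied within 14 days of release
$Report = [ordered]@{}

# 3.1 Firewall: every profile (Domain/Private/Public) should be enabled and block inbound by default
$Report['Firewall'] = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction

# 3.2 Secure configuration: disk encryption on the system drive and autorun disabled
# Get-BitLockerVolume needs the BitLocker module (Pro/Enterprise); Home editions return nothing here
$Report['BitLocker'] = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue |
    Select-Object MountPoint, ProtectionStatus, VolumeStatus
$autorun = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
$Report['AutorunDisabledForAllDrives'] = ($autorun.NoDriveTypeAutoRun -eq 255)

# 3.3 User access control: who is a local administrator, and which enabled local accounts look stale
$Report['LocalAdmins'] = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
$cutoff = (Get-Date).AddDays(-$StaleDays)
$Report['StaleLocalAccounts'] = Get-LocalUser |
    Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    Select-Object Name, Enabled, LastLogon

# 3.4 Malware protection: Defender enabled, real-time scanning on, signatures recent
$mp = Get-MpComputerStatus
$Report['Defender'] = [pscustomobject]@{
    AntivirusEnabled    = $mp.AntivirusEnabled
    RealTimeProtection  = $mp.RealTimeProtectionEnabled
    SignatureAgeDays    = $mp.AntivirusSignatureAge
    SignaturesRecent    = ($mp.AntivirusSignatureAge -le 7)   # assumption: a week is the alarm threshold
}

# 3.5 Security update management: OS build and the most recent installed update.
# A last install older than the window does not prove a patch was missed, but it is a prompt
# to check Windows Update on that device (the rarely-used site-visit laptop is the classic case).
$os = Get-CimInstance Win32_OperatingSystem
$lastPatch = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$Report['Updates'] = [pscustomobject]@{
    OS                  = $os.Caption
    Version             = $os.Version
    Build               = $os.BuildNumber
    LastBoot            = $os.LastBootUpTime
    LastHotFix          = $lastPatch.HotFixID
    LastHotFixInstalled = $lastPatch.InstalledOn
    OutsidePatchWindow  = ($lastPatch.InstalledOn -lt (Get-Date).AddDays(-$PatchWindowDays))
}

# Show the snapshot on screen and save it as evidence, one file per device per day
foreach ($section in $Report.GetEnumerator()) {
    "`n== $($section.Key) =="
    $section.Value | Format-Table -AutoSize | Out-String
}
$outFile = "CE-evidence-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).json"
$Report | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile
"Saved evidence to $outFile"
```

Run it once before remediation and once after, and keep both files: the "before" shows the assessor what you found, and the "after" shows the fix. Cloud accounts in Microsoft 365 need a separate review of sign-in activity and MFA status from the admin centre, because the local checks above only see accounts on the device itself.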
Step 4: Complete the self-assessment questionnaire
Once you’ve worked through the technical controls, you’re ready for the self-assessment. This is where many SMEs start searching for how to pass Cyber Essentials first time, and with good reason. The questionnaire isn’t difficult, but it’s detailed.
4.1 Set up with a certification body
You’ll need to:
- Choose a certification body and create an account
- Confirm your chosen scope
- Choose standard Cyber Essentials first, or plan for Cyber Essentials Plus later
Working with a partner that offers Cyber Essentials support in the North East or your own region can make this smoother, especially if you're short on internal technical resource.
4.2 Answer carefully and consistently
Tips for completing the questionnaire:
- Work through it with your asset list and configuration notes to hand
- Answer honestly and consistently, conflicting answers are a red flag
- Use the comments boxes to explain any edge cases or transitional situations
If you've followed your own checklist as you prepared, most questions should now be a case of describing what you've already done.
Real-world example:
A North East manufacturing business rushed their first questionnaire and gave contradictory answers about their firewall setup. They said “yes” to having a firewall in section 2, then described a configuration in section 4 that wouldn’t have been possible with that firewall. The assessor spotted it immediately. They had to resubmit with a proper explanation, adding two weeks to their timeline when they were up against a tender deadline.
Step 5: Deal with feedback and achieve certification
After submitting the self-assessment, the assessor will review your answers. At this stage you'll either:
- Be issued with your certificate, or
- Receive feedback with items you must fix before you can pass
The window for responding to feedback is short (under the current scheme rules, two working days), so it pays to respond quickly and to have the person who did the technical work on hand. If the resubmission still doesn't meet the requirements, the assessment is marked as failed and you have to apply again, so use the feedback window well. This is where a partner who supports the certification steps can walk you through what needs changing and how to evidence it.
How long does Cyber Essentials certification last?
A common question is how long does Cyber Essentials certification last. The answer is that the certificate is valid for 12 months. After that you need to complete a new assessment and go through the Cyber Essentials renewal process.
Standard Cyber Essentials is an annual cycle. Cyber Essentials Plus adds an independent technical audit that must be completed within three months of passing the self-assessment, and it then follows the same 12-month renewal pattern.
Step 6: Plan for renewal and keep it manageable
Once you’ve got your first certificate, the next piece of how to get Cyber Essentials is actually how to keep it.
Practical steps:
- Put a reminder in your calendar around nine months after the award date
- Keep a simple record of changes, for example, new systems or major updates
- Review your five control areas every quarter so you’re not rushing at renewal
Treating the controls as part of normal IT and security management, rather than a once-a-year project, makes each renewal lighter and improves your overall security posture.
Common reasons SMEs fail Cyber Essentials first time
A lot of organisations search for how to pass Cyber Essentials first time because they’ve heard stories of failed attempts. Typical issues include:
- Scope that’s too vague or too wide, which creates confusion
- Devices on unsupported operating systems
- Old user accounts that haven’t been removed
- Firewalls or routers left with default settings and credentials
- Incomplete records of where data is stored or which services are in scope
None of this is unfixable, but it’s much easier to tackle ahead of submission. A short readiness review with a partner can pick up most of these issues early.
A simple Cyber Essentials checklist for SMEs
To recap the Cyber Essentials certification steps, here’s a short checklist you can keep:
- Confirm why you’re doing Cyber Essentials and who owns it
- Define scope: locations, users, devices and cloud services
- Create a basic asset list and keep it up to date
- Work through each of the five control areas and record what you change
- Choose a certification body and complete the self-assessment carefully
- Fix any issues raised and resubmit if needed
- Note your renewal date and plan for the next cycle
If you follow this flow, the requirements set out in the official guidance should feel far less daunting, because you'll have a plan and evidence ready.
FAQs: Cyber Essentials process and timing
1. How long does Cyber Essentials take for a small business?
For most SMEs, plan for four–eight weeks from decision to certificate. The main work is in preparing your environment and gathering information. Once you submit, the assessment itself is usually quite quick.
2. Do we need Cyber Essentials Plus straight away?
Not always. Many businesses start with standard Cyber Essentials, then move to Plus later when clients or contracts require it. You can treat Plus as an additional layer once you’re comfortable with the basics.
3. How often do we need to renew?
You need to renew every 12 months. That’s why it’s important to build the controls into day-to-day IT management, rather than rushing once a year.
4. Can a very small business achieve Cyber Essentials?
Yes. The scheme is specifically designed to be achievable for small organisations, as long as you’re willing to tidy up devices, accounts and basic configuration.
5. Can we get help with the Cyber Essentials self-assessment questionnaire?
Yes. Many providers, including Unite, offer Cyber Essentials self-assessment questionnaire help, where an engineer walks through questions with you and explains what’s being asked in plain English.
6. Does Cyber Essentials cover our suppliers as well?
Cyber Essentials focuses on your own systems, although many organisations use it as a baseline when assessing suppliers. For suppliers, you can ask for their own certificate or wider assurance.
7. What’s the difference between Cyber Essentials and Cyber Essentials Plus?
At a high level, standard Cyber Essentials is a self-assessment, while Cyber Essentials Plus adds an independent technical audit. If you’re unsure which route to take, a short discovery call can help you decide.
Not sure where to start? Get a Cyber Essentials readiness review
If you know you need Cyber Essentials, but you’re not sure how to turn the requirements into a concrete plan, Unite can help. Whether you’re in Newcastle, the North East or beyond, we can provide:
- A short readiness review that checks your current position against the controls
- Help to define a sensible scope for your first certificate
- Support with remediation, configuration and the self-assessment
- Ongoing assistance with the Cyber Essentials renewal process so each year is easier than the last
We've helped dozens of North East businesses through Cyber Essentials, from tiny startups to established firms with complex environments. We know where the trip-ups are, and we know how to explain things without drowning you in jargon.
Book a Cyber Essentials readiness review and we’ll walk you through the exact steps to certification, in language your team can understand. Local support, practical guidance, no unnecessary complexity.
