Get Cyber Essentials
certified. Without
the headache.
Cyber Essentials is a UK government-backed certification that proves your business takes security seriously. We handle the technical controls, policies and configuration — so you can get certified without it taking over your week.
Cyber Essentials
UK government-backed certification. Included in our Protect package.
Covered by ProtectPlain English.
No jargon.
Cyber Essentials is a UK government-backed certification scheme that helps businesses protect themselves against the most common cyber attacks. It was developed by the National Cyber Security Centre (NCSC) and is now recognised across government, public sector and an increasing number of private businesses.
It's built around five technical controls that, when properly implemented, protect against the vast majority of common cyber threats — things like phishing, ransomware and unauthorised access.
Think of it as a baseline standard. Not a guarantee of perfect security, but a clear, credible signal that your business has the fundamentals right. For many of our clients, getting certified opens doors — to contracts, to tenders, and to the peace of mind that comes from knowing your basics are covered.
Government-backed scheme
Developed by the NCSC — the UK's authority on cyber security.
Protects against 80%+ of attacks
The five controls protect against the most common attack types targeting small businesses.
Two levels: Basic and Plus
Cyber Essentials (self-assessed) and Cyber Essentials Plus (independently verified). We help with both.
Built for businesses like yours
Designed to be achievable for small and medium-sized businesses — not just large enterprises.
Four very good reasons
to get certified.
Cyber Essentials isn't just a box-ticking exercise. For most of our clients, it makes a real, practical difference to their business.
Win more contracts
Central government suppliers must hold Cyber Essentials. An increasing number of private sector clients require it too — particularly in construction, finance and professional services.
Actual security
This isn't just a certificate for the wall. The five controls, properly implemented, genuinely reduce your risk. Most successful attacks exploit the same basic weaknesses — Cyber Essentials closes them.
Protect your reputation
A cyber incident doesn't just cost money — it damages the trust you've spent years building. Being certified signals that you take data security seriously, before anything goes wrong.
Cyber insurance
Many insurers now offer reduced premiums — or require certification — for cyber liability policies. Getting certified can directly reduce your costs and improve the cover available to you.
Five controls.
Plain English explained.
Cyber Essentials is built around five technical areas. Here's what each one means in practice — and why it matters.
Firewalls
Boundary firewalls and internet gateways that control what traffic can enter and leave your network. Stops attackers getting in through open doors.
Secure configuration
Making sure devices are configured securely — removing unnecessary software, changing default passwords, disabling features that aren't needed.
User access control
Ensuring people only have access to the data and systems they actually need. Limiting what an attacker can reach if they compromise an account.
Malware protection
Protecting devices against viruses, ransomware and malicious software through up-to-date endpoint protection and safe browsing controls.
Patch management
Keeping software and operating systems up to date. Most successful attacks exploit known vulnerabilities that patches have already fixed — but nobody installed.
From zero to certified.
We handle the hard part.
You don't need to become a security expert. That's what we're here for. Here's how a typical Cyber Essentials journey looks with ISS.
Gap assessment
We review your current setup against the five controls and give you a clear, honest picture of where you stand and what needs to change.
Technical remediation
We implement the required controls — firewall configuration, Microsoft 365 security, patch management, endpoint protection and access controls.
Policy support
We help you put the right security policies in place — the documented guidance your team needs to maintain good security habits day to day.
Certification & beyond
You complete the self-assessment questionnaire with our support and submit for certification. We then maintain your controls so you stay compliant.
Cyber Essentials readiness
is built in.
Our Protect package is specifically designed around the Cyber Essentials framework. Everything you need to get certified — and stay certified — is included as standard. No add-ons, no extra project quotes.
- Cyber Essentials readiness — controls aligned to NCSC requirements
- Microsoft 365 security configuration
- 24-hour endpoint detection & response
- Cyber Essentials IT policy support
- Network vulnerability scanning
- User security awareness training
- Microsoft 365 identity threat monitoring
Things people ask
about Cyber Essentials.
A few questions that come up when businesses are considering Cyber Essentials for the first time.
Do I need Cyber Essentials to work with ISS?
No. Cyber Essentials is a separate service we offer — it's not a requirement for support. That said, we do recommend it for most businesses, particularly if you tender for contracts or handle customer data.
How long does Cyber Essentials take?
The process typically takes 4–6 weeks from start to certification, depending on how ready your IT environment is when we begin. We'll do an initial gap assessment so you know what needs fixing before the formal assessment starts.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment verified by an external body. Cyber Essentials Plus involves hands-on technical testing of your systems by an accredited assessor. Plus is more rigorous and is increasingly required for public sector and defence contracts.
Will we definitely pass first time?
We can't guarantee it — the assessment is independent. What we can do is make sure you're genuinely ready before you submit. We don't put clients in for assessment until we're confident they'll pass.