Compliance
Cyber Essentials
ISO 27001
June 21, 2026

Cyber Essentials: why it wins UK contracts

A buyer reaches the security section of their supplier checklist and asks one question: do you hold Cyber Essentials? For a lot of UK work, the answer decides whether your bid is read or set aside. That commercial reality is the subject of this piece: what Cyber Essentials is and why it wins UK contracts. Get the certificate and you stay on the shortlist. Skip it and, for in-scope work, you are screened out before anyone looks at your price.

Cyber Essentials is the UK's baseline security standard. It is the price of entry for much of UK government procurement and a growing share of UK enterprise procurement. The value is in the deals the certificate lets you bid for.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme. It shows an organisation has five core technical controls in place to defend against the most common internet-based cyber attacks: firewalls, secure configuration, security update management, user access control and malware protection. Certification runs at two levels, one self-assessed and one independently audited.

The scheme is owned by the National Cyber Security Centre and delivered through its partner, IASME. Certificates are issued by a network of licensed Certifying Bodies, whose qualified assessors mark each submission. The five controls are deliberately basic. The National Cyber Security Centre's position is that most common attacks rely on basic weaknesses, and these controls close them.

Cyber Essentials vs Cyber Essentials Plus

Both levels cover the same five technical controls. The difference is how the controls are verified.

                     Cyber Essentials                               Cyber Essentials Plus
Controls assessed    The five core controls                         The same five controls
How it is verified   Self-assessment, independently checked by      Independent technical audit and vulnerability
                     a qualified assessor                           testing of your systems
Typical use          Lower-risk contracts and general buyer         Higher-risk contracts handling sensitive data
                     assurance
Sequence             Stands alone, or as the first step             Requires a verified Cyber Essentials assessment first

Cyber Essentials is self-declared and then checked. Cyber Essentials Plus puts your systems through a hands-on technical audit, so the buyer is relying on tested evidence rather than your word. A verified Cyber Essentials assessment is a prerequisite for the Plus audit, so the two run in sequence rather than as alternatives.

Who needs Cyber Essentials, and which markets it gates

Since 2014, the UK government has required suppliers bidding for certain public contracts to hold Cyber Essentials or demonstrate equivalent controls. That requirement is now set out in Procurement Policy Note 014. It is selective by design. The Note states the scheme should not be applied to every contract as a matter of course, so it gates in-scope work, not all government work.

The trigger is the data and systems involved. Under Procurement Policy Note 014, certification is expected where a contract handles the personal information of citizens, such as home addresses or payment details, the personal information of government staff and ministers, or ICT systems processing information at the OFFICIAL classification. Lower-risk contracts call for Cyber Essentials. Where the risk is higher, buyers ask for Cyber Essentials Plus. The level follows the sensitivity of the work.

The requirement no longer stops at government. The National Cyber Security Centre notes that a growing number of organisations now require their suppliers to be certified before they can bid for work. In October 2024, six major UK banks signed the Cyber Essentials Supply Chain Commitment, asking the firms in their supply chains to certify. For a supplier, the effect is the same on both sides of that line: no certificate, no bid.

One distinction matters. For in-scope government work, Cyber Essentials is contractually required. In the wider market it is a procurement prerequisite that buyers choose to impose. No law obliges every UK business to hold it. The pressure is commercial, and that is exactly why it moves deals.

How Cyber Essentials helps you win and keep contracts

The certificate earns its cost through the work it opens up. It shows up commercially in four ways.

Unblocks the deal in front of you. When a buyer or tender names Cyber Essentials as a condition of bidding, the certificate is the difference between a live opportunity and an automatic rejection. Hold it, and your pitch gets read on its merits.

Buyers stop screening you out at the door. For in-scope contracts under Procurement Policy Note 014, UK central government procurement is closed to suppliers who cannot show Cyber Essentials or equivalent controls. Certification is the key to that market, and enterprise supply chains are heading the same way. One credential can move you from locked out to eligible across a large pool of buyers.

A faster security review follows. A recognised baseline certificate answers a large block of any buyer's security questionnaire up front. Part of the due-diligence conversation becomes a document you already hold, so the review moves faster and the sale closes sooner.

Trust that compounds over time. An independent, government-backed certificate is recognised proof that you take security seriously. It earns buyer confidence early and gives you a platform to move up to bigger, more security-conscious contracts, and onward to Cyber Essentials Plus and ISO 27001.

There is a tangible extra for smaller firms. A UK-based organisation with turnover under £20m that certifies its whole organisation is entitled to free cyber liability insurance arranged by IASME, with a £25,000 total liability limit and a 24-hour incident helpline.

What getting Cyber Essentials involves

The path is short to describe. You define your scope, the systems and people the certificate will cover. You put the five controls in place and gather the evidence that proves it. Then you submit to a licensed Certifying Body. Cyber Essentials is self-assessed and assessor-verified. Cyber Essentials Plus adds the independent technical audit on top.

Most of the effort is gathering evidence and keeping it current. A certificate is valid for 12 months, so the controls have to stay in place rather than pass once and lapse. Recertifying each year is what keeps you meeting a buyer's conditions over the life of a relationship.

Naq runs Cyber Essentials and Cyber Essentials Plus alongside the other standards UK buyers ask for, including ISO 27001, NHS DSPT and GDPR. Because Naq is an IASME Certifying Body, the assessment can run under one roof rather than being handed to a separate assessor, and the evidence you gather maps across to the other frameworks a buyer might ask for next.

Frequently asked questions

Is Cyber Essentials mandatory for UK government contracts?

It is required for in-scope contracts under Procurement Policy Note 014, not for every government contract. The trigger is contracts handling citizens' or government staff personal data, or ICT systems at the OFFICIAL classification. It is a procurement requirement on the relevant contracts, not a law that applies to all businesses.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both cover the same five technical controls. Cyber Essentials is self-assessed and independently checked by a qualified assessor. Cyber Essentials Plus adds an independent technical audit and vulnerability testing of your systems. A verified Cyber Essentials assessment is a prerequisite for the Plus audit, so the two run in sequence.

How long does Cyber Essentials last?

A Cyber Essentials certificate is valid for 12 months. You recertify annually to keep it current and to keep meeting any procurement conditions that depend on it. Recertifying means the five controls have to stay in place over time, not simply pass once.

Do I need Cyber Essentials to sell to UK enterprises, not just government?

Increasingly, yes. The National Cyber Security Centre notes that a growing number of organisations require suppliers to be certified before they can bid. In October 2024, six major UK banks signed the Cyber Essentials Supply Chain Commitment, asking their supply chains to certify.

Sources
- Procurement Policy Note 014, Cyber Essentials in government procurement (GOV.UK, Cabinet Office)
- Cyber Essentials scheme guidance and the five technical controls (National Cyber Security Centre)
- Cyber Essentials certification and free cyber liability insurance terms (IASME)

Written by
The Naq Team