Cyber Essentials Certification

Cyber Essentials, properly. In 30 days. Fixed price.

Cyber Essentials certification for UK SMBs, run end-to-end by a certified IASME assessor. Fixed price quoted in 48 hours, free re-submission if anything fails, and a direct line to the person actually signing off your certificate.

The basics

What is Cyber Essentials?

Cyber Essentials is the UK government-backed cyber security certification scheme, created by the National Cyber Security Centre (NCSC) and administered by IASME. It sets out five technical controls that, when configured properly, stop the vast majority of common internet-based attacks against UK small and medium-sized businesses.

Those five controls cover firewalls and boundary protection, secure configuration of devices and software, user access control, malware protection, and security update management. The certification is a self-assessment questionnaire signed off by an IASME-approved assessor. Cyber Essentials Plus adds an independent technical audit on top of the same five controls.

For most UK SMBs, Cyber Essentials is no longer optional. It is required to bid for many central government contracts that handle personal data, it is a common procurement gate for enterprise customers and prime contractors, it unlocks cyber insurance discounts (and in some cases inclusion at all), and it gives your customers and supply chain measurable confidence that your basics are in order. It is also the natural prerequisite to ISO 27001 and to Cyber Essentials Plus.

The five controls

The five Cyber Essentials controls

Cyber Essentials is built on five technical controls. Get these right and you remove most opportunistic attack paths. Here is what each one means in practice - and what Bluewater configures for you.

Firewalls & boundary protection

Every device that connects to the internet needs a properly configured firewall - both at the network edge and on each laptop. Default passwords go, inbound rules get locked down, and remote-admin interfaces stop facing the open internet.

  • Boundary firewall configuration and review
  • Host-based firewall enforcement on every device
  • Default credentials replaced and documented

Secure configuration

Devices and cloud services should ship in a known-good state, with unused accounts and services disabled. We harden Windows, macOS and your core SaaS - Microsoft 365, Google Workspace - against the obvious mistakes.

  • Baseline configuration for endpoints and cloud tenants
  • Unused accounts, services and ports disabled
  • MFA enforced on every admin account

User access control

People should have the access they need to do their job and no more. Admin rights are separated from day-to-day accounts, leavers are removed promptly, and shared logins are eliminated wherever possible.

  • Joiners, movers and leavers process documented
  • Separate admin and standard user accounts
  • Privileged access reviewed on a defined cadence

Malware protection

Every in-scope device needs working anti-malware that updates automatically and blocks known-bad files and sites. For mobile, we lean on app-store sandboxing and managed device profiles instead of legacy AV.

  • Anti-malware deployed and verified on every endpoint
  • Definitions updating automatically and monitored
  • Mobile devices managed via MDM where in scope

Security update management

High and critical patches must be applied within 14 days. That means supported operating systems and applications only, with a documented patching cadence - not "we update when we remember".

  • Patch policy documented and enforced
  • End-of-life software identified and replaced
  • Automatic updates configured where appropriate

Why us

Why choose Bluewater for Cyber Essentials certification

Most CE providers hand you a long questionnaire and disappear. We do the opposite - we run the project, talk to the assessor for you, and stand behind a fixed price and a fixed window.

Direct line to a certified CE assessor

You talk to the person who actually signs off your certificate, not a sales team relaying messages. Questions get answered in hours, not weeks.

30 days, guaranteed window

From kick-off to submission in 30 days for standard SMB scopes. We give you a dated plan on day one and we hold to it.

Fixed price, quoted in 48 hours

One number, quoted within 48 hours of your enquiry. Includes scoping, remediation guidance, the IASME assessor fee and submission.

Free re-submission if anything fails

If the assessor flags anything, we fix it and resubmit at no extra cost. That is part of the price - not an upsell.

The plan

Your 30-day Cyber Essentials timeline

A predictable, dated plan from day one. Here is what happens, and when.

Days 1-3

Scope & gap analysis

We lock down what is in scope - users, devices, cloud services, locations - and run a structured gap analysis against the five controls. You get a written remediation plan with owners and dates.

Days 4-14

Remediation

We work alongside your team (or do it directly) to close the gaps: firewall configuration, MFA enforcement, patching cadence, leaver processes, MDM where needed. Daily progress against the plan.

Days 15-25

Questionnaire & dry-run

We complete the IASME self-assessment with you, evidence every answer, and run an internal dry-run review against the same criteria the assessor will use. Anything weak gets tightened.

Days 26-30

Submit & certify

Formal submission to IASME, assessor review, and your certificate issued. If anything is flagged, we remediate and resubmit free of charge - included in the fixed price.

Comparison

Cyber Essentials vs Cyber Essentials Plus

Same five controls. Different level of independent verification. Honest guidance on which is right for you.

Cyber Essentials

Self-assessment, assessor-verified

You complete the IASME questionnaire, the assessor reviews and signs off. Right for most SMBs starting their certification journey, for insurance, and for the majority of commercial procurement gates.

  • Self-assessment against the five controls
  • IASME assessor sign-off
  • Faster, lower cost
  • Prerequisite for Cyber Essentials Plus
  • Accepted for most commercial tenders

Cyber Essentials Plus

Independent technical audit

Everything in Cyber Essentials, plus an independent hands-on audit of a sample of your devices and cloud services by the assessor. Required for some central government and MoD contracts and increasingly requested in enterprise supply chains.

  • Independent vulnerability scan of in-scope devices
  • Authenticated test of patching and configuration
  • Sample-based endpoint audit
  • Required for some central gov / MoD work
  • Stronger supply-chain signal

Triggers

Who needs Cyber Essentials certification?

If any of these apply, Cyber Essentials is on your roadmap whether you planned it or not. Better to lead it than to scramble.

  • You bid for MoD or central government contracts handling personal data
  • Your cyber insurance renewal is asking for evidence of basic controls
  • A customer or prime contractor has made it a procurement requirement
  • You are preparing for ISO 27001 and want a structured starting point
  • You need Cyber Essentials Plus and have to certify base CE first
  • You handle client data and want a credible third-party signal of competence

FAQ

Cyber Essentials FAQ

How long does Cyber Essentials certification take?

For most UK SMBs, 30 days from kick-off to certificate. Days 1-3 are scoping and gap analysis, days 4-14 are remediation, days 15-25 are questionnaire and dry-run, days 26-30 are submission and assessor sign-off. Larger or more complex scopes may need longer - we tell you on day one if so.

What is the process for Cyber Essentials certification?

Scope your in-scope assets, gap-analyse against the five technical controls, remediate any issues, complete the IASME self-assessment questionnaire, run an internal dry-run, then submit for assessor review. Bluewater runs the project end-to-end and you get a direct line to the assessor throughout.

What happens if we fail Cyber Essentials on first submission?

We resubmit free of charge. If the IASME assessor flags anything, we remediate it and resubmit at no extra cost - that is built into the fixed price, not an optional extra. Our dry-run process is designed to make a first-time fail unlikely.

Do we need Cyber Essentials Plus instead of Cyber Essentials?

Cyber Essentials Plus is mandatory for some central government and MoD contracts and is increasingly requested in enterprise supply-chain due diligence. If you do not have an immediate Plus requirement, base Cyber Essentials is the right starting point - and it is a prerequisite for Plus in any case.

Can a small business with 5 or 10 staff pass Cyber Essentials?

Yes. Cyber Essentials is designed to be achievable at any size, and small UK SMBs routinely pass when the five controls are configured correctly. A smaller scope often means a faster, cheaper certification - there is less to evidence.

What technology do we need in place for Cyber Essentials?

Supported operating systems and applications (nothing end-of-life), a properly configured firewall, anti-malware on every endpoint, MFA on cloud admin accounts, a documented patching cadence, and basic user-access controls. Most SMBs already have most of this - we close the remaining gaps.

What is IASME and how does it relate to Cyber Essentials?

IASME is the sole accreditation body for Cyber Essentials, appointed by the NCSC. Every Cyber Essentials certificate is issued through an IASME-approved certification body and assessor. Bluewater works directly with a certified IASME assessor - you are not handed off to a third party.

How do you bill for Cyber Essentials certification?

Fixed price, quoted within 48 hours of enquiry. The price includes scoping, gap analysis, remediation guidance, the IASME assessor fee, submission and free re-submission if needed. No hourly billing and no scope creep - if scope changes materially, we agree it in writing first.

Next step

Get a quote in 48 hours.

Book a 15-minute call or run the free readiness check first - both go to the same place: a fixed-price Cyber Essentials quote within two working days.
