Cyber Essentials

The UK's baseline for cyber security, made simple.

Cyber Essentials is a government-backed certification that proves your business has the basic controls in place to defend against the most common cyber attacks. We help small businesses get there — by guiding your team, or doing the work ourselves.

Book a free 30-min call How it works

What it is

A simple framework. Five core controls.

Cyber Essentials covers the five technical areas where most breaches happen. Get these right and you'll defend against the bulk of common cyber attacks. Get them wrong and you're an obvious target.

  1. Firewalls

    Properly configured boundary firewalls and device-level firewalls between your network and the internet.

  2. Secure configuration

    Default passwords changed, unnecessary services disabled, devices and software set up to reduce attack surface.

  3. User access control

    Each person has the right level of access and no more. Admin accounts used only when needed. MFA where it matters.

  4. Malware protection

    Up-to-date anti-malware on every device, plus controls that prevent untrusted software from running in the first place.

  5. Security update management

    Operating systems, applications, and firmware patched promptly. Anything unsupported retired or replaced.

A UK government scheme, run by IASME

Cyber Essentials was developed by the National Cyber Security Centre (NCSC), the UK's national cyber security authority. The scheme is delivered by IASME, who train and accredit advisors and certification bodies. Bishop Consultancy is an IASME-qualified Cyber Essentials Advisor — and Cyber Essentials Certified ourselves.

Two levels

Cyber Essentials, or Cyber Essentials Plus.

Cyber Essentials

A self-assessment questionnaire, reviewed and certified by an IASME-accredited certification body. Most small businesses start here. Lower cost, faster, and sufficient for most contracts and cyber insurance policies that ask for it.

Best for most SMEs →

Cyber Essentials Plus

Same five controls, but technically verified by an external assessor through hands-on scans and tests of your systems. Required for some public sector contracts and larger enterprise tenders.

When the contract requires it →

Our approach

Cyber Essentials, on your terms.

Get the security controls in place. Then decide whether you also want the formal certificate.

Secure

Worried about ransomware or phishing? We'll get the controls in place — guiding your team through implementation, or doing the work ourselves. You'll be meaningfully safer than most UK businesses your size.

Best when the threat is real →

Secure & certified

Same controls — plus we'll guide you from gap analysis through to passing assessment. As an IASME-qualified Cyber Essentials Advisor (and certified ourselves), you've got the right person in your corner. Useful for contracts, tenders, and cyber insurance.

Best when the badge is required →

How we deliver

We'll guide you, or we'll do it.

Two delivery models, your choice. Both end with the same controls in place.

Advisory

You or your existing IT support do the implementation work. We tell you exactly what's needed, in what order, and why. We review your evidence before you submit.

When you have the team, just need direction →

Hands-on

We do the implementation work ourselves. You get the controls in place, a clear before-and-after report, and (if you want it) the certificate — without your team having to learn cyber security overnight.

When you'd rather just have it done →

What to expect

A clear, predictable process.

Both engagements share the same first phase. The certification path simply continues a few steps further.

Cyber Essentials engagement process Four shared steps: consultation, scoping and gap analysis, plan, and implementation. Then the path forks: the secure-only engagement ends, while the certification path continues through evidence review, submission, and certificate issuance. SHARED PHASE · BOTH ENGAGEMENTS 1 Consultation Free, 30 minutes No obligation 2 Scope & gap What's in, what's out, where you stand today 3 Plan Prioritised actions, agreed owners 4 Implement Advise or do. Your call. SECURE PATH SECURE & CERTIFIED PATH Engagement complete Controls in place. You're protected. 5 Evidence review We check your answers 6 Submit For IASME assessment 7 Certificate issued Valid 12 months

  1. Shared phase · both engagements

    1. 1

      Consultation

      Free, 30 minutes. No obligation.

    2. 2

      Scope & gap analysis

      What's in scope, what's out. Where you stand against the five controls.

    3. 3

      Plan

      Prioritised actions with agreed owners (you, us, or your IT support).

    4. 4

      Implement

      We advise or we do it. Your call.

  2. From here, the path forks
  3. ·

    Secure path: engagement complete

    Controls in place. You're protected. Stop here if you don't need the certificate.

  4. 5

    Evidence review

    We check your answers to the IASME questionnaire before you submit.

  5. 6

    Submit

    The questionnaire goes to IASME for formal assessment.

  6. 7

    Certificate issued

    Valid for 12 months. Add it to your website, tenders, and supplier records.

Renewals every 12 months

Cyber Essentials certificates expire after a year. We keep an eye on yours and remind you in plenty of time, so you're never caught out by a contract that needs an in-date certificate. Renewal is faster than first-time certification — we already know your environment.

Why Bishop

Independent. Local. Certified ourselves.

IASME-qualified

Trained and accredited by IASME — the body that runs Cyber Essentials on behalf of the UK government — to advise on the scheme.

Certified ourselves

Bishop Consultancy UK Ltd holds Cyber Essentials. We practise what we preach — you get the same standard we hold ourselves to.

Independent since 1991

35+ years of independent IT consulting. No software to upsell, no franchise targets, no big-firm overheads inflating your invoice.

FAQ

Common questions, honest answers.

How long does Cyber Essentials take?

For most small businesses, the work itself takes two to six weeks — depending on how many gaps need closing. The IASME assessment turnaround after submission is typically a few working days.

How much does it cost?

Every business is different, so we don't publish a fixed price. The IASME assessment fee itself is set by them and depends on company size; our advisory or hands-on fees on top depend on scope and how much remediation is needed. We'll give you a clear, fixed quote after the free consultation — no surprises later.

Will Cyber Essentials help with cyber insurance?

Often, yes. A growing number of UK insurers either require Cyber Essentials for cover, or offer better terms when you have it. It's also frequently asked for in supplier questionnaires from larger customers and public-sector buyers.

Can we keep our existing IT support and just use you for Cyber Essentials?

Absolutely. Our advisory engagement is built for exactly that — we tell your existing team what's needed and review their work. Many of our CE clients have an in-house IT person or another MSP doing the day-to-day. We just bring the cyber security expertise.

What's the difference between Cyber Essentials and ISO 27001?

Cyber Essentials covers the technical basics — five concrete controls, achievable in weeks, suitable for small businesses. ISO 27001 is a far broader information-security management standard with policies, audits, and ongoing governance — usually a year-plus project, suited to larger organisations or specific contractual requirements.

For most small businesses we work with, Cyber Essentials is the right starting point. We can talk you through whether ISO is worth pursuing later.

Ready to get started? Let's talk.

Book a free 30-minute call. We'll talk through your situation, what's likely to be in scope, and what a realistic Cyber Essentials engagement would look like for you.

Book a call or call 0330 223 5742