What is Cyber Essentials and Is It Worth It?
If you’ve ever bid on a public sector contract, worked with a government-backed client, or responded to an RFP that included a security questionnaire, you will have come across Cyber Essentials. Chances are someone on the team Googled it, asked you what to do, and it got pushed down the list. This post answers the question properly.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme, owned by the National Cyber Security Centre (NCSC) and delivered through its partner IASME. It defines five technical controls that, properly implemented, stop the bulk of commodity attacks: the kind launched at scale against anyone with an internet connection rather than aimed at you specifically. NCSC's own figure is that the five controls prevent around 80% of these common attacks.
The scheme was created to give organisations a practical, achievable baseline for cyber security. It is not an academic framework or a paperwork exercise. It describes specific things you must have in place on your IT systems, grouped under five headings: firewalls (a properly configured boundary firewall, plus the software firewall on laptops that leave the office), secure configuration (default passwords changed, unused accounts and software removed), user access control (named accounts, admin rights only where someone needs them, MFA where the standard requires it), security update management (supported software, patched promptly), and malware protection. Pass the assessment, and your certificate tells clients, procurement teams, and insurers that you meet that baseline.
Cyber Essentials and Cyber Essentials Plus: the two tiers
There are two levels of certification.
Cyber Essentials is the entry-level tier. You complete a self-assessment questionnaire describing your IT setup, signed off by a board member or equivalent, and an assessor at an IASME-accredited certification body reviews it. Nothing is tested at this tier: the assessor checks that your answers are complete, consistent, and meet the requirements, not that your systems actually behave as described, so the value of the certificate depends on the answers being honest and current. If your answers demonstrate that the five controls are in place, you receive the certificate. Once your IT is prepared, the process typically takes a few days.
Cyber Essentials Plus goes further. An assessor from the certification body carries out technical verification of your environment, testing the controls rather than taking your word for them: typically an external vulnerability scan of your internet-facing systems, an authenticated scan of a sample of your devices to check patch levels and configuration, and tests of whether malware protection blocks a suspicious download or email attachment. You need a current Cyber Essentials certificate first, and the Plus assessment has to be completed within three months of it. CE Plus carries more weight in procurement and is increasingly required for government supply chain work and defence contracts.
For most agencies in the 15 to 60-person range, Cyber Essentials is the right starting point. CE Plus becomes relevant when a specific contract or tender requires it.
Why do creative and marketing agencies specifically need it?
The short answer: clients are asking for it, and the window to respond competently is getting shorter.
Creative agencies, PR firms, and marketing studios increasingly work with public sector organisations, listed companies, and large enterprise clients. These clients have started including Cyber Essentials in their supply chain requirements. An RFP question about your security posture that you cannot answer cleanly is one your competitor probably can.
Beyond contract requirements, there is a practical reason. Agencies hold significant volumes of client data: brand assets, campaign materials, financial records, strategic briefs. A successful phishing attack or ransomware incident does not just affect your systems. It affects your clients. CE gives you a demonstrable baseline, externally reviewed at the basic tier and technically tested at Plus, that you can stand behind in a pitch, in a contract discussion, or in a client conversation after something goes wrong.
There is also a cyber insurance angle. A number of insurers now factor CE status into their underwriting process, and the questions on a cyber insurance proposal form map closely to the five controls. Holding the certificate can influence your premium, and being able to evidence the controls you declared matters when a claim is assessed.
How do you get started?
The starting point is understanding what falls within scope. Cyber Essentials applies to the devices and services that access organisational data or services: laptops and desktops, servers, mobile devices, cloud services, and internet-facing systems. Two things catch agencies out. First, personal devices count: a staff member's own phone or laptop that has company email, Slack, or a shared drive on it is in scope, and has to meet the same configuration and patching requirements as a company-owned one. Second, every SaaS tool holding company data is a cloud service in scope, which for a typical agency means MFA on all of them, not just on Microsoft 365 or Google Workspace. For a 30-person agency with a mix of Macs, Windows machines, and a stack of SaaS tools, defining the scope correctly is usually the step that takes the most time.
From there, the process is straightforward: a gap assessment against the five controls, remediation of anything that does not meet the requirements, and then completing the self-assessment questionnaire with an IASME-accredited body. If you want a step-by-step walkthrough of the certification journey, Blog 6 in this series covers the process from gap assessment to certification.
One practical note: the version of the standard changed on 27 April 2026. The update, known as Danzell or v3.3, tightened the rules around MFA and brought cloud services firmly into scope. If you are planning your first assessment or a recertification, make sure you are preparing against the current standard. The next post in this series covers what changed and what it means for agency SaaS environments.
What this means for you
Cyber Essentials is not a complex or expensive undertaking for a well-run agency. The five controls cover things most businesses either already have in place or are close to having. The value is in the verification: knowing your setup meets the standard, having a certificate to evidence it, and removing a category of awkward question from your next pitch conversation.
If you manage IT and you have been meaning to get this done, the v3.3 update is a good reason to move now rather than wait. The requirements are tighter than they were, and agencies with cloud-heavy setups need a bit more preparation than before.
If you want to understand where your agency currently stands against the Cyber Essentials requirements, our 5-minute Cyber Check assessment gives you a clear picture with no preparation required.