Cyber Essentials for UK business, practical guide.
What Cyber Essentials is, what it costs, when you actually need it. How Telexico's connectivity, network and managed-firewall setups directly support 3 of the 5 controls. Honest scope: we don't issue the certification, but the network setup we deploy is what gets you through it.
- 📋 The 5 technical control areas
- 🔐 What "secure configuration" actually means
- 💷 Cost ranges (CE vs CE Plus)
- 📊 Who genuinely needs it
- 🛠 How network setup affects controls 1 & 2
- 🤝 Who issues the certification
- ♻️ Annual re-certification reality
- 🚦 First-attempt fail patterns
What Cyber Essentials actually is.
Cyber Essentials is a UK government-backed cybersecurity certification scheme administered by IASME on behalf of the National Cyber Security Centre (NCSC). It demonstrates that a business has implemented basic cybersecurity controls across five technical areas. Achievement of Cyber Essentials is increasingly required for UK government contracts and expected by many enterprise customers.
Two levels exist: Cyber Essentials (self-assessment questionnaire reviewed by an accredited certification body, ~£300-600 typical cost) and Cyber Essentials Plus (independently audited with on-site assessor verification, ~£1,500-3,500+ typical cost depending on business size).
It's not a sophisticated framework — it's a baseline. Anyone working with UK government, larger enterprise clients, or wanting to demonstrate basic cybersecurity hygiene to insurers and prospects should consider it. For general SMEs without specific contract requirements, it's still a useful baseline but not strictly necessary.
What Cyber Essentials actually checks.
1. Firewalls
Every internet-connected device is protected by a firewall. Default admin passwords changed. Unnecessary services disabled. Inbound/outbound rules properly configured. This is directly affected by how your business router/firewall is set up.
2. Secure configuration
Devices and software configured securely. Unused user accounts removed. Default settings changed where they pose risks. Auto-run / auto-launch features disabled where appropriate. Network segmentation in place.
3. User access control
Administrative privileges only granted to those who need them for the work they do. Separate user accounts for admin tasks vs everyday work. Strong password policy. Multi-factor authentication where supported.
4. Malware protection
Antivirus on all devices (Windows, macOS where relevant). Kept updated. Scans run regularly. Application allow-lists where appropriate. Email filtering for known malicious attachments.
5. Security update management
Software and operating systems patched within 14 days of patches being released. Out-of-support software replaced. Patching policy documented. Critical security updates applied promptly.
3 of the 5 controls are network-setup outcomes.
Most UK SMEs failing Cyber Essentials on first attempt fail on controls 1 (firewall) and 2 (secure configuration) — both of which are direct outcomes of how the network is set up. Telexico's standard managed-broadband setup addresses these directly:
Control 1 — Firewall. Our managed business broadband includes business-grade routers with proper firewall configuration as standard: default credentials changed, unnecessary services disabled, port-blocking by default, inbound rules tightened. This addresses the firewall control out of the box. Domestic-grade routers from ISPs often fail this — they leave services running that shouldn't be public-facing.
Control 2 — Secure configuration. Our network setups use VLAN segmentation (separating guest WiFi, EPOS, IoT, corporate traffic), proper WPA3 SSID security on business WiFi, managed switch configurations with documented baselines. This directly supports the secure configuration requirement. The assessor will look at "is your network properly segmented? Are guest networks isolated from corporate traffic?" — our setups demonstrate this directly.
For Cyber Essentials Plus, where an assessor physically tests configurations, we can demonstrate the firewall and configuration directly to the assessor. We've worked with IASME-accredited certification bodies and know what they look for.
Controls 3, 4, 5 (user access, malware, patching) are primarily endpoint and IT-management functions — outside our core scope. For these, we typically refer customers to specialist IT-managed-services partners who handle endpoint security, antivirus deployment, and patch management. This is where most UK SMEs need additional help beyond pure connectivity/network setup.
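A pre-assessment check of the Control 1 and Control 2 items described above can be scripted against an exported network baseline. The following is an added example, not Telexico's or IASME's tooling; the baseline schema, field names and the list of services treated as unnecessary are assumptions made for illustration.

```python
# Added example: field names, schema and service list are assumptions.
RISKY_WAN_SERVICES = {"telnet", "upnp", "http-admin", "snmp"}  # assumed list

def audit_baseline(baseline):
    """Return (control, finding) tuples; an empty list means no gaps found."""
    findings = []
    for dev in baseline["devices"]:
        name = dev["name"]
        # Control 1: default admin password changed (missing field counts as a gap).
        if dev.get("admin_password_is_default", True):
            findings.append((1, f"{name}: default admin password still set"))
        # Control 1: unnecessary services not exposed to the internet.
        for svc in sorted(RISKY_WAN_SERVICES & set(dev.get("wan_services", []))):
            findings.append((1, f"{name}: {svc} reachable from WAN"))
        # Control 1: inbound traffic blocked unless a rule allows it.
        if dev.get("role") == "firewall" and dev.get("inbound_default") != "deny":
            findings.append((1, f"{name}: inbound default is not deny"))
    # Control 2: guest segment may reach the internet only.
    for vlan in baseline["vlans"]:
        if vlan["name"] == "guest":
            for target in sorted(set(vlan.get("can_reach", [])) - {"internet"}):
                findings.append((2, f"guest VLAN can reach {target}"))
    # Control 2: business WiFi SSIDs use WPA3, as in the setup described above.
    for ssid in baseline["ssids"]:
        if ssid.get("security") != "WPA3":
            findings.append((2, f"SSID {ssid['name']}: {ssid.get('security')} not WPA3"))
    return findings

# Constructed sample data, not taken from any real network.
AS_DELIVERED = {
    "devices": [{"name": "isp-router", "role": "firewall",
                 "admin_password_is_default": True,
                 "wan_services": ["upnp", "http-admin", "https"],
                 "inbound_default": "allow"}],
    "vlans": [{"name": "guest", "can_reach": ["internet", "corporate", "epos"]},
              {"name": "corporate", "can_reach": ["internet"]}],
    "ssids": [{"name": "Office", "security": "WPA2"}],
}
HARDENED = {
    "devices": [{"name": "edge-fw", "role": "firewall",
                 "admin_password_is_default": False,
                 "wan_services": [], "inbound_default": "deny"}],
    "vlans": [{"name": "guest", "can_reach": ["internet"]},
              {"name": "corporate", "can_reach": ["internet"]}],
    "ssids": [{"name": "Office", "security": "WPA3"}],
}

if __name__ == "__main__":
    for control, finding in audit_baseline(AS_DELIVERED):
        print(f"Control {control}: {finding}")
    print("hardened gaps:", len(audit_baseline(HARDENED)))
```

Running it against the as-delivered sample lists each gap by control number, which maps directly onto the questionnaire sections; the hardened sample returns no findings.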
Certification cost expectations.
Cyber Essentials (self-assessment)
Application fee: £300-600 typical depending on business size.
Internal time: 4-12 hours staff time to complete the self-assessment questionnaire.
Annual: requires renewal every 12 months.
Typical total first-year cost: £500-1,000 all-in.
Cyber Essentials Plus (audited)
Audit fee: £1,500-3,500+ depending on business size and complexity.
Assessor visit: typically 1-2 days on-site testing.
Internal time: 8-24 hours preparation + audit support.
Typical total first-year cost: £2,000-4,500 all-in.
Many UK businesses offset some of the cost through cyber insurance discounts (many insurers offer 10-20% premium reduction for certified businesses) and government contract eligibility (Cyber Essentials is often a hard minimum for procurement bids). For businesses with these specific drivers, the certification typically pays back its cost within 12-18 months through insurance savings plus new business opportunities.
Review my current setup.
Not ready to switch yet? Send us your current contracts, bills, or photos of your existing equipment. We'll review what you have, what you're paying, and where you could simplify, consolidate or improve — without any pressure to buy anything from us.
We benchmark your existing broadband, phones, mobile and IT against current UK market pricing and what your business actually needs.
Real engineer review of your current connectivity, voice setup, WiFi, security and continuity — strengths, gaps, and where you're overpaying or underprotected.
We tell you honestly what's available at your postcode — FTTP, leased line, alt-net carriers — and which makes commercial sense for your operation.
For businesses still on ISDN or aging on-premises PBX — an honest cost-and-feature comparison before the 2027 BT switch-off forces a rushed decision.
No hard sell. No fixed package pressure. If we're not a better fit, we'll tell you straight — and recommend what is.
Frequently asked questions
What is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme administered by IASME on behalf of the National Cyber Security Centre (NCSC). It demonstrates that a business has implemented basic cybersecurity controls across five technical areas: firewalls, secure configuration, user access control, malware protection, and security update management. It's commonly required by UK government contracts and increasingly expected by enterprise customers. Two levels exist: Cyber Essentials (self-assessment, ~£300-600 typical cost) and Cyber Essentials Plus (independently audited, ~£1,500-3,500+ typical cost depending on business size).
Does Telexico provide Cyber Essentials certification?
We don't issue Cyber Essentials certifications directly — that's done by IASME-accredited certification bodies (a separate specialism with specific assessor qualifications). What we do provide is the underlying connectivity, network, firewall and managed-IT services that help our customers achieve and maintain certification. Most UK SMEs failing Cyber Essentials on first attempt fail on items 1 (firewall/router) and 2 (secure configuration) — both of which are direct outcomes of how the network is set up. We can fix that side; the actual certification application then goes through an accredited body.
What are the five Cyber Essentials technical controls?
1. Firewalls — every internet-connected device protected by a firewall, with passwords changed from default, unnecessary services disabled.
2. Secure configuration — devices and software configured securely, unused accounts removed, default settings changed.
3. User access control — administrative privileges only granted to those who need them, separate user accounts for admin tasks.
4. Malware protection — antivirus on all devices, kept updated, scans regular.
5. Security update management — software and operating systems patched within 14 days of patches being released.
How does Telexico's standard setup help meet these controls?
Three of the five are directly affected by network setup. (1) Firewalls: our managed business broadband includes business-grade routers with proper firewall configuration — default credentials changed, unnecessary services disabled, port-blocking by default. This addresses control 1 out of the box. (2) Secure configuration: our network setups use VLAN segmentation (separating guest, EPOS, IoT, corporate traffic), proper SSID security on WiFi, and managed switch configurations — which directly addresses control 2. (3) For multi-site or larger operations, our managed networking includes centralised management, monitoring, and consistent configuration — which makes ongoing compliance auditing significantly easier. Controls 3, 4, 5 (user access, malware, patching) are typically endpoint/IT-management functions outside our core scope, though we can refer to specialist IT partners.
How much does Cyber Essentials certification cost?
Costs vary by certification body but typical 2026 UK rates: Cyber Essentials (self-assessment): £300-600 application fee depending on business size, plus internal staff time to complete the assessment (typically 4-12 hours). Cyber Essentials Plus (audited): £1,500-3,500+ depending on business size and complexity, including the assessor visit and testing. Re-certification is required annually. Total first-year cost for a typical UK SME aiming at Cyber Essentials Plus: typically £2,000-4,000 all-in. Many businesses can offset some of this through cyber insurance discounts and government contract eligibility.
Do we need Cyber Essentials?
Mandatory in some cases, recommended in others.
(1) UK government contracts — Cyber Essentials is a mandatory minimum for many government-tier procurements. If you bid for public-sector work, you typically need it.
(2) Enterprise B2B contracts — many large UK enterprises now require Cyber Essentials of their suppliers, particularly for technology/services contracts.
(3) Cyber insurance — many insurers offer significant premium discounts for Cyber Essentials-certified businesses.
(4) Regulated sectors (healthcare, financial services) — often expected alongside other compliance frameworks.
(5) General SME without these specific drivers — it's still a useful baseline of cybersecurity hygiene, but not strictly necessary.
Honest answer: assess your specific business context before pursuing certification.
What does Telexico do that helps with Cyber Essentials practically?
Concretely: business-grade managed routers with default passwords changed, unnecessary services disabled, firewall properly configured. VLAN segmentation for WiFi (guest WiFi never sees corporate traffic). Managed switches with documented configurations. WiFi 6 access points with WPA3 security and proper SSID setup. Monitoring and logging that supports audit trails. Documentation of network configuration for the assessor to review. For Cyber Essentials Plus, the assessor will test things like 'do you have a properly configured business firewall' — we can demonstrate this directly. We work with IASME-accredited assessors as partners and can refer you to one for the formal certification process.