Cyber Essentials Certification for UK Tenders

Complete guide to Cyber Essentials and Cyber Essentials Plus certification for UK government tenders. Requirements, costs, timeline, and how to pass the assessment.

  • 80% of attacks prevented
  • 12 months validity period
  • 1-4 weeks to certify
  • £300+ certification cost

  • Five Key Controls - Master the core security requirements
  • Fast Certification - Get certified in as little as 1 week
  • Affordable Entry - Starting from just £300 for basic level
  • Tender Essential - Required for 80% of government contracts

Cyber Essentials Certification for UK Government Tenders

Since 2014, Cyber Essentials has been mandatory for all suppliers bidding for UK government contracts involving sensitive or personal data. This guide covers everything you need to know about obtaining and maintaining Cyber Essentials for tender success.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme that demonstrates your organisation has implemented basic cyber security controls. It comes in two levels:

  • Cyber Essentials - Self-assessment verified by an external certification body
  • Cyber Essentials Plus - Includes hands-on vulnerability testing

When is Cyber Essentials Required?

Mandatory for:

  • All central government contracts handling personal data
  • Contracts marked as 'OFFICIAL' or above
  • Any contract specifically requesting it (increasing to 80% of all government tenders)
  • Ministry of Defence suppliers
  • NHS Digital suppliers

Often Required by:

  • Local authorities
  • Housing associations
  • Education institutions
  • Blue light services

The Five Key Controls

Cyber Essentials assesses five critical security controls:

1. Firewalls

  • Boundary firewalls and internet gateways
  • Personal firewall software on all devices
  • Configuration and rule management

2. Secure Configuration

  • Removing unnecessary software
  • Disabling auto-run features
  • Authentication for administrative accounts
  • Changing default passwords

3. User Access Control

  • User account management
  • Administrative privilege control
  • Authentication methods
  • Password policies

4. Malware Protection

  • Anti-malware software deployment
  • Regular signature updates
  • Scanning protocols

5. Security Update Management

  • Operating system patches
  • Application updates
  • Firmware updates
  • Update scheduling and testing

Certification Process

Cyber Essentials (Basic)

Timeline: 1-4 weeks

  1. Choose accredited certification body (£300-500)
  2. Complete self-assessment questionnaire
  3. Submit supporting evidence
  4. Receive external review
  5. Address any issues raised
  6. Receive certificate (valid 12 months)

Cyber Essentials Plus

Timeline: 2-6 weeks

  1. Achieve basic Cyber Essentials first
  2. Schedule vulnerability assessment (£1,500-3,000)
  3. External testing of your systems
  4. Remediate any critical vulnerabilities
  5. Retest if necessary
  6. Receive Plus certificate (valid 12 months)

Common Tender Requirements

Typical Questions:

  • "Do you hold a current Cyber Essentials certificate?"
  • "Please provide your Cyber Essentials certificate number"
  • "When does your certification expire?"
  • "Do you commit to maintaining certification throughout the contract?"

Required Evidence:

  • Certificate copy (PDF)
  • Certificate number
  • Certification body name
  • Issue and expiry dates
  • Scope of certification

Costs Breakdown

Cyber Essentials (Basic)

  • Certification fee: £300-500
  • Consultant support (optional): £500-1,500
  • Internal preparation time: 20-40 hours
  • Total: £300-2,000

Cyber Essentials Plus

  • Plus assessment: £1,500-3,000
  • Remediation costs: Variable
  • Consultant support: £1,000-3,000
  • Total: £2,500-6,000+

Annual Renewal

  • Recertification required every 12 months
  • Costs similar to initial certification
  • Often quicker process (1-2 weeks)

Preparation Checklist

Before You Apply:

  • [ ] Inventory all devices and software
  • [ ] Update all operating systems
  • [ ] Install antivirus on all devices
  • [ ] Configure firewalls properly
  • [ ] Document your IT policies
  • [ ] Review user access rights
  • [ ] Change all default passwords
  • [ ] Enable automatic updates where possible

Common Failure Points:

  • Out-of-date software versions
  • Unsupported operating systems (Windows 7, Server 2008)
  • Missing patches or updates
  • Weak password policies
  • Excessive admin privileges
  • No antivirus on some devices

Alternative Evidence

If you don't have Cyber Essentials yet, you can sometimes provide:

  • ISO 27001 certification
  • Evidence of application in progress
  • Detailed cyber security policy
  • Commitment to obtain within 3 months

However, this is increasingly rare - most buyers insist on current certification.

Benefits Beyond Tender Requirements

Business Advantages:

  • Reduced cyber insurance premiums (up to 20%)
  • Customer confidence and trust
  • Protection against 80% of common attacks
  • Marketing advantage
  • Supply chain credibility

Operational Benefits:

  • Improved security posture
  • Clear security baseline
  • Regular security reviews
  • Incident reduction
  • Staff awareness

Sector-Specific Requirements

Central Government

  • Cyber Essentials Plus often preferred
  • Annual penetration testing may be required
  • Additional NCSC guidance compliance

NHS and Healthcare

  • Must align with Data Security and Protection Toolkit
  • Patient data handling requirements
  • Clinical system considerations

Defence and Security

  • Cyber Essentials Plus minimum
  • Additional Defence Cyber Protection Partnership requirements
  • Supply chain security assessments

Maintaining Compliance

Throughout the Year:

  • Keep software updated monthly
  • Review user access quarterly
  • Test backup procedures
  • Monitor for new vulnerabilities
  • Document any IT changes

Pre-Renewal:

  • Review previous assessment feedback
  • Check for IT environment changes
  • Update asset inventory
  • Verify all controls still in place
  • Book assessment early (60 days before expiry)

Using RFP Quest

Our platform helps you:

  • Track certification expiry dates
  • Identify tenders requiring Cyber Essentials
  • Generate compliance statements
  • Store certificate copies securely
  • Alert you to renewal deadlines

FAQs

Q: Can we self-certify?
A: No, certification must be through an IASME-accredited body.

Q: What if we're a micro business?
A: Requirements apply regardless of size, but costs may be lower.

Q: Can we exclude some systems?
A: Only if they're completely isolated from systems handling contract data.

Q: How quickly can we get certified?
A: Basic can be achieved in 1-2 weeks if systems are ready.

Q: What if we fail the assessment?
A: You can remediate issues and resubmit, usually within 30 days.

Next Steps

  1. Assess your readiness - Use free online tools
  2. Choose certification body - Compare prices and services
  3. Prepare your systems - Follow the checklist above
  4. Book assessment - Allow adequate time
  5. Maintain compliance - Set up ongoing processes


Ready to Win More Bids?

Join UK businesses preparing to use RFP Platform Quest. Register early for exclusive access when we launch in Q1 2026.