What is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme run by the NCSC (National Cyber Security Centre) and administered through certifying bodies including IASME, QG Management Standards, Montpelier, and IT Governance. It was introduced in 2014 and has been updated regularly — the current version (v3.1, also called “Montpelier” after the latest scheme update) introduced significant changes including mandatory MFA for cloud services.
CE covers five technical control areas that protect against the most common types of cyber attack: commodity malware, phishing, exploiting known vulnerabilities, brute-force attacks, and attacks via internet-facing systems. NCSC research has consistently shown that implementing these five controls correctly would prevent around 80% of common attacks.
CE vs CE+: What’s the Difference?
| Feature | Cyber Essentials (CE) | Cyber Essentials PLUS (CE+) |
|---|---|---|
| Assessment type | Self-assessment questionnaire, reviewed by certifying body | Independent technical verification by assessor |
| External scan | No (you self-declare internet-facing systems are patched) | Yes — authenticated external vulnerability scan of all internet-facing systems |
| Internal assessment | No | Yes — assessor uses NCSC CE+ tool on a sample of devices |
| End-user device check | Self-declared | Tested on sample devices (Windows/macOS/mobile) |
| Email and web browsing test | Not tested | Phishing simulation and malicious URL blocking test |
| Cost (typical) | £300–£500 (small organisation) | £1,500–£4,000 (depends on scope and assessor) |
| Renewal | Annual | Annual |
| Required for | Many public sector contracts, cyber insurance discounts | MOD contracts, NHS Digital, some enterprise procurement requirements |
When to go for CE+: If you’re selling into UK central government, MOD, or NHS, CE+ is typically required. Enterprise customers increasingly ask for CE+ as part of vendor security questionnaires. If you’re a cloud-native SaaS with a strong security posture, CE+ is often easier than you expect — the external scan is testing the same things you should already be doing.
The Five CE Control Areas
1. Firewalls
CE requires a firewall or equivalent network boundary control between your devices/network and the internet. For cloud-native SaaS, this means AWS Security Groups, GCP Firewall Rules, or Azure Network Security Groups. The requirements are:
- Default-deny inbound: Only explicitly required ports/services should be open to the internet. Everything else blocked. This is often where companies fail — old management ports (SSH on 22, RDP on 3389) left open from initial setup.
- Host-based firewall on all devices: Windows Defender Firewall, macOS firewall, or equivalent must be enabled on all employee laptops and desktops. This catches lateral movement threats on the local network.
- No unapproved inbound services: Any externally-accessible service must be explicitly approved and documented. “I didn’t know that port was open” is a CE failure.
- Firewall rules documented and controlled: Rules must be documented. Changes must go through a process. For cloud infrastructure, IaC-managed security groups satisfy this.
Most common CE failure in this area: Default SSH access (port 22) open to 0.0.0.0/0 on cloud instances. Close it. Use AWS Systems Manager Session Manager, GCP Identity-Aware Proxy, or a bastion host with IP allowlisting instead.
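The default-deny check above can be automated against your own cloud account. This is an added example, not code from the guide or from AWS: it walks security-group data in the shape returned by boto3's `ec2.describe_security_groups()` and flags any rule that lets 0.0.0.0/0 or ::/0 reach SSH or RDP. The sample groups are constructed; with live data, pass the `SecurityGroups` list from that call instead.

```python
"""Flag AWS security-group rules that expose management ports to the internet.

Added example, not from the original page. SAMPLE_GROUPS is constructed in the
shape of boto3 ec2.describe_security_groups()["SecurityGroups"], so live data
from that call can be passed to audit_security_groups() unchanged.
"""

# Management ports CE expects closed to the internet unless explicitly approved.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample groups (not real infrastructure).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def _port_range(perm):
    """Return (low, high) for one permission; IpProtocol '-1' means all ports."""
    if perm.get("IpProtocol", "-1") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _sources(perm):
    """Yield every IPv4 and IPv6 CIDR the permission allows traffic from."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_security_groups(groups):
    """Return (group_id, port, service, cidr) for each management port open to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            low, high = _port_range(perm)
            for cidr in _sources(perm):
                if cidr not in WORLD:
                    continue
                for port, name in MANAGEMENT_PORTS.items():
                    if low <= port <= high:
                        findings.append((sg["GroupId"], port, name, cidr))
    return findings
```

Note that the IP-allowlisted bastion rule passes while the "all traffic" rule is caught even though it never names port 22 explicitly.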
2. Secure Configuration
This area is about attack surface reduction. CE requires that devices and software are configured securely — meaning defaults that create unnecessary risk are changed or removed.
- Change all default passwords: No admin/admin, no password123, no device default credentials. This includes office routers, NAS devices, cloud console accounts, and any software with a default credential set. One of the top-failed CE controls.
- Remove unnecessary services: Telnet, FTP, SNMP v1/v2 (unencrypted), and other legacy protocols must be disabled. Cloud instances: review what’s running and disable what’s not needed.
- Separate admin accounts: Standard user accounts for day-to-day work; dedicated admin accounts for privileged tasks. Admin accounts should not be used for email and web browsing. This also ties into reducing blast radius if a phishing email is clicked.
- Auto-run disabled: Windows AutoRun/AutoPlay for removable media must be disabled. Minor control but tested in CE+ device assessment.
3. User Access Control
The access control requirements in CE 2023 were significantly updated, particularly around MFA. The key requirements are:
- Accounts only for legitimate users: No orphaned accounts. Prompt deprovisioning when employees leave. Regular access reviews.
- Least privilege: Standard user accounts cannot install software or change security settings. This is enforced by not giving users local admin rights. For cloud infrastructure, use IAM roles with minimal permissions.
- MFA for all cloud services: This is the biggest change in CE v3.1. MFA is now mandatory for all cloud services accessible from the internet — Microsoft 365, Google Workspace, AWS Console, GitHub, Salesforce, etc. SMS MFA is acceptable. TOTP (Google Authenticator, Authy) or hardware keys are better. No exceptions.
- MFA for all remote access: VPN, RDP, SSH — all require MFA. No MFA on your VPN is an automatic CE failure.
- Password policy: Minimum 8 characters (or 6 if MFA is enforced). Admin accounts: minimum 12 characters. No mandatory rotation unless compromised (NCSC explicitly deprecated regular rotation). Account lockout after repeated failures.
Most common CE failure in this area: MFA not enforced on Microsoft 365 or Google Workspace for all users. Or MFA enabled but with a legacy authentication bypass that lets older mail clients connect without MFA. Disable legacy authentication.
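For the AWS Console side of the "MFA for all cloud services" requirement, the IAM credential report is the quickest evidence of who can sign in without MFA. This is an added example, not code from the guide or from AWS: the CSV is constructed in the column layout of `iam.get_credential_report()` (fake user names and a placeholder account ID), and the function lists console logins with no MFA device, including the root account.

```python
"""List IAM console users without MFA from an AWS credential report.

Added example, not from the original page. SAMPLE_REPORT is constructed in the
column layout of iam.get_credential_report()["Content"]; with live data, pass
the decoded CSV text to users_without_mfa().
"""
import csv
import io

# Constructed sample report (fake users, placeholder account ID 123456789012).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T10:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T10:00:00+00:00,N/A,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T10:00:00+00:00,true,no_information,2023-11-10T10:00:00+00:00,N/A,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-01T10:00:00+00:00,false,N/A,N/A,N/A,false
"""


def users_without_mfa(report_csv):
    """Return user names that can sign in to the console but have no MFA device.

    Access-key-only users (password_enabled == 'false') are skipped because they
    have no console login. The root account reports 'not_supported' for
    password_enabled but always has a console login, so it is checked as well.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        has_console = row["password_enabled"] in ("true", "not_supported")
        if has_console and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings
```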
4. Malware Protection
CE requires active malware protection on all in-scope devices that process or store organisational data.
- Anti-malware on all devices: Windows: Windows Defender (built-in, free) is acceptable if active and up to date. macOS: requires a third-party solution (Malwarebytes, Sophos, CrowdStrike Falcon Go, SentinelOne, or similar) — macOS does not include a traditional AV. Linux workstations: ClamAV or commercial AV required.
- Auto-updated definitions: Signatures must update automatically (at least daily). Manual updates or infrequent updates are a failure. Verify via MDM that auto-update is enforced.
- Web browsing protection: CE v3.1 added web filtering as a malware protection control. DNS filtering (NextDNS, Cloudflare Gateway/for Teams, Cisco Umbrella) or browser-based malicious site blocking satisfies this. The free NextDNS plan or Cloudflare Gateway are zero-cost options.
- Application controls (CE+ specific): CE+ assesses whether users can install arbitrary software. Standard user accounts (no local admin) are the CE approach to controlling this. Allowlisting is recommended but not mandatory for CE.
5. Patch Management
Patch management requirements in CE are specific and strict:
| Asset type | CE requirement | Common failure |
|---|---|---|
| Operating systems | Patches applied within 14 days of release | Manual patching process that lags 30+ days |
| Applications (browsers, Office, etc.) | Patches applied within 14 days of release | Chrome auto-updates off; Office on old version |
| Mobile OS (iOS, Android) | Supported version required; patches within 14 days | Employees on unsupported iOS/Android |
| Firmware (routers, firewalls) | Up to date | Office router on original firmware from 2019 |
| End-of-life software | Prohibited — automatic CE failure | Windows 7, Server 2008, EOL macOS |
Most common CE failure in this area: Using an end-of-life operating system. Windows 7, Windows Server 2008/2012 R2 (without ESU), macOS versions no longer receiving Apple security updates — these are automatic CE failures. There is no exception process for EOL software. Either upgrade or scope it out of the assessment.
For cloud-native SaaS, the server-side patching challenge is different: you’re responsible for your OS patches on EC2/GCE instances. AWS Patch Manager, GCP OS Config, or equivalent must be configured. Managed services (RDS, Cloud SQL, Lambda) handle OS patching for you — document this explicitly for the assessor.
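The 14-day window and the EOL ban are easy to check mechanically once you have a patch export. This is an added example, not code from the guide: the inventory rows, patch release dates and EOL register are constructed (in practice they come from your MDM or patch-manager export), and a patch that is still missing is measured from its release date to today, so a device that has simply not installed anything fails once the window passes.

```python
"""Check a device inventory against the CE 14-day patch window and the EOL ban.

Added example, not from the original page. The inventory, patch release dates
and EOL register below are constructed; feed assess_inventory() your own
MDM / patch-manager export in the same shape.
"""
from datetime import date

PATCH_WINDOW_DAYS = 14

# Constructed EOL register: (os, version) pairs treated as unsupported.
EOL_VERSIONS = {("Windows", "7"), ("Windows Server", "2008"), ("Windows Server", "2012 R2")}

# Constructed inventory: release date of the latest vendor patch and the date it
# was installed (None if it has not been installed yet).
SAMPLE_INVENTORY = [
    {"host": "lap-01", "os": "Windows", "version": "11",
     "released": date(2024, 5, 14), "installed": date(2024, 5, 20)},
    {"host": "lap-02", "os": "macOS", "version": "14",
     "released": date(2024, 5, 13), "installed": None},
    {"host": "srv-01", "os": "Windows Server", "version": "2012 R2",
     "released": date(2023, 10, 10), "installed": date(2023, 10, 11)},
    {"host": "srv-02", "os": "Ubuntu", "version": "22.04",
     "released": date(2024, 5, 1), "installed": date(2024, 5, 25)},
]


def assess_device(row, today):
    """Return (status, reason): 'fail' for EOL software or a patch applied
    (or still outstanding) more than PATCH_WINDOW_DAYS after release."""
    if (row["os"], row["version"]) in EOL_VERSIONS:
        return "fail", f"{row['os']} {row['version']} is end-of-life"
    applied = row["installed"] or today  # missing patch: the clock is still running
    lag = (applied - row["released"]).days
    if lag > PATCH_WINDOW_DAYS:
        state = "installed" if row["installed"] else "still missing"
        return "fail", f"patch {state} {lag} days after release"
    return "pass", f"patched within {lag} days"


def assess_inventory(rows, today):
    """Map host -> (status, reason) for every inventory row."""
    return {r["host"]: assess_device(r, today) for r in rows}
```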
What CE+ Assessors Test
If you’re going for CE+, here is what the independent assessment actually involves:
- External vulnerability scan: The assessor will scan all your internet-facing IP addresses and domains using an NCSC-approved scanning tool. They’re looking for: open ports that shouldn’t be open, services without MFA, unpatched externally-visible services (outdated TLS, missing patches on web-facing apps), and known CVEs in your external-facing systems. Prepare by running your own external scan (Qualys Community, Shodan, nmap) before the assessment.
- Internal network assessment: The assessor uses the NCSC CE+ tool on your internal network. They check: devices visible on the network, open shares, unencrypted protocols, internal patch status.
- End-user device assessment: A sample of laptops is tested — typically 5 devices across Windows and macOS. Checks: OS version, patch status, AV status, browser version, disk encryption, firewall enabled, standard user account (not admin), auto-run disabled.
- Email and web browsing test: A test phishing email is sent and a test malicious URL is visited. Your malware protection and web filtering should block these.
How to Prepare in 30 Days
- Week 1 — Critical fixes: Enable MFA on all cloud services and remote access. Change all default passwords. Close unnecessary open ports on cloud security groups. Ensure all devices have active, auto-updating malware protection.
- Week 2 — Patch sweep: Update all operating systems and applications. Replace any EOL software. Update router/firewall firmware. Enable auto-updates on all devices via MDM or group policy.
- Week 3 — Configuration hardening: Remove local admin rights from standard user accounts. Disable auto-run/auto-play on Windows. Disable legacy authentication in Microsoft 365 / Google Workspace. Set up DNS filtering for web browsing protection.
- Week 4 — Documentation and submission: Complete the CE self-assessment questionnaire (via your chosen certifying body’s portal). Document your firewall rules, access control policies, and patch management process. Submit for certifying body review.
Cost Breakdown
| Item | CE | CE+ |
|---|---|---|
| Certifying body fee (IASME) | £300 (1–24 employees), £450 (25–250) | £1,500–£4,000+ (assessor-dependent) |
| MDM (Jamf, Mosyle, Intune) | £0–£150/month (Mosyle Business free for <30 Apple devices) | Same |
| DNS filtering | £0 (NextDNS free plan, Cloudflare Gateway free) | Same |
| macOS AV (if needed) | £30–£80/device/year (Malwarebytes Teams, Sophos Home Premium) | Same |
| Internal IT time | ~20–40 hours for gap remediation | ~30–60 hours (plus assessor access coordination) |
Generate Your Cyber Essentials Gap Report
Use the Cyber Essentials Compliance Checklist Generator to assess your CE readiness across all 22 controls. Get a personalised gap report with prioritised remediation steps, certifying body guidance, and a 30-day remediation checklist.
Related generators: Information Security Policy, Network Security Policy, Access Control Policy, Password & Authentication Policy, Vulnerability Management Policy.
Related reading: Network Security Policy Guide, Password Policy Guide, ISO 27001 vs SOC 2 Guide.
⚠️ This guide is for informational purposes only and does not constitute official Cyber Essentials certification advice. CE requirements are updated periodically by NCSC — always check the current scheme requirements on the NCSC website and work with an NCSC-approved certifying body.