Purpose of Cyber Essentials
Cyber Essentials is a UK government‑backed scheme that specifies a basic set of cyber‑security controls. Organisations that implement the controls are far less likely to suffer common cyber attacks; the government notes that companies with the controls in place make 92% fewer cyber‑insurance claims. Certification also shows customers and suppliers that you take security seriously and is a requirement for many UK public‑sector contracts.

Cyber Essentials Plus
Cyber Essentials Plus includes the same controls but adds an independent technical audit of a sample of devices and services.
Current Standard – v3.2
If you are applying for Cyber Essentials today, you must align your infrastructure with v3.2. However, if your certification is not due until the summer of 2026, you should begin adopting the v3.3 standards, particularly regarding how your team interacts with AI tools and how you manage IoT devices on your network.
Next Standard – v3.3 (From 27th April 2026)
The NCSC and IASME have confirmed that the next update to the standard, Version 3.3, will officially go live on 27th April 2026. This updated version will automatically apply to all new assessment accounts created on or after this date. If you create your assessment account on or before 26th April 2026, you will still be assessed against the current v3.2 requirements and will have six months from your registration date to complete the process.
As a business, it is vital to prepare for these changes early, particularly regarding the increased focus on AI governance, IoT firmware, and asset management. For any organisation planning to start their certification journey in late April or May 2026, we strongly recommend aligning your infrastructure and policies with the v3.3 requirements now to ensure a smooth transition and a successful audit.
Key Changes in 3.3
- AI and LLMs: Version 3.3 introduces the first official mention of Artificial Intelligence. It mandates that any AI tool used for business data must be treated as “Software” and is subject to the same User Access Control and Security Update requirements.
- Infrastructure as Code (IaC): For development-heavy firms, 3.3 acknowledges IaC. It allows for “Automated Auditing” of configurations if the build pipeline can prove it adheres to the Secure Configuration standards.
- Asset Management: A stronger emphasis on maintaining an accurate Asset Register. While a register was always “expected,” 3.3 makes it a technical failure if a device found on the network cannot be accounted for in the register.
- Firmware is Software: Explicitly states that firmware for “Smart” devices (IoT) in the office (like smart printers or thermostats) is in scope for the 14-day patching rule if the devices are on the same network as the data.
