4–8 weeks audit to certification
Fixed price agreed before any work begins
Full process audit, remediation & submission
Annual renewal managed by WikiTech
CE & CE+both levels supported
IASMEaccredited certifying body
Remediation includedwe fix what you’d fail on
ISO 27001gap analysis also available
Why Cyber Essentials matters

It’s not just a certificate. It’s becoming a requirement.

Cyber Essentials is the UK government’s baseline cybersecurity certification, backed by the NCSC and covering five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. These aren’t arbitrary checkboxes. Most cyberattacks don’t rely on sophisticated techniques. They exploit outdated software, weak credentials, unmanaged devices, and misconfigured firewalls. Cyber Essentials forces businesses to close those gaps and independently verify that they have.

For many businesses it starts as something they’re asked for by a client, a procurement team, or an insurer. That’s a legitimate reason to pursue it. But done properly rather than as a tick-box exercise, certification also delivers a meaningful improvement in actual security posture. WikiTech handle the full process (audit, remediation, submission, and assessor liaison) so you arrive certified having genuinely improved your security, not just answered a questionnaire.

Required for UK government contracts

Any business tendering for UK government contracts that involve handling personal data or providing certain technical services must hold Cyber Essentials certification. Without it, you can’t bid.

Cyber insurance premium reductions

Many insurers now require Cyber Essentials as a baseline before offering cyber insurance at all, and certified businesses typically receive lower premiums than uncertified equivalents.

Increasingly required by larger clients

Enterprise procurement teams and supply chain compliance programmes are increasingly asking suppliers to evidence Cyber Essentials certification before onboarding. It’s becoming a commercial requirement, not just a technical one.

Protection against the most common attacks

The NCSC estimates that Cyber Essentials protects against up to 80% of the most common cyberattacks. The five controls it requires are the basics, but most breaches exploit exactly these gaps.

Choosing the right level

Cyber Essentials vs Cyber Essentials Plus.

Both certifications are built on the same five controls. The difference is in how compliance is verified.

Level 1

Cyber Essentials

Self-assessed against the five controls, reviewed and verified by an external assessor.

  • Questionnaire completed and submitted by WikiTech on your behalf
  • External assessor reviews and verifies your answers
  • Certificate issued on approval
  • Valid for 12 months; annual renewal required
  • IASME certification fee based on organisation size
  • Listed on the NCSC’s public register of certified organisations
Best forBusinesses seeking baseline certification, government contract eligibility, or insurance compliance.
Level 2

Cyber Essentials Plus

Everything in CE, plus independent technical verification by an assessor: hands-on testing of your actual systems.

  • Everything included in Cyber Essentials
  • Assessor performs independent technical testing of your live environment
  • Vulnerability scanning, configuration checks, and penetration testing elements
  • Higher level of assurance for clients, insurers, and procurement teams
  • Required for some government frameworks and defence supply chain contracts
  • WikiTech prepare your environment to pass the technical assessment
Best forBusinesses in regulated sectors, defence supply chain, or those required by clients to hold CE+.
Our process

We don’t just submit your answers. We make sure you pass.

Four steps from initial audit to certified, with WikiTech managing every part of it.

01

Pre-submission audit

Before anything is submitted, we review your environment against every Cyber Essentials requirement. We document exactly what you’d fail on (end-of-life hardware, missing MDM, firewall configuration, access controls, patch status) and produce a clear remediation plan with a fixed-price quote to resolve it.

02

Remediation

We fix the gaps. This might mean replacing an end-of-life firewall or router, implementing Intune for device management, configuring Conditional Access and compliance policies, tightening user account controls, or creating missing policies such as joiners/leavers guides. Nothing is submitted until your environment meets the standard.

03

Submission

We complete and submit the certification questionnaire on your behalf. We know what assessors look for and how to present your environment accurately and in the best light. We liaise directly with the assessor throughout, so you don’t have to deal with the process at all.

04

Certification & ongoing maintenance

Once certified, we manage your annual renewal and keep your environment maintained to the Cyber Essentials standard throughout the year. Renewal is a formality, not a scramble, because we haven’t let the controls slip in the twelve months since you last certified.

Why independence matters

WikiTech are not your assessor. That’s a good thing.

WikiTech are not an IASME-accredited assessor, and we deliberately keep it that way. Our job is to get your environment compliant. An independent, IASME-accredited assessor then reviews and certifies that you meet the standard. Two separate organisations, two separate sets of eyes.

That separation gives you double assurance: our expertise getting you to the standard, and an independent body confirming you’ve arrived. Your certificate means something, because it was issued by someone with no stake in whether you passed.

A word of caution

Some providers mark their own homework.

Some IT providers and certifiers perform both roles: they implement the controls and act as the assessor who signs off your certification. The scheme allows for this in certain circumstances, but it undermines the purpose of independent verification.

If the same organisation that set up your IT is also certifying that it meets the standard, the independence the certification is built on disappears. There is a clear incentive for them to pass you, and as the case study below illustrates, that can mean businesses holding a certificate that reflects neither their actual security nor a genuine independent review.

WikiTech will never act as your assessor. We help you get there; IASME certify that you have.

Common failure points

What most businesses get caught out on.

These are the most common reasons businesses fail Cyber Essentials, and exactly what our pre-submission audit is designed to catch and fix before submission.

End-of-life devices or software

Any device running an unsupported operating system (Windows 10 after October 2025, old macOS versions) is an automatic failure. This catches a lot of businesses off guard.

WikiTech fix: Device audit, upgrade or replacement plan

No mobile device management

If staff use mobile phones or tablets to access company email or data, those devices must be managed and compliant. Unmanaged personal devices accessing company systems is a common failure point.

WikiTech fix: Microsoft Intune MDM deployment

Weak or missing MFA

Multi-factor authentication is now required on all internet-facing accounts, including Microsoft 365, email, remote access, and cloud services. Many businesses have MFA partially deployed but not across all accounts.

WikiTech fix: MFA audit and full Conditional Access rollout

Firewall or router configuration

Default firewall configurations, open ports that shouldn’t be open, or consumer-grade routers used in a business context often fail the firewall requirements. Home routers in a hybrid-work environment are a common issue.

WikiTech fix: Firewall review, configuration or replacement

Admin account misuse

Staff using administrator accounts for day-to-day work, or accounts with admin privileges that don’t need them, fails the user access control requirement. Principle of least privilege must be applied.

WikiTech fix: Account audit and privilege review

Missing policies and procedures

Cyber Essentials requires documented policies: joiners/leavers processes, new user forms, acceptable use policies. Many businesses operate these informally and have nothing written down.

WikiTech fix: Policy documentation as part of remediation
Real example · anonymised client

Certified, but not compliant.

A cautionary story about what happens when the same provider implements and certifies their own work.

£500/month for cyber assurance. £1,500/year for renewal. And they should never have passed.

When WikiTech took on a new client who held Cyber Essentials certification, we expected to manage a straightforward annual renewal. What we found instead raised serious questions about how they’d passed in the first place.

Previous MSP charging£500/monthcyber assurance retainer
Annual renewal fee£1,500/yearcharged by same provider

What WikiTech found when we came to do the renewal

MFA not fully deployed

Multi-factor authentication was only partially enabled. Some accounts had it, many didn’t. MFA on all internet-facing accounts is a basic Cyber Essentials requirement, and partial rollout is an automatic failure.

End-of-life firewalls

The firewalls in place had been out of manufacturer support for two years. End-of-life network equipment that no longer receives security patches is an instant failure, and had been throughout the previous certification period.

No mobile device management

Staff were accessing company email and data on unmanaged mobile devices with no MDM in place. There was no enrolment, no compliance policy, and no controls over what those devices could access.

Missing policies

No documented new user onboarding process, no formal leaver procedure, and no acceptable use policy. Required documentation for Cyber Essentials, and none of it existed.

Every one of these is a clear, unambiguous failure against the Cyber Essentials standard. This business had been holding a certificate, and paying a premium for it, while remaining exposed to exactly the threats that certificate is meant to protect against. WikiTech remediated every gap and put them through a genuine certification with an independent IASME assessor. They passed, properly, for the first time.

Pricing

Transparent pricing, fixed before we start.

IASME certification fees are set by organisation size. Our time for scoping, remediation, and submission depends on the current state of your environment. We assess first and give you a fixed-price proposal before any work begins.

Micro
0–9 employees
IASME fee£320
Our time£750–£1,500
Typical total£1,050–£1,800
Small
10–49 employees
IASME fee£440
Our time£1,000–£2,500
Typical total£1,450–£2,950
Medium
50–249 employees
IASME fee£500
Our time£2,500–£7,500
Typical total£3,000–£8,000
These prices cover standard Cyber Essentials certification. The range reflects the reality: a business that already has MDM, MFA, and a compliant firewall needs far less remediation than one starting from scratch. We assess your environment first, tell you exactly where you stand, and give you a fixed-price proposal before any work begins. All prices ex VAT. IASME fees are charged at the rate published on the IASME website. No surprises.
Cyber Essentials Plus

Quoted monthly · price on application

Cyber Essentials Plus involves independent hands-on testing of your systems and significantly more verification work than standard CE. Staying compliant isn’t a once-a-year exercise, so we price CE+ as a monthly figure that covers the regular checks needed to keep your environment at the standard year-round.

The monthly price depends on your user count and infrastructure, so it’s quoted on application after we’ve assessed your environment.

Request a CE Plus quote
Staying certified

Certification is annual. We make renewal effortless.

Cyber Essentials certification lasts 12 months. Many businesses that handle the initial certification themselves find that renewal becomes a problem, because the controls have drifted, devices have gone out of date, or staff changes have introduced gaps that nobody noticed.

For WikiTech clients, renewal is straightforward, because we maintain your environment to the Cyber Essentials standard throughout the year as part of managed IT. Patch management, device compliance, access reviews, firewall configuration: these aren’t things we do once for the certification and then forget. They’re part of how we run your IT.

When your renewal comes around, we carry out a pre-submission check, confirm everything is still in order, and submit. It’s a formality, not a project.

What we maintain year-round for Cyber Essentials compliance

Patch management: operating systems and software kept up to date across all devices

Device compliance via Intune: enrolled, managed, and monitored year-round

MFA and Conditional Access: enforced across all accounts, reviewed when users join or leave

Firewall and network configuration: maintained, reviewed, and updated as your environment changes

Joiners and leavers: account provisioning and deprovisioning managed to standard

Pre-renewal audit: full check before submission so there are no surprises

Common questions

Cyber Essentials questions we get asked

Typically 4–8 weeks from initial assessment to certification, depending on how much remediation is needed. We complete the pre-audit, fix everything that would cause a failure, then submit. You’re not left doing the form-filling yourself; we handle the whole process and liaise with the assessor directly.

Cyber Essentials is sufficient for most businesses: government contract eligibility, insurance requirements, and supply chain compliance. CE+ is required by some specific government frameworks and certain defence or regulated sector contracts. If you’re unsure, we’ll advise based on your situation.

That’s exactly what the pre-submission audit is for. We identify everything you’d fail on before anything is submitted, fix it as part of the engagement, and only submit once your environment meets the standard. You won’t be failed and left to figure out remediation yourself.

Yes. We work with businesses who want Cyber Essentials certification independently of their managed IT arrangement. We carry out the audit, handle remediation, and manage the submission. If you want to move your IT to WikiTech at the same time, that’s straightforward to arrange, but it’s not a requirement.

Yes, if it’s done properly. The five controls cover the basics that the majority of successful cyberattacks exploit. Businesses that take the requirements seriously rather than treating it as a tick-box exercise end up with meaningfully better security. That’s how we approach it.

Cyber Essentials is a good starting point. ISO 27001 is a far more comprehensive information security management standard, typically required by larger enterprises and certain regulated sectors. WikiTech offer ISO 27001 gap analysis for businesses looking to understand what achieving the standard would involve.

Ready to get certified?

Book a free assessment and we’ll tell you exactly where your environment stands against the Cyber Essentials requirements, and what it would take to get certified.

Most calls answered within 4 rings  ·  ENQUIRIES 020 3822 0899  ·  SUPPORT 01622 586 001