Cyber Essentials is a UK government-backed scheme that asks every certified organisation to demonstrate five basic security controls. For SMEs, the work is much less about the controls themselves and more about gathering and maintaining evidence.
Understand the five control areas
The five control areas are firewalls, secure configuration, user access control, malware protection and security update management. Every requirement maps to one of these.
Define scope honestly
Scope drives the assessment. Keep it accurate; do not under-scope to make life easier.
Pick an evidence home
Whether it is a workspace tool, a folder structure or a spreadsheet, evidence needs a single home with metadata.
Run it as an ongoing process
Cyber Essentials is annual. Most pain comes from treating it as a one-off.
Book a slot with an assessor
When you're ready, book your assessment through an accredited assessor body. Allow 60–90 days of prep.
Practical examples
20-person consultancy
Laptops, Microsoft 365, accounting SaaS, design SaaS, ISP router. Asset register + per-control evidence covers it.
50-person engineering firm
Add servers, mobiles, project SaaS and CAD systems. Same controls, broader scope.
10-person agency
Mostly cloud-first. MFA evidence and admin lists dominate.
Common mistakes
Treating CE like ISO 27001
Cyber Essentials is much narrower. Don't over-document.
Skipping renewal prep
Annual renewal is mandatory — plan it like a small project.
Hiding scope problems
Under-scoping invalidates the certificate. Be honest.
Evaud helps organise Cyber Essentials evidence and readiness information. It is not a certification body and does not guarantee certification.