vCISO Explainer Part 3 - Cyber Essentials Achieved — What Most Organisations Think That Means (And Why They're Wrong)

Cyber Essentials is genuinely useful. That needs to be said clearly, because this article is about its limits — and those limits only matter in the context of something worth doing in the first place.
If you have achieved Cyber Essentials, you have demonstrated that five foundational security controls are in place. That is not nothing. It reduces your exposure to a significant category of commodity attacks and tells clients, suppliers, and insurers that your organisation has met a minimum standard.
The problem is the word 'minimum.' Somewhere between achieving the certification and running the business, many organisations quietly promote it to something it was never designed to be.
The Problem
Cyber Essentials covers five technical control areas: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. Pass the assessment and you can credibly say those controls are in place and functioning at the required level.
What it does not assess: your incident response capability, your staff awareness and human risk, your supply chain risk, your cloud environment beyond basic configuration, your data handling practices, your governance structure, your business continuity plans, or whether anyone in your organisation can answer the question 'what would we do if this went wrong?'
A useful analogy: Cyber Essentials is the equivalent of passing your driving test. It confirms you meet the standard required to be on the road. It says nothing about whether you drive carefully, whether you maintain the vehicle, whether you understand the risks of the roads you use, or what you would do in an emergency.
Passing the test is the right thing to do. Believing it means you are a safe driver is a different matter.
The Consequences
Organisations that treat Cyber Essentials as a sufficient security posture tend to share certain characteristics when incidents occur.
They are surprised. The certification provided a sense of assurance that was not grounded in a genuine understanding of ongoing exposure. The attack did not come through one of the five control areas — it came through something CE was never designed to cover.
They struggle with notification obligations. UK GDPR requires notification to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. Organisations without an incident response plan, clear data mapping, or a designated person responsible for data breach management often miss this window, adding regulatory risk to an already difficult situation.
They cannot demonstrate governance. When the ICO, an insurer, or a client asks what governance was in place around the certified controls — who was reviewing them, how often, whether they had been re-assessed as the business changed — the honest answer is often 'nobody.' Certification without ongoing governance is a snapshot, not a posture.
What This Is
Cyber Essentials Plus goes further, adding hands-on technical verification by an assessor on top of the self-assessment. ISO 27001 extends the scope to a full information security management system. These are genuinely more robust.
But even ISO 27001 is a framework, not a guarantee. Frameworks tell you what a good programme looks like. They do not replace the need for someone who owns the risk, reports to the board, and ensures the programme stays relevant as the business evolves.
Certification is an input to governance. It is not a substitute for it.
Why It Matters
The reason this matters commercially is that the gap between what your certification covers and what your actual risk exposure is, is where your liability lives.
If your organisation suffers an incident in an area not covered by Cyber Essentials, and you cannot demonstrate that anyone was governing your broader risk posture, the certification will not protect you. Not with your insurer. Not with the ICO. Not with clients whose data was affected.
The certification demonstrates you did something. Governance demonstrates you took it seriously.
How We Can Help
Our Cyber Essentials eBook walks through exactly what the certification covers, where the gaps are, and what a mature programme beyond CE looks like in practice. It is the most direct reading companion to this article. If you have achieved Cyber Essentials and want to understand what a genuine risk governance programme would look like on top of it, a conversation with our team is the right next step.
Questions and Answers
We've just been told Cyber Essentials is mandatory for our government contracts. Isn't that enough?
For the purposes of the contract requirement, yes. But the contract requirement is a procurement threshold, not a risk management standard. The certification satisfies your client. Your actual risk posture is a separate question.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is self-assessed. You answer a questionnaire about your controls and a certification body reviews your answers. Cyber Essentials Plus adds hands-on technical testing by an assessor to verify the controls are actually in place and functioning: typically an external vulnerability scan of your internet-facing boundary, an authenticated vulnerability scan of a sample of in-scope devices, and tests that malware protection blocks malicious email attachments and browser downloads. CE Plus is more robust and carries more weight with insurers and clients.
Does achieving Cyber Essentials affect our cyber insurance premium?
Typically yes — many insurers recognise CE or CE Plus as a positive indicator. However, insurers increasingly look beyond certification at the governance structure around it. A certified organisation with no evidence of ongoing risk management may find that certification alone is insufficient at claim time.
How often do we need to renew Cyber Essentials?
Annual renewal is required to maintain the certification. The renewal assesses your controls as they stand at the point of re-assessment. It does not provide continuous assurance in between assessments.
We're ISO 27001 certified. Does this article apply to us?
ISO 27001 is a significantly more comprehensive standard. If it is actively maintained and your ISMS is genuinely embedded, you are in a better position than most. The question to ask is whether the standard is being managed as a live governance programme or as a certification that gets renewed. The quality of ISO 27001 implementation varies considerably.
Summary
Cyber Essentials is a worthwhile and important baseline. It is not a risk management programme. Treating it as one leaves a gap between what you believe your posture is and what it actually is — and that gap is where real risk lives.
Henry Lawrence
Henry is the Managing Director of ITbuilder. He is also a CISM professional with more than 7 years' experience leading cyber security strategy and transformation initiatives across public and private sector clients. He has a strong track record of delivering maturity assessments, cyber governance models, and Secure by Design programmes in financial services, the public sector and energy and utilities.
