Cyber Essentials for UK Software Companies — The 5 Controls Explained (2025)

🛡️ NCSC Certified🏛️ Gov Contracts Mandatory📋 5 Controls☁️ Cloud Scope💷 From £1,500🔒 ISO 27001 Aligned
June 202510 min readClickMasters Compliance Team

Direct Answer

Cyber Essentials is a UK government-backed cybersecurity certification scheme administered by NCSC. It is mandatory for any UK business bidding for government contracts that involve handling sensitive or personal information. Certification requires meeting five technical controls: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Patch Management. ClickMasters builds software that meets all five Cyber Essentials controls by default — and maintains Cyber Essentials alignment through our software maintenance retainers.

The 5 Cyber Essentials Controls — What They Mean for Software

Cyber Essentials Basic vs Cyber Essentials Plus

Important: Cyber Essentials certification applies to your organisation's entire "scope" — all devices, services, and software that can access your data or be accessed from the internet. For cloud-hosted software, your AWS/Azure infrastructure is in scope. ClickMasters' cloud deployments are designed with Cyber Essentials scope in mind from day one.

FactorCyber Essentials (Basic)Cyber Essentials Plus
Assessment methodSelf-assessment questionnaireExternal technical verification by CREST-approved body
Technical testingNone — self-reportedVulnerability scan + sample testing of controls
Cost (approx)£300–£500 (certification body fee)£1,500–£5,000 (depending on scope)
Government requirementMost contracts: basic requiredHigher-risk contracts, MOD, NCSC programmes
Insurance benefitSome cyber insurance policies offer discountsAdditional discount — more evidence of controls
Validity12 months12 months
Time to obtain1–3 days (self-assessment)1–3 weeks (including testing)
ClickMasters involvementWe provide evidence documentationWe support technical verification process

Frequently Asked Questions — Cyber Essentials for Software Companies

Related Guides & Services

Frequently Asked Questions

Common questions about cyber essentials for uk software companies — the 5 controls explained (2025).

Cyber Essentials is mandatory for any UK business bidding for central government contracts that involve handling personal information or sensitive data (as defined by the Cabinet Office). It is also required for suppliers to the NHS, MOD, and many local authorities. Beyond mandates, many large enterprises now require Cyber Essentials from their software suppliers as part of vendor onboarding — making it a de facto commercial requirement in regulated sectors.

ISO 27001 is a comprehensive information security management system covering 114 controls across strategy, processes, people, and technology. Cyber Essentials is narrower — five specific technical controls — but is government-mandated and UK-specific. The two are complementary: Cyber Essentials provides a technical baseline; ISO 27001 builds on it with broader organisational controls. For most UK SMBs, Cyber Essentials should come first (simpler, faster, required for gov contracts). ISO 27001 makes sense when you need to demonstrate the full ISMS to enterprise or regulated sector buyers.

Your cloud infrastructure (AWS, Azure) is in scope for Cyber Essentials if it hosts software that: processes personal data, connects to your internal network, or is internet-accessible. This means: cloud security groups (acting as firewalls), IAM permissions (access control), container image scanning (malware protection), and patch management for cloud services all fall under the five controls. ClickMasters designs cloud architectures to be CE-compliant from the outset.

Cyber Essentials Basic: 1–3 days. Complete the self-assessment questionnaire, submit to a certification body (e.g. IASME, Cyber Essentials Company), receive certification. Cyber Essentials Plus: 1–3 weeks. Includes external vulnerability scanning and sample testing. For software companies undergoing certification for the first time, ClickMasters recommends a pre-assessment review (half a day) to identify any controls gaps before formal submission — avoiding a failed submission.

About the Author

ClickMasters Security & Compliance Team Cyber Essentials implementation and cloud security specialists ClickMasters has supported 20+ UK businesses through Cyber Essentials certification. Our software development practices align to the 5 controls by default — providing clients with a strong starting point for their own CE assessment.

Build Cyber Essentials-Compliant Software ClickMasters builds...

Build Cyber Essentials-Compliant Software ClickMasters builds all software to meet the 5 Cyber Essentials controls by default. No additional compliance cost. Book a free consultation. → Book Free Consultation: clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation