How to Get Cyber Essentials Certified in Scotland

This guide to Cyber Essentials certification in Scotland explains what you need to know. More than 53,000 Cyber Essentials certificates were issued across the UK in the year to December 2025 – an 18% increase year on year and the highest annual total since the scheme launched in 2014, according to DSIT. Yet only around 3% of UK businesses hold the certification, which means Scottish SMEs that get certified today gain a real competitive edge. For any business bidding on government contracts, handling personal data, or looking to reduce cyber insurance premiums, Cyber Essentials isn’t just a badge – it’s becoming a baseline requirement. This guide walks you through every step of the process, from choosing your certification level to receiving your certificate and keeping it current.


TL;DR – Cyber Essentials (basic) costs from £320 + VAT and can be completed in as little as one to two weeks if your controls are already in order. Cyber Essentials Plus adds hands-on technical testing and costs from around £1,500 + VAT. There are 25 IASME-accredited certification bodies in Scotland, and ScotlandIS has run grant funding covering up to £1,000 toward certification costs for eligible technology and manufacturing firms.




Chart: Cyber Essentials vs Plus – Typical Cost Range (+ VAT). Cyber Essentials basic: £320 – £600 + VAT; Cyber Essentials Plus: £1,500 – £4,250 + VAT, for Scottish SMEs. Source: IASME pricing guidance 2025.

Step 1: Understand the Two Certification Levels

According to the National Cyber Security Centre (NCSC, 2025), more than 39,000 Cyber Essentials certifications were issued in 2024/25, yet this still covers less than 1% of the UK business base. Holding this baseline certification sets an Edinburgh firm apart from local competitors in public sector procurement tenders.

Cyber Essentials and Cyber Essentials Plus share the same five technical controls, but the way they’re assessed is fundamentally different. The basic level uses a self-assessed questionnaire reviewed by an accredited assessor – you describe your controls and a certification body verifies your answers. Plus goes further: an independent assessor conducts hands-on technical testing of your actual infrastructure to confirm those controls are working in practice, not just on paper.

The five control areas are identical across both levels:

  1. Firewalls – boundary and host-based firewalls properly configured
  2. Secure configuration – devices and software set up securely, defaults changed
  3. User access control – least-privilege accounts, strong authentication
  4. Malware protection – anti-malware or application allow-listing in place
  5. Security update management – operating systems and software patched within 14 days of a critical release

Which level should a Scottish SME choose?

For most small businesses, Cyber Essentials (basic) is the right starting point. It demonstrates a credible security baseline to customers and insurers, and it’s a prerequisite before you can pursue Cyber Essentials Plus. You must achieve basic certification before applying for Plus, and – if you want the Plus assessment – you need to complete it within three months of your basic certificate being issued.

Choose Cyber Essentials Plus if you’re bidding for Ministry of Defence contracts, supplying sensitive services to the NHS, or if your enterprise clients are requiring Plus as part of their supply-chain due diligence. The IASME Plus assessment includes external vulnerability scanning of your public IP addresses, on-device testing of a representative sample of your endpoints across every operating system type in scope, and verification that patch levels, configurations, and access controls match what you declared in your self-assessment.


Step 2: Check Whether You Qualify and Define Your Scope

According to the DSIT Cyber Security Breaches Survey (2025), 43% of UK businesses suffered an attack, which demonstrates the need for baseline controls. Cyber Essentials requires you to patch vulnerabilities and disable legacy protocols, and this drastically reduces your attack surface against automated, unsophisticated cyber threats.

Cyber Essentials certification applies to the organisation as a whole – you can’t cherry-pick only part of your IT estate unless you have clearly defined, separate sub-scopes. Specifically, the scope covers all devices that can access organisational data or services: laptops, desktops, servers, mobile phones, tablets, and any cloud services your staff use.

What’s in scope:

  • Windows, macOS, Linux, iOS, and Android devices used by staff
  • Cloud services and SaaS platforms accessed from those devices
  • Your internet-facing perimeter (routers, firewalls, switches with management interfaces)
  • Any virtual machines or containers in scope

What can legitimately be excluded:

  • Operational Technology (OT) and industrial control systems with no internet connectivity
  • Devices permanently air-gapped from internet-facing systems
  • Third-party systems your organisation has no administrative control over

Our assessment: The biggest misconception is that CE is just a paperwork exercise rather than a strict technical baseline that will break poorly configured legacy apps. In our experience working with Edinburgh and central Scotland businesses, the most common scoping mistake is forgetting to include cloud SaaS platforms – tools like Microsoft 365, Google Workspace, Salesforce, and Xero are in scope because staff access them from devices that touch your network. If you’re unsure what’s in scope, a certification body will walk you through it before you begin. Don’t try to artificially shrink your scope to make certification easier – assessors are trained to spot this, and it can result in immediate failure.

Step 3: Choose a Certification Body in Scotland

Cyber Essentials certificates are valid for 12 months from the date of issue (IASME Consortium, 2025). Submitting your renewal application before expiry ensures continuous certification status, which is critical for maintaining eligibility on government and NHS procurement frameworks.

IASME Consortium is the NCSC’s sole delivery partner for the Cyber Essentials scheme. IASME licenses a network of over 290 accredited Certification Bodies (CBs) across the UK, of which 25 are based in Scotland. You can find the full current list using the IASME CB finder at iasme.co.uk.

What to look for when choosing a CB:

  • IASME-accredited status (all legitimate CBs are listed on the IASME directory)
  • Experience with businesses of your size and sector (some CBs specialise in SMEs, others in enterprise or MOD supply chain)
  • Whether they offer pre-assessment consultancy – useful if you want a gap analysis before submitting
  • Pricing transparency: quotes should be clear on whether VAT is included and what remediation support costs

You don’t have to use a Scotland-based CB. In practice, remote assessments are standard for Cyber Essentials basic, and assessors often conduct Plus technical audits remotely too, particularly for cloud-heavy organisations. That said, working with a Scottish CB can mean faster response times and assessors familiar with Scotland’s public sector procurement environment.

A note on costs: Certification body fees vary. The base IASME fee for Cyber Essentials starts at £320 + VAT for the smallest organisations. Most CBs add their own assessment and support fees on top, so you’ll typically pay between £400 and £600 + VAT all-in for a small business. Cyber Essentials Plus fees from CBs typically range from £1,500 to £4,250 + VAT depending on the size and complexity of your device estate.

Scottish grant funding: ScotlandIS has administered Scottish Government-backed grant funding giving eligible technology and manufacturing firms based or registered in Scotland up to £1,000 toward Cyber Essentials certification costs. Availability is limited and tied to specific funding rounds – check scotlandis.com for current open rounds.


Step 4: Complete the Self-Assessment (Cyber Essentials Basic)

NCSC guidance (2025) shows that maintaining your Cyber Essentials certification year on year becomes significantly easier once you embed the five technical controls into your standard IT operations. Automated patch management and continuous vulnerability scanning make recertification a straightforward annual process.

The Cyber Essentials self-assessment is completed via the IASME online portal. You’ll work through a structured questionnaire covering each of the five control areas. As of April 2025, the question set moved from the previous “Montpellier” version to the new “Willow” question set – if you started preparation under the old version, review the updated questions before submitting.

The process in brief:

  1. Register with an IASME-accredited CB and pay the assessment fee
  2. Receive access to the online question set via the IASME portal
  3. Complete the questionnaire – most SMEs take between half a day and two days depending on how well they know their environment
  4. Submit your answers; your CB’s assessor reviews them within 3 working days
  5. If your answers demonstrate compliance with all five controls, you receive your certificate – typically within 1 – 5 working days for a fully prepared organisation

The questionnaire is detailed. You’ll need to know:

  • The make, model, and operating system version of devices in scope
  • How your firewall rules are configured
  • Your patch management schedule and current patch status
  • User account types and whether MFA is enabled for cloud services
  • Your malware protection solution and update frequency

Gather this information before you start the questionnaire. Having it all to hand means you can complete the assessment in one sitting rather than stopping to investigate your own infrastructure mid-submission.


Step 5: Prepare for the Technical Audit (Cyber Essentials Plus)

43% of UK businesses suffered an attack, and the vast majority of successful breaches exploit gaps that Cyber Essentials directly addresses (DSIT Cyber Security Breaches Survey, 2025). Running through the pre-assessment checklist later in this guide before submission dramatically increases your first-time pass rate.

Our assessment: Firms that treat cyber security as a continuous operational discipline rather than an annual compliance exercise consistently experience fewer incidents and faster recovery times. The investment in ongoing monitoring pays for itself within the first prevented breach.

Cyber Essentials Plus requires you to hold a current Cyber Essentials certificate first. The technical audit must be initiated within three months of that basic certificate being issued, or you’ll need to renew the basic certification before proceeding.

The Plus assessment has three main components:

1. External vulnerability scan

Your assessor scans all public IP addresses within your scope from the internet, looking for open services that shouldn’t be exposed, known vulnerabilities in software running on those addresses, and access control weaknesses. Any critical or high vulnerabilities found here are an automatic failure.

2. Internal authenticated device testing

A representative sample of devices from each operating system type in your scope is tested – this means if you have Windows 11 desktops, macOS laptops, and iOS mobiles in scope, at least one device from each must be included. The assessor (on-site or via remote access tool) checks:

  • OS patched to within 14 days of the latest critical updates
  • Accounts following least-privilege principles with no unnecessary admin rights
  • Malware protection active and definitions up to date
  • Device firewall enabled and correctly configured
  • All installed software patched and up to date

3. Configuration verification

Cloud services, routers, and firewalls are checked to confirm the settings you declared in your self-assessment actually reflect reality.

To check Windows patch status quickly before an assessment:

# Show updates installed in the last 30 days, newest first
# (Get-HotFix reads Win32_QuickFixEngineering, so some cumulative updates show no InstalledOn date)
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-30) } | Sort-Object InstalledOn -Descending

# List pending updates via the PSWindowsUpdate module (Install-Module PSWindowsUpdate first)
# Without -Install this only lists; nothing is downloaded or installed
Get-WindowsUpdate -Verbose

For macOS, open Terminal and run:

# Check last software update date
softwareupdate --history | head -20

# List available updates
softwareupdate --list

Step 6: Fix Common Failures Before Assessment

Most Cyber Essentials failures are avoidable with a structured pre-assessment review. The NCSC (2025) reports that the most common reasons organisations fail relate to patch management, insecure default configurations, and overly permissive firewall rules. Addressing these before you submit your self-assessment – or before your Plus technical audit – will save you the cost and delay of a reassessment.

| Control area | Requirement | Common failure |
| --- | --- | --- |
| Firewalls | Inbound connections blocked by default; only required ports open | Unused ports left open; home router used with default firmware |
| Secure configuration | All default passwords changed; unnecessary software removed | Admin accounts using default credentials; bloatware not removed |
| User access control | Standard users cannot install software; admin accounts not used for day-to-day tasks | Staff operating as local admins; shared admin accounts in use |
| Malware protection | Anti-malware active and updated daily, or application allow-listing in place | Windows Defender disabled or definitions more than 24 hours old |
| Security update management | OS and applications patched within 14 days of a critical release | Third-party software (browsers, PDF readers, Java) unpatched |
| Multi-factor authentication | MFA required for all cloud services accessible over the internet | Microsoft 365 or Google Workspace accounts without MFA enabled |

From our experience: My core advice at every initial consultation is to conduct a hard inventory of legacy shadow IT before filling out a single form. One point that catches businesses off guard: MFA on cloud services became a formal requirement under the Willow question set. We’ve seen organisations that had solid on-premises security sail through the old questionnaire, only to realise their Microsoft 365 tenant had MFA disabled for several accounts. Enable MFA across all cloud services before you start your self-assessment – not after you receive a failure notice.

Step 7: Submit and Receive Your Certificate

Once your CB’s assessor is satisfied with your self-assessment answers, you’ll receive your Cyber Essentials certificate from IASME. The certificate is valid for 12 months from the date of issue (NCSC, 2025).

Your certificate comes with:

  • A unique certificate number that clients and procurement teams can verify against the IASME public register
  • Free cyber liability insurance up to £25,000 for UK-based organisations (a benefit introduced by IASME, subject to eligibility criteria – check current terms with your CB)
  • The right to display the Cyber Essentials mark on your website, tender submissions, and marketing materials

Cyber Essentials Plus certificates include all of the above, plus the additional weight of verified technical testing – worth explicitly highlighting in bid documents and on your supplier qualification submissions.

Once certified, your business appears in the publicly searchable IASME certificate register. Procurement teams at government bodies, large enterprises, and NHS trusts actively check this register before shortlisting suppliers – getting on it is the point.


Step 8: Maintain Certification Year on Year

Cyber Essentials certification doesn’t have to start from scratch each year (NCSC, 2025). If you maintain good security hygiene throughout the year, renewal is considerably faster and smoother than your initial certification.

Annual renewal involves:

  • A fresh self-assessment questionnaire (the question set may be updated from year to year)
  • Updated device inventory reflecting any hardware or software changes
  • Current patch status across all in-scope devices at the time of renewal
  • Confirmation that your five controls are still in place

Practical tips for painless renewal:

  • Keep a live asset register – a simple spreadsheet listing every device, its OS version, and last patch date is sufficient
  • Set a calendar reminder two months before your certificate expiry date
  • Check IASME’s release notes each year for any question set changes before starting the renewal
  • If you upgraded or replaced devices during the year, verify they’re configured to the scheme’s requirements before your renewal window opens

Many Scottish SMEs now include Cyber Essentials renewal as a standing line in their annual IT budget, alongside domain renewals and software licence renewals. At £320 – £600 + VAT per year for basic certification, it’s one of the most cost-effective annual security investments available.


Pre-Assessment Checklist

Before you submit your self-assessment or book a Cyber Essentials Plus technical audit, work through this checklist, which draws on NCSC (2025) guidance:

| Control area | Requirement | Common failure |
| --- | --- | --- |
| Firewall – perimeter | Default-deny inbound rules; only documented exceptions | Legacy rules left open; no rule review process |
| Firewall – host-based | Software firewall enabled on every device | Disabled on developer machines or servers |
| Secure configuration | All admin passwords changed from defaults | IoT devices, routers, NAS units on factory defaults |
| Secure configuration | Unnecessary user accounts removed | Old staff accounts still active |
| User access control | Separate admin and standard user accounts | Single account used for both daily work and admin tasks |
| User access control | MFA on all internet-facing cloud services | Microsoft 365, Google Workspace, Xero without MFA |
| Malware protection | Active anti-malware with up-to-date definitions | Expired AV licence; Windows Defender disabled by third-party AV that was later uninstalled |
| Malware protection | Alternatively, application allow-listing enforced | Allow-listing solution not covering all device types in scope |
| Patch management | OS patched within 14 days of critical release | Windows Update set to manual; WSUS not pushing updates |
| Patch management | Third-party applications patched within 14 days | Adobe Acrobat, Chrome, Firefox running outdated versions |
| Patch management | Unsupported OS removed from scope | Windows 10 devices still in use post-EOL (October 2025) |

The last row is particularly relevant from late 2025 onwards. Windows 10 reached end of life in October 2025, meaning it no longer receives security updates. Therefore, any Windows 10 device remaining in scope that doesn’t have Microsoft’s Extended Security Updates (ESU) subscription in place will likely cause a Cyber Essentials failure on the patch management control.
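The per-device checks an assessor performs (Step 5) and the checklist rows above can be pre-checked on each Windows endpoint before you book the audit. The script below is an added example written for this guide, not IASME’s or any assessor’s tooling; it assumes built-in Windows modules only (no PSWindowsUpdate) and uses the 14-day patch window and 24-hour signature age from the tables. The local-admin threshold is an assumption: it flags more than two members, since a fresh build normally has only the built-in Administrator and, on a domain member, Domain Admins. Run it in an elevated PowerShell session.

```powershell
# Added pre-assessment readiness check for one Windows endpoint (illustrative, not assessor tooling).
# Each gap is collected as a finding so the output can be pasted into your asset register.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Patch management: the newest installed update must be within the 14-day window.
#    Get-HotFix reads Win32_QuickFixEngineering, so this is a proxy; confirm in Windows Update too.
$latestFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latestFix -or $latestFix.InstalledOn -lt (Get-Date).AddDays(-14)) {
    $findings.Add("Patch management: no update installed in the last 14 days (latest: $($latestFix.InstalledOn))")
}

# 2. Unsupported OS: Windows 10 went end-of-life in October 2025. Windows 11 builds start at 22000,
#    so anything below that (or captioned Windows 10) must leave scope or hold an ESU subscription.
$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
if ($os.Caption -match 'Windows 10' -or $build -lt 22000) {
    $findings.Add("Patch management: $($os.Caption) build $build is out of support; remove from scope or apply ESU")
}

# 3. Host-based firewall: every profile (Domain, Private, Public) enabled with inbound default-deny.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) {
        $findings.Add("Firewall: profile '$($p.Name)' is disabled")
    }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall: profile '$($p.Name)' does not block inbound connections by default")
    }
}

# 4. Malware protection: Defender real-time protection on, signatures no older than 24 hours.
#    (AntivirusSignatureAge is reported in whole days, so a value above 1 means >24 hours old.)
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings.Add("Malware protection: Defender real-time protection is off")
}
if ($mp.AntivirusSignatureAge -gt 1) {
    $findings.Add("Malware protection: signatures are $($mp.AntivirusSignatureAge) day(s) old")
}

# 5. User access control: list local Administrators so unnecessary admin rights can be removed.
#    Threshold of 2 is an assumption (built-in Administrator plus Domain Admins on a domain member).
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
if ($admins.Count -gt 2) {
    $findings.Add("User access control: $($admins.Count) members of local Administrators: $($admins -join ', ')")
}

# 6. Secure configuration: the built-in Administrator account (RID 500) should be disabled.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    $findings.Add("Secure configuration: built-in Administrator account is enabled")
}

# Report: one line per gap, prefixed for easy filtering across many endpoints.
if ($findings.Count -eq 0) {
    Write-Output "READY  $env:COMPUTERNAME - no readiness gaps found"
} else {
    $findings | ForEach-Object { Write-Output "FAIL   $env:COMPUTERNAME - $_" }
}
```

MFA on cloud services cannot be checked from an endpoint; verify it in the Microsoft 365 or Google Workspace admin console as a separate step.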



Frequently Asked Questions

How much does Cyber Essentials cost in Scotland?

Cyber Essentials (basic) costs from £320 + VAT for the smallest organisations, rising to around £600 + VAT for small businesses once CB assessment fees are included. Cyber Essentials Plus typically costs £1,500 – £4,250 + VAT depending on your device estate size. Prices are set by individual certification bodies, not fixed by IASME, so it’s worth getting two or three quotes. ScotlandIS has administered grants of up to £1,000 for eligible Scottish technology and manufacturing companies – check scotlandis.com for current availability.

How long does Cyber Essentials certification take?

A well-prepared small business can complete Cyber Essentials basic in 1 – 5 working days from starting the self-assessment to receiving the certificate, according to IASME guidance. Organisations that need to remediate gaps first typically take 1 – 4 weeks. Cyber Essentials Plus adds another 2 – 6 weeks depending on assessor scheduling and any remediation required after the technical audit. End-to-end from scratch to a Plus certificate: allow 4 – 10 weeks.

Do I need Cyber Essentials to bid for government contracts?

Yes, for many UK public sector contracts. Under PPN 014 (updated February 2025), Cyber Essentials certification is mandatory for central UK government contracts involving the handling of personal data or where the goods and services present a risk to the security of government systems. Scottish Government and local authority procurement bodies increasingly apply equivalent requirements. If you’re bidding for NHS Scotland, Scottish Government, or major local authority contracts, you should assume Cyber Essentials is required – confirm with the contracting authority before bidding.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both certifications cover the same five controls: firewalls, secure configuration, user access control, malware protection, and security update management. The difference is how compliance is verified. Cyber Essentials uses a self-assessment questionnaire reviewed by a CB assessor – you declare that your controls are in place. Cyber Essentials Plus goes further: an independent assessor runs external vulnerability scans, tests a sample of your actual devices, and verifies your configurations directly. CE+ carries significantly more weight in high-risk procurement environments.

Can I fail Cyber Essentials?

Yes. Common reasons for failure include unpatched software, MFA not enabled on cloud services, admin accounts used for day-to-day tasks, and open firewall ports that should be closed. Unlike Cyber Essentials Plus, the basic self-assessment allows you to remediate and resubmit – but this delays your certification and can incur additional CB fees. For CE+, failures during technical testing require a new assessment booking. The NCSC estimates that organisations that complete a structured pre-assessment review significantly reduce their failure rate; IASME recommends using a CB’s pre-assessment consultancy service if you’re uncertain about your readiness.

Key Takeaways

Cyber Essentials certification is one of the most practical steps a Scottish SME can take in 2026 to protect its business, win more contracts, and demonstrate credibility to customers and partners. With 53,000+ certificates issued across the UK last year, the scheme has real momentum – and with only around 3% of businesses certified, being on that list still differentiates you. The process is structured, the costs are predictable, and with 25 IASME-accredited certification bodies in Scotland, local support is close at hand.

If you’re a Scottish business weighing up whether certification is worth it, the short answer is yes – and the time to start is now, before a contract requirement or a cyber incident makes the decision for you. At Virtually Pro, we help Edinburgh and central Scotland businesses prepare for Cyber Essentials certification as part of a broader cyber security programme – get in touch if you’d like a readiness assessment before you begin.



Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and managed IT services for businesses in financial services, legal, and healthcare. Virtually Pro is Cyber Essentials certified and based at 83 Princes Street, Edinburgh EH2 2ER.
