13 min read · By Aerie Team

Cyber Essentials for MSPs — Complete 2026 Guide

Everything UK MSPs need to know about Cyber Essentials certification: the 5 technical controls, certification costs, common failure points, and how to prepare.

Tags: cyber-essentials, uk-compliance, security, rmm, uk-msps

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme run by the National Cyber Security Centre (NCSC). It's a baseline security standard that demonstrates your organisation (or your client organisations) has implemented essential security controls.

Think of it as a security hygiene checklist. It's not advanced threat detection. It's not zero-trust architecture. It's the fundamentals that stop 99% of commodity attacks — the ones that don't require nation-state sophistication.

The key distinction: Cyber Essentials Plus requires an independent assessment. Basic Cyber Essentials is self-assessed. For MSPs, Cyber Essentials Plus is the credible option — it's worth the assessment cost.


Why Cyber Essentials Matters for MSPs

Four reasons:

1. Government Contracts

UK public sector procurement (central government, local authorities, health trusts) increasingly requires suppliers to hold Cyber Essentials Plus. If you want to bid on govtech contracts, you need it. Public sector is good business for MSPs — sticky, long-term, compliance-driven clients.

2. Client Requirements

Enterprise and mid-market clients now mandate Cyber Essentials for their suppliers. Your MSP may handle critical infrastructure — energy, water, financial services. These sectors require supply chain security. Your Cyber Essentials certification is part of their risk assessment.

3. Insurance & Liability

Some cyber insurance policies now require Cyber Essentials as a baseline. If you suffer a breach and cannot demonstrate the 5 basic controls, your insurer may deny the claim. That's expensive.

4. Competitive Differentiation

Most MSPs haven't heard of Cyber Essentials. Those who have the cert stand out to buyers who care about security. It's a low-cost signal of competence.


The 5 Cyber Essentials Technical Controls

These are the actual requirements. They're straightforward — but "straightforward" doesn't mean "easy to manage at scale."

1. Boundary Firewalls and Network Access Control

What it means: Every internet-connected network must have a firewall with explicit allow/deny rules. No open ports. No default credentials.

For MSPs: You're probably doing this. But Cyber Essentials requires documented rules. Someone needs to review and audit those rules quarterly. If you're managing 50 client firewalls, that's 50 audit trails to maintain.

Common failure point: Undocumented rules. A technician added a port exception six months ago "temporarily" — it's still open. The assessment finds it, and you fail.

Aerie OS angle: Aerie doesn't manage firewalls, but it can log and track firewall changes across all your clients in one place. Compliance visibility = easier audits.
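The quarterly rule review described above can be scripted against a rule export so that the "temporary" exception nobody removed is caught before the assessor finds it. This is an added example, not Aerie OS code or any firewall vendor's export format: it assumes the rules have already been exported into a list of dicts, and the field names (id, action, src, dst, port, ticket, comment, created, last_reviewed) and the sample rules are constructed for the example.

```python
"""Review a firewall rule export for the documentation gaps an assessor looks for.

Added example, not Aerie OS code. Assumes the rules have already been exported
from the firewall into a list of dicts; the field names below are assumptions
chosen for the example, not any vendor's export format.
"""
from datetime import date

REVIEW_INTERVAL_DAYS = 90            # "quarterly" review, per the control text
ASSESSMENT_DATE = date(2026, 2, 1)   # fixed date so the example is repeatable

# Constructed sample export (not real client data).
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "any", "dst": "10.0.1.10", "port": 443,
     "ticket": "CHG-1042", "comment": "Public web front end",
     "created": date(2025, 9, 1), "last_reviewed": date(2026, 1, 15)},
    {"id": 2, "action": "allow", "src": "any", "dst": "10.0.1.20", "port": 3389,
     "ticket": "", "comment": "temp rule for vendor, remove next week",
     "created": date(2025, 7, 3), "last_reviewed": None},
    {"id": 3, "action": "allow", "src": "any", "dst": "any", "port": "any",
     "ticket": "CHG-0001", "comment": "legacy default",
     "created": date(2023, 2, 1), "last_reviewed": date(2025, 6, 1)},
    {"id": 4, "action": "deny", "src": "any", "dst": "any", "port": "any",
     "ticket": "CHG-0002", "comment": "default deny",
     "created": date(2023, 2, 1), "last_reviewed": date(2026, 1, 15)},
]


def review_rules(rules, today=ASSESSMENT_DATE):
    """Return {rule_id: [reasons]} for every rule an assessor would query."""
    findings = {}

    def flag(rule_id, reason):
        findings.setdefault(rule_id, []).append(reason)

    for r in rules:
        if r["action"] == "allow":
            if not r["ticket"]:
                flag(r["id"], "no change ticket or justification recorded")
            if "temp" in r["comment"].lower():
                flag(r["id"], "rule described as temporary is still present")
            if r["src"] == "any" and r["dst"] == "any" and r["port"] == "any":
                flag(r["id"], "permit-all rule (default-style allow)")
        # Every rule, allow or deny, must have been reviewed within the interval;
        # a rule that was never reviewed is measured from its creation date.
        last = r["last_reviewed"] or r["created"]
        if (today - last).days > REVIEW_INTERVAL_DAYS:
            flag(r["id"], f"not reviewed in the last {REVIEW_INTERVAL_DAYS} days")
    return findings


def rules_pass(rules, today=ASSESSMENT_DATE):
    """A single flagged rule is a gap the assessor will record."""
    return not review_rules(rules, today)


if __name__ == "__main__":
    for rule_id, reasons in review_rules(SAMPLE_RULES).items():
        print(f"rule {rule_id}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample export, rules 2 and 3 are flagged (the ticketless "temp" exception that was never reviewed, and the legacy permit-all) while the documented, recently reviewed rules pass. The review date is fixed at ASSESSMENT_DATE so the output is reproducible; in practice you would pass date.today() and run it per client as part of the quarterly audit.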


2. User Access Control

What it means:

  • No shared admin accounts
  • Passwords minimum 12 characters, complexity required
  • Multi-factor authentication (MFA) on all remote access and privileged accounts
  • Disable accounts within 24 hours of staff departure
  • Principle of least privilege — users have only the permissions they need

For MSPs: This is operational overhead. Every client needs documented access control policies. Every termination needs verified proof that accounts were disabled. Every remote access point needs MFA.

Common failure point: Shared service accounts. "We all log in with Engineer_1" — fail. Disabled accounts still exist in the directory but are marked inactive — fail. MFA is enabled but not on the VPN gateway — partial fail.

Aerie OS angle: Aerie handles user provisioning, permission management, and access auditing. If you're auditing client access control, you can pull documented permission matrices and audit trails from Aerie.
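The access-control checks listed above (no shared accounts, MFA on privileged and remote access, disable within 24 hours of departure) are mechanical enough to run against a directory export before the assessor samples accounts. This is an added example, not Aerie OS code: it assumes accounts and remote-access entry points have been exported into the dict shapes shown, with field names and sample data constructed for the example. It also checks the 30-day deletion rule for disabled leaver accounts and MFA on every remote entry point, which the later failure-point section covers.

```python
"""Audit a user-account export against the Cyber Essentials access-control points.

Added example, not Aerie OS code. Assumes accounts and remote-access entry
points have been exported into the dict shapes below (field names are
assumptions for the example). Timestamps are datetimes so the 24-hour
offboarding check is exact rather than date-granular.
"""
from datetime import datetime, timedelta

OFFBOARD_WINDOW = timedelta(hours=24)   # disable within 24 hours of departure
DELETE_AFTER = timedelta(days=30)       # delete disabled accounts after 30 days
NOW = datetime(2026, 2, 1, 9, 0)        # fixed "now" so the example is repeatable

# Constructed sample data (not real client data).
SAMPLE_ACCOUNTS = [
    {"name": "alice", "owners": ["alice"], "privileged": True, "mfa": True,
     "enabled": True, "left_at": None, "disabled_at": None},
    {"name": "Engineer_1", "owners": ["alice", "bob", "carol"], "privileged": True,
     "mfa": False, "enabled": True, "left_at": None, "disabled_at": None},
    {"name": "bob", "owners": ["bob"], "privileged": False, "mfa": True,
     "enabled": True, "left_at": datetime(2026, 1, 20, 17, 0), "disabled_at": None},
    {"name": "carol", "owners": ["carol"], "privileged": False, "mfa": True,
     "enabled": False, "left_at": datetime(2025, 11, 1, 17, 0),
     "disabled_at": datetime(2025, 11, 5, 9, 0)},
    {"name": "svc-backup", "owners": ["dave"], "privileged": True, "mfa": False,
     "enabled": True, "left_at": None, "disabled_at": None},
]
SAMPLE_ENTRY_POINTS = [
    {"name": "vpn-gateway", "mfa": True},
    {"name": "rdp-gateway", "mfa": False},
]


def audit_access(accounts, entry_points, now=NOW):
    """Return a list of (subject, reason) findings; an empty list means clean."""
    findings = []
    for a in accounts:
        # A named account has exactly one owner; anything else is shared.
        if len(a["owners"]) != 1:
            findings.append((a["name"], "shared account (multiple owners)"))
        if a["privileged"] and not a["mfa"]:
            findings.append((a["name"], "privileged account without MFA"))
        if a["left_at"] is not None:
            if a["enabled"] or a["disabled_at"] is None:
                findings.append((a["name"], "leaver's account still enabled"))
            else:
                if a["disabled_at"] - a["left_at"] > OFFBOARD_WINDOW:
                    findings.append((a["name"], "not disabled within 24 hours of departure"))
                if now - a["disabled_at"] > DELETE_AFTER:
                    findings.append((a["name"], "disabled account older than 30 days still exists"))
    # Every remote entry point, not just the VPN, must enforce MFA.
    for ep in entry_points:
        if not ep["mfa"]:
            findings.append((ep["name"], "remote access entry point without MFA"))
    return findings


if __name__ == "__main__":
    for subject, reason in audit_access(SAMPLE_ACCOUNTS, SAMPLE_ENTRY_POINTS):
        print(f"{subject}: {reason}")
```

On the sample data the shared Engineer_1 account, the leaver whose account is still enabled, the leaver disabled four days late and never deleted, the privileged service account without MFA, and the RDP gateway without MFA are all reported, which is the same set the assessor's account sampling is designed to find.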


3. Secure Configuration

What it means:

  • No unnecessary services running on servers or endpoints
  • Security-relevant patches applied within 14 days
  • Anti-malware installed and kept up to date
  • Default passwords changed on all devices
  • Logging enabled on firewalls and servers

For MSPs: This is asset management at scale. You need an inventory of every client's systems, their patch status, their AV status, their service configuration. Miss one system in the audit and you fail.

Common failure point: A legacy workstation running Windows Server 2012 with outdated AV definitions. Or a printer that was never patched. Or a VoIP phone running default credentials.

Aerie OS angle: Aerie's device management features can track patch status, AV status, and security configurations across all client devices. Your auditor can see the full inventory in one report.


4. Malware Protection

What it means:

  • Anti-malware software on all servers and endpoints
  • Real-time scanning enabled
  • Definitions updated (near real-time)
  • Quarantine and alert on detection

For MSPs: Most modern AV solutions do this. But you need evidence it's running everywhere. One unprotected system = fail.

Common failure point: Endpoint AV not running on a backup server because AV "slows down backups." Or definitions 7 days out of date on an isolated lab system. Both are fails.

Aerie OS angle: Aerie's RMM capabilities include AV monitoring. You can ensure all systems meet the definition update requirement across all clients.


5. Patch Management

What it means:

  • All software on in-scope devices must be licensed and supported by the vendor
  • Critical and high-severity patches applied within 14 days of release
  • Unsupported operating systems and applications are an automatic failure
  • Auto-update enabled where possible; manual approval workflows documented where not

For MSPs: This is the control that catches MSPs off-guard at scale. One Windows Server 2012 box, one unpatched third-party application, one legacy line-of-business system running on an EOL OS — any of these fails the assessment. You need a complete, accurate patch status view across every in-scope device before the assessor arrives.

Common failure point: A legacy application that hasn't shipped a patch in 18 months — not because it's secure, but because the vendor abandoned it. Or a patch that deployed successfully on 99 of 100 endpoints but failed silently on one. Or an endpoint that was offline during the deployment window and never caught up.

Aerie OS angle: Aerie's RMM module handles automated patch deployment across all client devices, tracks deployment status, and flags failures immediately. Compliance reporting shows patch status per device, per client — ready to hand to an assessor as evidence.
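The three ways a patch rollout fails the 14-day window (silent failure, an endpoint offline for the whole deployment, and an EOL operating system) need to be told apart in the report, because each has a different fix. This is an added example, not Aerie OS code or its report format: it assumes an RMM export with one record per device giving OS support status, last check-in and the deployment result for one patch, with field names, release date and sample devices constructed for the example. The same classification covers the "patches not applied within 14 days" failure point later in the post.

```python
"""Classify every in-scope device against the 14-day patch window.

Added example, not Aerie OS code. Assumes an RMM export with one record per
device giving its OS support status, last check-in, and the deployment result
for a given patch; the field names are assumptions for the example.
"""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)
ASSESSMENT_DATE = date(2026, 2, 1)
PATCH_RELEASED = date(2026, 1, 10)   # constructed release date for the example

# Constructed sample export (not real client data).
SAMPLE_DEVICES = [
    {"host": "ws-01", "os_supported": True, "last_seen": date(2026, 1, 31),
     "result": "installed", "installed_at": date(2026, 1, 12)},
    {"host": "ws-02", "os_supported": True, "last_seen": date(2026, 1, 31),
     "result": "installed", "installed_at": date(2026, 1, 30)},
    {"host": "ws-03", "os_supported": True, "last_seen": date(2026, 1, 31),
     "result": "failed", "installed_at": None},
    {"host": "ws-04", "os_supported": True, "last_seen": date(2026, 1, 5),
     "result": "pending", "installed_at": None},
    {"host": "ws-05", "os_supported": True, "last_seen": date(2026, 1, 31),
     "result": "pending", "installed_at": None},
    {"host": "srv-legacy", "os_supported": False, "last_seen": date(2026, 1, 31),
     "result": "pending", "installed_at": None},
]

ACCEPTABLE = {"compliant", "pending_in_window"}


def classify(device, released, today):
    """Return one status label for the device against this patch."""
    if not device["os_supported"]:
        return "unsupported_os"          # automatic failure regardless of patch state
    deadline = released + PATCH_WINDOW
    if device["result"] == "installed":
        return "compliant" if device["installed_at"] <= deadline else "installed_late"
    if device["result"] == "failed":
        return "failed"                   # silent failure: escalate, do not wait
    # Pending: distinguish a device that never saw the deployment from one that did.
    if device["last_seen"] < released:
        return "offline_drift"            # offline since before release; never caught up
    return "out_of_window" if today > deadline else "pending_in_window"


def patch_report(devices, released=PATCH_RELEASED, today=ASSESSMENT_DATE):
    """Per-device status, in the shape an assessor can read down a column."""
    return {d["host"]: classify(d, released, today) for d in devices}


def fleet_passes(devices, released=PATCH_RELEASED, today=ASSESSMENT_DATE):
    """One device outside the window fails the fleet."""
    return all(s in ACCEPTABLE for s in patch_report(devices, released, today).values())


if __name__ == "__main__":
    for host, status in patch_report(SAMPLE_DEVICES).items():
        print(f"{host:12} {status}")
    print("fleet passes:", fleet_passes(SAMPLE_DEVICES))
```

The labels map to actions: failed devices need an escalation ticket, offline_drift devices need to be found and brought back under management, installed_late is evidence the rollout process itself is too slow, and unsupported_os can only be fixed by replacement or removal from scope. A pending device inside the window is acceptable today but becomes out_of_window on the deadline, so the report should be re-run daily until the window closes.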


Cyber Essentials Certification: Costs & Timeline

Self-Assessed (Basic Cyber Essentials)

  • Cost: £300–£500 (paid to your chosen certification body)
  • Timeline: 2–4 weeks
  • Validity: 1 year
  • Credibility: Lower than CE+. Self-assessment involves no independent technical verification — clients and auditors in regulated sectors typically require CE+.

Independently Assessed (Cyber Essentials Plus)

  • Cost: £900–£2,400 per assessment (varies by assessor and organisation size)
  • Timeline: 4–8 weeks
  • Process:
    • Select an approved NCSC assessor
    • Prepare documentation (policies, audit logs, configuration records)
    • Assessor conducts interviews and technical validation (4–6 hours on-site, 2–4 hours remote)
    • Report issued (pass or fail)
  • Validity: 1 year
  • Renewal: Annual reassessment required (£800–£2,000)

Budget Estimate for a 10-Tech MSP

  • Initial assessment: £1,500
  • Annual renewal: £1,200
  • Internal cost (staff time to prepare documentation): 40–60 hours
  • Staff time @ £50/hour: £2,000–£3,000

Total first-year cost: £3,500–£4,500 (assessment fee plus the staff time above). Annual cost thereafter: £3,200 (renewal fee plus staff time).

Where to Find Assessors

NCSC maintains a list of approved assessors: Cyber Essentials Approved Bodies. UK-based assessors are typically more familiar with local business operations.


How to Prepare for Cyber Essentials Assessment

Phase 1: Documentation (Weeks 1–2)

Before the assessor arrives, you need:

  1. Information Security Policy
    • Covers all 5 controls
    • Signed by leadership
    • Version-controlled
  2. Access Control Policy
    • User onboarding/offboarding procedures
    • Password policy
    • MFA requirements
    • Privileged access management
  3. Configuration & Change Management
    • Server and endpoint hardening baseline
    • Patch management process
    • Approval workflow for configuration changes
  4. Incident Response Plan
    • Who to notify if malware is detected
    • How logs are preserved
    • Escalation path
  5. Asset Inventory
    • All servers, workstations, network equipment
    • Firmware versions
    • Patch status
    • AV status and definitions date
  6. Access Logs & Audit Trail Samples
    • Firewall rule audits (last 3 months)
    • User access changes (last 3 months)
    • Privileged account logs (PAM/RDP logs)

Phase 2: Technical Validation (Weeks 2–3)

Prepare for the assessor to:

  • Check firewall configuration — They'll ask to see your live firewall rules. No default rules, no comments like "this was a temp rule."
  • Review user accounts — They'll sample 5–10 user accounts across servers and verify: accounts are named (not shared), MFA is enabled, they have only necessary permissions.
  • Inspect patch status — They'll run a vulnerability scanner to verify all systems are patched. Windows systems should be current within the 14-day window.
  • Verify AV is running — They'll check 5–10 endpoints to confirm AV is installed, running, and definitions are recent.
  • Interview staff — They'll ask technicians: "What's the process for patching? How do you handle a staff departure?" If staff can't articulate the process, that's a gap.

Phase 3: Remediation (Variable)

If the assessment finds gaps, you have 30 days to remediate. Common fixes:

  • Enable MFA on a forgotten system
  • Update AV definitions
  • Document a previously undocumented process

Common Assessment Failure Points

MSPs typically fail Cyber Essentials on these issues:

1. Incomplete Asset Inventory

The problem: You don't have a complete list of all client systems. An old NAS, a backup server, a printer — something's missing.

The fix: Before assessment, do a full inventory scan. Use your RMM to generate a complete asset list. Include firmware versions and patch status.

2. Undocumented Procedures

The problem: You do the right things (disable accounts on termination, update patches), but you haven't documented the process. The assessor asks "Show me your offboarding procedure" and you can't.

The fix: Document everything. Write your policies. Get them signed by leadership. Make them specific — "Within 24 hours of notification, Admin revokes all access via [procedure]."

3. Stale Access Control

The problem: Ex-employee accounts still exist in the directory. They're marked disabled, but they still exist.

The fix: Delete disabled accounts after 30 days. Document the deletion. The assessor wants to see no lingering accounts for former staff, disabled or otherwise.

4. Patches Not Applied Within 14 Days

The problem: You have 100 client endpoints. One is offline for maintenance. Another's patch installation failed silently. You don't know.

The fix: Automated patch deployment + automated verification. If a patch fails, escalate immediately. Don't let systems drift.

5. MFA Not Enabled on All Remote Access

The problem: MFA is enabled on the VPN gateway, but not on RDP. Or MFA is enabled on user accounts but not on service accounts (which are still used for remote access).

The fix: Audit all remote access entry points. Enable MFA everywhere. Service accounts that must be used remotely need hardware tokens or app-based MFA.

6. Anti-Malware Definitions Outdated

The problem: AV is installed and running, but the definitions are 10 days old. Policy says "keep current" — but "current" is undefined. The assessment finds systems with stale definitions.

The fix: Enforce daily definition updates. If definitions are >3 days old, escalate. Automated policy enforcement is your friend here.
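"Current" has to be a number before it can be enforced, and "installed" is not the same as "running with real-time scanning on". This added example (not Aerie OS code or its RMM export format) turns the malware-protection control and the definition-age threshold above into a per-endpoint check: it assumes an RMM export with one record per endpoint, and the field names, the 3-day escalation threshold and the sample endpoints are constructed for the example.

```python
"""Check anti-malware state per endpoint against the control text and the
definition-age escalation threshold.

Added example, not Aerie OS code. Assumes an RMM export of one record per
endpoint; field names are assumptions for the example.
"""
from datetime import date

ESCALATE_AFTER_DAYS = 3              # definitions older than this: escalate
ASSESSMENT_DATE = date(2026, 2, 1)   # fixed date so the example is repeatable

# Constructed sample export (not real client data).
SAMPLE_ENDPOINTS = [
    {"host": "ws-01", "installed": True, "running": True, "realtime": True,
     "definitions_date": date(2026, 1, 31)},
    {"host": "lab-01", "installed": True, "running": True, "realtime": True,
     "definitions_date": date(2026, 1, 22)},          # isolated lab box, 10 days old
    {"host": "bkp-01", "installed": True, "running": False, "realtime": False,
     "definitions_date": date(2026, 1, 31)},          # AV stopped "to speed up backups"
    {"host": "kiosk-01", "installed": False, "running": False, "realtime": False,
     "definitions_date": None},
]


def av_status(ep, today=ASSESSMENT_DATE, max_age_days=ESCALATE_AFTER_DAYS):
    """Return ("fail" | "escalate" | "ok", detail) for one endpoint.

    "fail" means the control is not met at all; "escalate" means protection is
    present but definitions have drifted past the policy threshold.
    """
    if not ep["installed"]:
        return "fail", "anti-malware not installed"
    if not ep["running"]:
        return "fail", "anti-malware installed but not running"
    if not ep["realtime"]:
        return "fail", "real-time scanning disabled"
    age = (today - ep["definitions_date"]).days
    if age > max_age_days:
        return "escalate", f"definitions {age} days old"
    return "ok", f"definitions {age} days old"


def av_report(endpoints, today=ASSESSMENT_DATE):
    return {ep["host"]: av_status(ep, today) for ep in endpoints}


def fleet_protected(endpoints, today=ASSESSMENT_DATE):
    """One endpoint that is not fully protected fails the control."""
    return all(status == "ok" for status, _ in av_report(endpoints, today).values())


if __name__ == "__main__":
    for host, (status, detail) in av_report(SAMPLE_ENDPOINTS).items():
        print(f"{host:10} {status:9} {detail}")
    print("fleet protected:", fleet_protected(SAMPLE_ENDPOINTS))
```

The backup server with AV stopped and the kiosk with nothing installed are hard fails; the lab machine with 10-day-old definitions is an escalation, which is still a finding if the assessor samples it. Running this daily and ticketing every non-"ok" row is the automated enforcement the text recommends.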


How Aerie OS Helps with Cyber Essentials Compliance

Aerie OS isn't a compliance tool — but it enables the operational disciplines that compliance requires.

1. Unified Asset Visibility

All client devices in one system. You can pull a complete inventory report in seconds. Patch status, AV status, security configuration — all auditable.

2. Centralized User Access Management

User provisioning, permission assignment, and offboarding from one place. When an employee leaves, you disable the account in Aerie once — it cascades across all client systems and tools.

3. Patch & Update Management

Push patches to all client systems. Track deployment status. Know immediately if a patch fails. Automated verification ensures systems stay within the 14-day window.

4. Device Security Configuration

Enforce baselines across all endpoints. Anti-malware, firewall rules, service configuration — apply once, monitor continuously.

5. Audit Logging & Reporting

All actions logged. User access changes, firewall modifications, system configurations — generate audit reports for assessors.

6. Compliance Reporting & Evidence Packs

Aerie's Compliance module maps client environments against Cyber Essentials controls and generates audit-ready evidence packs automatically — patch reports, access control logs, AV status, and configuration records from a single data source. No manual extraction across five different tools.


Compliance Checklist: Pre-Assessment

Use this before your assessment:

  • Information Security Policy written and signed
  • Access Control Policy documented (user lifecycle, MFA requirements, PAM)
  • Configuration Management Policy in place
  • Complete asset inventory (servers, workstations, network equipment)
  • All systems patched within 14 days
  • All systems running current anti-malware with recent definitions
  • MFA enabled on all remote access entry points
  • No shared admin accounts (all accounts are named)
  • All disabled user accounts deleted
  • Firewall rules documented and reviewed (no undocumented or default rules)
  • Staff interviewed to confirm they understand procedures
  • Incident response plan written
  • Assessor selected and appointment booked

Should You Get Cyber Essentials?

Yes, if:

  • You want to bid on UK government contracts
  • Your enterprise/mid-market clients require it
  • Your cyber insurance policy mandates it
  • You want to differentiate from competitors

Maybe, if:

  • You serve SME clients who don't require it
  • Your current customer base doesn't ask for it
  • Budget is tight and you're not losing deals because of it

Start with Cyber Essentials Plus. Self-assessed isn't credible. The cost difference (assessor fee) is worth it for the credibility.


Next Steps

  1. Review the NCSC guidance: Cyber Essentials Overview
  2. Check your status against the 5 controls — Which ones do you already meet? Where are the gaps?
  3. Prepare documentation — Write policies and create your asset inventory
  4. Select an assessor — Look for one with MSP experience
  5. Schedule your assessment — Book 4–8 weeks out to allow preparation time

Key Takeaways

  • Cyber Essentials is a baseline security standard, not an advanced certification. It covers the fundamentals that stop commodity attacks.
  • The 5 technical controls are straightforward — firewalls, access control, secure configuration, malware protection, and patch management.
  • Assessment costs £1,500–£2,400 plus staff time. Budget 40–60 hours of internal work.
  • Failure is usually about documentation and completeness, not advanced security. One missing system or undocumented procedure can fail you.
  • Annual reassessment required. Cyber Essentials isn't a one-time cert.
  • Government contracts, enterprise clients, and insurance often require it. Worth the investment if you serve those segments.

Cyber Essentials is achievable for any well-managed MSP. The key is making compliance operational — embedding asset visibility, patch management, and access control into your daily processes. That's where tools like Aerie OS pay for themselves.

