Cyber Essentials

Get certified. Stay protected.

Montalex is Cyber Essentials certified. We help UK small and medium businesses achieve certification — and build the security foundations that come with it.

Cyber Essentials Certified
Montalex Limited — verified via IASME / Blockmark

We hold active Cyber Essentials certification, meaning we practise what we preach. When we help you achieve certification, we're drawing on direct experience — not theory.

Why Cyber Essentials matters

Cyber Essentials is a UK government-backed scheme that protects against the most common cyber attacks. It's increasingly required to win public sector contracts, and signals to clients and partners that you take security seriously.

  • Required for UK government contracts handling sensitive data
  • Demonstrates security commitment to clients and partners
  • May qualify for bundled cyber insurance through the certification scheme
  • Protects against up to 80% of common cyber attacks
  • Foundation for ISO 27001 and broader security programmes

The five controls

What Cyber Essentials covers

The scheme focuses on five technical controls that, when implemented correctly, protect against the vast majority of common cyber attacks.

01 Firewalls

Boundary firewalls and internet gateways configured to protect your network from unauthorised access.

02 Secure configuration

Devices and software configured securely, removing unnecessary accounts and disabling unused features.

03 User access control

User accounts with appropriate privileges, MFA enforced, and admin access strictly controlled.

04 Malware protection

Anti-malware software in place and kept up to date across all devices.

05 Patch management

Software and operating systems kept up to date with security patches applied promptly.

Free resource

Cyber Essentials Preparation Guide

A practical guide covering all five controls in detail, the most common failure points, a Microsoft 365 configuration checklist, and a complete pre-assessment checklist to work through before submitting.

  • The five controls explained with assessor expectations
  • Common failure points that cause first-attempt failures
  • Microsoft 365 security configuration checklist
  • Complete pre-assessment checklist
  • What to expect on assessment day

PDF · 15 pages · 2026 edition

How we help

Our CE preparation service

Most businesses fail their first assessment because of gaps they didn't know they had. We fix that.

01 Gap assessment

We review your current setup against the five Cyber Essentials technical controls and identify exactly what needs to change.

02 Remediation

We fix what needs fixing — configuring firewalls, enforcing MFA, patching devices, tightening access controls.

03 Pre-assessment review

We run through the self-assessment questionnaire with you so there are no surprises on the day.

04 Certification

You submit the assessment with confidence. We stay on hand to answer any technical questions from the assessor.

Fixed-price packages

Preparation packages

Fixed prices, no surprises. Choose the level of support that fits your situation.

Essentials (simple environments): £500

Gap assessment and guided self-assessment questionnaire. Ideal for small businesses with straightforward setups.

  • Gap assessment against all 5 controls
  • Prioritised findings report
  • Guided self-assessment questionnaire
  • Email support through submission

Standard (most common, most SMEs): From £1,000

Gap assessment, remediation guidance, pre-assessment review, and full submission support. Suitable for most small and medium businesses.

  • Everything in Essentials
  • Hands-on remediation guidance
  • Pre-assessment questionnaire walkthrough
  • Assessor liaison support

Full Support (includes remediation): From £1,500

Everything in Standard plus direct technical remediation, deeper support, and post-certification follow-up.

  • Everything in Standard
  • Direct technical remediation
  • Device and account configuration
  • Post-certification follow-up

Not sure which package fits? Book a call and we'll tell you exactly what your business needs.

Common questions

Cyber Essentials — your questions answered

Everything you need to know before starting the certification process.

It depends on your contracts and risk appetite. Cyber Essentials is mandatory if you work on UK government contracts that involve handling sensitive or personal data, or providing certain technical products and services. Beyond compliance, it is worth considering if your business holds customer data, uses cloud services, or has staff working remotely — the five controls it requires are the baseline most insurers and enterprise clients now expect.

Cyber Essentials is mandatory for suppliers bidding for certain UK government contracts — specifically those involving sensitive information or technical services. It is not a blanket legal requirement for all UK businesses. However, it is increasingly required by larger organisations as a condition of doing business with them, and many cyber liability insurers use it as a benchmark when assessing risk.

For most small businesses, the process takes between two and six weeks from start to certification. A straightforward environment with modern cloud-based tools (like Microsoft 365) can be ready in two to three weeks. Businesses with older infrastructure, on-premise servers, or multiple sites typically need longer to remediate gaps before assessment. Our gap assessment call will give you a realistic timeline for your specific setup.

Yes — for several practical reasons beyond the badge. Certification requires you to implement the five technical controls that block the majority of opportunistic cyber attacks. Smaller organisations may also qualify for bundled cyber insurance through the certification scheme, depending on eligibility. And as clients and procurement teams increasingly ask for it, having it removes a barrier to winning work.

Yes. Malware protection is one of the five mandatory controls. The requirement covers having active, up-to-date anti-malware software across all in-scope devices, controls to prevent execution of unknown software, and — where anti-malware is not used — application whitelisting as an alternative. The assessment will verify that your approach meets the current NCSC requirements for malware protection.

Cyber Essentials is a self-assessment: you answer a questionnaire declaring that your controls meet the standard, and an assessor reviews your answers. Cyber Essentials Plus includes everything in the base certification, plus an independent technical audit where an assessor tests your systems directly — scanning for vulnerabilities, testing email filtering, and verifying controls are in place. Plus provides stronger assurance and is required for some higher-risk government contracts.

The certification body fee is set by IASME and varies by organisation size: £320 + VAT for micro-organisations (0–9 employees), £440 + VAT for small organisations (10–49 employees), £500 + VAT for medium organisations (50–249 employees), and £600 + VAT for large organisations (250+ employees). On top of that, preparation and support costs vary depending on how ready your environment is. Montalex offers fixed-price packages from £500 for guided self-assessment through to £1,500+ for full technical remediation and submission support. Most businesses find the all-in cost falls between £900 and £2,500 depending on size and complexity.

Ready to get certified?

Book an assessment call. We'll tell you exactly where you stand and what it would take to get certified.