Cyber Essentials is a UK government-backed certification scheme that helps organisations protect against the most common cyber attacks. For accounting firms, achieving Cyber Essentials certification demonstrates to clients, regulators, and insurers that you have implemented a baseline set of technical controls — and provides a structured framework for improving your security posture.
Certification also qualifies smaller UK organisations for a free £25,000 cyber liability insurance policy, which is significant value for practices that have not yet arranged specialist cyber insurance.
What Cyber Essentials covers
Cyber Essentials is built around five technical controls that protect against the most common attack vectors — the kinds of attacks that account for the vast majority of successful breaches against small and medium-sized organisations.
1. Firewalls
Firewalls control the network traffic entering and leaving your systems, blocking connections that are not needed for legitimate business use. For accounting practices, this means ensuring that all internet-connected devices — computers, laptops, tablets — are protected by a properly configured firewall, that default settings have been changed, and that only approved services and protocols can connect to and from the network.
Most modern routers include basic firewall functionality. The Cyber Essentials standard requires that firewall rules are documented, that unnecessary rules are removed, and that administrative access to the firewall is password-protected and not accessible from the internet.
2. Secure configuration
Devices and software are often delivered with insecure default settings — default passwords, unnecessary services enabled, and configurations that prioritise convenience over security. Cyber Essentials requires that all devices within scope have their default settings reviewed and changed, unnecessary software and services are removed, and accounts with elevated privileges are limited to those who need them.
For accounting practices, this primarily means: ensuring all computers have had their default software reviewed, unnecessary built-in applications removed, and admin accounts restricted to IT management purposes rather than day-to-day use.
3. Access control
User accounts and administrative privileges should be granted only to the staff who need them, with regular reviews to remove access that is no longer required. Cyber Essentials requires that: user accounts are created with an appropriate level of access, password policies are enforced (minimum length, complexity requirements), administrative accounts are only used for administrative tasks, and accounts for staff who have left are deactivated promptly.
For accounting practices, this includes reviewing access to cloud accounting software, practice management systems, and email — not just on-premise systems.
4. Malware protection
Anti-malware software must be installed, active, and up to date on all devices within scope. For practices using Windows computers, Windows Defender (the built-in Microsoft security tool) meets the Cyber Essentials requirement when properly configured. For macOS, Gatekeeper and XProtect provide baseline protection, though a third-party anti-malware product is recommended for organisations handling sensitive data.
The requirement extends to mobile devices if they are within scope of the certification.
5. Patch management
Software vulnerabilities are regularly discovered and fixed by software providers. Applying patches (software updates that fix security vulnerabilities) promptly is one of the most effective security controls available. Cyber Essentials requires that: operating systems and software are kept up to date, patches classified as high risk or critical are applied within 14 days of release, and unsupported software (software that no longer receives security updates) is not used.
For accounting practices, the most critical patch management areas are: Windows updates, macOS updates, Microsoft 365/Google Workspace updates, accounting software updates, and web browsers.
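As an added example (not from the page, IASME or the NCSC), the following read-only PowerShell script checks a single Windows computer against the five controls above. It assumes an elevated session on a Windows 10 or later device with Microsoft Defender; the 14-day window follows the scheme, while the 7-day signature age and the two-member admin limit are assumed thresholds for a small practice.

```powershell
# Added readiness self-check for one Windows device; reports findings, changes nothing.
# Thresholds other than the 14-day patch window are assumptions, not scheme rules.
$findings = @()

# 1. Firewalls: the Domain, Private and Public profiles should all be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if ("$($p.Enabled)" -ne 'True') { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# 2. Secure configuration: the built-in Guest account is a default that should be off,
#    and an unsupported operating system (pre-Windows 10) fails the scheme outright.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings += 'Built-in Guest account is enabled' }
$os = Get-CimInstance Win32_OperatingSystem
if ([version]$os.Version -lt [version]'10.0') { $findings += "Unsupported OS: $($os.Caption)" }

# 3. Access control: admin rights should be limited to IT management, so list the
#    local Administrators group and flag it if it has more than two members (assumed limit).
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
if ($admins.Count -gt 2) {
    $findings += "Local Administrators has $($admins.Count) members: $($admins -join ', ')"
}

# 4. Malware protection: Defender must be enabled, real-time, and using fresh signatures.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += 'Defender antivirus is not enabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if ($mp.AntivirusSignatureAge -gt 7)    { $findings += "Signatures are $($mp.AntivirusSignatureAge) days old" }

# 5. Patch management: any update still pending more than 14 days after Microsoft
#    last changed its deployment state breaches the scheme's 14-day requirement.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
foreach ($u in $pending) {
    $days = ((Get-Date) - $u.LastDeploymentChangeTime).Days
    if ($days -gt 14) { $findings += "Update '$($u.Title)' has been pending for $days days" }
}

# Summary: an empty list means this device shows no gaps against the checks above.
if ($findings.Count -eq 0) { Write-Output 'No findings: device passes these baseline checks' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

The script covers only the device it runs on; cloud services, mobile devices and the router's firewall rules still need their own review against the same five controls.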
The two certification levels
Cyber Essentials (self-assessment)
The basic certification level is a self-assessment questionnaire, reviewed and verified by a Certification Body. You answer questions about your implementation of the five controls, provide evidence where requested, and a certifier reviews and approves the answers.
This level is appropriate for accounting practices with straightforward IT environments — a small number of computers, cloud-based software, and no complex on-premise infrastructure.
Cost: typically £300 to £500 for the assessment and certification, depending on the Certification Body.
Cyber Essentials Plus
Cyber Essentials Plus includes the same self-assessment questionnaire plus an independent technical verification of the controls — a remote or on-site technical assessment by a Certification Body assessor who checks that the controls are actually in place and working as described.
This level provides greater assurance and is required for some government contract work. It is appropriate for larger practices or those handling particularly sensitive data.
Cost: typically £1,200 to £2,500, depending on scope and the Certification Body.
The free cyber liability insurance
UK organisations with fewer than 50 employees and annual turnover under £2 million that achieve Cyber Essentials certification (either level) receive a free £25,000 cyber liability insurance policy from IASME (the government-appointed scheme administrator), underwritten by a UK insurer.
This policy covers: notification costs following a data breach, regulatory fines and penalties, ransomware recovery costs, business interruption losses, and crisis communication support.
For small accounting practices that have not purchased specialist cyber insurance, this is a meaningful benefit. Review the policy terms carefully — the £25,000 limit may not be sufficient for practices with significant business interruption exposure, but it provides a useful baseline for practices that are otherwise uninsured for cyber events.
Getting certified: the process
- Self-assessment: review your current IT environment against the five control areas and identify gaps between your current state and the Cyber Essentials requirements.
- Remediation: address the gaps identified. Common actions for accounting practices include: enabling MFA on email and cloud services, applying outstanding software patches, ensuring all devices have active anti-malware, reviewing and restricting admin accounts.
- Choose a Certification Body: IASME (the scheme administrator) maintains a directory of accredited Certification Bodies. Select one based on your location and budget.
- Complete the assessment questionnaire: the online questionnaire covers each of the five control areas with specific technical questions. Allow three to five hours for a thorough completion.
- Submit and await verification: the Certification Body reviews your answers. For Cyber Essentials (self-assessment), this review typically takes one to five working days. Issues may require clarification or remediation before certification is awarded.
- Certification: on passing, you receive a Cyber Essentials certificate valid for twelve months. Recertification is annual.
Why certification matters for accounting practices
Professional credibility: Cyber Essentials certification provides a verifiable signal to clients that you take data security seriously. For clients whose own organisations require their suppliers to hold Cyber Essentials, certification is a prerequisite for the engagement.
ICO enforcement context: the ICO considers an organisation's security measures when assessing GDPR compliance and determining penalties following a data breach. Cyber Essentials implementation — even without formal certification — demonstrates a considered approach to security.
Professional indemnity and cyber insurance: many insurers look favourably on Cyber Essentials certification when assessing risk and setting premiums. For professional indemnity insurers, evidence that you have implemented baseline security controls may influence the terms offered.
Regulatory framework alignment: the five Cyber Essentials controls align with the baseline recommendations of the NCSC and with the technical and organisational security measures required under UK GDPR Article 32.
Key takeaways
- Cyber Essentials is a UK government-backed certification covering five controls: firewalls, secure configuration, access control, malware protection, and patch management.
- The basic (self-assessment) certification costs £300 to £500 and includes a free £25,000 cyber liability insurance policy for practices with fewer than 50 staff and turnover under £2 million.
- Cyber Essentials Plus adds independent technical verification and is appropriate for practices with more complex IT environments or government contract requirements.
- Certification is annual; prepare for recertification by maintaining the controls throughout the year rather than scrambling to remediate before each renewal.
- The five Cyber Essentials controls align with the technical and organisational security measures required under UK GDPR — implementing them supports both cybersecurity and data protection compliance.
Frequently asked questions
Is Cyber Essentials mandatory for accounting firms?
Cyber Essentials is not currently mandatory for accounting firms in the UK. It is required for organisations tendering for certain UK government contracts that involve handling personal data. Professional bodies including ICAEW and ACCA recommend it as best practice. The ICO does not require Cyber Essentials certification specifically but does require appropriate technical security measures under UK GDPR — Cyber Essentials provides a recognised framework for demonstrating those measures.
How long does it take to achieve Cyber Essentials certification?
The time depends on how close your current security controls are to the required standard. Practices that already have MFA on all accounts, up-to-date software, and active anti-malware may complete the self-assessment and achieve certification within two to three weeks. Practices with significant gaps — particularly around software patching, admin account management, or firewall configuration — may need four to eight weeks of remediation before they can pass.
Does Cyber Essentials cover cloud-based accounting software?
Cyber Essentials applies to your IT environment — the devices and software within your boundary. Cloud services used by the practice (Xero, QuickBooks, Microsoft 365) are within scope for some controls (such as access control and user account management) even though the provider controls the infrastructure. The certification questionnaire asks about how you manage access to cloud services, not about the cloud provider's own security.
Can an accounting firm become Cyber Essentials certified even with a very small IT footprint?
Yes. Cyber Essentials is designed to be achievable by small organisations, including sole traders with a single laptop. The questionnaire and requirements scale to the size of the IT environment. For very small practices with simple IT environments, achieving the certification is typically straightforward.
What is the difference between Cyber Essentials and ISO 27001?
Cyber Essentials is a baseline technical certification covering five specific controls. It is relatively quick and inexpensive to achieve and is accessible to small organisations. ISO 27001 is a comprehensive information security management standard covering all aspects of information security — risk management, organisational processes, physical security, personnel security, and more. ISO 27001 is significantly more demanding to implement and certify. Most small and mid-size accounting practices should start with Cyber Essentials; ISO 27001 is more appropriate for larger firms or those handling very sensitive data at scale.