Cyber Essentials for Councils: A Practical Guide for Local Authorities

Cyber Essentials is the UK government's baseline cybersecurity certification scheme, and it is increasingly expected of local authorities as a condition of central government contracts and cyber insurance cover. Yet many councils lack a structured approach to achieving certification, leaving resident data, council systems, and public services exposed to preventable attacks.

Cyber Essentials covers five technical controls that protect against the majority of common cyber attacks targeting UK organisations.

What Cyber Essentials Requires

Cyber Essentials focuses on five technical controls that protect against the most common cyber threats:

  • Boundary firewalls and internet gateways — controlling what traffic enters and leaves council networks
  • Secure configuration — ensuring devices and software are configured securely, with default passwords changed
  • Access control — limiting user privileges to what is needed, using multi-factor authentication
  • Malware protection — antivirus and application controls on council devices
  • Patch management — critical vulnerabilities remediated within 14 days of patch release

Cyber Essentials Plus for Councils

Cyber Essentials Plus adds independent technical verification — an assessor tests your controls rather than relying on self-assessment. Many central government contracts now require Cyber Essentials Plus for suppliers, and the NCSC recommends it for organisations processing sensitive personal data. For councils holding resident data including health, benefits, and social care records, Cyber Essentials Plus demonstrates a higher level of assurance to residents and the ICO.

Common Barriers for Councils

Local authorities often face specific challenges achieving Cyber Essentials certification: legacy systems running unsupported software, BYOD policies that are difficult to control, and complex network environments spanning multiple council sites and partner organisations. A phased approach — scoping out legacy systems initially, addressing BYOD with a clear policy, and working through the five controls systematically — makes certification achievable without wholesale IT transformation.

Maintaining Certification Year on Year

Cyber Essentials certification must be renewed annually. Councils should build certification maintenance into their IT change management process — ensuring new systems are assessed against CE requirements before deployment, and that patching and access control processes are documented and followed consistently. Treat it as a living programme, not a one-off project.

Frequently Asked Questions

Is Cyber Essentials mandatory for local councils?

Cyber Essentials is not currently mandatory for all local councils by statute. However, it is required for councils that handle certain central government contracts, and is expected under NCSC public sector cyber guidance. Many cyber insurers now require it as a condition of cover, and the Local Government Association strongly recommends it as a baseline for all councils.

How long does Cyber Essentials take for a council?

Cyber Essentials certification typically takes 4-12 weeks for a council, depending on the size of the estate, existing control maturity, and the number of remediation actions required. The initial self-assessment questionnaire can be completed in a day, but addressing gaps — particularly around patch management and access control on legacy systems — takes longer.

What does Cyber Essentials cost for a local authority?

Cyber Essentials basic certification costs from £300 for the assessment. Cyber Essentials Plus costs significantly more — typically £2,000-£10,000 depending on organisation size — as it requires independent technical testing. Councils should also budget for remediation work to close gaps identified during the assessment process.
