Cyber Essentials for Councils FAQ: Your Questions Answered

Cyber Essentials certification is one of the most commonly discussed topics in local government cybersecurity — and one surrounded by misconceptions. This FAQ addresses the most common questions councils ask about achieving and maintaining Cyber Essentials certification.

Cyber Essentials certification demonstrates that an organisation has implemented the five technical controls that protect against the majority of common cyber attacks targeting UK organisations.

About Cyber Essentials for Councils

Cyber Essentials is a UK government-backed certification scheme managed by the NCSC. It certifies that an organisation has implemented five baseline technical controls that protect against common cyber threats. There are two levels: Cyber Essentials (self-assessment) and Cyber Essentials Plus (independently verified).

Frequently Asked Questions

What does Cyber Essentials certification actually certify?

Cyber Essentials certifies that your organisation has implemented five baseline technical controls: boundary firewalls and internet gateways, secure configuration of devices and software, user access controls including MFA, malware protection, and patch management. It demonstrates that your organisation has addressed the most common attack vectors — not that you are comprehensively secure against all threats.

How much does Cyber Essentials cost for a local council?

Cyber Essentials basic certification costs from £300 for the self-assessment questionnaire and review. Cyber Essentials Plus — which includes independent technical testing — costs significantly more, typically £2,000-£10,000 depending on the size of the estate being certified. Councils should also budget for remediation work to close gaps identified during the assessment process.

How long does Cyber Essentials take for a council?

From starting the process to receiving certification, Cyber Essentials typically takes 4-12 weeks for a council. The self-assessment questionnaire can be completed in a day, but addressing gaps — particularly around patch management on legacy systems and access controls — takes longer. Cyber Essentials Plus requires scheduling independent testing, which adds further time.

Can councils get Cyber Essentials if they have legacy systems running unsupported software?

Yes, with careful scoping. Legacy systems running unsupported operating systems must either be remediated (upgraded or replaced) or excluded from scope. Systems excluded from scope must be genuinely isolated from in-scope systems and the internet. Document your scoping decisions carefully — an assessor will review them.

Does Cyber Essentials cover cloud services like Microsoft 365?

Yes — cloud services used by the council, including Microsoft 365, are in scope for Cyber Essentials. The certification covers how the council configures and controls its cloud services, not just on-premises infrastructure. This includes MFA configuration, admin account protection, and secure configuration of cloud services.
