Why Cyber Essentials Is Still the Best First Step for MSPs
Cyber Essentials has been around since 2014. In an industry that reinvents itself every eighteen months, that makes it practically ancient. And yet, a decade on, it remains the single most practical starting point for any organisation serious about security — and the most underused lever MSPs have for growing their security revenue.
Here's why it's still worth your time, and how to make more of it.
What Cyber Essentials Actually Is
Cyber Essentials is a UK government-backed certification that covers five technical controls:
- Firewalls — boundary and software firewalls configured and active
- Secure configuration — devices set up securely, unnecessary features removed
- User access control — least privilege, no default credentials, MFA on internet-facing services
- Malware protection — anti-malware active and updated
- Security update management — patches applied within 14 days for high/critical vulnerabilities
That's it. No ISMS. No risk register. No weeks-long audit. A self-assessment (or Plus — with external verification) that a typical SME can complete in a day if they're reasonably well-organised.
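As an added example (not part of the original post), here is how two of those rules can become a repeatable check an MSP runs per client: a short Python script that flags pending high/critical updates older than the 14-day window and works out the ten-month renewal reminder date. Device names, advisory identifiers and dates are constructed sample data.

```python
import calendar
from datetime import date

# Cyber Essentials: high/critical fixes must be applied within 14 days of release.
PATCH_WINDOW_DAYS = 14
IN_SCOPE_SEVERITIES = {"critical", "high"}

# Constructed sample inventory of updates not yet applied (hypothetical names and ids).
PENDING_UPDATES = [
    {"device": "LAPTOP-01", "advisory": "VENDOR-2024-001", "severity": "critical", "released": date(2024, 3, 1)},
    {"device": "SRV-FILE-01", "advisory": "VENDOR-2024-002", "severity": "high", "released": date(2024, 3, 10)},
    {"device": "LAPTOP-02", "advisory": "VENDOR-2024-003", "severity": "medium", "released": date(2024, 2, 1)},
    {"device": "FW-EDGE-01", "advisory": "VENDOR-2024-004", "severity": "critical", "released": date(2024, 2, 20)},
    {"device": "LAPTOP-03", "advisory": "VENDOR-2024-005", "severity": "high", "released": date(2024, 3, 6)},
]
REPORT_DATE = date(2024, 3, 20)    # constructed "today" for the report
CERTIFIED_ON = date(2024, 1, 31)   # constructed certification date (month-end edge case)


def overdue_updates(pending, today, window_days=PATCH_WINDOW_DAYS):
    """Return in-scope updates older than the window, most overdue first.

    Lower severities are skipped: they are not a Cyber Essentials failure,
    though they still belong in the client's normal patch cycle.
    """
    overdue = []
    for update in pending:
        if update["severity"].lower() not in IN_SCOPE_SEVERITIES:
            continue
        age_days = (today - update["released"]).days
        if age_days > window_days:  # exactly 14 days old is still compliant
            overdue.append({**update, "days_overdue": age_days - window_days})
    return sorted(overdue, key=lambda u: u["days_overdue"], reverse=True)


def add_months(d, months):
    """Calendar-month arithmetic that clamps to the last day of a shorter month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def renewal_dates(certified_on):
    """Certificate lapses after 12 months; the outreach reminder goes out at 10 months."""
    return add_months(certified_on, 10), add_months(certified_on, 12)


if __name__ == "__main__":
    for u in overdue_updates(PENDING_UPDATES, REPORT_DATE):
        print(f'{u["device"]}: {u["advisory"]} ({u["severity"]}) is {u["days_overdue"]} day(s) past the window')
    reminder, lapses = renewal_dates(CERTIFIED_ON)
    print(f"Certified {CERTIFIED_ON}: remind on {reminder}, lapses on {lapses}")
```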
Why MSPs Should Care
It's mandated in more places than you think
UK government contracts involving personal data or certain sensitive information require Cyber Essentials as a baseline. Crown Commercial Service suppliers need it. A growing number of insurers are factoring it into cyber insurance premiums or eligibility.
Your clients are going to need it eventually. The question is whether they come to you for help, or go elsewhere.
It surfaces real problems
The process of answering the Cyber Essentials questionnaire honestly is remarkably revealing. Clients who insist their patching is "fine" suddenly discover they have 200 end-of-life devices. MFA that was "deployed" turns out to only be on email, not the line-of-business application with all the client data in it.
Cyber Essentials isn't just a checkbox — it's a structured discovery exercise dressed up as a certification.
The upsell path is clear
Certification → gap remediation → annual renewal → Cyber Essentials Plus → ISO 27001 readiness. Every step in that chain is billable. MSPs who own the Cyber Essentials relationship with a client are far better placed to sell ongoing security services than those who don't.
Common Mistakes MSPs Make
Treating it as a one-and-done. Cyber Essentials lapses after twelve months. Most clients don't realise this until the renewal is overdue and they've failed a supplier check. Set up renewal reminders at ten months. Automate the outreach.
Doing it for the client instead of with them. The self-assessment has to be accurate. If you fill it in on their behalf and they fail a Plus audit or suffer a breach, that's a problem. Walk them through it, document your involvement.
Ignoring scope. Cyber Essentials scope can be the whole organisation or a defined subset. For clients who aren't ready for the full estate, a scoped assessment gets them certified quickly and gives you a roadmap for the rest.
Not selling the value. "You need to do Cyber Essentials" is a weak pitch. "We can get you certified in two to three weeks, which unlocks government contracts and knocks points off your cyber insurance premium" is a proposition.
The Bottom Line
Cyber Essentials won't stop a nation-state attacker. It's not trying to. What it does is close the gap on the vast majority of commodity attacks — phishing, credential stuffing, exploitation of known vulnerabilities — that account for the overwhelming bulk of breaches affecting UK SMEs.
For MSPs, it's a scalable, repeatable service with a clear commercial structure and a genuine security benefit for clients. If you're not leading with it, you're leaving money on the table and leaving clients at unnecessary risk.