Cyber Essentials for care contracts
Cyber Essentials is a UK government-backed certification that shows you have five basic technical security controls in place, and many NHS and council care tenders now ask for it. It is not always a hard mandatory gate. In NHS Standard Contracts it is often listed as "desirable" or "required depending on the risk assessment", so read the exact ITT wording before you assume you are excluded. Basic Cyber Essentials is a self-assessment from £300 plus VAT; Cyber Essentials Plus adds a hands-on audit and is the version NHS bodies tend to specify where personal or clinical data is handled. It is separate from the DSP Toolkit, not a replacement for it. We tell you for free whether a tender genuinely needs it before you spend a penny.
What Cyber Essentials actually is
Cyber Essentials is a UK government-backed scheme that certifies your organisation against five basic technical security controls. It is owned and overseen by the National Cyber Security Centre (NCSC) and delivered through IASME as the sole Cyber Essentials Delivery Partner. The five controls are firewalls, secure configuration, security update management, user access control, and malware protection. Because the scheme is built around exactly those five controls, a buyer who sees your certificate knows precisely what has been checked. For a care provider this is deliberately practical. It is not a deep security standard like ISO 27001; it is a floor that says your laptops, phones, routers and accounts are configured to stop the most common attacks. IASME operates a network of more than 400 certification bodies across the UK, so you can usually find an assessor local to you. The certificate names a scope, which is the systems and data it covers, and that scope is what a tender evaluator reads. Scope it too narrowly and a careful evaluator will spot that it does not cover the care records the contract touches. Note that any device used to reach your organisation's data or services is in scope, including staff-owned phones that carers use for rostering or care-record apps, so a "whole organisation" scope is usually the safest choice for a care contract.
Basic versus Cyber Essentials Plus
The distinction readers most often confuse is between Cyber Essentials (self-assessment) and Cyber Essentials Plus (audited). Basic Cyber Essentials is a questionnaire you complete, signed off by a board member or equivalent, which a certifying body reviews. Cyber Essentials Plus covers the same five controls but adds a hands-on technical audit by the certifying body, where an assessor tests a sample of your devices and accounts to confirm the controls really work. You must hold a pass at the basic level first, and the Plus audit has to be completed within three months of that pass, so the two are booked as a pair rather than as alternatives. That difference matters in care procurement. Cyber Essentials Plus is the version NHS contracts most often specify where personal or clinical data is handled, because the buyer wants evidence that was independently tested rather than self-declared. Basic is frequently enough for lower-risk council home care or supported living contracts. When an ITT says "Cyber Essentials" without "Plus", do not over-buy: confirm the wording first. When it says "Plus", budget the extra time, because the audit needs your systems ready and a sample of in-scope devices available on the day. Booking a Plus audit late is a common reason providers miss the certificate before a deadline.
What it costs and how long it lasts
Basic Cyber Essentials is a self-assessment costing, according to IASME, from £300 plus VAT for a micro organisation of 0 to 9 staff, rising to around £500 plus VAT for a large organisation of 250 or more staff. Certification is valid for 12 months. Cyber Essentials Plus costs more on top of that because of the technical audit, and the exact figure depends on the certifying body and the size of your estate. All the headline figures are quoted excluding VAT and are tiered by organisation size, so a small domiciliary agency pays less than a multi-branch provider. The 12-month validity is the part bidders forget. You must renew annually, and an expired certificate is treated as no certificate at all. If you hold it purely for tendering, line renewal up before your busy bidding months so you are never caught presenting a lapsed certificate at the selection stage.
How it appears in NHS and council tenders
Cyber Essentials usually surfaces in the selection questionnaire or the information-governance section of a care tender, and how it is worded decides whether it is a gate. Government procurement policy requires suppliers bidding for certain public contracts that handle citizens' personal data, such as home addresses, to hold Cyber Essentials or Cyber Essentials Plus, or to demonstrate equivalent controls. So for a home care or supported living contract where you process service-user addresses and care records, expect it to come up. The trap is assuming it is always mandatory. In NHS Standard Contracts Cyber Essentials is increasingly listed as "desirable" or "required depending on the risk assessment", so it is rarely a blanket mandatory gate in the way the DSP Toolkit is. Read the exact ITT and the information-governance schedule. If it is desirable, a missing certificate may cost marks rather than disqualify you; if it is required, treat it as pass or fail and have the certificate, or a credible and dated plan to obtain it, ready before the deadline.
Cyber Essentials and the DSP Toolkit are separate
Cyber Essentials does not replace the DSP Toolkit, and confusing the two costs providers marks. The Data Security and Protection Toolkit is NHS England's annual self-assessment of how you handle health and care data, and most NHS and many council care contracts require it in its own right. Cyber Essentials is a narrower, independently certified check on five technical controls. You can be asked for either, both, or neither. The two do connect at one point. According to the NHS Data Security and Protection Toolkit, an organisation that achieves "Standards Met" and holds a current Cyber Essentials Plus certificate covering all of its health and care data processing has its status displayed as "Standards Exceeded". That upgrade is a genuine, evidenced differentiator on an information-governance question, but the certificate's scope must cover your care data for it to count, and the basic self-assessed certificate does not trigger it, so check both points before you claim it.
How to get it without overspending
Decide what the tender actually asks for before you buy anything, because the wrong certificate is wasted money and the right one is cheap insurance. Start by reading the ITT and information-governance schedule to confirm whether it is Cyber Essentials, Cyber Essentials Plus, mandatory or desirable. Then pick a certifying body from the IASME network, scope the certificate to cover the systems and data the contract touches, and plan for the 12-month renewal. If you are going for Cyber Essentials Plus, prepare for the audit before the assessor arrives: patch your devices, enforce multi-factor authentication on cloud services such as email and your care management system, remove or disable accounts for leavers, take day-to-day users out of local administrator groups, and uninstall software you no longer use, because the assessor tests a real sample of devices and will fail any machine that is out of date or running unsupported software. Keep the certificate and its scope statement in your bid library so it is ready to attach to the next selection questionnaire. Where a tender wants it only as "desirable" and you do not yet hold it, you can often still bid by evidencing equivalent controls, but say so honestly and back it with your policies rather than overclaiming.
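To make the audit-preparation step concrete, here is a pre-audit self-check for a Windows laptop that reports on each of the five controls. It is an added example written for this guide, not a tool from the NCSC, IASME or any certifying body, and its output is for your own review, not evidence an assessor will accept. It assumes a Windows 10 or 11 endpoint using Microsoft Defender and the built-in NetSecurity and LocalAccounts modules, run in an elevated PowerShell session; the 14-day patch threshold is a rough proxy for the scheme's requirement to apply critical and high-risk updates within 14 days.

```powershell
# Added pre-audit self-check (not part of the Cyber Essentials scheme or IASME tooling).
# Assumptions: Windows 10/11 endpoint with Microsoft Defender; built-in NetSecurity and
# LocalAccounts modules available; run in an elevated PowerShell session.

$report = [ordered]@{}

# 1. Firewalls: every profile (Domain, Private, Public) should be enabled.
$offProfiles = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
$report['FirewallProfilesOff'] = if ($offProfiles) { $offProfiles.Name -join ', ' } else { 'none' }

# 2. Malware protection: Defender on, real-time protection on, signatures recent.
$mp = Get-MpComputerStatus
$report['DefenderEnabled']  = [bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
$report['SignatureAgeDays'] = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days

# 3. Security update management: rough proxy; flag if the newest hotfix is older than 14 days.
$latest = Get-HotFix | Where-Object InstalledOn |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['DaysSinceLastHotfix'] = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { 'unknown' }
$report['PatchingOver14Days']  = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days -gt 14 } else { 'unknown' }

# 4. User access control: who holds local admin, and which local accounts are enabled.
#    Day-to-day users should not appear in the Administrators group.
$report['LocalAdmins']         = (Get-LocalGroupMember -Group 'Administrators').Name -join ', '
$report['EnabledLocalAccounts'] = (Get-LocalUser | Where-Object Enabled).Name -join ', '

# 5. Secure configuration: list installed software so unused or unsupported apps can be removed.
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher
$report['InstalledAppCount'] = @($apps).Count

# Summary first, then the full software list for manual review.
[pscustomobject]$report | Format-List
$apps | Sort-Object DisplayName | Format-Table -AutoSize
```

Run it on each device in the sample you expect the assessor to pick and fix anything it flags, then run it again the day before the audit; the software list is the part most providers skip, and an old, unpatched remote-access or PDF tool left on a carer's laptop is a typical cause of a failed Plus device test.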
Cyber Essentials in care tenders at a glance
How the two levels compare and where each tends to be asked for in NHS and council care procurement.
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| How it is assessed | Self-assessment questionnaire reviewed by a certifying body | Same five controls plus a hands-on technical audit of a device sample |
| Indicative cost | From £300 plus VAT (micro) to around £500 plus VAT (large org) | Costs more on top, varies by certifying body and estate size |
| Validity | 12 months, renewed annually | 12 months, renewed annually |
| Five controls covered | Firewalls, secure configuration, security update management, user access control, malware protection | Same five controls, independently tested |
| Typical care-tender use | Lower-risk council home care and supported living contracts | NHS contracts handling personal or clinical data |
| Effect on DSP Toolkit | No status upgrade | Upgrades 'Standards Met' to 'Standards Exceeded' if scope covers your care data |
| Owner and delivery | NCSC owns the scheme; IASME is the sole delivery partner | NCSC owns the scheme; IASME is the sole delivery partner |
Not sure if you qualify for a tender? We check it for free, before you pay anything, and we only take bids we believe you can win. Text TENDER to get started.
Common questions
Is Cyber Essentials mandatory for NHS contracts?
Not always. In NHS Standard Contracts Cyber Essentials is increasingly listed as "desirable" or "required depending on the risk assessment", so it is rarely a blanket mandatory gate. Government policy does require suppliers bidding for certain public contracts that handle citizens' personal data, such as home addresses, to hold Cyber Essentials or Cyber Essentials Plus or demonstrate equivalent controls. Read the exact ITT wording: where it is mandatory, treat it as pass or fail; where it is desirable, a missing certificate usually costs marks rather than disqualifying you.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Both certify the same five technical controls: firewalls, secure configuration, security update management, user access control and malware protection. Basic Cyber Essentials is a self-assessment that a certifying body reviews. Cyber Essentials Plus adds a hands-on technical audit, where an assessor tests a sample of your devices and accounts to confirm the controls actually work. Cyber Essentials Plus is the version NHS contracts most often specify where personal or clinical data is handled, because the evidence is independently tested rather than self-declared.
How much does Cyber Essentials cost?
Basic Cyber Essentials is a self-assessment costing from £300 plus VAT for a micro organisation of 0 to 9 staff, rising to around £500 plus VAT for a large organisation of 250 or more staff, according to IASME. Certification is valid for 12 months and must be renewed annually. Cyber Essentials Plus costs more on top because of the technical audit, with the exact figure set by the certifying body and the size of your IT estate. All figures are quoted excluding VAT and are tiered by organisation size.
Does Cyber Essentials replace the DSP Toolkit?
No. The Data Security and Protection Toolkit is NHS England's annual self-assessment of how you handle health and care data, and most NHS and many council care contracts require it in its own right. Cyber Essentials is a separate, narrower check on five technical controls. The two connect at one point: holding a current Cyber Essentials Plus certificate that covers all your health and care data processing upgrades your DSP Toolkit status from "Standards Met" to "Standards Exceeded". You can be asked for either, both or neither, so check each tender.
How long is Cyber Essentials valid for?
Cyber Essentials and Cyber Essentials Plus are both valid for 12 months and must be renewed annually. An expired certificate is treated as no certificate at all, so if you hold it for tendering, line your renewal up before your busy bidding months. Keep the certificate and its scope statement in your bid library so it is ready to attach to the next selection questionnaire, and check that the scope still covers the systems and data each new contract touches.
What does Selective Care Match charge, and what is your win rate?
Your first tender is £795. We only take bids we believe you can win, and if a loss is clearly down to our writing error we rewrite the next one free. Our win rate is 96 percent. Before any of that, we run a free eligibility check, including whether a tender genuinely needs Cyber Essentials or Cyber Essentials Plus, so you only spend on certification the contract actually requires.
Keep reading
DSP Toolkit for care bids
SQ and PQQ in care tenders
How to respond to a care tender
Care tender checklist
Why care bids lose
Browse all care tender guides, or see care tender writing by service.
Got a tender to check?
Text TENDER to +44 7822 030677 and we'll tell you free whether you'd qualify, before you spend a penny.