Cadarn IT
The Cadarn IT team

Cyber Essentials for Accountancy Practices: A Plain-English 2026 Guide

What Cyber Essentials is, why accountancy practices increasingly need it, the five controls explained without jargon, what it costs, and how to prepare.

  • Cyber Essentials
  • Security
  • Compliance

If you run an accountancy practice, you already handle exactly the kind of information criminals want: National Insurance numbers, bank details, payroll data, company accounts, and the personal financial affairs of dozens or hundreds of clients. That makes good cyber security a core part of running a responsible practice, not an optional extra.

Cyber Essentials is one of the simplest, most recognised ways to show you’ve got the basics right. This guide explains what it is, why it matters specifically for accountancy firms, and what’s involved, in plain English, for a practice partner or practice manager rather than an IT specialist.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme, run by the IASME Consortium on behalf of the National Cyber Security Centre (NCSC). It sets out a small number of practical security controls that, between them, protect against the large majority of common, opportunistic cyber attacks.

The idea is deliberately unglamorous. Most breaches that hit small firms aren’t sophisticated, targeted hacks; they’re automated attacks that find an unpatched computer, a weak password, or a missing layer of protection. Cyber Essentials closes those obvious doors.

There are two levels:

  • Cyber Essentials, a self-assessment questionnaire that is verified by a certification body.
  • Cyber Essentials Plus, everything in the base level, plus a hands-on technical audit where an assessor checks that the controls are actually working.

Why accountancy practices in particular should care

Plenty of small businesses can get away with treating security loosely. A practice really can’t, for several reasons that stack on top of each other.

Your clients’ data is the target

You hold sensitive financial data in volume. A breach isn’t just embarrassing: under UK GDPR it can be a reportable incident, with the Information Commissioner’s Office (ICO) involved, clients to notify, and real reputational damage in a profession where trust is everything.

Your professional body and AML obligations

As an ICAEW, ACCA or AAT member firm you’re expected to look after client data properly, and as an Anti-Money-Laundering-supervised business you handle information that has to be kept secure. Cyber Essentials gives you a clear, externally-recognised way to demonstrate you take that seriously.

Insurance increasingly expects it

More and more cyber insurance policies, and some professional indemnity policies, either require Cyber Essentials or offer better terms if you hold it. If you’ve renewed a policy recently, you may already have been asked whether you’re certified.

Clients are starting to ask

Larger clients, and anyone doing public-sector work, increasingly ask their advisers whether they’re certified. Being able to say “yes” is quietly becoming a competitive advantage when you’re pitching for work.

The five controls, explained without jargon

Cyber Essentials covers five technical control areas. Here’s what each one actually means for a practice.

1. Firewalls

A firewall is the barrier between your office network (or a home worker’s connection) and the internet. The control is about making sure these are switched on and configured sensibly, so that only the traffic you actually need can get in. In practice this covers your office router and the firewall built into each computer.

2. Secure configuration

Computers, servers and software often ship with convenient-but-insecure default settings: default passwords, unnecessary features switched on, sample accounts left active. Secure configuration means tidying all of that up: removing what you don’t need and locking down what you keep.

3. Security update management (patching)

Software vendors regularly release updates that fix security holes. The control here is simple but vital: keep operating systems and software up to date, and stop using anything that’s no longer supported. An unpatched machine running your practice software is one of the easiest ways in for an attacker.

4. User access control

Not everyone in the practice needs access to everything. This control is about giving each person only the access they need to do their job, using individual accounts (not shared logins), and being careful with administrator accounts, which are powerful and therefore dangerous if compromised.

5. Malware protection

This is your protection against viruses, ransomware and other malicious software, typically anti-malware software that’s kept up to date, plus sensible controls on what can be installed and run.

And the one that ties it together: multi-factor authentication

Across recent updates to the scheme, multi-factor authentication (MFA) has become a firm requirement for cloud services such as Microsoft 365 and cloud-based practice or bookkeeping software. MFA means that even if someone steals a password, they still can’t get in without a second factor (usually a prompt on a phone). For a practice, turning on MFA everywhere is one of the single highest-value security steps you can take.

The scheme is refreshed roughly once a year, and the detailed requirements (including exactly how MFA must be applied) do change. Before you certify, check the current requirements with your certification body or the official NCSC/IASME guidance.
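One practical way to confirm the MFA point above for a Microsoft 365 tenant is to ask the tenant whether it enforces MFA for everyone, either through Security Defaults or through a Conditional Access policy. The script below is an added example, not Cadarn IT's tooling or anything from the scheme; it assumes the Microsoft.Graph PowerShell SDK is installed and that the account you sign in with is allowed to read policies.

```powershell
# Added example: does this Microsoft 365 tenant enforce MFA tenant-wide?
# Assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph)
# and the signed-in account can read policies. Not the scheme's or Cadarn IT's code.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All'

function Test-TenantMfa {
    # Collect what we find so the result can be reviewed or exported.
    $result = [ordered]@{ SecurityDefaults = $false; MfaPolicies = @() }

    # Security Defaults switch on MFA for every user with no further configuration.
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $result.SecurityDefaults = [bool]$sd.IsEnabled

    # Otherwise look for an enabled Conditional Access policy that requires MFA
    # for all users across all cloud apps. Policies built on "authentication
    # strength" rather than the plain 'mfa' grant control will not match here.
    foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
        $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'
        $allUsers    = $p.Conditions.Users.IncludeUsers -contains 'All'
        $allApps     = $p.Conditions.Applications.IncludeApplications -contains 'All'
        if ($p.State -eq 'enabled' -and $requiresMfa -and $allUsers -and $allApps) {
            $result.MfaPolicies += $p.DisplayName
        }
    }
    return [pscustomobject]$result
}

$check = Test-TenantMfa
if ($check.SecurityDefaults) {
    Write-Output 'MFA is enforced for all users via Security Defaults.'
} elseif ($check.MfaPolicies.Count -gt 0) {
    Write-Output "MFA is required for all users by Conditional Access policy: $($check.MfaPolicies -join ', ')"
} else {
    Write-Warning 'No tenant-wide MFA enforcement found. Enable Security Defaults or a Conditional Access policy before certifying.'
}
```

A matching policy can still carry exclusions (break-glass accounts, for instance), so treat a positive result as a prompt to review the exclusion list rather than as proof that every account is covered, and check any cloud accounting or practice software that sits outside Microsoft 365 separately.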

What does Cyber Essentials cost?

The certification fee for the base-level Cyber Essentials self-assessment is modest; it’s tiered by organisation size, and for a small practice it sits at the lower end. Cyber Essentials Plus costs more because it involves a hands-on audit.

The bigger investment is usually the preparation: making sure MFA, updates, device settings and access controls are all in good shape before you apply. For many practices that’s a few sensible improvements rather than a wholesale overhaul, and most of it is good practice you’d want in place regardless.

How to prepare: a sensible order of play

  1. Turn on multi-factor authentication everywhere: Microsoft 365, your cloud accounting and practice software, and anywhere else staff log in.
  2. Get updates under control: make sure every device updates promptly and retire anything unsupported.
  3. Tidy up accounts and access: individual logins, the right level of access per person, and tight control of administrator accounts.
  4. Check your protections: firewalls on, malware protection running and current, devices configured securely.
  5. Run a gap check, then apply: work through the questionnaire, fix anything outstanding, and submit.
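Steps 2 to 5 can be given a first pass on each Windows device before anyone opens the questionnaire. The script below is an added example, not Cadarn IT's tooling or anything published by NCSC or IASME; it checks the device-side parts of the five controls (firewall profiles, built-in accounts and blank passwords, OS support and patch recency, local administrators, and Microsoft Defender status). MFA is a tenant setting and is not covered here. The 30-day patch window, the list of operating systems treated as unsupported, and the approved-administrator list are illustrative assumptions to be replaced with your own policy.

```powershell
# Added example: Cyber Essentials device gap check for a Windows 10/11 machine.
# Run from an elevated PowerShell 5.1+ session. Assumes Microsoft Defender is the
# anti-malware product; thresholds and lists below are illustrative, not the scheme's.
$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding {
    param([string]$Control, [string]$Message)
    $findings.Add("[$Control] $Message")
}

# 1. Firewalls: the Domain, Private and Public profiles must all be enabled.
Get-NetFirewallProfile | ForEach-Object {
    if (-not $_.Enabled) { Add-Finding 'Firewall' "Profile '$($_.Name)' is disabled." }
}

# 2. Secure configuration: built-in Guest/Administrator accounts should be off,
#    and no enabled account may get by without a password.
Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -in @('Guest', 'Administrator') } | ForEach-Object {
    Add-Finding 'Secure configuration' "Built-in account '$($_.Name)' is enabled."
}
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    Add-Finding 'Secure configuration' "Account '$($_.Name)' does not require a password."
}

# 3. Security update management: the OS must be supported and updates recent.
#    Assumed list of out-of-support versions; confirm against current vendor dates.
$unsupported = @('Windows 7', 'Windows 8', 'Windows 10')
$os = Get-CimInstance Win32_OperatingSystem
foreach ($name in $unsupported) {
    if ($os.Caption -like "*$name*") { Add-Finding 'Updates' "Operating system '$($os.Caption)' is out of support." }
}
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    Add-Finding 'Updates' "No update installed in the last 30 days (last: $($latest.InstalledOn))."
}

# 4. User access control: only approved accounts should be local administrators.
#    Assumed approved list; replace with the practice's own.
$approvedAdmins = @("$env:COMPUTERNAME\ITAdmin")
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    if ($_.Name -notin $approvedAdmins) {
        Add-Finding 'User access control' "Unexpected local administrator: $($_.Name)"
    }
}

# 5. Malware protection: Defender running, real-time protection on, signatures fresh.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    if (-not $mp.AMServiceEnabled)          { Add-Finding 'Malware protection' 'Defender service is not running.' }
    if (-not $mp.RealTimeProtectionEnabled) { Add-Finding 'Malware protection' 'Real-time protection is off.' }
    if ($mp.AntivirusSignatureAge -gt 3)    { Add-Finding 'Malware protection' "Signatures are $($mp.AntivirusSignatureAge) days old." }
} else {
    Add-Finding 'Malware protection' 'Defender cmdlets not found; verify the third-party product manually.'
}

# Report: one line per gap, or a clean bill for this device.
if ($findings.Count -eq 0) {
    Write-Output "No gaps found on $env:COMPUTERNAME for the checks above."
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it on each device and keep the output with your preparation notes: a clean run is not a certificate, but any line it prints is something an assessor would also notice, and fixing those first keeps the questionnaire honest.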

If that feels like a lot to coordinate around client work, that’s exactly the sort of thing we help practices with. Our cyber security and Cyber Essentials service gets you prepared and certified without it becoming your problem to project-manage.

The bottom line

Cyber Essentials isn’t about box-ticking. It’s a clear, recognised way to make sure your practice has the security basics genuinely in place, protecting your clients’ data, satisfying insurers and professional expectations, and giving you something concrete to point to when clients ask.

The quickest way to find out where you stand is a free Practice IT Health Check. In 15 to 20 minutes we’ll tell you, honestly, how close you already are to Cyber Essentials and what, if anything, is worth doing first.

Frequently asked questions

Is Cyber Essentials a legal requirement for accountants?

No, it isn't a legal requirement in itself. But it is increasingly expected by insurers, by some clients (especially larger ones and the public sector), and it sits naturally alongside your professional body's and the ICO's expectations around protecting client data. Many practices treat it as a baseline of good practice.

How long does Cyber Essentials take to get?

Once your systems are in good shape, the basic Cyber Essentials self-assessment can often be completed and certified within a few days to a couple of weeks. The work is mostly in the preparation: getting multi-factor authentication, updates and device settings right beforehand.

What's the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a verified self-assessment: you answer a structured questionnaire and it's reviewed. Cyber Essentials Plus adds a hands-on technical audit by an assessor who checks your systems directly. Plus gives stronger assurance and is sometimes required by larger clients.

Want this checked for your own practice?

Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.
