
Achieving Cyber Essentials as a Sole Trader: A Comprehensive Guide to Compliance and Resources

Cybersecurity is no longer optional for sole traders. With increasing cyber threats targeting small businesses, protecting your digital assets and client data is essential. The Cyber Essentials scheme offers a straightforward way to demonstrate your commitment to cybersecurity. This guide explains how you, as a sole trader, can successfully achieve Cyber Essentials certification, using practical steps and trusted resources.



What is Cyber Essentials?

Cyber Essentials is a UK Government-backed certification scheme built around five core technical controls. If implemented correctly, those controls will protect any organisation from the majority of the most common cyber attacks. The scheme is managed by IASME on behalf of the National Cyber Security Centre (NCSC) and is widely recognised as the industry-standard baseline for cyber security in the UK.


Cyber Essentials certification can also open doors: many government contracts and supply chain opportunities now require suppliers to hold a valid certificate. For a sole trader, this makes certification not just a security measure but a genuine business asset.


What Does the Scope of My Assessment Include?

One of the most common questions sole traders ask is: what exactly is being assessed?

The scope covers all of the IT infrastructure you use to run your business — every internet-connected device that accesses your company data. That means laptops, desktop computers, tablets, smartphones and any cloud services such as Microsoft 365, Google Drive, Dropbox or QuickBooks.


As a sole trader, your scope is likely to be very small. It may be nothing more than a laptop, a mobile phone and a handful of cloud services. That is perfectly fine — the assessment is the same regardless of the size of your organisation, and a smaller footprint generally means fewer things to address.


A sensible first step is to create a simple asset register: a list of all the internet-connected devices, software and cloud services your business uses. This gives you a clear picture of what needs to be secured before you begin answering the assessment questions.


Your Home Router Isn't Always in Scope

This is an area that often causes confusion. If you work from home and your router is provided and managed by your internet service provider (ISP), it falls outside the scope of your Cyber Essentials assessment. The same applies if you work in a serviced office or on a hot desk where the router is not under your control. However, if you work from your own office or shop, or if you use a router that you purchased yourself, that router and its firewall will be in scope — and you will need to ensure it is configured securely.


The Five Controls: What Do They Mean for a Sole Trader?

The scheme is centred around five core controls. The UK Government conducted a cyber-risk assessment focused on commodity attacks — low-skilled attacks from the internet using easily available tools — and identified these five controls as essential for reducing that risk to acceptable levels.


Here is how each one typically applies to a single-person business:

1. Firewalls — Your devices should have a software firewall enabled. For most sole traders, this means ensuring Windows Defender Firewall or macOS XProtect is switched on. If you own your router, it should also have its firewall active.

2. Secure Configuration — Devices and software should be set up securely, with unnecessary features disabled and default passwords changed.

3. User Access Control — You need to control who has access to your systems and data, and ensure accounts are appropriately privileged (more on this below).

4. Malware Protection — You need up-to-date, active malware protection in place across all in-scope devices.

5. Patch Management — Software, operating systems and apps must be kept up to date with security patches applied within 14 days of release.


Why Do I Need Two Accounts If It's Just Me?

This is one of the questions sole traders find most surprising, and it is worth explaining clearly.

Every computer has an administrator account — one that has the power to install, modify and delete software. Using an administrator account for everyday tasks such as email, web browsing and document editing carries significant security risk. If your account is ever compromised by an attacker, they immediately inherit all the privileges of that account. If that is an administrator account, they can install malicious software, delete files and access your sensitive data.


The requirement is straightforward: create a separate administrator account, then downgrade your regular account to a standard user account for day-to-day use. You can still carry out administrative tasks when needed by entering the administrator password. This applies even if you are the only person who uses the computer.


By default, the first account set up on a Windows or Mac machine carries administrator privileges — so if you have never changed this, you are likely operating as an administrator every day without realising it.
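As an added example (not from the original article), here are the Windows PowerShell commands that implement the two-account setup just described: check who holds administrator rights, create a separate admin-only account, then demote the everyday account to a standard user. The account names jane and jane-admin are assumptions; on a Mac the same change is made in System Settings > Users & Groups.

```powershell
# Added example: separate admin account for a one-person business.
# Run from an elevated PowerShell session. Account names are assumptions.
$everyday  = "jane"        # used for email, browsing and documents
$adminUser = "jane-admin"  # kept only for installs and configuration changes

# 1. Who currently holds administrator rights on this machine?
"== Administrators before the change =="
Get-LocalGroupMember -Group "Administrators" | Select-Object Name, PrincipalSource

# 2. Create the separate administrator account (prompts for its password).
if (-not (Get-LocalUser -Name $adminUser -ErrorAction SilentlyContinue)) {
    $securePassword = Read-Host -AsSecureString "Password for $adminUser"
    New-LocalUser -Name $adminUser -Password $securePassword -FullName "Jane (admin only)"
    Add-LocalGroupMember -Group "Administrators" -Member $adminUser
}

# 3. Demote the everyday account to a standard user.
#    Do this only after confirming you can sign in as $adminUser, otherwise
#    you can lock yourself out of administrative tasks.
$members = (Get-LocalGroupMember -Group "Administrators").Name
if ($members -like "*\$everyday") {
    Remove-LocalGroupMember -Group "Administrators" -Member $everyday
}
# A standard user needs to stay in Users; ignore the error if already a member.
Add-LocalGroupMember -Group "Users" -Member $everyday -ErrorAction SilentlyContinue

# 4. Confirm: only the admin-only account (and built-in Administrator) remain.
"== Administrators after the change =="
Get-LocalGroupMember -Group "Administrators" | Select-Object Name, PrincipalSource
```

Day-to-day work continues under the everyday account; when Windows needs elevation it prompts for the jane-admin password, which is exactly the behaviour the scheme expects.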


Do I Need a Process for User Accounts?

Yes — and this is an area where sole traders often underestimate what is required.

Even as a one-person business, it is likely that others have had some form of access to your systems: an IT consultant who helped set up your laptop, a friend who built your website, or a bookkeeper who accesses your accounts software. Do you know what accounts they have? Are those accounts still active?


You need to be able to demonstrate that you understand and control who has access to your network and data. The process does not need to be complicated — a spreadsheet or document recording who has been given an account, when it was created, what access it allows, who authorised it, and when it was closed is entirely sufficient.


Even if the only entry on that register is your own account, the process is in place and ready to scale should your business grow or should you need to bring in additional support.

It is also good practice to review all accounts every six months to ensure that no unnecessary access remains active.
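As an added example, not part of the original guide, here is a short PowerShell script that reads an access register with exactly the fields listed above and reports which accounts are still open and which are overdue their six-monthly review. The rows are constructed sample data; the review interval of 180 days and the fixed "today" date are assumptions chosen so the output is reproducible.

```powershell
# Added example: review a simple access register kept as CSV.
# The rows below are constructed sample data, not real accounts.
$register = @"
Account,Holder,CreatedOn,Access,AuthorisedBy,ClosedOn,LastReviewed
jane@example.co.uk,Jane (owner),2023-01-10,Microsoft 365 admin,Jane,,2025-09-01
it-support,External IT consultant,2023-02-03,Laptop administrator,Jane,2023-02-05,2025-09-01
webdev,Freelance web developer,2024-06-12,Website hosting control panel,Jane,,2024-06-12
bookkeeper,Bookkeeper,2024-09-01,Accounts software (read/write),Jane,,2025-09-01
"@ | ConvertFrom-Csv

$today       = Get-Date "2026-02-15"   # fixed so the example output is stable
$reviewEvery = 180                     # days: the six-monthly review above

# Closed accounts need no action; open ones are listed with their review status.
$review = foreach ($row in $register) {
    if ($row.ClosedOn) { continue }
    $daysSinceReview = ($today - [datetime]$row.LastReviewed).Days
    [pscustomobject]@{
        Account = $row.Account
        Holder  = $row.Holder
        Access  = $row.Access
        Status  = if ($daysSinceReview -gt $reviewEvery) {
                      "REVIEW OVERDUE ($daysSinceReview days)"
                  } else { "ok" }
    }
}

"== Open accounts and review status =="
$review | Format-Table -AutoSize
```

In the sample data the web developer's account was created, never closed and never reviewed, so it is the one flagged: precisely the forgotten third-party access the scheme wants you to catch.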


What About Passwords and Multi-Factor Authentication?

Meeting the Cyber Essentials password requirements cannot be done through good intentions alone — technical controls must be in place.


This means configuring your platforms and services so that they enforce minimum password lengths, block commonly used passwords, and lock accounts after repeated failed login attempts (a technique known as throttling). Relying on a written password policy without the technical settings to back it up will not satisfy the scheme requirements.


Multi-Factor Authentication (MFA) is also a critical requirement. From the April 2026 update, MFA is a mandatory requirement for all cloud services where it is available. Organisations that fail to implement MFA for cloud services — whether it is free, included or a paid option — will automatically fail the assessment.


For a sole trader using Microsoft 365, Google Workspace or similar services, enabling MFA is usually a straightforward process within the account settings and should be a priority before submitting your assessment.


What Happens if My Account is Compromised?

You need a clear, documented process for responding promptly if you believe an account has been compromised. Signs of compromise can include emails being sent from your account that you did not create, passwords being changed without your knowledge, or files being deleted or altered unexpectedly.


If you suspect a compromise, change your password immediately to something unique and at least 12 characters in length, enable MFA if it is not already active, notify any relevant contacts, and report serious incidents to Action Fraud.


Critically, you should not rely solely on your IT provider to hold and manage your passwords. The accounts, the passwords and the responsibility are yours as the business owner. If your IT provider became unavailable or suffered a breach, you need to be confident that you can access and recover your own accounts independently.


Can I Just Let My IT Provider Handle It?

No — and this is an important point. You can involve your IT provider in helping to implement the controls and even in helping you answer the questions, but you cannot pass full responsibility to them. As the business owner, you are ultimately accountable for the answers provided. The assessment requires a senior individual (in a sole trader's case, that is you) to digitally sign the submission confirming that all answers are accurate.


It is worth noting that some IT providers have strong technical knowledge but limited understanding of Cyber Essentials specifically. If you use a provider, give them clear instructions about the controls you need implementing, and consider asking whether they hold Cyber Essentials certification themselves — a certified provider demonstrates that they take cyber security seriously and understand what is required.


What About Managing Ports?

For most sole traders working from a laptop using cloud services, the majority of network ports should be closed. A port is essentially a channel through which data can travel in or out of your network. Leaving unnecessary ports open is the equivalent of leaving doors unlocked — it gives attackers potential entry points into your systems.


If you are not sure whether your network has open ports, this is something worth checking before your assessment. Some routers, particularly those purchased rather than provided by an ISP, may have all ports open by default — which would represent a risk that needs to be addressed.
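An added example, not from the original article: two PowerShell checks for a Windows laptop that cover the firewall control above and the open-ports question. They show whether the software firewall is enabled for every network profile and which ports the machine itself is listening on, with the program behind each one. This inspects the laptop only, not your router.

```powershell
# Added example: pre-assessment checks on a Windows laptop.
# Requires Windows 8 or later (NetSecurity and NetTCPIP modules).

# 1. Is the software firewall on for Domain, Private and Public profiles,
#    and does it block unsolicited inbound connections by default?
"== Firewall profiles =="
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. Which TCP ports is this machine listening on, and which program owns each?
#    Entries bound to 0.0.0.0 or :: are reachable from the network, so anything
#    there that you do not recognise deserves a closer look or a firewall rule.
"== Listening TCP ports =="
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { "unknown" }
        }
    } |
    Format-Table -AutoSize
```

Save the output alongside your asset register; it is useful evidence if your assessor asks how you confirmed the firewall was active.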


Where Do I Start If I'm Not Technical?

Get Cyber Certified, NCSC and IASME have produced a number of free resources to help:

  • Cyber Essentials Resource Hub — A free online hub of helpful articles covering common questions posed to our assessment team.

  • Cyber Essentials Knowledge Hub — Maintained by IASME, this is the central source of up-to-date, authoritative guidance on the scheme, including sector and size-specific content.

  • NCSC Cyber Essentials overview — The NCSC's official overview of the scheme, including links to the question set and requirements documents.


Ready to Get Certified?

At Get Cyber Certified, we are an IASME-accredited Cyber Essentials Certification Body with experience assessing organisations of every size — including sole traders and single-person companies. We understand that the assessment can feel daunting at first, but with the right preparation, most sole traders find the process very manageable.


The cost of basic Cyber Essentials certification starts at £319 + VAT for micro organisations, and for a sole trader, the scope is typically small enough to make the process quick and straightforward.


If you're ready to take the next step, visit www.getcybercertified.co.uk to find out more or to begin your application.

