Cyber Essentials is the UK government-backed scheme that helps organisations protect themselves against the most common cyber threats. For many businesses, especially those supplying to the public sector, it is no longer optional — it is a contractual requirement. Yet one of the most common questions from business owners and IT managers is simply: how much does it actually cost? The answer depends on the size of your organisation, how prepared your current IT infrastructure is, and whether you need the standard Cyber Essentials or the more rigorous Cyber Essentials Plus. This guide breaks down every cost you are likely to encounter so you can budget accurately and avoid surprises.
Cyber Essentials: Base Certification Costs
The standard Cyber Essentials certification is a self-assessment process. You answer a questionnaire covering five technical controls — firewalls, secure configuration, user access control, malware protection, and patch management — and a certification body reviews your answers. Since April 2023, the IASME Consortium has been the sole delivery partner for the NCSC’s Cyber Essentials scheme, meaning all applications go through the IASME portal.
Pricing is banded by organisation size:
- Micro organisation (up to 9 employees): approximately £300 + VAT
- Small organisation (10–49 employees): approximately £400 + VAT
- Medium organisation (50–249 employees): approximately £450 + VAT
- Large organisation (250+ employees): approximately £500 + VAT
These fees are paid through the IASME portal at iasme.co.uk and cover the cost of the online assessment and review by an NCSC-accredited certification body. Certification is valid for 12 months, so these costs recur annually.
Cyber Essentials Plus: What It Costs
Cyber Essentials Plus is a step up from self-assessment. Rather than you answering questions about your own controls, an independent assessor conducts hands-on technical testing of your systems — checking devices, scanning for vulnerabilities, and verifying that the controls you claim are in place actually work in practice.
Because Plus involves real technical work by a qualified assessor, pricing is not fixed and must be quoted individually by the certification body. As a general guide:
- Small organisations: typically £1,500–£3,000
- Larger or more complex environments: £5,000–£10,000 or more
The factors that drive up the cost of Plus are the number of devices in scope, the number of office locations or remote working setups, and the range of cloud services being assessed. A five-person business using a handful of laptops and Microsoft 365 will come in at the lower end. A 100-person business with multiple sites, a mix of cloud and on-premises servers, and bespoke software will cost considerably more. Always ask certification bodies for a detailed quote and clarify exactly what is in scope before committing.
The Hidden Costs: Preparation and Remediation
The certification fee is only part of the picture. For many organisations, particularly those without a recent IT audit or a dedicated IT team, the real cost sits in getting your infrastructure up to the required standard before the assessment takes place.
IT Support and Consultant Time
If you use a managed IT provider or an independent consultant, you will likely need their help to review your current setup, close any gaps, and complete the questionnaire accurately. For a small business in reasonable shape, expect one to two days of support time. For a business that has never documented its IT controls or still relies on legacy systems, it could be three to five days. At typical UK IT support day rates of £400–£600, that is £400 to £2,500 in additional costs before you even pay the certification fee.
Remediation Costs
Cyber Essentials has specific technical requirements that can catch businesses out. Common areas where remediation is needed include:
- Multi-factor authentication (MFA): Required for cloud services and remote access. Setting up MFA across Microsoft 365 or Google Workspace is usually straightforward, but it takes time and occasionally requires a higher-tier licence.
- Operating system versions: Devices running Windows 10 (which reaches end of support in October 2025) may need upgrading to Windows 11. Hardware that cannot support Windows 11 may need replacing.
- Router and firewall configuration: Consumer-grade routers with default credentials or unsupported firmware can fail the assessment. Replacement or reconfiguration may be required.
- Patch management: All software must be kept up to date and unsupported software removed. This can be time-consuming if devices have been neglected.
Remediation costs vary widely depending on your starting point, but it is sensible to budget a contingency of £500–£1,500 for a small business, more if device replacement is likely.
Annual Renewal Costs
Cyber Essentials certification lasts for 12 months. Renewal follows the same process and the same pricing structure applies each year. If your IT environment remains largely unchanged and is well maintained, renewal should require minimal additional preparation time. Building annual renewal into your IT budget from the outset avoids the certification lapsing — which can have immediate consequences if you hold government contracts.
The Financial Case for Certification
Looking purely at cost can make Cyber Essentials feel like an overhead, but the return on investment is compelling for most UK businesses.
Cyber Insurance Savings
Many UK cyber insurers now ask whether your organisation holds Cyber Essentials certification when calculating premiums. Certified organisations commonly receive reductions of 5–15% on their cyber insurance premiums. For a business paying £3,000 per year for cyber cover, that is a saving of £150–£450 annually — potentially covering a significant portion of the certification cost on its own.
Access to Government Contracts
Any organisation handling UK government data or bidding for central government contracts must hold a valid Cyber Essentials certificate. There is no workaround. For businesses in the supply chain — defence, local authority, NHS, and central government procurement — the cost of not having certification is the cost of being excluded from those contracts entirely.
Incident Avoidance
The average cost of a cyber incident for a UK SMB, once you factor in downtime, recovery, reputational damage, and any regulatory fines, runs to tens of thousands of pounds. Cyber Essentials is specifically designed to address the most prevalent attack vectors and the NCSC estimates that properly implemented controls would prevent the vast majority of commodity cyber attacks. Paying £400 to significantly reduce that risk is difficult to argue against.
Where to Get Certified
The primary route for UK SMBs is through the IASME Consortium portal at iasme.co.uk. IASME manages the scheme on behalf of the NCSC and all assessments flow through their platform. You can choose from a number of NCSC-accredited certification bodies via the portal — it is worth comparing a few, particularly for Cyber Essentials Plus, where pricing and the scope of the technical assessment can vary.
If budget is a concern, it is worth contacting your local Growth Hub or Chamber of Commerce. A number of regional business support programmes offer subsidised Cyber Essentials assessments for SMBs, particularly for micro and small organisations. Availability varies by region but it is always worth asking before paying the full rate.