The most searched question about Cyber Essentials is also the one the industry answers worst: what does it actually cost? Most pages on the subject are written to funnel you into a consultancy package, so the honest numbers arrive wrapped in upsell. Here they are without it, from a licensed certification body that assesses these applications.

The assessment fee: set by IASME, the same everywhere

The core price of Cyber Essentials is not set by certification bodies. It is set by IASME, the government’s delivery partner, on a tiered scale based on your total headcount, and it is the same whoever assesses you.

£320Micro organisations, 0-9 employees, + VAT
£440Small organisations, 10-49 employees, + VAT
£600Sliding scale maximum for the largest organisations, + VAT

Medium and large organisations sit between the small tier and the maximum on IASME’s sliding scale. The size band is based on your whole organisation’s headcount, not just the people or systems in scope for the assessment.

That fee buys the assessment itself: access to the question set, review of your answers by a licensed assessor, the pass or fail verdict, and, if you pass, the certificate and verifiable digital badge. If you fail, you get a short window, currently 48 hours, to fix the issues and resubmit once without paying again. Miss that window and the next attempt is a new fee, which is one of several reasons preparation matters more than shopping around.

Passing also includes cyber liability insurance at no extra cost for UK organisations under £20 million turnover that certify their whole organisation. For a micro business, the insurance alone can justify the fee.

What Cyber Essentials Plus costs

Cyber Essentials Plus is priced differently, and this is where the market gets murky. IASME does not fix the Plus fee: each certification body sets its own, because the work varies with the size and complexity of your estate. An assessor has to test a sample of your systems, run vulnerability scans, and verify your controls actually hold, and testing eight laptops in one office is not the same job as testing a hundred devices across three sites and a warehouse.

Expect a quote in the four figures, on top of the standard assessment fee, since a passing Cyber Essentials certificate is the prerequisite. Be wary of any fixed price offered before anyone has asked about your environment: either it is padded to cover the worst case, or corners get cut when your estate turns out to be the worst case. A serious certification body scopes first and quotes second. That is how we do it, and a scoping call costs nothing.

Where the real money goes

Here is the part the pricing pages skip. For most businesses, the assessment fee is the smallest number in the project. The real spend is fixing what the assessment will find, and it varies enormously depending on where you are starting from.

A business already running supported software, applying updates promptly and using multi-factor authentication might spend nothing beyond the fee and a few hours of someone’s time on the question set. A business with machines on unsupported operating systems, no multi-factor authentication, and nobody who knows what is on the network is looking at genuine remediation: replacement hardware or licences, configuration work, and the hours to do it. Since April’s version 3.3 rules, some of those gaps are automatic failures, so they cannot be talked around; they have to be fixed.

The honest framing is this: that spend is not the cost of certification. It is the cost of security your business needed anyway, and the assessment is simply the thing that made it visible and gave it a deadline.

How to keep the total down

  • Self-check before you book anything. The question set is free to download, and we have published a full preparation guide and checklist. An hour with it tells you whether you are ready or what stands in the way.
  • Fix the automatic failures first. Missing multi-factor authentication on cloud services and unsupported software fail the assessment outright under the 2026 rules. Everything else is negotiable effort; these are not.
  • Do not pay for help you do not need. A tidy ten-person business with modern kit can usually pass on the standard fee alone. Consultancy earns its money when the estate is messy, the scope is unclear, or a failure would cost you a contract deadline.
  • Get the size band right. The tier is set by total headcount under the government's size definitions. Worth checking before you pay rather than after.
  • Budget for the renewal. Certificates last 12 months. The second year is almost always cheaper in effort, because the housekeeping is done; the fee, though, is annual.

What we charge

The standard assessment with us costs the IASME fee for your size band. Nothing added. For Cyber Essentials Plus, we scope your environment first and quote a fixed price for the audit, so the number you agree to is the number you pay. And if a scoping call reveals you would fail today, we tell you what to fix and let you decide who fixes it: no obligation to buy the remediation from us, or anything else.

If you want to know exactly what certification would cost your business, get in touch. One conversation, real numbers, and you will know whether you would pass today, wherever in the UK you are.

Assessment fees quoted are IASME’s published tiered pricing as of July 2026 and are subject to change by IASME; see the IASME Cyber Essentials FAQ for the current schedule.