The most searched question about Cyber Essentials is also the one the industry answers worst: what does it actually cost? Most pages on the subject are written to funnel you into a consultancy package, so the honest numbers arrive wrapped in upsell. Here they are without it, from a licensed certification body that assesses these applications.

The assessment fee: set by IASME, the same everywhere

The core price of Cyber Essentials is not set by certification bodies. It is set by IASME, the government’s delivery partner, on a tiered scale based on your total headcount, and it is the same whoever assesses you.

£320Micro, 0-9 employees, + VAT
£440Small, 10-49 employees, + VAT
£500Medium, 50-249 employees, + VAT
£600Large, 250+ employees, + VAT
The size band is based on your whole organisation's headcount, not just the people or systems in scope for the assessment.

That fee buys the assessment itself: access to the question set, review of your answers by a licensed assessor, the pass or fail verdict, and, if you pass, the certificate and verifiable digital badge. If you fail, you get a short window, currently 48 hours, to fix the issues and resubmit once without paying again. Miss that window and the next attempt is a new fee, which is one of several reasons preparation matters more than shopping around.

Passing also includes cyber liability insurance at no extra cost for UK organisations under £20 million turnover that certify their whole organisation. For a micro business, the insurance alone can justify the fee.

What Cyber Essentials Plus costs

Cyber Essentials Plus is priced differently, and this is where the market gets murky. IASME does not fix the Plus fee: each certification body sets its own, because the work varies with the size and complexity of your estate. An assessor has to test a sample of your systems, run vulnerability scans, and verify your controls actually hold, and testing eight laptops in one office is not the same job as testing a hundred devices across three sites and a warehouse.

A passing Cyber Essentials certificate is the prerequisite, so the standard assessment fee applies alongside whatever you pay for the Plus audit itself. Our own Plus prices are published rather than quoted on request:

£1,195Micro, 0-9 employees, + VAT, fixed
£1,450Small, 10-49 employees, + VAT, fixed
£1,750+Medium, 50-249 employees, from, + VAT
£2,500+Large, 250+ employees, from, + VAT

Micro and small estates are predictable enough to price fixed. Medium and large ones are not: the final price depends on how many devices, sites and system types the sampling has to cover, so we scope those before quoting.

Optional support, priced upfront

Most businesses need neither of these. When you do, the prices are published rather than discovered:

Optional supportPriceWhat it is
Self-assessment support package£250 + VATWe work through the question set with you, so every answer is accurate and evidenced first time.
Technical pre-assessmentfrom £995 + VATWe test your controls before the real assessment, so nothing on the day is a surprise.

Where the real money goes

Here is the part the pricing pages skip. For most businesses, the assessment fee is the smallest number in the project. The real spend is fixing what the assessment will find, and it varies enormously depending on where you are starting from.

A business already running supported software, applying updates promptly and using multi-factor authentication might spend nothing beyond the fee and a few hours of someone’s time on the question set. A business with machines on unsupported operating systems, no multi-factor authentication, and nobody who knows what is on the network is looking at genuine remediation: replacement hardware or licences, configuration work, and the hours to do it. Since April’s version 3.3 rules, some of those gaps are automatic failures, so they cannot be talked around; they have to be fixed.

The honest framing is this: that spend is not the cost of certification. It is the cost of security your business needed anyway, and the assessment is simply the thing that made it visible and gave it a deadline.

How to keep the total down

  • Self-check before you book anything. The question set is free, the official requirements document is public, and we have published a full preparation guide and checklist. An hour with them tells you whether you are ready or what stands in the way.
  • Fix the automatic failures first. Missing multi-factor authentication on cloud services and unsupported software fail the assessment outright under the 2026 rules. Everything else is negotiable effort; these are not.
  • Do not pay for help you do not need. A tidy ten-person business with modern kit can usually pass on the standard fee alone. Support earns its money when the estate is messy, the answers are uncertain, or a failure would cost you a contract deadline, and it should be priced before you say yes, not after.
  • Get the size band right. The tier is set by total headcount under the government's size definitions. Worth checking before you pay rather than after.
  • Budget for the renewal. Certificates last 12 months. The second year is almost always cheaper in effort, because the housekeeping is done; the fee, though, is annual.

What we charge

The standard assessment with us costs the IASME fee for your size band. Nothing added. Cyber Essentials Plus is priced as above: fixed for micro and small organisations, scoped from a published starting price for medium and large. And if a scoping call reveals you would fail today, we tell you what to fix and let you decide who fixes it: no obligation to buy the remediation from us, or anything else.

If you want to know exactly what certification would cost your business, get in touch. One conversation, real numbers, and you will know whether you would pass today, wherever in the UK you are.

Assessment fees quoted are IASME’s published tiered pricing as of July 2026 and are subject to change by IASME; see the IASME Cyber Essentials FAQ for the current schedule.