How much does Cyber Essentials cost? A plain guide to the real spend

Cyber Essentials certification itself is inexpensive. The IASME certification fee is banded by organisation size, from £320 + VAT for a micro business up to £600 + VAT for the largest, and Cyber Essentials Plus adds a technical audit on top, usually a few thousand pounds. For most UK businesses the real cost is the work to meet the five controls before assessment, not the certificate. As a Cyber Essentials certification body, we see that gap decide the true figure.

By Daniel McClure Fisher, Founder. CISSP, Full Member of the Chartered Institute of Information Security (MCIIS). Updated July 2026

The short version

People ask what Cyber Essentials costs as though there is one price. There are really two numbers: the certification fee, which is small and fixed by size, and the cost of getting ready, which varies with how much good security you already run. A business with tidy Microsoft 365 settings and managed devices may pay little more than the fee. A business starting from scratch pays for the remediation first.

What actually drives the cost

  • Your size. The IASME fee is banded by employee count, so a micro business pays less than a mid-sized one.
  • Self-assessment or Plus. Basic Cyber Essentials is a verified self-assessment. Cyber Essentials Plus adds an independent technical audit, which costs more and takes more of your time.
  • How ready you are. Multi-factor authentication, supported software, working patching and a clean device build are the common gaps. Closing them is where most of the money goes.
  • Who does the work. Doing it yourself costs time. Using a certification body that also helps you implement the controls costs a fee but usually saves a failed assessment.

The two costs, separated

IASME certification fee, basic Cyber Essentials (verified self-assessment, banded by size, all + VAT):

Organisation size Employees Fee (+ VAT)
Micro 1 to 9 £320
Small 10 to 49 £440
Medium 50 to 249 £500
Large 250+ £600

Figures are IASME's certification fee as of July 2026. Cyber Essentials Plus is priced separately.

Everything else:

Component Typical scale Notes
Cyber Essentials Plus audit From about £2,000 to £3,000 + VAT Independent technical test on top of the basic assessment; varies with number of devices, users and network complexity
Getting ready (remediation) Nil to low thousands MFA, patching, supported software, device configuration
Ongoing (annual renewal) The fee again, each year Certification lasts twelve months

What changed in April 2026 (and why it can raise the getting-ready cost)

From 26 April 2026, two of the five controls got stricter and now cause an automatic fail. Multi-factor authentication is required on all cloud services where it is available, and high-risk or critical security updates must be installed within 14 days. If those are not already in place, they are the first things to budget for, because you cannot pass without them.

Cyber Essentials vs Cyber Essentials Plus

Basic Cyber Essentials is a self-assessment that an appointed certification body verifies. Cyber Essentials Plus covers the same five controls but adds a hands-on audit, where an assessor tests a sample of your devices and accounts to confirm the controls really work. Plus costs more and is often the version required for government and defence-related contracts. If a tender asks for "Cyber Essentials", check whether it means basic or Plus before you budget.

A realistic range, clearly labelled indicative

For a small UK business that already runs managed, up-to-date devices, basic Cyber Essentials can come in close to the certification fee alone. Where controls are not yet in place, the getting-ready work is the larger number, and Plus adds an audit cost on top. We give a firm figure once we have seen your setup, because guessing helps no one. See how our pricing works, or read more about our wider cyber security services.

How to keep the cost sensible

  • Fix the common gaps first: MFA everywhere, remove unsupported software, confirm patching works.
  • Scope honestly. A tighter, accurate scope is cheaper to certify and easier to keep.
  • Use one team to assess and help you get ready, so nothing falls between two suppliers.
  • Treat it as annual. Building the controls into how you run day to day makes renewal routine rather than a scramble.
FAQ

Common questions

How much does Cyber Essentials certification cost in the UK?

The IASME certification fee for basic Cyber Essentials is banded by size: £320 + VAT for a micro business (1 to 9 people), £440 for small (10 to 49), £500 for medium (50 to 249) and £600 for large (250+). Cyber Essentials Plus is priced separately.

How much does Cyber Essentials Plus cost?

Plus adds an independent technical audit and typically runs from about £2,000 to £3,000 + VAT, depending on the number of devices and users and the complexity of your network.

Is the certificate the main cost?

Usually not. For most businesses the larger cost is the work to meet the five controls before assessment, such as multi-factor authentication and patching.

How long does Cyber Essentials take?

Basic certification can be quick once the controls are in place. The variable is how much needs fixing first.

Is Cyber Essentials worth it?

For most UK businesses, yes. It is a recognised baseline, it is often required to bid for public sector and defence-linked work, and the controls block a large share of common attacks.

Want a real figure for Cyber Essentials?

We are a Cyber Essentials certification body. Tell us your size and setup and we will give you a straight number, and help you pass first time.

Reply within one working day. You speak to an engineer, not a salesperson.