cyber-essentials-cost
  • Cyber Essentials
  • 4th Jun 2026
  • 1 min read

Cyber Essentials Cost: What UK Organisations Pay

Gabriel Few-Wiegratz
  • Written by
Gabriel Few-Wiegratz
View my profile on
In Short..
  • Cyber Essentials costs depend on organisation size. IASME sets certification fees using size-based bands, with current pricing published on its official website.
  • Cyber Essentials Plus costs more than standard certification. Independent technical testing is required, and organisations must hold a valid Cyber Essentials certificate before progressing to CE+.
  • Remediation is often the biggest expense. Organisations with legacy systems or weak security controls frequently spend more on meeting the requirements than on certification itself.
  • Certification can deliver financial benefits. Many insurers view Cyber Essentials positively during underwriting, and micro-businesses may qualify for lower-cost certification through the Cyber Essentials for Small Organisations (CESO) scheme.

The true cost of Cyber Essentials extends beyond the certification fee. Organisations should budget for any remediation work needed to meet the five technical controls, as well as ongoing maintenance to retain compliance. For many businesses, however, the combination of improved security posture, customer assurance, procurement eligibility, and potential insurance benefits makes certification a worthwhile investment.

 

Working towards certification? Our Cyber Essentials resource hub brings together everything in one place: the five controls, certification costs, the self-assessment questionnaire, and what Cyber Essentials Plus actually tests. Start there to plan your route to certification. 

Expert View

undefined-May-25-2026-06-11-05-9774-PM

 

Matt Davies

Chief Product Officer, SureCloud

LinkedIn



 

 

What our experts say about hidden Cyber Essentials costs

 

 

"Most organisations budget for the ASP fee and overlook the rest. Remediation work to close gaps in the five controls frequently costs two to three times the certification fee for organisations with legacy environments. A pre-assessment review before engaging an assessor is the single most effective way to control total outlay."

IASME Certification Fee Structure

IASME publishes indicative certification fees across four size bands, based on employee count. The figures below are the IASME assessment fee, paid to your chosen Certification Body when you submit. Bodies can add a premium on top, so the price you pay may sit above the indicative rate. All fees are exclusive of VAT. Current rates are published at iasme.co.uk and updated periodically.

 

Organisation size CE indicative fee CE+ fee Notes
Micro (1–9 employees) £330 + VAT Quoted individually Sole traders and micro-businesses
Small (10–49 employees) £400 + VAT Quoted individually Small businesses
Medium (50–249 employees) £450 + VAT Quoted individually Mid-market
Large (250+ employees) £500 + VAT Quoted individually Enterprise

 

All fees are exclusive of VAT and cover the IASME assessment fee only, which includes 12 months of unlimited self-assessment attempts and, for UK organisations with turnover under £20m, bundled cyber liability insurance. Individual Certification Bodies may add a premium on top of the IASME fee. Cyber Essentials Plus is priced separately by the Certification Body based on scope and complexity; most UK organisations pay between £1,500 and £3,000 + VAT. 

 

Cyber Essentials vs Cyber Essentials Plus: Cost Difference

Cyber Essentials Plus (CE+) costs more than base Cyber Essentials because it requires independent technical verification by an assessor from an Assured Service Provider. The base certification involves a reviewed self-assessment questionnaire. CE+ goes further: the assessor conducts hands-on testing against the same five technical controls.

 

Testing includes external vulnerability scanning, internal network scanning, and end-user device configuration checks. The CE+ fee is higher than the CE fee, and unlike the banded CE fee it's quoted individually: pricing scales with the scope and complexity of your environment (number of devices, internet-facing systems, and cloud services) rather than headcount alone. 

 

CE+ also requires a current Cyber Essentials certificate as a prerequisite, so the cost of CE+ for first-time applicants is the CE fee plus the CE+ fee. On renewal, organisations holding CE+ must renew both levels. 

 

If CE+ is driven by a contract or insurance requirement, factor in both certification levels and the remediation work needed to pass independent verification. The technical bar for CE+ is higher than for the self-assessment, so gaps that scraped through base CE often won't pass the hands-on test.

The Costs That Are Frequently Missed

Remediation Work

The certification fee is rarely the largest cost of Cyber Essentials. Organisations that have not previously implemented the five controls, or whose technical estate has drifted from a certified baseline, often face significant remediation work before they can certify. The Cyber Essentials checklist is a practical starting point for identifying gaps before engaging an ASP.

 

Common remediation requirements include:

  1. Replacing or retiring unsupported software that no longer receives security updates (a CE requirement under the security update management control).
  2. Reconfiguring firewalls and removing default-open rules.
  3. Reviewing and restructuring user account permissions across systems.
  4. Deploying and configuring malware protection across all in-scope devices.
  5. Implementing multi-factor authentication, added as a CE requirement in the v3 update.

For organisations with legacy environments, remediation can cost two to three times the certification fee. Budgeting only for the assessment fee without a pre-assessment technical review is a common mistake.

 

Internal Staff Time

Completing the Verified Self-Assessment questionnaire takes time. For an organisation with a complex or poorly documented technical estate, identifying what's in scope, gathering evidence, and accurately answering questions across the five control areas can require several days of IT staff time. It's a real resource cost that belongs in the planning budget.

 

IT Consultancy

Organisations without dedicated IT security staff, which includes the majority of UK SMEs, frequently engage an IT consultant or managed service provider to support the assessment process. This may include a pre-assessment gap review, implementing required technical changes, and advising on scope decisions. Consultancy costs vary widely by provider and scope of engagement.

 

Retesting

If an initial submission is rejected, either because controls aren't in place or because evidence is insufficient, an organisation may need to pay for a reassessment. ASP policies on reassessment pricing vary: some include a limited number of reassessments in their fees, others charge separately. Understanding the reassessment policy before selecting an ASP is worth doing.

Does Cyber Essentials Reduce Cyber Insurance Costs?

Cyber insurance has become part of this cost calculation. Many UK insurers treat CE or CE+ as a positive underwriting signal; some offer premium reductions, and for organisations paying material premiums, the annual certification cost can be partially or fully offset by what they save on cover. This is one of the wider benefits of Cyber Essentials certification

 

Underwriters value CE+ more than base CE because independent verification gives them something concrete to stand behind. How much you save depends on your existing premium and your insurer's specific discount policy. If you're pursuing CE primarily for insurance purposes, confirm the insurer's position before deciding which level to certify at.

Government Support and Grants for SMEs

The UK government has run grant-funded programmes to support SME Cyber Essentials certification in the past, through Innovate UK and regional growth bodies. Availability and scope of such programmes changes; compliance managers should check current NCSC and DSIT guidance rather than relying on historical programme details.

 

IASME also runs the Cyber Essentials for Small Organisations (CESO) scheme: a simplified certification route for micro-businesses and sole traders. CESO pricing is lower than the standard CE fee.

 

Current CESO fees are published here.

Is Cyber Essentials Worth the Cost?

Whether CE is worth the investment comes down to why you're pursuing it.

 

Driver

Cost Consideration

ROI Position

Government contract requirement

Mandatory: no certification means no contract.

Certification cost is a condition of revenue.

Cyber insurance

Cert cost vs. premium reduction.

Often cost-positive if premium savings exceed certification and remediation outlay.

Supply chain requirement

Mandatory for specific contracts.

Cost of certification equals cost of accessing that market.

Internal security posture

Cert cost plus remediation.

Value depends on risk reduction; harder to quantify.

 

For most organisations pursuing CE for contract compliance, the question isn't whether to certify but how to minimise total cost. If your driver is public sector procurement, certification is a condition of bidding rather than an option.

 

The most effective approach is a pre-assessment technical review before engaging an ASP. This surfaces remediation requirements before they become reassessment costs and reduces the staff time required to answer the questionnaire accurately.

Key Facts

  1. Cyber Essentials certification fees are set by IASME and vary by organisation size. Current fee bands are published at iasme.co.uk.
  2. Cyber Essentials Plus requires independent technical verification by an assessor, making it more expensive than the base certification at every size band.
  3. First-time CE+ applicants must hold a current Cyber Essentials certificate, so total cost covers both certification levels.
  4. Remediation work to meet the five required controls can cost two to three times the ASP fee for organisations with legacy environments.
  5. Many UK insurers treat Cyber Essentials or CE+ as a positive underwriting signal, with some offering premium reductions for certified organisations.
  6. IASME's Cyber Essentials for Small Organisations (CESO) scheme offers a lower-cost route designed for micro-businesses and sole traders.

Ready to Certify? Talk to SureCloud About Assure.

SureCloud Assure supports organisations through the full Cyber Essentials and Cyber Essentials Plus certification pathway. Request a demo to see how Gracie AI Agents with Personas and Skills handles evidence gathering and readiness tracking, cutting internal preparation time by up to 50-65%.Related reading: Cyber Essentials Complete Guide | Cyber Essentials Plus | Cyber Essentials Checklist
Related articles:
  • Cyber Essentials

Cyber Essentials Plus v3.2 (Willow): What Changed

  • Cyber Essentials

How to Complete the Cyber Essentials Questionnaire

  • Cyber Essentials

The 5 Cyber Essentials Controls Explained

Share this article

FAQ’s

How much does Cyber Essentials cost in 2026?

 It depends on your size and your Certification Body. IASME sets four indicative fee bands by employee count (micro, small, medium, large), all exclusive of VAT, with smaller organisations paying less than mid-market or enterprise.


The certification fee is only part of the total cost: remediation work, internal staff time, and IT consultancy should all be included in cost planning. Current IASME fee bands are published here.

Is Cyber Essentials Plus significantly more expensive than Cyber Essentials?

Yes. CE+ requires independent technical testing by an assessor, which takes more time and commands a higher fee than the reviewed self-assessment process for base CE. The CE+ fee increases with organisation size because larger environments require more testing.
First-time CE+ applicants also need a current Cyber Essentials certificate, so the total cost is the CE fee plus the CE+ fee. On annual renewal, both fees apply.

Can I get Cyber Essentials certification for free?

There's no free route to Cyber Essentials certification for most organisations. IASME has run subsidised or grant-funded programmes for micro-businesses and SMEs in the past, and the CESO scheme offers a lower-cost route for micro-businesses. Availability of subsidised programmes changes; check current NCSC and DSIT guidance. The certification fee paid to an Assured Service Provider is unavoidable.

What is the cheapest way to get Cyber Essentials?

Do the work before you engage an ASP. Run an honest pre-assessment against the five controls, fix what you find, then submit. That single step avoids reassessment fees, reduces the staff time spent on the questionnaire, and is far cheaper than discovering gaps during the formal process. 
The Cyber Essentials hub provides a full overview of scheme requirements to support that preparation.