Cyber Essentials Cost: What UK Organisations Pay

1. Cyber Essentials certification fees are set by IASME and vary by organisation size. Current fee bands are published at iasme.co.uk.
2. Cyber Essentials Plus requires independent technical verification by an assessor, making it more expensive than the base certification at every size band.
3. First-time CE+ applicants must hold a current Cyber Essentials certificate, so total cost covers both certification levels.
4. Remediation work to meet the five required controls can cost two to three times the ASP fee for organisations with legacy environments.
5. Many UK insurers treat Cyber Essentials or CE+ as a positive underwriting signal, with some offering premium reductions for certified organisations.
6. IASME's Cyber Essentials for Small Organisations (CESO) scheme offers a lower-cost route designed for micro-businesses and sole traders.

IASME publishes indicative certification fees banded by organisation size. These are the fees paid to the Assured Service Provider (ASP): the licensed body that administers the questionnaire and issues the certificate.

Individual ASP pricing varies; some providers charge above the IASME indicative rate. Current fees are published at iasme.co.uk and are updated periodically.

Note: Fee figures must be verified against current IASME published rates before publication. IASME updates its fee schedule periodically.

Cyber Essentials Plus (CE+) costs more than base Cyber Essentials because it requires independent technical verification by an assessor from an Assured Service Provider. The base certification involves a reviewed self-assessment questionnaire. CE+ goes further: the assessor conducts hands-on testing against the same five technical controls.

Testing includes external vulnerability scanning, internal network scanning, and end-user device configuration checks. The CE+ fee is higher than the CE fee, and the gap increases with organisation size because larger environments require more testing time.

CE+ also requires a current Cyber Essentials certificate as a prerequisite, so the cost of CE+ for first-time applicants is the CE fee plus the CE+ fee. On renewal, organisations holding CE+ must renew both levels.

If CE+ is driven by a contract or insurance requirement, factor in both certification levels and the remediation work needed to pass independent verification. The technical bar for CE+ is higher than for the self-assessment, so gaps that scraped through base CE often won't pass the hands-on test.

Remediation Work

The certification fee is rarely the largest cost of Cyber Essentials. Organisations that have not previously implemented the five controls, or whose technical estate has drifted from a certified baseline, often face significant remediation work before they can certify. The Cyber Essentials checklist is a practical starting point for identifying gaps before engaging an ASP.

Common remediation requirements include:

1. Replacing or retiring unsupported software that no longer receives security updates (a CE requirement under the security update management control).
2. Reconfiguring firewalls and removing default-open rules.
3. Reviewing and restructuring user account permissions across systems.
4. Deploying and configuring malware protection across all in-scope devices.
5. Implementing multi-factor authentication, added as a CE requirement in the v3 update.

For organisations with legacy environments, remediation can cost two to three times the certification fee. Budgeting only for the assessment fee without a pre-assessment technical review is a common mistake.

Internal Staff Time

Completing the Verified Self-Assessment questionnaire takes time. For an organisation with a complex or poorly documented technical estate, identifying what's in scope, gathering evidence, and accurately answering questions across the five control areas can require several days of IT staff time. It's a real resource cost that belongs in the planning budget.

IT Consultancy

Organisations without dedicated IT security staff, which includes the majority of UK SMEs, frequently engage an IT consultant or managed service provider to support the assessment process. This may include a pre-assessment gap review, implementing required technical changes, and advising on scope decisions. Consultancy costs vary widely by provider and scope of engagement.

Retesting

If an initial submission is rejected, either because controls aren't in place or because evidence is insufficient, an organisation may need to pay for a reassessment. ASP policies on reassessment pricing vary: some include a limited number of reassessments in their fees, others charge separately. Understanding the reassessment policy before selecting an ASP is worth doing.

Cyber insurance has become part of this cost calculation. Many UK insurers treat CE or CE+ as a positive underwriting signal; some offer premium reductions, and for organisations paying material premiums, the annual certification cost can be partially or fully offset by what they save on cover.

Underwriters value CE+ more than base CE because independent verification gives them something concrete to stand behind. How much you save depends on your existing premium and your insurer's specific discount policy. If you're pursuing CE primarily for insurance purposes, confirm the insurer's position before deciding which level to certify at.

The UK government has run grant-funded programmes to support SME Cyber Essentials certification in the past, through Innovate UK and regional growth bodies. Availability and scope of such programmes changes; compliance managers should check current NCSC and DSIT guidance rather than relying on historical programme details.

IASME also runs the Cyber Essentials for Small Organisations (CESO) scheme: a simplified certification route for micro-businesses and sole traders. CESO pricing is lower than the standard CE fee.

Current CESO fees are published here.

Whether CE is worth the investment comes down to why you're pursuing it.

For most organisations pursuing CE for contract compliance, the question isn't whether to certify but how to minimise total cost. The most effective approach is a pre-assessment technical review before engaging an ASP. This surfaces remediation requirements before they become reassessment costs and reduces the staff time required to answer the questionnaire accurately.