Cyber Essentials Certification UK
Pass first time, stay certified
Cyber Essentials and Cyber Essentials Plus readiness, aligned with the NCSC scheme run by IASME. Required for many central UK Government contracts handling personal or sensitive data, and now a common procurement and cyber-insurance requirement for enterprise buyers.
Five technical controls. One certification.
Source: NCSC Cyber Essentials scheme, administered by IASME. Cyber Essentials Plus adds an independent on-site assessment of the same controls.
What we deliver
Pre-Assessment Gap Scan
Walk-through of your boundary, devices, software, and account-management posture against each of the five CE controls. Output: green/amber/red scorecard, evidence checklist, and a remediation runbook tailored to your environment.
Evidence Pack & Submission
We help you assemble the IASME questionnaire answers, screenshots, and configuration evidence. Reviewed before submission so you do not pay twice. Includes a re-test pass if a control needs to be tightened.
CE Plus Onsite Readiness
For Cyber Essentials Plus we run an internal dry-run of the IASME on-site test (vulnerability scan, malware test, account separation, MFA verification) so the formal assessor finds nothing surprising.
Why most SMEs fail first time
BYOD & cloud-service scope
CE scope changed in 2022 (Evendine update) and again in 2025. Personal devices accessing work email, cloud SaaS configuration, and home-router boundaries trip up most submissions. We map your real scope before you answer the questionnaire.
Patch & MFA evidence
The two most common fail points. CE asks for high-risk patches inside 14 days and MFA on cloud services with externally exposed accounts. We give you a continuous-evidence approach so re-cert in 12 months is straightforward.
Defence supplier route
The Defence Cyber Protection Partnership (DCPP) cyber risk profile tooling increasingly references Cyber Essentials as a baseline for MOD supply contracts at the lower risk tiers, with Cyber Essentials Plus expected at higher tiers. If you are bidding on UK defence frameworks or sub-contracting under a prime, CE/CE+ is no longer optional — we time the readiness work to your bid window so the certificate lands before contract award.
Cloud + zero-trust update
The latest CE technical-question update tightened scope around cloud admin interfaces, externally exposed services, and zero-trust patterns for remote work. Microsoft 365 + Entra ID baseline, Google Workspace admin scope, and AWS / Azure root-account separation are now first-page evidence items, not edge cases.
Cyber Essentials cost 2026
IASME publishes a banded fee structure by organisation size. Figures below are the published 2026 self-assessment fees and exclude VAT. Cyber Essentials Plus is priced separately by your assessment body and depends on sample size.
| Organisation size | CE self-assessment fee | Typical readiness timeline |
|---|---|---|
| Micro — 0 to 9 employees | ~ £320 | 1 to 2 weeks |
| Small — 10 to 49 employees | ~ £440 | 2 to 4 weeks |
| Medium — 50 to 249 employees | ~ £700 | 3 to 6 weeks |
| Large — 250+ employees | ~ £1,140 | 4 to 8 weeks |
Source: IASME-published Cyber Essentials pricing bands for 2026. Confirm current figures with the IASME-accredited Certification Body you submit through. Consultancy support fees (gap scan, evidence pack, remediation) are separate.
Cyber Essentials FAQ
What is Cyber Essentials and who runs it?+
Cyber Essentials is a UK government-backed certification scheme covering five technical controls — firewalls, secure configuration, user access control, malware protection, and patch management. It is run by the NCSC and administered by IASME and its accredited delivery partners.
What is the difference between Cyber Essentials and Cyber Essentials Plus?+
Cyber Essentials is a self-assessment verified by an IASME-accredited Certification Body. Cyber Essentials Plus adds an independent on-site (or remote) technical assessment of the same five controls, including external vulnerability scanning and authenticated tests on a sample of devices.
How long does Cyber Essentials certification last?+
Cyber Essentials certification is valid for 12 months and must be renewed annually. The five controls and the underlying threat model do change over time — the 2026 update tightened scope around cloud services, MFA, and bring-your-own-device.
How much does Cyber Essentials cost in 2026?+
IASME publishes a banded fee structure. 2026 self-assessment certification fees range from roughly £320 (micro 0-9 employees) to around £1,140 (250+ employees) excluding VAT. Cyber Essentials Plus and consultancy support are priced separately.
What is the role of IASME in Cyber Essentials?+
IASME Consortium has been the sole Cyber Essentials Partner since April 2020, appointed by the NCSC. IASME accredits Certification Bodies who in turn certify Assessor companies. SummitBridge Horizon supports the readiness, evidence and remediation phases; the formal assessment and certificate issue is performed by an IASME-accredited body.
Can I do Cyber Essentials myself or do I need a consultant?+
A capable internal IT team with documented controls can complete the self-assessment without outside help. In practice most SMEs underestimate the 2025–26 scope changes (BYOD, cloud services, MFA on externally exposed admin) and fail first submission. A pre-assessment gap scan and evidence pack review typically saves 2-4 weeks of re-work.
Stop guessing about CE readiness
We'll tell you in 15 minutes whether you're a fortnight from passing or three months out, and what the actual fixes are.