Skip to main content
NCSC · IASME · CE & CE Plus

Cyber Essentials Certification UK
Pass first time, stay certified

Cyber Essentials and Cyber Essentials Plus readiness, aligned with the NCSC scheme run by IASME. Required for many central UK Government contracts handling personal or sensitive data, and now a common procurement and cyber-insurance requirement for enterprise buyers.

Five technical controls. One certification.

CE / CE+
Firewalls · Secure Configuration · User Access · Malware · Patch Management

Source: NCSC Cyber Essentials scheme, administered by IASME. Cyber Essentials Plus adds an independent on-site assessment of the same controls.

What we deliver

Pre-Assessment Gap Scan

Walk-through of your boundary, devices, software, and account-management posture against each of the five CE controls. Output: green/amber/red scorecard, evidence checklist, and a remediation runbook tailored to your environment.

Evidence Pack & Submission

We help you assemble the IASME questionnaire answers, screenshots, and configuration evidence. Reviewed before submission so you do not pay twice. Includes a re-test pass if a control needs to be tightened.

CE Plus Onsite Readiness

For Cyber Essentials Plus we run an internal dry-run of the IASME on-site test (vulnerability scan, malware test, account separation, MFA verification) so the formal assessor finds nothing surprising.

Why most SMEs fail first time

BYOD & cloud-service scope

CE scope changed in 2022 (Evendine update) and again in 2025. Personal devices accessing work email, cloud SaaS configuration, and home-router boundaries trip up most submissions. We map your real scope before you answer the questionnaire.

Patch & MFA evidence

The two most common fail points. CE asks for high-risk patches inside 14 days and MFA on cloud services with externally exposed accounts. We give you a continuous-evidence approach so re-cert in 12 months is straightforward.

Defence supplier route

The Defence Cyber Protection Partnership (DCPP) cyber risk profile tooling increasingly references Cyber Essentials as a baseline for MOD supply contracts at the lower risk tiers, with Cyber Essentials Plus expected at higher tiers. If you are bidding on UK defence frameworks or sub-contracting under a prime, CE/CE+ is no longer optional — we time the readiness work to your bid window so the certificate lands before contract award.

Cloud + zero-trust update

The latest CE technical-question update tightened scope around cloud admin interfaces, externally exposed services, and zero-trust patterns for remote work. Microsoft 365 + Entra ID baseline, Google Workspace admin scope, and AWS / Azure root-account separation are now first-page evidence items, not edge cases.

Cyber Essentials cost 2026

IASME publishes a banded fee structure by organisation size. Figures below are the published 2026 self-assessment fees and exclude VAT. Cyber Essentials Plus is priced separately by your assessment body and depends on sample size.

Organisation sizeCE self-assessment feeTypical readiness timeline
Micro — 0 to 9 employees~ £3201 to 2 weeks
Small — 10 to 49 employees~ £4402 to 4 weeks
Medium — 50 to 249 employees~ £7003 to 6 weeks
Large — 250+ employees~ £1,1404 to 8 weeks

Source: IASME-published Cyber Essentials pricing bands for 2026. Confirm current figures with the IASME-accredited Certification Body you submit through. Consultancy support fees (gap scan, evidence pack, remediation) are separate.

Cyber Essentials FAQ

What is Cyber Essentials and who runs it?+

Cyber Essentials is a UK government-backed certification scheme covering five technical controls — firewalls, secure configuration, user access control, malware protection, and patch management. It is run by the NCSC and administered by IASME and its accredited delivery partners.

What is the difference between Cyber Essentials and Cyber Essentials Plus?+

Cyber Essentials is a self-assessment verified by an IASME-accredited Certification Body. Cyber Essentials Plus adds an independent on-site (or remote) technical assessment of the same five controls, including external vulnerability scanning and authenticated tests on a sample of devices.

How long does Cyber Essentials certification last?+

Cyber Essentials certification is valid for 12 months and must be renewed annually. The five controls and the underlying threat model do change over time — the 2026 update tightened scope around cloud services, MFA, and bring-your-own-device.

How much does Cyber Essentials cost in 2026?+

IASME publishes a banded fee structure. 2026 self-assessment certification fees range from roughly £320 (micro 0-9 employees) to around £1,140 (250+ employees) excluding VAT. Cyber Essentials Plus and consultancy support are priced separately.

What is the role of IASME in Cyber Essentials?+

IASME Consortium has been the sole Cyber Essentials Partner since April 2020, appointed by the NCSC. IASME accredits Certification Bodies who in turn certify Assessor companies. SummitBridge Horizon supports the readiness, evidence and remediation phases; the formal assessment and certificate issue is performed by an IASME-accredited body.

Can I do Cyber Essentials myself or do I need a consultant?+

A capable internal IT team with documented controls can complete the self-assessment without outside help. In practice most SMEs underestimate the 2025–26 scope changes (BYOD, cloud services, MFA on externally exposed admin) and fail first submission. A pre-assessment gap scan and evidence pack review typically saves 2-4 weeks of re-work.

Stop guessing about CE readiness

We'll tell you in 15 minutes whether you're a fortnight from passing or three months out, and what the actual fixes are.