Cyber Essentials cost UK 2026: what you’ll actually pay.

Cyber Essentials costs from £320 ex VAT for the IASME self-assessment fee, rising with organisation size, while Cyber Essentials Plus typically runs £1,400–£3,000+ once the hands-on audit is added. The fee is the easy part — it’s the remediation and the annual renewal that catch businesses out.

By Rob Smith · Published 3 Jun 2026 · Reviewed Jun 2026

KEY TAKEAWAYS
  • The IASME assessment fee for Cyber Essentials is tiered by size: £320 (micro) up to £600 (medium/large), ex VAT.
  • Cyber Essentials Plus adds an independent technical audit, pushing the total to roughly £1,400–£3,000+ for a small business.
  • The fee is only part of it — remediation to fix failing controls is the variable cost nobody quotes upfront.
  • Certification lasts 12 months, so treat it as an annual cost, not a one-off.

The IASME certification fee, by organisation size

Cyber Essentials is a UK government-backed scheme run by IASME. The headline cost — the bit everyone quotes — is the IASME assessment fee for the self-assessment certification. It’s tiered by how many people are in your organisation, and it’s the same fixed fee whoever you certify through:

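| Organisation size | Headcount     | IASME assessment fee (ex VAT) |
|-------------------|---------------|-------------------------------|
| Micro             | 0–9 staff     | £320                          |
| Small             | 10–49 staff   | £400                          |
| Medium            | 50–249 staff  | £600                          |
| Large             | 250+ staff    | £600                          |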

That fee covers the assessment itself: you complete the IASME questionnaire, submit it, and a certification body marks it. Pass, and you’re certified for 12 months. It does not cover any work to actually meet the five controls, and it doesn’t cover anyone helping you fill the questionnaire in correctly.

Cyber Essentials vs Cyber Essentials Plus: the cost difference

Cyber Essentials Plus is the same five technical controls, but with an independent, hands-on technical audit on top — an external vulnerability scan plus on-device tests across a sample of your devices, carried out by a certification body. You must achieve standard Cyber Essentials first, then complete CE Plus within three months.

That audit is real, skilled work, so it adds materially to the bill. For a small business, the total CE Plus cost typically lands between £1,400 and £3,000+ ex VAT, driven mainly by how many devices are in scope and which certification body you use.

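|                                        | Cyber Essentials              | Cyber Essentials Plus               |
|----------------------------------------|-------------------------------|-------------------------------------|
| What it is                             | Self-assessment questionnaire | Self-assessment plus hands-on audit |
| Independent testing                    | No                            | Yes — scan + on-device tests        |
| Typical total (small business, ex VAT) | From £320 (assessment fee)    | ~£1,400–£3,000+                     |
| Valid for                              | 12 months                     | 12 months                           |
| Timing                                 | Standalone                    | Within 3 months of achieving CE     |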

If you’re weighing up which one you need, our guide to Cyber Essentials vs Cyber Essentials Plus walks through the contract and insurance requirements that usually make the decision for you.

The costs nobody puts on the quote

The assessment fee is predictable. The total cost of getting certified is not, because it depends on how far your current setup is from the standard. The variable costs are:

  • Remediation. If you fail on unsupported operating systems, missing MFA, unpatched high or critical vulnerabilities, default passwords or unrestricted admin rights, that work has to be done before you can pass. This is the single biggest swing in the total.
  • Consultancy and support. Help interpreting the questions, scoping your assets correctly, and gathering evidence. Cheap if your house is in order, valuable if it isn’t.
  • Annual re-certification. Certification expires after 12 months. You pay the assessment fee (and, for CE Plus, the audit) again every year.
  • A failed CE Plus audit. If the on-device tests find issues, you fix them and re-test — which can mean paying for the audit again. Going in prepared is far cheaper than going in hopeful.

The certificate is cheap. Being genuinely ready to pass it is where the real budget goes — and it’s money well spent, because it’s the same work that actually protects you.

DIY or use a partner?

If your controls are already solid — supported software, MFA everywhere, prompt patching, tidy admin rights — the standard self-assessment is genuinely doable in-house, and you might only pay the IASME fee. The trouble is that most first-time applicants don’t fall into that camp.

A partner earns their fee in two places: fixing the gaps so you pass first time, and — for CE Plus — making sure the audit doesn’t turn up surprises that mean a paid re-test. Ongoing patch management in particular keeps you in a state where re-certifying each year is routine rather than a scramble. Before you decide, it’s worth reading our full Cyber Essentials Plus guide to understand what the audit actually involves.

Either way, the honest framing is this: Cyber Essentials is one of the highest-value compliance spends a UK SMB can make, because it wins contracts, satisfies insurers, and the controls block most commodity attacks. See how we run it on our Cyber Essentials page.

FAQ

Questions we get asked.

How much does Cyber Essentials cost in the UK?

The IASME certification fee for the self-assessment is tiered by size, ex VAT: Micro (0–9 staff) £320; Small (10–49) £400; Medium (50–249) £600; Large (250+) £600. That’s the assessment fee only — remediation work to meet the controls, or partner support to complete the questionnaire, is extra.

How much more does Cyber Essentials Plus cost?

CE Plus adds an independent, hands-on technical audit on top of the self-assessment, so the total typically ranges from about £1,400 to £3,000+ ex VAT for a small business, depending on device count and the certification body. Remediation, if controls aren’t yet in place, is on top of that.

Is the Cyber Essentials cost annual?

In effect, yes. Certification is valid for 12 months, then you re-certify — paying the IASME assessment fee (and, for CE Plus, the audit fee) again. Budget for it as a recurring annual cost, not a one-off.

Should I DIY Cyber Essentials or use a partner?

If your controls are already in good shape and you have the time, the self-assessment is doable in-house. Most small businesses fail first time on unsupported software, missing MFA or unpatched vulnerabilities, so a partner who fixes the gaps usually saves money overall — especially for CE Plus, where a failed audit means paying for a re-test.
