
Cyber Essentials Cost: Full UK Pricing Breakdown for 2026

Cyber Essentials cost in the UK typically ranges from £100-£400 for self-assessment and £400-£3,500 for Cyber Essentials Plus. At CyPro, we help you budget, choose the right route and evaluate supplier quotes. The National Cyber Security Centre sets the controls and guidance for the scheme (NCSC, 2024), the Cabinet Office published procurement expectations in PPN 014 (GOV.UK, 2025), and supplier pricing examples are listed on the Digital Marketplace pricing document (Digital Marketplace, 2024). Cyber Essentials costing is a key part of that picture.

  • Price difference: Cyber Essentials costs are lower for self-assessment, while Cyber Essentials Plus includes hands-on verification and carries higher fees.
  • Who runs it: The National Cyber Security Centre publishes the controls and guidance for Cyber Essentials (NCSC, 2024).
  • Procurement rule: Public-sector procurement references Cyber Essentials in PPN 014, which affects supplier requirements (GOV.UK, 2025).
  • Supplier pricing: Many certification bodies and suppliers publish pricing models on the Digital Marketplace, which is a useful reference for quotes (Digital Marketplace, 2024).
  • How we help: At CyPro, we map Cyber Essentials requirements to ISO 27001 and UK GDPR obligations and convert supplier quotes into a clear budget and scope.

📘 What is Cyber Essentials?

Cyber Essentials is a UK government-backed scheme that sets baseline cyber controls for organisations, run by the National Cyber Security Centre and administered by IASME, with two certification levels: Cyber Essentials and Cyber Essentials Plus.

Who runs the scheme?

The National Cyber Security Centre (NCSC) defines the controls and publishes guidance, and IASME Certification Ltd operates the assessment and certification process. The NCSC’s Cyber Essentials pages explain the scheme’s scope and technical requirements in plain terms, including controls on firewalls, secure configuration, user access and patching for organisations in the UK (NCSC).

Levels and what they test

Cyber Essentials is a self-assessment questionnaire that checks basic technical controls, while Cyber Essentials Plus adds an independent technical audit and verification of those controls. The Plus audit includes on-site or remote technical tests of endpoints and external facing systems to confirm the controls work in practice; detailed guidance on the Plus process and certification criteria is available from certified bodies and on the official Cyber Essentials pages (GOV.UK, PPN 014).

Where Cyber Essentials fits with other requirements

Cyber Essentials sits below ISO 27001 and UK GDPR in maturity. Cyber Essentials aligns with procurement rules: UK public-sector suppliers must meet the scheme’s expectations where relevant, so certification often appears in tender requirements. For organisations deciding whether to pursue certification, consider that Cyber Essentials provides a baseline, while ISO 27001 and the NCSC’s Cyber Assessment Framework provide fuller, risk-led assurance.

At CyPro, we help organisations assess whether Cyber Essentials or Cyber Essentials Plus meets their compliance and commercial needs, and we can map the certification requirements to ISO 27001 controls and UK GDPR obligations. For most UK SMEs, the scheme is a pragmatic first step towards stronger cyber hygiene and procurement readiness.

🔧 How does Cyber Essentials work?


Cyber Essentials is a UK government backed scheme that checks a defined set of baseline controls to reduce common internet-facing risks. The self-assessment route verifies configuration, patching, user access, malware protection and perimeter defences by questionnaire, while Cyber Essentials Plus adds hands-on technical checks by an accredited assessor to confirm controls work in practice (NCSC, Cyber Essentials overview).

Assessment steps

The self-assessment requires an organisation to complete a set questionnaire and submit evidence to an accredited certifier, who issues the certificate if answers meet the scheme criteria. The Cyber Essentials Plus assessment includes external vulnerability checks and a limited sample of internal device checks carried out by the certifier, not a full penetration test. The National Cyber Security Centre defines the scope and control statements used by all certifiers (NCSC, Cyber Essentials overview).

What assessors look for

Assessors focus on five control areas: boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patching. Typical evidence is firewall or router screenshots, endpoint protection logs, patch-management reports and lists of privileged accounts. For Cyber Essentials Plus, the assessor verifies perimeter defences and inspects a sample of devices to confirm the controls are implemented.

Timing, costs and funded routes

Time to certification varies with preparation: a competent IT team can complete the self-assessment in days, while Cyber Essentials Plus audits are commonly scheduled over two to four weeks depending on certifier availability and remediation needs. For market pricing benchmarks, see the UK Digital Marketplace G-Cloud pricing document for Cyber Essentials services (G-Cloud pricing, 2024).

The UK Cabinet Office guidance PPN 014 has increased demand for Cyber Essentials in public procurement, and several funded routes exist for eligible organisations to access Cyber Essentials Plus support (PPN 014, 2025).

At CyPro, we recommend an internal gap-check before you start formal certification, because early remediation shortens assessment time and lowers Cyber Essentials cost. If you want hands-on help preparing evidence, our Cyber Security Audit service and our Cyber Essentials Plus support speed preparation and reduce surprises on audit day.
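The internal gap-check recommended above, and the five control areas assessors look for, can be scripted against an asset inventory before any evidence is sent to a certifier. The following is an added illustration written for this article; it is not CyPro's tooling and not an official IASME or NCSC check. The inventory fields, the 14-day patch window threshold, and the sample devices and accounts are all assumptions constructed for the example.

```python
# Added illustration: a pre-certification gap check against the five
# Cyber Essentials control areas. This is not CyPro's tooling nor an official
# IASME/NCSC assessment; the inventory fields, thresholds and sample data
# below are assumptions constructed for the example.
from dataclasses import dataclass
from datetime import date

# Assumed threshold: security patches applied within 14 days of release.
PATCH_WINDOW_DAYS = 14

CONTROLS = (
    "boundary_firewall",
    "secure_configuration",
    "user_access_control",
    "malware_protection",
    "patch_management",
)


@dataclass
class Device:
    name: str
    os_supported: bool          # vendor still issues security updates
    last_patched: date
    firewall_enabled: bool
    malware_protection: bool
    default_creds_changed: bool


@dataclass
class Account:
    user: str
    privileged: bool
    mfa_enabled: bool
    unique_password: bool


def check_device(dev: Device, today: date) -> list[tuple[str, str, str]]:
    """Return (control, asset, issue) findings for one device."""
    findings = []
    if not dev.firewall_enabled:
        findings.append(("boundary_firewall", dev.name, "host firewall disabled"))
    if not dev.default_creds_changed:
        findings.append(("secure_configuration", dev.name, "default credentials still in use"))
    if not dev.malware_protection:
        findings.append(("malware_protection", dev.name, "no anti-malware product installed"))
    if not dev.os_supported:
        findings.append(("patch_management", dev.name, "operating system out of vendor support"))
    age = (today - dev.last_patched).days
    if age > PATCH_WINDOW_DAYS:
        findings.append(("patch_management", dev.name, f"last patched {age} days ago"))
    return findings


def check_account(acct: Account) -> list[tuple[str, str, str]]:
    """Return (control, asset, issue) findings for one user account."""
    findings = []
    if acct.privileged and not acct.mfa_enabled:
        findings.append(("user_access_control", acct.user, "privileged account without MFA"))
    if not acct.unique_password:
        findings.append(("user_access_control", acct.user, "shared or reused password"))
    return findings


def gap_check(devices, accounts, today):
    """Run every check and summarise which control areas currently fail."""
    findings = []
    for dev in devices:
        findings.extend(check_device(dev, today))
    for acct in accounts:
        findings.extend(check_account(acct))
    failed = {control for control, _, _ in findings}
    return {
        "findings": findings,
        "failed_controls": sorted(failed),
        "passed_controls": sorted(set(CONTROLS) - failed),
    }


# Constructed sample inventory for a small office (not real assets).
TODAY = date(2026, 6, 24)
SAMPLE_DEVICES = [
    Device("laptop-01", True, date(2026, 6, 20), True, True, True),
    Device("laptop-02", True, date(2026, 5, 1), True, True, True),
    Device("server-legacy", False, date(2026, 1, 10), True, False, False),
]
SAMPLE_ACCOUNTS = [
    Account("admin", True, False, True),
    Account("jsmith", False, True, True),
    Account("shared-reception", False, False, False),
]

if __name__ == "__main__":
    report = gap_check(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, TODAY)
    for control, asset, issue in report["findings"]:
        print(f"{control:22} {asset:18} {issue}")
    print("failed:", report["failed_controls"])
    print("passed:", report["passed_controls"])
```

Each finding names the control area it would fail, so the output doubles as a remediation list ordered by control. Running it on the constructed inventory flags the unsupported server, the stale laptop, the admin account without MFA and the shared password, which is the kind of backlog that drives the remediation and retest costs discussed later on this page.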


🔎 Who needs Cyber Essentials?

Cyber Essentials is appropriate for organisations that need to show basic, government‑backed cyber hygiene, particularly suppliers to UK public bodies, small and medium sized enterprises (SMEs), charities and software vendors who want a quick assurance baseline.

Regulatory and procurement triggers

Under the UK government’s published guidance, public‑sector suppliers are expected to meet Cyber Essentials standards when required by contracting authorities, and the Cabinet Office’s PPN 014 sets out how the scheme supports supplier eligibility for many frameworks (PPN 014, 2025). The National Cyber Security Centre (NCSC) describes Cyber Essentials as the government‑backed baseline for basic protections, which is why many tenders and supplier questionnaires reference the scheme (NCSC, Cyber Essentials overview).

Commercial and insurance drivers

Many insurers and larger corporate customers now list Cyber Essentials as the minimum they expect from suppliers, because the certification proves simple controls are in place. This makes Cyber Essentials a common commercial requirement for vendors competing for contracts where security checks are carried out.

Organisation size, data sensitivity and maturity

SMEs, charities and startups benefit most from Cyber Essentials: it covers password hygiene, patched devices, firewalls and secure configuration with a low administrative overhead. Organisations processing high volumes of special category personal data, regulated financial services firms, or those with mature security teams will generally need higher standards such as ISO 27001 or an internal Security Operations Centre, plus Cyber Essentials where procurement demands it.

At CyPro, we recommend Cyber Essentials when procurement, insurer or market requirements demand a recognised baseline, or when leaders need a fast, affordable way to reduce obvious exposure. For teams without security resource, pair Cyber Essentials with our Cyber Essentials Plus service or a short-term Virtual CISO engagement to keep remediation and cyber essentials cost predictable.

🧾 How much does Cyber Essentials cost in the UK?


Typical 2026 price ranges: Cyber Essentials costs for the self-assessment are about £100 to £400, and Cyber Essentials Plus from about £400 to £3,500, depending on supplier, size and assessment depth.

Key Takeaway

Budget for Cyber Essentials cost plus remediation and retest fees: most UK organisations pay the certificate fee plus £500 to £5,000 for technical fixes and consultancy in 2026.

What drives the price

Assessment scope, organisation size and whether you choose a bundled assessor or a pure test provider directly determine the cost. The UK government lists accredited suppliers with standardised rates, but many suppliers add consultancy time for evidence gathering and remediation (GOV.UK).

| Organisation size | Cyber Essentials (self) | Cyber Essentials Plus | Typical inclusions |
| --- | --- | --- | --- |
| Micro, <10 staff | £100 to £250 | £400 to £900 | Self-assessment or basic Plus tests, one endpoint scan |
| SME, 10-250 staff | £150 to £400 | £800 to £2,200 | Assessor support, network and endpoint testing, remediation guidance |
| Mid-market, 250-1,000 staff | £300 to £600 | £1,800 to £3,500+ | Detailed Plus audit, multiple site testing, consultancy for evidence |

Breakdown of common costs

Cyber Essentials costs for the certificate are the visible part: assessors charge per submission, or per device for Plus. Consultancy and remediation typically add the bulk: asset discovery, patching backlogs, adding Multi-Factor Authentication, and documentation. Government guidance and supplier schedules are useful benchmarks when estimating total spend (GCA guidance).

Organisations often underestimate staff time. Expect one to four days of internal work for self-assessment, and one to three weeks of combined assessor and IT effort for a Plus audit, depending on remediation. If you use a retained consultancy or buy a remediation bundle, factor monthly support fees of £1,000 to £6,000 until evidence is ready.

Hidden costs and renewal

Hidden Cyber Essentials costs include repeat tests after remediation, hardware or licence upgrades, and hiring short-term help. Renewals are annual, with similar certificate fees and potential re-tests for Plus. When procurement, insurers or Government frameworks require proof, allow contingency of 20 to 50 percent above the assessor fee for fixes and retesting.

At CyPro, we help clients understand Cyber Essentials costs by modelling the total cost of ownership and showing which fixes are one-off versus ongoing, reducing surprises at audit time.

🔍 What is the difference between Cyber Essentials and adjacent certifications?


Direct answer: Cyber Essentials covers a small set of baseline technical controls, Cyber Essentials Plus adds independent technical verification, and ISO 27001 is a full information security management system covering people, process and technology.

Cyber Essentials focuses on five technical controls to reduce common internet-based threats, while Cyber Essentials Plus includes on-site or remote testing by an accredited body to confirm controls actually work. ISO 27001 requires documented policies, a risk assessment process and continual improvement, so it is broader and takes longer to implement.

| Dimension | Cyber Essentials | Cyber Essentials Plus | ISO 27001 |
| --- | --- | --- | --- |
| Scope | Five baseline technical controls: boundary firewalls, secure configuration, user access control, malware protection, patching | Same controls as Cyber Essentials, plus independent technical verification | Organisation-wide management system covering policies, risk register, controls and continual improvement |
| Pricing and cost of ownership | Low one-off assessment and annual renewal, suitable for SMB budgets | Higher fees for testing and certification, plus remediation and retest costs | Higher professional fees, tooling and audit costs, multi-year programme investment |
| Time-to-value | Days to weeks | Weeks to months (depending on remediation) | Months to a year or more |
| UK procurement and insurance fit | Meets many public procurement minimums (PPN guidance) | Stronger assurance for buyers and insurers | Preferred where procurement or regulators demand management systems |
| Organisation size suitability | Micro to small organisations or those needing quick proof | SMBs wanting stronger assurance | Mid-market and larger organisations or regulated firms |

Overlap and gaps

Cyber Essentials and Cyber Essentials Plus both validate the same basic controls, so they overlap on configuration, patching and access controls. Cyber Essentials Plus closes the gap by proving controls are effective through testing. ISO 27001 fills gaps that Cyber Essentials cannot: formal governance, supplier risk management, incident response planning and documented risk treatment.

Implication for procurement, insurance and risk posture

For UK procurement, the National Cyber Security Centre recommends Cyber Essentials as the government-backed baseline and many contracting authorities accept it as proof of minimal cyber hygiene; see the NCSC guidance for details via National Cyber Security Centre. Insurers and larger buyers often prefer ISO 27001 or Cyber Essentials Plus when a higher assurance level is required; pricing differences materially affect which is practical. For context on breach economics and how stronger controls change outcomes, see IBM’s 2025 analysis at Cost of a Data Breach Report 2025: The AI Oversight Gap – IBM.

We recommend choosing Cyber Essentials where you need rapid, low-cost evidence of basic controls for procurement or insurance. Choose Cyber Essentials Plus if you must demonstrate controls work in practice, and choose ISO 27001 when you need an auditable management system aligned to long-term regulatory or contractual obligations. For help sizing the right option to budget and risk, see our Cyber Resilience service at Cyber Resilience.


🔍 When should you get Cyber Essentials?

Get Cyber Essentials when you must prove basic cyber hygiene to buyers, insurers or regulators, when a tender or contract asks for it, or when you need a quick way to lower basic risk while you plan wider security work.

Immediate triggers

Public procurement and many large corporate buyers require Cyber Essentials as a minimum, so tender deadlines are the most common trigger. The UK Cabinet Office guidance and PPN 014 reinforced this requirement for suppliers in 2025, so if you are bidding for public contracts, start the process early to meet procurement timelines.

Commercial and insurance reasons

Insurers and procurement teams often ask for more assurance, like Cyber Essentials Plus or ISO 27001, but Cyber Essentials is still accepted as baseline evidence of hygiene for many SME-focused policies and supplier checks. Getting certification can reduce friction in sales processes and speed contract close.

When you should outsource or get help

Choose external help when your internal IT team lacks time, when remediation is needed to reach the standard, or when you want an audit-ready submission. Outsourcing reduces internal staff time and shortens the remediation window; our recommended approach balances the cost of consultant hours against the delay to your bid or renewal.

Case study: UK legal firm achieved certification in 6 weeks and won a contract

A UK legal firm, ~120 staff, faced a supplier requirement to hold Cyber Essentials for a major local government tender and had limited internal IT capacity to implement fixes.

We conducted a rapid gap assessment, delivered prioritised remediation, and prepared the certification evidence using our Cyber Security Consultants and Cyber Essentials Plus services to fast-track audit readiness.

Consider the Cyber Essentials cost trade-off: paying for external help adds to upfront spend, but it usually reduces staff diversion and shortens time-to-certification, which matters if a procurement deadline or insurance renewal is looming. For benchmarking, see IBM’s findings on breach costs and detection timelines when planning the wider risk case for investment (IBM, 2025) and their supplementary report on AI and breach impact (IBM media, 2025).

🧭 How to choose a Cyber Essentials provider


Choose a provider based on accreditation, UK support, clear pricing and a defined remediation and retest policy. Ask for assessor accreditation, sample size for evidence review, fixed fees for testing and a clear SLA for retest windows to control the cyber essentials cost.

Key selection criteria

Accreditation matters: the assessor must be on the scheme publisher’s list and able to issue the certificate you need. Ask the supplier to show their accreditation badge and the assessor ID they will use during your audit. Check whether the provider offers both the self-assessment Cyber Essentials and the hands-on Cyber Essentials Plus audit, because the latter affects price, time and evidence requirements.

Scope and sample size determine cost. A small 20-user office with standard cloud services needs less evidence than a hybrid estate with bespoke servers, so confirm how many users, devices and network segments the supplier will include in the fixed price. Also confirm what counts as a rescope event, and how rework is charged.

Questions to ask suppliers

  • What is included in the fixed price? Ask for line items: audit time, number of devices, evidence review, retest and certification fee.
  • How long from engagement to certificate? Typical windows are 2 to 8 weeks depending on evidence readiness.
  • What is the retest policy? Confirm if one free retest is included, or whether each retest is charged.
  • Can you bundle remediation? Check whether the provider fixes issues or only reports them; remediation is often priced separately and affects total cost.

The Cyber Essentials costs you are quoted should include the scheme fee, assessor time and any remote testing. If a supplier quotes a very low headline fee but leaves out retest or remediation, the real price will rise. When comparing hourly rates and bundled offers, published training and credentials pages show how vendors present standardised pricing and packages; see IBM training credentials and IBM training as examples.

We recommend asking for three priced scenarios: the do-it-yourself self-assessment cost, the assessor-led Cyber Essentials cost, and the assessor-led Cyber Essentials Plus cost with remediation included. Our approach shows the total near-term cost and the post-certification support options that affect ongoing cyber hygiene.

Red flags include vague deliverables, open-ended hourly estimates, long lead times without interim milestones and assessors who cannot confirm the retest policy in writing. Clear answers to the checklist above will keep the Cyber Essentials cost predictable and avoid last-minute surprises.

❓ Frequently asked questions

Do I need Cyber Essentials if I already have ISO 27001?

The key fact: ISO 27001 often covers the same technical controls, but Cyber Essentials is a focused badge many UK buyers and suppliers still request. At CyPro, we recommend mapping your ISO 27001 scope to the Cyber Essentials controls and sharing that mapping with assessors to speed certification and avoid duplicate evidence collection.

How long does Cyber Essentials certification take?

The key fact: A basic self-assessment can be completed in days, while Cyber Essentials Plus usually takes two to six weeks for technical verification. Timelines extend when unpatched devices, complex remote-working configurations or large asset inventories need remediation. Plan for discovery, fixes and a retest window when scheduling certification.

Can I outsource Cyber Essentials to a consultant?

The key fact: Yes, you can outsource assessor tasks and remediation support to consultants who speed evidence gathering and technical fixes. Choose consultants with UK experience, clear fixed-price packages and documented delivery scopes to avoid bill shock. Ensure the assessor relationship and certificate issuance remain transparent to your procurement team.

What are the hidden costs of getting Cyber Essentials?

The key fact: Hidden Cyber Essentials costs commonly include remediation labour, additional software licences, staff time and potential retesting after failed checks. Budget beyond assessor fees for patching, multi-factor authentication and basic network segmentation. Allow a contingency to cover unexpected device discoveries or legacy systems that need replacing to meet the standard.

Is Cyber Essentials enough for cyber insurance?

The key fact: Cyber Essentials can help with underwriting for some lower-risk policies, but many insurers expect stronger controls or extra evidence. Always check your insurer’s requirements, provide policy-specific evidence and treat Cyber Essentials as part of a broader security programme rather than a standalone insurance guarantee.

About the Author

Elsie Day Headshot

Elsie Day

Senior Security Consultant

  • BA Criminology
  • MSc Crime Science and Cyber Crime
  • ISC2 – Certified in Cyber Security
  • Prince2 Practitioner

Elsie Day

A graduate in Criminology, Elsie also has an MSc in Crime Science with Cyber Crime from UCL. She brings a solid foundation in cyber security principles and practices.

With a research background in human factors in cyber security, Elsie brings a proactive approach to analysing security landscapes. Highly analytical and committed to supporting clients, she excels at crafting solutions to enhance organisational resilience.

Elsie is proficient in identifying and addressing cyber threats, and committed to staying ahead in the ever-evolving digital security landscape. Her analytical skills, honed through experience and academic studies, enable her to extract valuable insights to inform strategic decisions.

Enthusiastic and knowledgeable, Elsie strives to be a catalyst for change in security paradigms, and is dedicated to developing innovative approaches to combat emerging threats.

Published: Jun 24 - 2026