
Cyber Essentials is one of the most cost-effective cybersecurity certifications available to UK businesses, but the headline IASME assessment fee rarely tells the whole story. Preparation time, technical remediation, optional consultancy support and the step up to Cyber Essentials Plus all influence what you will actually spend in your first year and at each annual renewal.

This guide breaks down every cost you can expect to encounter on the path to certification, compares pricing against other security standards such as ISO 27001 and SOC 2, and shows how to minimise spend without compromising on certification quality. Visit our Cyber Essentials hub for a wider overview of the scheme.

How much does Cyber Essentials cost in 2026?

The headline cost of Cyber Essentials is set by IASME, the sole accreditation body for the scheme. In April 2025 IASME moved to a tiered pricing model based on organisation size, and these tiers remain in effect through 2026. Pricing is published in pounds sterling and is exclusive of VAT.

Crucially, these figures cover only the IASME assessment fee, which includes one year of unlimited self‑assessment attempts and Cyber Liability Insurance for UK organisations with turnover under £20 million.

| Organisation Size | Employee Headcount | IASME Assessment Fee (ex VAT) | Total inc. VAT (UK) |
|---|---|---|---|
| Micro | 1 – 9 employees | £330 | £396 |
| Small | 10 – 49 employees | £400 | £480 |
| Medium | 50 – 249 employees | £450 | £540 |
| Large | 250+ employees | £500 | £600 |

Headcount is determined by the scope you certify, not the entire group. If you are certifying a UK subsidiary of a larger international parent and the scope only includes UK employees, you pay based on the UK headcount. This is one of the most common ways UK businesses unintentionally overpay — defining the scope sensibly can move you down a tier without affecting the certificate’s usefulness in tender responses.

The fee is paid directly to your chosen IASME Certification Body when you submit your self‑assessment. Some Certification Bodies add a small administration premium on top of the IASME fee, particularly when they bundle in pre‑assessment support, so it is worth comparing three or four quotes before booking.

How much does Cyber Essentials Plus cost?

Cyber Essentials Plus builds on the standard self‑assessment with an external technical audit, including authenticated vulnerability scans of your devices, a sample of user accounts and a review of your external footprint. Because the assessor must spend time physically (or remotely) testing your environment, the cost rises significantly.

Most UK businesses pay between £1,500 and £3,000+VAT for Cyber Essentials Plus, with the exact figure determined by sample size, complexity and the assessor you choose. The fee is paid to the Certification Body and is in addition to (not instead of) the IASME assessment fee for the underlying Cyber Essentials certification.

  • Micro and small organisations — Typically £1,500 to £1,900+VAT, covering a sample of around 3 to 6 devices and 1 to 2 user accounts.
  • Medium organisations — Typically £1,900 to £2,500+VAT, with larger device samples, multiple operating systems and several user roles.
  • Large organisations or complex estates — £2,500 to £3,000+VAT and sometimes more, particularly where multiple sites, mobile fleets or cloud platforms must be sampled.

If you only need the basic certification because a tender requires it, the standard self‑assessment is enough. If your buyers, insurers or regulators specifically ask for Cyber Essentials Plus, or you sell into central government, defence or sensitive supply chains, the Plus uplift is normally non‑negotiable. Read our guide to Cyber Essentials Plus requirements to see exactly what the audit covers.








What hidden costs should you budget for?

The IASME and Plus fees are only the visible portion of the iceberg. Most organisations spend at least as much again on the work needed to pass the assessment first time. Treating these costs as part of the project budget from day one avoids nasty surprises later.

Preparation time and internal resourcing

Even the simplest Cyber Essentials self‑assessment has around 70 questions covering firewalls, secure configuration, user access control, malware protection and security update management. A first‑time applicant typically spends between 20 and 60 person‑hours gathering evidence, configuring controls and completing the questionnaire. At a fully loaded internal day rate of £400, that equates to £1,000 to £3,000 of internal time alone.

Technical remediation

Most organisations discover at least one control they cannot evidence on day one. Common remediation costs include:

  • Endpoint replacement — Devices running unsupported operating systems (older Windows versions, end‑of‑life macOS) must be retired or upgraded.
  • MFA roll‑out — Multi‑factor authentication is mandatory for all cloud services and administrative accounts.
  • Patch management tooling — Automated patching for operating systems and applications, with all high‑risk updates applied within 14 days.
  • Endpoint protection — Anti‑malware on every applicable device, centrally managed where possible.
  • Account hygiene — Removing dormant accounts, separating administrative and standard accounts and enforcing strong password policies.

Consultancy and managed support

Engaging a Cyber Essentials consultant or IT managed service provider typically adds £500 to £2,500+VAT depending on scope. This buys you a gap analysis, evidence templates, policy drafting and a sense check before submission. For organisations with no internal security resource, this is usually cheaper than failing the first submission and paying for a resit.

Annual renewal fees

Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months. Renewal is not a discount — you pay the full IASME assessment fee and (if applicable) the full Plus audit fee each year. Some Certification Bodies offer multi‑year packages with a small saving, but the underlying IASME fee is unchanged.

What is the total cost of Cyber Essentials over three years?

To get a realistic picture of cost, you need to look at the three‑year total rather than just the year‑one outlay. The table below illustrates a typical small UK business (around 25 employees) that begins with a standard self‑assessment in year one and adds Cyber Essentials Plus from year two when a major customer requires it.

| Cost Component | Year 1 (CE Only) | Year 2 (CE + CE Plus) | Year 3 (CE + CE Plus) | 3‑Year Total |
|---|---|---|---|---|
| IASME assessment fee (Small tier) | £400 | £400 | £400 | £1,200 |
| Cyber Essentials Plus audit | | £1,800 | £1,800 | £3,600 |
| Consultancy & preparation | £1,500 | £800 | £500 | £2,800 |
| Technical remediation | £2,000 | £500 | £300 | £2,800 |
| Internal time (loaded cost) | £2,400 | £1,600 | £1,200 | £5,200 |
| Typical total (ex VAT) | £6,300 | £5,100 | £4,200 | £15,600 |

These figures are illustrative and will vary widely depending on the maturity of your current security posture. Organisations that already operate good IT hygiene, MFA and patching can reduce the year‑one figure dramatically. Read our guide on how long Cyber Essentials takes to see how preparation effort maps onto cost.

How does Cyber Essentials cost compare to ISO 27001 and SOC 2?

Cyber Essentials is deliberately positioned as the entry point to certified cybersecurity for UK businesses. The cost gap between it and the next step up — ISO 27001 — is substantial.

| Standard | Typical Year‑1 Cost (UK SMB) | Annual Cost After | Best Suited For |
|---|---|---|---|
| Cyber Essentials | £500 – £2,000 | £400 – £1,500 | UK businesses bidding for government and supply chain contracts |
| Cyber Essentials Plus | £2,000 – £5,000 | £1,900 – £4,500 | UK businesses where buyers require external audit assurance |
| ISO 27001 | £3,000 – £15,000+ | £2,000 – £10,000+ | UK and international businesses needing globally recognised assurance |
| SOC 2 (Type II) | £20,000 – £100,000+ | £15,000 – £80,000+ | SaaS and technology businesses selling into the US market |

Cyber Essentials is roughly an order of magnitude cheaper than ISO 27001 and two orders of magnitude cheaper than SOC 2 Type II. For many UK businesses, Cyber Essentials covers the most common procurement and insurance requirements at a fraction of the cost. If your customer base is largely UK based and your contracts specify Cyber Essentials or Cyber Essentials Plus, there is rarely a commercial reason to spend more. See our comparison of Cyber Essentials vs ISO 27001 for a deeper breakdown.








What is the return on investment for Cyber Essentials?

The fee is only one side of the equation. For most UK organisations the certificate pays for itself within the first year through three main channels.

Contract eligibility

Cyber Essentials is mandatory for many UK central government contracts that involve handling personal data or operational information. It is also increasingly required by local authorities, NHS suppliers, defence primes and large enterprises in their supplier onboarding processes. A single won tender can pay for several years of certification.

Cyber insurance premium discounts

UK cyber insurers routinely offer 5% to 15% premium discounts to Cyber Essentials certified organisations, and many will simply not quote without it. The included IASME Cyber Liability Insurance (£25,000 cover for UK organisations under £20 million turnover) is itself worth more than the certification fee for businesses that would otherwise need to purchase their own.

Reduced breach probability

The UK Government’s Cyber Security Breaches Survey consistently shows that certified organisations experience fewer and less severe incidents. With the average cost of a UK SMB cyber incident now exceeding £15,000, even a modest reduction in incident probability more than justifies the cost.

Faster sales cycles

Holding the certificate shortens supplier due diligence questionnaires significantly. Many buyers accept Cyber Essentials Plus as a substitute for completing their own multi‑page security questionnaire, accelerating procurement timelines. Our analysis of whether Cyber Essentials is worth it explores the ROI in more detail.

DIY vs consultant: which route saves the most money?

There is no single right answer to the DIY vs consultant question. The cheapest option on paper (DIY) often becomes the most expensive if a failed submission forces remediation work under time pressure. Use the table below to choose the route that matches your situation.

| Route | Typical Extra Cost | Best For | Watch Out For |
|---|---|---|---|
| Pure DIY | £0 | Organisations with an experienced IT lead and good security hygiene already in place | Significant internal time investment; risk of failing first submission |
| Platform‑assisted | £100 – £300 per month | SMBs that want structure, templates and progress tracking without paying full consultancy rates | Choose a platform that maps directly to the IASME question set |
| Consultant‑led | £500 – £2,500+ | Organisations with little internal security expertise or tight deadlines | Make sure the consultant transfers knowledge so renewal cost falls in year two |
| Fully managed | £200 – £600 per month ongoing | Micro and small organisations outsourcing IT and security to a managed service provider | Lock‑in to a specific MSP; renewal pricing can creep up |

For most UK small businesses (10 to 49 employees), the platform‑assisted route delivers the best balance of cost and certainty. Read our guide to Cyber Essentials for small business for sector‑specific advice on choosing between the routes.

Why Choose ISMS.online for Cyber Essentials?

ISMS.online is built to make Cyber Essentials preparation faster, more predictable and a great deal less stressful than spreadsheets and shared drives.

  • Mapped to the full IASME question set — Every Cyber Essentials control is pre‑mapped in the platform, so you assess against the standard without building your own checklist.
  • Pre‑built policies and evidence templates — Acceptable use, patching, access control and incident response policies are ready to customise, cutting preparation time from weeks to days.
  • Evidence vault with version control — Screenshots, configuration exports and signed‑off policies are stored against each control, ready to share with your assessor.
  • Maturity dashboards — Track your readiness in real time and see exactly which questions you can already answer with full confidence.
  • Multi‑framework reuse — If you later progress to ISO 27001 or SOC 2, the same evidence and policies map across, so ISMS.online helps you achieve those certifications faster too.
  • Assured Service Provider partnerships — Connect directly to certified IASME assessors through the platform when you are ready to submit.
  • Predictable subscription pricing — A single annual platform fee, no surprise consultancy bills, and full transparency on what you are paying for.


FAQs

How much does Cyber Essentials cost in the UK in 2026?

The IASME assessment fee for Cyber Essentials in 2026 is £330+VAT for micro organisations (1‑9 employees), £400+VAT for small (10‑49), £450+VAT for medium (50‑249) and £500+VAT for large (250+) organisations. This is the headline fee only. Most UK businesses also incur preparation, remediation and (optionally) consultancy costs, taking the realistic year‑one total to between £1,500 and £6,000 for a typical small business.


How much is Cyber Essentials Plus?

Cyber Essentials Plus typically costs between £1,500 and £3,000+VAT, depending on the size and complexity of your environment. This is in addition to the standard IASME assessment fee for Cyber Essentials, so you should budget for both. Larger or more complex estates with multiple sites, mobile fleets or cloud platforms can exceed £3,000.


What is the annual cost of Cyber Essentials?

Cyber Essentials certificates are valid for 12 months, after which you must renew. Renewal is charged at the full IASME assessment fee — there is no loyalty discount. If you also hold Cyber Essentials Plus, the audit fee is also payable annually. Annual internal preparation effort normally falls sharply after year one, so the ongoing all‑in cost is typically lower than the first year.


Are there any hidden costs for Cyber Essentials?

Yes. Beyond the IASME fee you should budget for internal preparation time (20‑60 person hours typically), technical remediation such as MFA roll‑out and endpoint upgrades, and optionally a consultant or compliance platform to guide the process. These hidden costs often equal or exceed the assessment fee in year one, which is why many organisations choose ISMS.online to make the workload predictable.


Is Cyber Essentials cheaper than ISO 27001?

Yes, by a significant margin. A typical UK SMB will spend £500 to £2,000 on Cyber Essentials in year one compared with £3,000 to £15,000+ on ISO 27001. The two standards address different needs — Cyber Essentials is a technical baseline focused on the UK market, while ISO 27001 is a full information security management system recognised globally. Many UK businesses start with Cyber Essentials and progress to ISO 27001 only when international customers or larger contracts demand it.


Can I reduce my Cyber Essentials cost by narrowing the scope?

In principle yes — the IASME tier is based on the headcount inside the certified scope, so a well‑defined sub‑scope can move you down a pricing tier. However, your scope must still satisfy whoever requires the certificate. If a customer needs the certificate to cover all of your operations, an artificially narrow scope will fail to win the contract. Define the scope to match the assurance your buyers need, not to minimise the fee at any cost.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
