Cyber Essentials Cost and Requirements: A 2026 Guide

Introduction
Cyber Essentials keeps coming up in the same conversation: a client has been asked for it by a customer, an insurer, or a public-sector tender, and nobody in the business is sure what it involves or what it costs. That is a reasonable position to be in. The scheme is straightforward once you have been through it, but the pricing is banded, the terminology trips people up, and most of what gets written about it is a certification body's sales page. This is the straight version: what it is, what it costs, and what actually fails first assessment.
What Cyber Essentials is
Cyber Essentials is a UK government-backed certification scheme, run by the National Cyber Security Centre (NCSC) and delivered through IASME, the scheme's official delivery partner. It sets a minimum standard of technical cyber security controls that any organisation, from a two-person consultancy to a large enterprise, should have in place. It is not a legal requirement, but it has become a de facto one in practice: a growing number of contracts, particularly government and supply-chain work, will not go ahead without it, and cyber insurers increasingly price policies against it.
The five technical controls
Certification is built around five control areas. Whichever route you take, self-assessment or Plus, these are what get checked:
- Firewalls: filtering traffic at the boundary between your network and the internet, correctly configured rather than left on factory defaults.
- Secure configuration: devices and software set up to remove unnecessary accounts, services and default passwords that widen the attack surface.
- User access control: access granted on the basis of role and need, with admin rights kept to the people who actually need them.
- Malware protection: anti-malware tooling or application allow-listing in place across the estate, not just on a handful of machines.
- Security update management: a working patch management process, so known vulnerabilities in operating systems and applications get closed within a reasonable window rather than sitting open for months.
None of these are exotic. What Cyber Essentials tests is whether they are consistently applied across every device and account, not whether any single one exists somewhere in the business.
Basic self-assessment vs Cyber Essentials Plus
There are two levels, and the difference matters for both cost and what a certificate actually proves.
Cyber Essentials (self-assessment) is a questionnaire covering the five controls. A senior signatory within your organisation confirms the answers, and an IASME-accredited assessor reviews and marks the submission. It is quick to complete once the controls are actually in place, and it is the entry point most small businesses start with.
Cyber Essentials Plus adds independent, hands-on technical verification on top of the same five controls. An assessor examines a sample of your devices and network directly, rather than taking your word for it, including on-site or remote testing of patch levels, configuration and malware protection. It carries more weight with larger clients and insurers precisely because it is externally verified, not self-reported, but it takes more preparation and cannot be rushed the way a self-assessment questionnaire can.
What Cyber Essentials actually costs
This is the part everyone actually wants to know, so here it is plainly, with the caveat that these figures are set by the scheme and its accredited certification bodies, not by us.
The IASME assessment fee for basic Cyber Essentials is banded by organisation size. As of 2026, that works out at roughly £300-330 plus VAT for micro organisations (1-9 employees), rising through small and medium bands to around £500 plus VAT for large organisations (250+ employees). The NCSC's own overview describes the scheme as "starting at £320 plus VAT," which is broadly consistent with the micro-band figure once rounding is accounted for. That fee includes one year of unlimited self-assessment attempts, and organisations with UK turnover under £20 million get free cyber liability insurance bundled in automatically.
Cyber Essentials Plus costs considerably more because of the technical testing involved. Typical figures reported by certification bodies put micro and small organisations at around £1,500-1,900 plus VAT, medium organisations at £1,900-2,500 plus VAT, and larger or more complex estates at £2,500-3,000 plus VAT or more, depending on the number of devices and locations sampled.
Two things are worth being clear about. First, those figures are the certification body's assessment fee only: they do not include the cost of fixing whatever the assessment finds, which is usually where the real budget goes. Second, we are not a certification body ourselves, and we do not charge a fixed fee for our own part of the process, because it varies with how much remediation your estate actually needs. What we offer is a free quote after a gap assessment: we tell you honestly where you stand against the five controls before you spend anything with an accredited body.
How long it takes
Once the five controls are genuinely in place, completing and submitting the self-assessment questionnaire is quick, often a matter of days, and IASME-accredited assessors typically mark submissions within a few working days after that. The variable that actually determines your timeline is remediation. An organisation with tidy patching, sensible access control and a properly configured firewall might be assessment-ready within a week or two. An organisation with a patching backlog, shared admin accounts and a firewall nobody has touched since installation is looking at several weeks of remediation work first, and that is the stage where most delays happen. Certification, once granted, is valid for 12 months, so this is not a one-off exercise: it needs renewing every year, and the controls need to hold up in the meantime, not just on submission day.
The failures we see most often
Across the assessments we have supported, the same handful of issues come up again and again:
- Patch management with no real process. Updates get applied when someone notices, not on a schedule, leaving known vulnerabilities open for months.
- Firewall rules nobody remembers writing. Old rules from a departed supplier or a one-off project left open long after they were needed.
- Shared or excessive admin accounts. Convenient day to day, and one of the fastest ways to fail the user access control section.
- Default configurations on new devices. Routers, switches and software installed and left on factory settings rather than hardened.
- Inconsistent malware protection. Covered on the main office machines, missed on laptops, remote workers' devices or older kit still in use.
Every one of these is fixable, usually without replacing hardware, but they need finding before the assessor finds them.
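As an added illustration, not PacketCollection's own tooling or anything published by the scheme, the Python below runs a gap check over a constructed device inventory: it applies the five controls to every device and fails a control on its first exception, which is the "consistently applied across the estate" point above, and it flags the common failures just listed (stale firewall rules, generic admin accounts, default passwords, uneven malware protection, overdue patches). The 14-day window for critical and high-risk updates is the scheme's own requirement; the field names, hostnames and generic-account naming hints are assumptions made for the example.

```python
from datetime import date

# Constructed sample inventory (not real hosts): one record per in-scope device.
# Field names and values are assumptions made for this example.
ESTATE = [
    {"host": "fin-laptop-01", "oldest_unapplied_critical_update": date(2026, 1, 5),
     "admins": ["alice"], "malware_protection": True, "default_password": False,
     "inbound_rules": []},
    {"host": "sales-laptop-07", "oldest_unapplied_critical_update": None,
     "admins": ["bob", "shared-admin"], "malware_protection": False,
     "default_password": False, "inbound_rules": []},
    {"host": "edge-router", "oldest_unapplied_critical_update": None,
     "admins": ["admin"], "malware_protection": True, "default_password": True,
     "inbound_rules": [{"name": "old-supplier-vpn", "owner_active": False},
                       {"name": "office-vpn", "owner_active": True}]},
]
AS_OF = date(2026, 2, 1)  # constructed assessment date
PATCH_WINDOW_DAYS = 14  # scheme requirement: critical/high updates applied within 14 days
GENERIC_ADMIN_HINTS = ("shared", "admin")  # assumption: naming hints for non-personal accounts

def assess_estate(estate, as_of):
    """Return {control: [finding, ...]} across every device in the estate.
    A control passes only when its list is empty: one unpatched laptop or one
    generic admin account anywhere is enough to fail the control."""
    findings = {"firewalls": [], "secure_configuration": [], "user_access_control": [],
                "malware_protection": [], "security_update_management": []}
    for d in estate:
        host = d["host"]
        released = d["oldest_unapplied_critical_update"]
        if released is not None and (as_of - released).days > PATCH_WINDOW_DAYS:
            findings["security_update_management"].append(
                f"{host}: critical update outstanding {(as_of - released).days} days")
        for user in d["admins"]:
            if any(hint in user.lower() for hint in GENERIC_ADMIN_HINTS):
                findings["user_access_control"].append(f"{host}: generic admin account '{user}'")
        if not d["malware_protection"]:
            findings["malware_protection"].append(f"{host}: no anti-malware or allow-listing")
        if d["default_password"]:
            findings["secure_configuration"].append(f"{host}: factory default password still set")
        for rule in d["inbound_rules"]:
            if not rule["owner_active"]:
                findings["firewalls"].append(f"{host}: inbound rule '{rule['name']}' has no active owner")
    return findings

def is_assessment_ready(findings):
    """True only when every one of the five controls has zero findings."""
    return all(not items for items in findings.values())
```

Running `assess_estate(ESTATE, AS_OF)` on the sample estate fails all five controls even though each control is satisfied on at least one device, which is exactly the gap a self-assessment answer of "yes, we have that" tends to hide.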
Where PacketCollection fits in
We are not a Cyber Essentials certification body, and we never claim to be. Certificates are issued by IASME-accredited assessors, and that stays their job. Our job is the work either side of it: a plain-English gap assessment against the five controls, the remediation to close whatever it finds, help preparing your self-assessment answers, or getting your estate genuinely ready for a Cyber Essentials Plus audit. If you already work with an accredited certification body, we can work alongside them; if you do not have one yet, we can point you towards one once you are ready.
If a client, insurer or tender is asking you for Cyber Essentials and you are not sure where you currently stand, our Cyber Essentials service covers the gap assessment and remediation end to end. If you want a broader look at your network security beyond the scheme's five controls, our security audit service goes further, covering vulnerability assessment and penetration testing alongside compliance.
Either way, get in touch for a free consultation. We will tell you honestly where your gaps are before you spend a penny on assessment fees, not after.