How Much Does Cyber Essentials Certification Cost?
The certification fee is the small part. Here's the full 2026 picture: IASME assessment fees by organisation size, what Cyber Essentials Plus audits cost, and the remediation budget most guides skip.
Quick answer
Basic Cyber Essentials certification costs from around £300+VAT for micro organisations to around £500+VAT for large ones — a tiered IASME assessment fee (2026) that includes cyber liability insurance for eligible UK organisations under £20 million turnover. Cyber Essentials Plus adds an independent audit priced by the certification body, typically from around £1,500+VAT. The real first-year budget is usually dominated by remediation — retiring unsupported software, MFA rollout and access-control fixes — not the fee itself.
What Drives Your Total Cost
Organisation size
The IASME fee tiers by headcount: micro (1–9), small (10–49), medium (50–249) and large (250+) organisations pay progressively more — roughly £300 to £500+VAT in 2026.
Basic or Plus
Plus adds an independent technical audit priced by the certification body — typically from around £1,500+VAT depending on size and scope, on top of the basic fee.
Remediation gap
The dominant variable. Unsupported software, missing MFA and loose admin rights all need fixing before you can honestly pass — this is where first-year budgets actually go.
Estate complexity
More device types, BYOD and home-working kit mean more scope to evidence — and more audit time at the Plus tier.
Preparation approach
A gap analysis before applying costs less than a failed Plus audit and re-test. Prepared businesses certify in weeks; unprepared ones pay twice.
Annual renewal
Certification lasts 12 months. Budget the fee annually — and the ongoing hygiene that makes renewal routine rather than a project.
Cyber Essentials Costs by Tier (2026)
| Feature | Cost Item | Typical Cost+VAT |
|---|---|---|
| Basic CE — micro organisation (1–9 staff) | IASME assessment fee | from ~£300 |
| Basic CE — small organisation (10–49) | IASME assessment fee | ~£400–£450 |
| Basic CE — medium/large (50+) | IASME assessment fee | ~£450–£500+ |
| Cyber Essentials Plus audit | Set by certification body | from ~£1,500 |
| Remediation & preparation | The real variable | £0 to several thousand, gap-dependent |
The fee is not the budget
Every Cyber Essentials pricing conversation should start with this distinction: the certification fee is fixed and small; the remediation is variable and usually bigger. The IASME assessment fee for basic certification tiers by organisation size — from around £300+VAT for micro organisations (1–9 employees) up to around £500+VAT for large ones (2026 fees, set by IASME) — and includes cyber liability insurance for eligible UK organisations with under £20 million turnover. Cyber Essentials Plus adds an independent audit priced by the certification body performing it, typically from around £1,500+VAT.
Where first-year budgets actually go
For a typical SME, the spend that matters is closing the gap between current practice and the five controls: retiring end-of-support software (often the expensive one — licence upgrades or replacements), rolling out MFA properly, separating admin accounts, and getting patching onto a managed cadence. A business already running disciplined managed IT may spend nothing beyond the fee; one with years of drift can spend several times the fee putting the basics right. That's not a scheme problem — it's the scheme doing its job.
How to spend less on this
Two moves. First, gap-analyse before you apply — knowing exactly what will fail turns remediation into a planned project instead of an audit-day surprise, and at the Plus tier it avoids paying for a re-test. Second, make the controls somebody's day job: the five controls are precisely what a managed security service runs continuously — managed cybersecurity covers endpoint protection, patching and access control as operations, which makes annual recertification an evidence-gathering exercise rather than a scramble. AMVIA holds Cyber Essentials Plus ourselves; we prepare clients the same way we passed it. Start with what Cyber Essentials involves or talk to the team about a readiness assessment.
Frequently Asked Questions
The IASME assessment fee tiers by organisation size: from around £300+VAT for micro organisations (1–9 employees), roughly £400–£450+VAT for small (10–49), and around £450–£500+VAT for medium and large organisations. The fee includes cyber liability insurance for eligible UK organisations under £20 million turnover.
Plus pricing isn't fixed centrally — each certification body sets its own audit fee, typically from around £1,500+VAT depending on organisation size and estate complexity, on top of the basic certification you must hold first. Complex, multi-site estates cost more to audit.
Not hidden, but commonly unbudgeted: remediation. Retiring unsupported software, MFA rollout, access-control fixes and patching discipline are prerequisites for an honest pass, and for most SMEs this dwarfs the assessment fee. A gap analysis up front turns it into a known number.
For most UK SMEs, yes — on eligibility alone. It's required for certain government contracts and increasingly demanded in supplier questionnaires, so the certificate protects revenue, not just systems. The bundled insurance and the forced annual hygiene are the bonus.
Yes — annually, at both tiers. Budget the fee each year, and treat the controls as ongoing operations rather than an annual project: businesses running the five controls continuously find renewal routine, while those who certify-and-forget pay for remediation twice.
Get a Certification Readiness Assessment
Know your gap — and your real budget — before you apply. From a provider that holds Cyber Essentials Plus itself. No obligation.
Related Resources
Cyber Essentials Explained
What the certification is, the five controls, and why UK buyers now expect it.
Cyber Essentials vs Cyber Essentials Plus
Self-assessment or audited certification — what each proves and which buyers demand which.
How Much Does Managed Cybersecurity Cost?
The ongoing service costs that keep the five controls running between renewals.
Managed Cybersecurity
The full AMVIA security stack — the five controls as day-to-day operations.
Protect your business → Get Cybersecurity Assessment