Cyber Security can feel confusing when you first start looking into it.
You know your business needs to be protected. You may have heard customers, suppliers, insurers or tender applications mention Cyber Essentials. But the first question most businesses ask is simple:
What is Cyber Essentials, and how much does it actually cost?
In this guide, we’ll break down what Cyber Essentials is, how the certification works, what Cyber Essentials Plus includes, and why some providers charge more than the official certification fee.
What Is Cyber Essentials?
Cyber Essentials is a UK Government backed cyber security scheme designed to help businesses protect themselves against common online threats.
It focuses on five key technical controls:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Security update management
These are the basics every business should have in place.
Cyber Essentials is not about making your business impossible to hack. No certification can promise that. Instead, it helps reduce the risk of common cyber attacks by making sure your business has the right cyber security foundations in place.
For many businesses, Cyber Essentials is also a useful way to show customers, suppliers and partners that cyber security is being taken seriously.
What Is Cyber Essentials Certification?
Cyber Essentials certification is based on a verified self-assessment.
This means your business answers a set of questions about how your IT systems are set up, managed and protected. An assessor then reviews your answers to check whether your business meets the required standard.
For some organisations, the questionnaire is fairly straightforward. For others, it highlights gaps that need fixing before certification can be achieved.
This is why preparation matters.
The cost of the certificate is one thing. Your business also needs to be technically ready.
What Is Cyber Essentials Plus?
Cyber Essentials Plus is the next level up from Cyber Essentials.
It is based on the same core requirements, but instead of only completing a self-assessment, your systems are independently tested.
This means an assessor carries out technical checks to make sure the required cyber security controls are actually in place.
Cyber Essentials Plus is usually more expensive because it involves han
How Much Does Cyber Essentials Cost?
Cyber Essentials has an official pricing structure based on the size of your organisation.
| Organisation size | Number of employees | Official Cyber Essentials cost |
|---|---|---|
| Micro organisation | 0–9 employees | £320 + VAT |
| Small organisation | 10–49 employees | £440 + VAT |
| Medium organisation | 50–249 employees | £500 + VAT |
| Large organisation | 250+ employees | £600 + VAT |
The official fee usually covers the certification assessment itself.
It does not always include extra help with preparation, technical changes, admin support or fixing issues that may stop your business from passing.
That is where additional provider costs can come in.
How Much Does Cyber Essentials Plus Cost?
Cyber Essentials Plus usually costs between £1,500 and £5,500 + VAT, depending on the size and complexity of your business.
Unlike standard Cyber Essentials, there is not one fixed national price for Cyber Essentials Plus.
This is because Cyber Essentials Plus includes independent technical testing. The cost can vary depending on:
- How many devices need to be tested
- How complex your IT setup is
- Whether you have remote workers
- Whether you use cloud services
- Whether issues need fixing before testing
- How much support you need from your provider
A small business with a simple setup will usually sit at the lower end of the range. A larger or more complex organisation may pay more.
Is Cyber Essentials Worth It?
For many UK businesses, yes.
Cyber Essentials is worth it because it gives your business a recognised cyber security standard to work towards. It can help reduce risk, improve customer trust and support tender applications.
It is especially useful if:
- You work with larger organisations
- You bid for public sector or supply chain contracts
- Your customers ask about cyber security
- You handle sensitive business or customer data
- You want a clear cyber security baseline
- You want to show you take security seriously
The process itself can also be valuable.
A lot of businesses only discover weak points when they go through the assessment. Things like old devices, missing updates, shared accounts, weak passwords and poor admin controls can easily be missed during day-to-day work.
Cyber Essentials gives your business a clear framework to follow.
Why Do Some Providers Charge More Than the Official Cyber Essentials Fee?
This is where a lot of confusion comes from.
The official Cyber Essentials fee covers the certification assessment. However, some providers charge more because they include additional support around the certification process.
That extra support may include:
- Helping you understand the requirements
- Reviewing your current IT setup
- Checking whether your answers are accurate
- Identifying issues before you submit
- Supporting technical changes
- Reducing the admin involved
- Helping manage the certification process
This does not mean the official certification fee has changed.
It means the provider is charging for their time, guidance and support on top of the assessment cost.
For some businesses, this support is not needed. If you have a strong internal IT team and your systems are already well managed, you may be comfortable completing the assessment yourself.
For other businesses, support can be useful because it saves time, reduces admin and helps avoid submitting incorrect answers.
FAQ’S
What happens if I fail Cyber Essentials?
However, you need to be confident that your answers are accurate and that your systems meet the requirements. If you are unsure about things like firewalls, admin accounts, device updates or malware protection, it may be worth getting support before submitting.
Does Cyber Essentials include Cyber Essentials Plus?
No. Cyber Essentials and Cyber Essentials Plus are separate certifications.
Cyber Essentials is the verified self-assessment. Cyber Essentials Plus includes independent technical testing and usually costs more.
Do small businesses need Cyber Essentials?
Small businesses can benefit from Cyber Essentials because they are often targeted by common cyber attacks such as phishing, weak passwords and unpatched devices.
It gives smaller organisations a clear structure to follow without making cyber security overly complicated.
Is Cyber Essentials required for tenders?
Sometimes, yes.
Cyber Essentials is often requested in tender applications, especially when working with government bodies, larger organisations or supply chains that have stricter cyber security requirements.
Even when it is not mandatory, having the certificate can help show that your business takes cyber security seriously.
Does Cyber Essentials guarantee my business is secure?
No certification can guarantee complete security.
Cyber Essentials helps protect your business against many common cyber threats, but it should be seen as a strong baseline rather than the whole answer.
Good cyber security also includes staff awareness, backups, monitoring, strong policies and ongoing IT management.
