
How much does Cyber Essentials cost in the UK? (2026 guide)

5 min read · 21 June 2026

"How much is Cyber Essentials going to cost me?" is one of the first questions UK small business owners ask — usually right after a client, insurer, or government tender tells them they need it. The good news: it's one of the most affordable security certifications available. The full cost, though, is a little more than the headline certificate fee.

The certificate fee

Cyber Essentials is overseen by IASME on behalf of the National Cyber Security Centre (NCSC), and the self-assessment certificate is priced on a sliding scale based on your organisation's size:

  • Micro (0–9 staff): around £300 + VAT
  • Small (10–49 staff): around £400 + VAT
  • Medium (50–249 staff): around £450 + VAT
  • Large (250+ staff): around £500 + VAT

For most small businesses that means roughly £300–£400 plus VAT for the certificate itself. The figures are set by IASME and reviewed periodically, so always check the current price before you budget.

Cyber Essentials vs Cyber Essentials Plus

The prices above are for the self-assessed Cyber Essentials. Cyber Essentials Plus adds a hands-on technical audit by an accredited assessor and costs significantly more — typically £1,400–£3,000+ depending on the number of devices and the complexity of your setup, on top of holding the base certification. Most businesses start with the self-assessed version and only move to Plus when a specific client or contract requires it.

The cost most people forget: getting ready

The certificate fee assumes you already meet the standard. In reality, the bigger "cost" for many small businesses is the work to get there — enabling multi-factor authentication, sorting out patching, removing end-of-life software, and configuring firewalls correctly. You can do this yourself for free if you have the time and the know-how, or pay for help to avoid a failed (and re-payable) submission.

This is where a gap assessment saves money: knowing exactly what's missing before you pay for certification means you don't fail the assessment and have to pay to resubmit.

So what's the realistic total?

  • If you already meet the standard: just the certificate fee (~£300–£400 + VAT).
  • If you need some remediation: certificate fee + a few hours of work, your own or paid support.
  • If you want guided support end-to-end: certificate fee + a consultant's time to assess, fix, and prepare your submission.

Is it worth it?

For most UK small businesses, yes. Cyber Essentials is mandatory for many government contracts, increasingly expected in supply chains, and often reduces cyber insurance premiums. More importantly, the five controls it covers genuinely block the majority of common, opportunistic attacks. The badge is nice; being harder to hack is the real return.

Find out where you stand — free

Before you spend anything, it's worth knowing how close you already are. Our free Cyber Essentials self-assessment scores your business across the five controls and gives you a gap report showing exactly what to fix — no card details, about five minutes. If you'd then like help closing the gaps or preparing your submission, that's where OkamiSec comes in.
