Cyber Essentials Certification
If a client, procurement team, or government framework has listed Cyber Essentials as a requirement, you need an IASME-accredited assessor who can get you certified without delay. Precursor handles scoping, gap analysis, remediation guidance, and formal assessment. CE from £1,500, CE Plus from £3,000, with fixed pricing and a typical turnaround of 1-4 weeks.
Cyber Essentials vs Cyber Essentials Plus
If you have been asked to get Cyber Essentials without a specification of level, the right answer depends on who is asking and why. Use this guide to make a defensible recommendation.
Cyber Essentials
Verified by IASME Assessor
Cyber Essentials Plus
Hands-On Technical Audit by IASME Assessor
Which Level Applies to Your Situation?
| Scenario | Recommended Level |
|---|---|
| Bidding on standard UK Government contracts | Cyber Essentials (Basic) |
| MOD supply chain or defence sector contracts | Cyber Essentials Plus |
| NHS or health sector supplier requirements | Cyber Essentials Plus |
| General SME cyber hygiene or insurance requirement | Cyber Essentials (Basic) |
| Enterprise supply chain, client-specified | Check client requirement: Basic or Plus |
| ISO 27001 preparation, compliance baseline | Cyber Essentials (Basic) as a starting point |
| Crown Commercial Service frameworks | Cyber Essentials (Basic), verify per framework |
Recommending the wrong level means going through the process twice or spending 3-5x more than necessary.
MFA is now mandatory for all cloud services in scope.
The 2026 update to the Cyber Essentials scheme (v3.3) makes multi-factor authentication mandatory for all cloud services within the assessment boundary. Organisations renewing or applying for the first time must demonstrate MFA enforcement across Microsoft 365, Google Workspace, and any other cloud platforms in scope. If your MFA rollout is incomplete, this needs to be addressed before assessment.
Cyber Essentials and Cyber Essentials Plus: Which Level Do You Need?
Both levels are assessed against the same five NCSC technical controls. The difference is in how those controls are verified and who requires each level.
Cyber Essentials (Self-Assessment)
A verified self-assessment questionnaire covering the five NCSC technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. Ideal for organisations bidding on UK Government contracts. IASME certification fee included. Certificate valid for 12 months and listed on the NCSC public register.
Cyber Essentials Plus (Hands-On Audit)
An independent, hands-on technical audit performed by our IASME-accredited assessors. We verify your controls by testing devices, scanning for vulnerabilities, and validating configuration against the NCSC Willow standard. Required by MOD supply chain, NHS, and enterprise procurement teams. See our Cyber Essentials Plus page for full audit detail.
Five Technical Controls
Every assessment covers the five NCSC-mandated controls: boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and security update management (patching within 14 days). The 2026 scheme update (v3.3) makes MFA mandatory for all cloud services in scope.
Pre-Assessment Gap Analysis
Before your formal assessment, we identify gaps in your technical controls and provide clear remediation guidance. We walk through the self-assessment questionnaire with you, translate technical questions into your environment's language, and identify remediation needed before the formal assessment begins. Recommended for first-time applicants and organisations with Microsoft 365 or Google Workspace in scope.
Ongoing Compliance Support
Cyber Essentials certification is valid for 12 months. We provide renewal reminders, annual re-assessment, and guidance on maintaining compliance as your IT environment evolves. All certificates are listed on the IASME public register and searchable via the NCSC database. Using Cyber Essentials as your compliance baseline? ISO 27001 is the next step for organisations requiring a more rigorous information security management framework.
Engagement Workflow
Structured to minimise operational friction and maximise the value of the testing window.
Scoping and Gap Analysis
We scope your IT environment to determine which systems, devices, and cloud services fall within the assessment boundary. If you use Microsoft 365 or Google Workspace, those cloud services are in scope and we confirm your MFA enforcement and configuration meets the NCSC standard. Typically 1-3 days.
Remediation Support
Our team provides clear, prioritised guidance to address gaps found during the gap analysis. We help you configure firewalls, patching policies, access controls, and endpoint protection to meet the NCSC standard. Timeline depends on gaps found, typically 1-2 weeks.
Formal Assessment
For Cyber Essentials, we verify your self-assessment questionnaire (1-3 days). For Cyber Essentials Plus, our IASME assessors perform hands-on technical testing including vulnerability scanning, configuration review, and device sampling (3-5 days). Common failure points we help you avoid: treating cloud services as out of scope, BYOD not accounted for, patching window not meeting the 14-day requirement.
Certification and Badge
On successful completion, you receive your official Cyber Essentials or Cyber Essentials Plus certificate and digital badge on the same day. Certification is listed on the NCSC public register and valid for 12 months. We provide renewal reminders ahead of your expiry date.
How Much Does Cyber Essentials Certification Cost?
Pricing is scope-dependent, which is why quotes vary so widely between providers. The table below shows standard starting prices covering the majority of UK SMEs.
| Service | Organisation Size | Starting Price |
|---|---|---|
| Cyber Essentials | All organisation sizes | From £1,500 |
| Cyber Essentials Plus | SME (10-249 staff) | From £3,000 |
| Cyber Essentials Plus | Mid-market (250+ staff) | From £4,500 |
| Pre-Assessment Gap Analysis | All sizes | From £500 |
Fixed pricing after a 20-minute scoping call. No open-ended day rates, no hidden fees.
Cyber Essentials is a Baseline. Not a Ceiling.
Cyber Essentials Plus includes an external vulnerability scan. For organisations requiring deeper assurance, our CREST-accredited offensive and compliance services provide the next level of evidence. Use Cyber Essentials as your compliance baseline, then build from it.
Cyber Essentials Plus
Hands-on technical audit with vulnerability scanning and device sampling.
ISO 27001 Consultancy
The next step for organisations requiring a rigorous ISMS framework.
Penetration Testing
CREST-accredited testing across networks, applications, and cloud.
External Network Test
Deeper assurance of your external attack surface beyond CE Plus scans.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Every uncertified tender is a contract you cannot win.
Book a free 20-minute scoping call. We confirm which certification level applies to your requirement, scope your IT environment, and provide a fixed-price quote. No obligation. No day-rate surprises.
Cyber Essentials Certification: Common Questions
Pricing, certification levels, timelines, the 2026 MFA update, and what happens if you fail the assessment.
Cyber Essentials certification starts from £1,500 for all organisation sizes. Cyber Essentials Plus (with hands-on technical audit) starts from £3,000, scaling with device count and infrastructure complexity. Pre-assessment gap analysis starts from £500 and is recommended for first-time applicants to maximise first-time pass rates. All pricing includes the IASME certification fee and digital badge. We provide fixed-price quotes after a 20-minute scoping call, with no open-ended day rates and no hidden fees.
Cyber Essentials is a UK Government-backed certification scheme operated by the NCSC (National Cyber Security Centre). It verifies that an organisation has implemented five foundational technical controls to protect against the most common cyber threats. Certification is mandatory for organisations bidding on UK Government contracts involving sensitive data, and has been since 2014. An increasing number of private sector supply chains, insurers, and enterprise procurement teams now apply the same standard.
Cyber Essentials is a verified self-assessment questionnaire: you answer questions about your controls and an IASME-accredited assessor verifies your answers. Cyber Essentials Plus adds an independent, hands-on technical audit where our assessors test your actual systems, not just your answers. CE Plus includes external vulnerability scanning, device sampling, configuration review, and MFA enforcement verification. CE Plus is typically required by MOD supply chain, NHS, and enterprise procurement teams. CE Basic is sufficient for standard government contracts and general SME cyber hygiene.
A standard Cyber Essentials self-assessment can be completed in 1-2 weeks from scoping to certificate. Cyber Essentials Plus typically takes 2-4 weeks including gap analysis, remediation support, and formal assessment. Organisations with mature IT environments often complete the process faster.
The five controls are: (1) Firewalls and internet gateways, (2) Secure configuration, (3) User access control, (4) Malware protection, and (5) Security update management (patching within 14 days). These controls protect against the most common internet-based attacks. The 2026 scheme update (v3.3) makes multi-factor authentication mandatory for all cloud services within the assessment boundary.
Yes. Since 2014, Cyber Essentials certification has been mandatory for UK Government contracts that involve handling sensitive or personal information. Many private sector organisations and supply chains also require it as a baseline security standard. For MOD and defence sector contracts, Cyber Essentials Plus is typically required. Check our comparison table above to identify the appropriate level for your specific requirement.
Yes, if the contract involves handling sensitive data. This requirement has applied to UK Government contracts since 2014. Basic Cyber Essentials is sufficient for most standard government contracts. MOD supply chain and defence sector contracts typically require Cyber Essentials Plus. Crown Commercial Service frameworks generally require Basic; verify the specific framework requirement in the procurement documentation.
Yes. If gaps are identified during the assessment, we provide clear remediation guidance and re-test at no additional cost within a defined window. Our pre-assessment gap analysis is specifically designed to maximise your first-time pass rate by identifying common failure points before the formal assessment: treating cloud services as out of scope, failing to account for BYOD devices, and not meeting the 14-day patching window requirement.
A failed assessment means a re-assessment fee and a delayed certification timeline. The most common failure causes are: unpatched devices outside the 14-day window, inconsistent MFA enforcement across cloud services, BYOD devices not accounted for in the scope, and cloud services (Microsoft 365, Google Workspace) not meeting the NCSC configuration standard. Our pre-assessment gap analysis identifies these issues before the formal assessment so you control the remediation timeline.
The 2026 update (scheme v3.3) makes multi-factor authentication mandatory for all cloud services within the assessment boundary. Organisations renewing or applying for the first time in 2026 must demonstrate MFA enforcement across Microsoft 365, Google Workspace, and any other cloud platforms in scope. The update also clarifies cloud service scope boundaries and applies the Willow standard for configuration requirements. If your MFA rollout is incomplete, this needs to be addressed before assessment.
No. Basic Cyber Essentials uses a self-assessment questionnaire, but a certification body (IASME-accredited assessor) must verify your answers before a certificate is issued. Fully DIY certification is not possible. Precursor Security are an IASME-accredited assessor; we verify your self-assessment and submit it to IASME for certification. For Cyber Essentials Plus, an assessor must also conduct the hands-on technical audit.
Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months from the date of issue. Annual renewal is required to maintain certification. Precursor Security provides renewal reminders and streamlined re-assessment for returning clients. All certificates are listed on the IASME public register and searchable via the NCSC database.
All Precursor-issued certificates are listed on the IASME public register and searchable via the NCSC database. You can verify any organisation's certification status using the IASME certificate checker. We provide renewal reminders ahead of your 12-month expiry date so your certification does not lapse.



