Cyber Essentials: How much does it cost?

August 14th, 2019

When you're considering Cyber Essentials for your business, you don't look at the costs after you've decided to invest; you look at them beforehand!

The total cost of Cyber Essentials certification will vary depending on multiple factors:

  • Which level you choose
  • What security systems you have in place
  • How robust they are
  • Penetration testing
  • What improvements you need to make
  • How long it takes for assessment and update implementation
  • Cyber Essentials Certification

Remember that some of these factors are price differences and some are time costs.

Basic cost of Cyber Essentials

The Cyber Essentials questionnaire is free to download from the IASME website. IASME are one of five government-approved accreditation bodies who can help you through the process of assessing your systems and finding a certification body.

The questionnaire tells you the five controls your systems are assessed against and the sorts of things that you need to look at in relation to your security setup. The controls are:

  1. Boundary firewalls and internet gateways
  2. Malware protection
  3. Patch management
  4. Secure configuration
  5. Access control

Once you’re ready to be assessed, you can apply for the online questionnaire. This is the version you must complete in order to receive certification. For this, IASME charge £300+VAT, and within three days you will receive a certificate for Basic Level Cyber Essentials. You also get automatic cyber liability insurance for UK domiciled organisations with less than £20m turnover (provided you pass).

You have three months from the date of your online application to complete the questionnaire and submit it for assessment. If you don’t, you will have to reapply and pay again. The timeframe is short because systems and IT security requirements change rapidly.

Should you fail the Cyber Essentials testing, you have two days to make the necessary improvements. You can then resubmit your answers free of charge, and they will be reassessed. Your assessor will explain where you failed. However, if you fail again, or if you resubmit after the 48 hours, you will be required to pay the full amount again.

Help and support to get certified

Businesses that miss the deadline usually find it’s because managing the project in-house is more time-consuming than they expected. Because of that, here at ATG, we recommend our fully-managed option to all clients, which includes all the help and support they need to become Cyber Essentials verified.

Our customers see a number of benefits to choosing the managed option, not least because they know they have a team of IT experts on hand to help them with any problems or queries.

We take them through the entire process and we also provide weekly compliance reports.

This is a great way to show the ICO and any other regulatory body that they're not only compliant, but can actively evidence the fact that they are on a day-to-day basis.

Pricing for fully managed starts at just £99 per month.

Cost of Cyber Essentials Plus

Cyber Essentials Plus is the next level up, and IASME say that it offers more assurance that your company is compliant with Cyber Essentials. As well as the internal system tests, there is an external test.

To be eligible for Plus, you need to complete the audit within three months of your Cyber Essentials certification, although you can do both at the same time. The cost will vary depending on the size and complexity of your network, but somewhere between £1,000 and £3,000 is possible.

The assessor carries out a technical audit of a representative set of user devices, all servers accessible to unauthenticated users and internet gateways (usually 10%), and then decides if additional testing is needed.

If you have multiple offices, the assessor will decide on how many to visit as part of the sample, but your head office will always be included. If you have overseas premises, the assessor might need to go to these too, although if you can prove that onsite visits have been done, they may do remote tests.

As you can see, the cost will vary considerably depending on your organisation, but you can apply to IASME for an estimated cost, or you can contact their Certification Bodies directly. They can give you a price and also guide you through the whole process when you’re ready to go ahead.

Updates and improvements

It’s worth noting that if you’re relying on out-of-date systems, such as Windows XP or a legacy version of Windows 7, you’ll almost certainly fail the Cyber Essentials test, as your system is unsupported.

Windows 7 EOL comes into force in January next year, so if you’re using that, upgrade to Windows 10 before you apply for assessment. You can find out costs for this via the Office website.

The results of the third-party assessment will identify vulnerabilities in your security system, and depending on the kind of business you have and the data you will hold, you will have different priorities in terms of what you need to implement or upgrade.

For instance, you may choose to replace your free cloud storage with a more secure, flexible option with a monthly fee. You may want to have a disaster recovery and data backup system in place, and pay for something that saves data regularly and gives you peace of mind that you can get information back quickly.

While this will be cheaper than paying for someone to come out and fix things if the worst happens, there will still be a cost involved, and that will be based on the number of employees and how many devices they use to access their work (including personal smartphones and tablets).


The UK government recommends annual reassessment and, depending on the requirements of the industry you work in or support, it may be a strict requirement not to let your certification lapse, even by a couple of days. You may equally be advised to undertake reassessment in a shorter timeframe.

IASME will email you a month before your certificate expires. However, with ATG's fully-managed service, you don’t need to worry about renewing or completing another compliance assessment on your systems, as we take care of all of that for you. We ensure you’re always compliant, so there is no major annual project, just ongoing governance and compliance.

We hope that this post helps explain the costs involved in obtaining your Cyber Essentials certificate. If you wish to discuss it in more detail, don’t hesitate to contact us, or you can download our Cyber Essentials: Small Business Guide for more info.