Skip to main content
Cyber Essentials articlecyber essentials cost7 min read

Last updated 18 June 2026

Cyber Essentials Cost in 2026: What You'll Really Pay

The real cost of Cyber Essentials in 2026: assessment fees by company size, Plus quote factors, hidden preparation costs, and the three practical routes through it.

The number on the certification body's website is not the number that leaves your bank account. Sometimes the real figure is smaller than you fear; usually it is bigger than the headline. This article breaks down what Cyber Essentials actually costs a UK business in 2026: the official fee, the hidden costs, the three paths through the work, and the one mistake that makes you pay the fee twice.

The official assessment fee

The Cyber Essentials assessment fee is tiered by organisation size. The smallest organisation band currently starts from around £320 + VAT, with higher bands for small, medium, and large organisations. Always check IASME's current Cyber Essentials pricing before budgeting, because their fee table is the authority and can change.

That fee buys assessment of your self-assessment questionnaire and, if your answers hold up, certification valid for 12 months. Everyone pays it. No preparation route, tool, or consultant removes it.

Cyber Essentials Plus is a different budget conversation

Cyber Essentials Plus is the audited version: an assessor tests your systems rather than only reviewing your answers. It is quote-based and depends on size, scope, device count, and your chosen certification body. Basic certification is the prerequisite.

Before buying the expensive one, read your contract carefully. Most small companies certifying for a customer or tender requirement need Basic. If the contract says "Cyber Essentials Plus", it means it. Do not assume Plus when the wording does not demand it.

The three hidden costs

Your time. The questionnaire runs to over a hundred questions across scoping, firewalls, secure configuration, access control, malware protection, and patching. The government's own process evaluation found that many certified organisations needed help getting through it. For a founder going in cold, several evenings is realistic.

Remediation. Preparing honestly surfaces things you have to fix before your answers are true: multi-factor authentication rolled out to every user, an ageing laptop whose operating system is out of support, router firmware that has not been touched for years. For most modern small businesses this is configuration time rather than purchase orders, but if you are carrying old hardware, certification year is when it finally sends its invoice.

Failing. This is the cost nobody explains properly. If the assessor finds problems, you normally get two working days to fix them and resubmit at no charge. That is enough for a badly worded answer or a setting you can flip. It is not enough to roll out MFA company-wide, replace an unsupported server, or redo your scope. If the problem cannot be fixed in that window, or the resubmission still fails, you pay the assessment fee again.

Three ways through it

Pure DIY: £0 plus your evenings. The official guidance is free, and the question set is freely previewable. A careful, technical founder can do this. The cost is time, and the risk is guessing wrong on scope and evidence.

Hire help: typically £500 to £2,000. Consultants and certification bodies offer guided packages. If you have no IT person, no spare time, and a contract deadline next month, this is often the right buy. You are paying to compress time and risk.

DIY with a system. The middle path is doing the work yourself with a local offline Builder that walks you through the annual renewal, flags high-risk gaps, and keeps last year's answers and evidence context somewhere you can reopen. That is the category RightCyber sits in. Check the current RightCyber pricing page before buying, because product pricing belongs there rather than in a dated article. If you want it done for you, hire a person. If you were doing it yourself anyway, a system beats a guess.

A realistic all-in budget

For a 10-person company in 2026, pure DIY is usually the assessment fee plus several evenings and any remediation. DIY with a preparation tool adds the tool cost but can reduce wasted time and late rework. Consultant-led preparation adds professional fees, often taking the total into four figures. Cyber Essentials Plus is a separate audited engagement and needs its own budget.

The expensive versions of Cyber Essentials are the unplanned ones: the failed retry, and the consultant hired in a panic five days before a tender deadline.

Do not forget: it is annual

The certificate expires after 12 months. Budget it as a yearly line, not a one-off. Keep this year's answers and evidence somewhere you can reopen, because renewal with last year's work to hand is usually much faster than rebuilding from scratch. Renewal from scratch is the whole bill again, including the evenings.

FAQ

How much does Cyber Essentials cost for a small business?
The smallest organisation band currently starts from around 320 pounds plus VAT for the assessment fee, but IASME's current fee bands are the authority. The realistic all-in cost also includes preparation time and any remediation.
Is Cyber Essentials a one-off cost?
No. Certification lasts 12 months, so the fee and the preparation effort recur annually. Keeping answers and evidence organised is what makes renewal cheaper.
What happens to the fee if I fail?
You normally get two working days to fix issues and resubmit free. If the problems cannot be fixed in that window, or the resubmission still fails, you reapply and pay again.
Is Cyber Essentials Plus worth it?
Only if a contract or customer requires it, or you want independently audited assurance. Plus tests the same five controls rather than only reviewing self-assessment answers.

RightCyber

Prepare the evidence behind the answers.

RightCyber helps you prepare the answers and evidence behind your Cyber Essentials submission, with the evidence kept on your machine rather than uploaded to the website.

Last reviewed against official sources

Reviewed 18 June 2026 against current IASME, NCSC, or UK government sources. Official sources remain authoritative if requirements change.

RightCyber is an independent preparation tool and is not affiliated with or endorsed by IASME or the NCSC. This article is general guidance, not legal or professional advice.