Frequently Asked Questions

The pricing of Cyber Essentials has a tiered structure based on organisation size. Prices start from €380 + VAT for an assessment for micro-organisations. Small, medium and large organisations pay a little more, on a sliding scale up to a maximum of €710 which aims to reflect the complexity involved in assessing larger organisations (see table below).

Pricing Structure

Pricing Structure

Micro Organisations	0-9 Employees	€380
Small Organisations	10-49 Employees	€520
Medium Organisations	50-249 Employees	€590
Large Organisations	250+ Employees	€710

It is a good idea to download the question set in advance (available for free from the website here)and prepare the answers before applying. By doing this, you can ensure that there are no unexpected aspects that may take a significant amount of time to comply with. As soon as you have paid, we will send you login details for your online assessment portal.  You will have 6 months to complete your assessment before your account is deleted and unfortunately, we cannot issue a refund if this happens.

If you have prepared your answers in advance, filling out the self-assessment might only take about an hour. Once the questions have been submitted, most Assessors will aim to get the results back to you within 3 days.  If you have not been successful, you will then have 2 working days to address the issues, update your answers and resubmit.  The Assessor will then aim to take no more than 3 days to remark the assessment. If you have not included enough information for the Assessor to be able to mark a question, they will return it to you asking for more information.  This step will also take a few days.

You can download the requirements from the UK Government website here.

You can see our overview here.

Cyber Essentials is now required in a large number of central government contracts and an increasing number of local government contracts.

You can see the document to UK Government Procurement Officers which specifies that Cyber Essentials is required in many cases for suppliers to government departments here.

In particular, Cyber Essentials is required for Ministry of Defence suppliers for all of their supply chain that handles defence information. 

Cyber Essentials Plus starts with the Cyber Essentials verified self-assessment questionnaire but also includes a technical audit of the organisation’s systems to verify that the Cyber Essentials controls are in place. The audit includes an internal and external vulnerability scan and then focuses on a random selection of user devices, all internet gateways and all servers which are accessible to internet users. The Assessor will test a random sample of these systems (typically around 10 per cent) and then make a decision about whether further testing is needed. 

The controls for Cyber Essentials and Cyber Essentials Plus are exactly the same but the level of assurance is different. Cyber Essentials Plus offers a higher level of assurance as the controls have been checked by a third party to ensure they are correctly implemented.

As the Cyber Essentials Plus assessment needs more dedicated time from technical experts, it is more expensive than the verified self-assessment. The cost will depend on the size and complexity of the network.  IASME has a number of Certification Bodies who are trained and licensed to do the Cyber Essentials Plus audit. The Cyber Essentials Plus assessment has to be quoted for individually. You can submit some details via the form here or via the IASME website, and you will be emailed quotes from three different Certification Bodies. The audits can be run remotely or in person.

As a rough estimate a Cyber Essentials Plus assessment for a small, simple company will cost in the region of £1,400. Our Certification Bodies aim to minimise the cost to your company.

The verified self-assessment level of Cyber Essentials does not include any additional test or vulnerability scan. However, one of your Board members will have to sign a declaration to verify that all the answers you have entered are true.

You can download all the self-assessment questions in pdf and excel format free of charge here. 

Cyber Essentials Plus involves a technical audit of the systems that are in-scope for Cyber Essentials. This includes: a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The Assessor will test a suitable random sample of these systems (typically around 10 per cent) and then make a decision whether further testing is required.

The Cyber Essentials question set is part of the Cyber Essentials Plus certification process.  If you have achieved the verified self-assessment Cyber Essentials certification less than 3 months before certifying to Cyber Essentials Plus you will not need to repeat the self-assessment questions stage.

You need to be compliant in nearly all the questions to pass the Cyber Essentials assessment. In particular, you will not be able to attain Cyber Essentials if you are using unsupported software within the scope of the assessment.   

Any company using unsupported software in the scope of the assessment, will fail to achieve Cyber Essentials certification.

All clients get feedback on any aspect of the assessment which is not fully compliant. You will get a report including all the answers you gave and comments from the assessor against any that were considered non-compliant. If you fail the assessment this feedback should help you improve your security so you can pass in the future.

We have a separate set of frequently asked questions and answers about the included insurance here.  For further information contact [email protected] or call +44 (0)1905 21681.

If you fail, we allow you two working days to examine the feedback from the Assessor and change any simple issues with your network and policies. You can then update your answers and the Assessor will have another look without any extra charges. However, if you still fail after these two days you will have to reapply and pay the assessment fee again.

To help organisations get started in understanding their cyber security, IASME, in partnership with the National Cyber Security Centre, have created a free online tool. The Cyber Essentials Readiness Tool is accessible in the form of a set of interactive questions on the IASME website. The process of working through the questions will inform you about your current level of cyber security in relation to where you need to be to achieve Cyber Essentials. You will be directed towards guidance written in plain English based on your answers, and at the end of the process, be presented with a tailored action plan and detailed guidance for your next steps towards certification.

For in depth and bespoke support, you can contact one of the Cyber Essentials Certification Bodies located around the UK and Crown Dependencies. These specialists are trained and licensed to certify against Cyber Essentials and can offer consulting services to help organisations of all sizes achieve certification.

For simple questions, you can ask the Cyber Essentials LinkedIn advice group.

You can post your questions and receive free advice from the “Cyber Essentials Advice Group”. Join this group here.

To become an IASME Certification Body and Assessor, someone from your company will need to attend and pass the relevant Assessor courses.  More details about requirements for Assessors can be seen here. We work with companies of all sizes; micro companies and one man bands are welcome partners.

You can see links to some helpful websites here.

Cyber Essentials is an annually renewable certification.

Cyber Essentials and Cyber Essentials Plus certificates expire after 12 months. We remove companies from our ‘certified organisations’ list if they have not been certified in the past year.

You will have 6 months from the date of application to complete and submit your assessment. After this time, your account may be closed and you would have to apply and pay again if you wanted to be assessed.

We will email you with a reminder roughly a month before you have to be re-certified. 

You do need to enter all the information each time you certify. This serves as an annual review of your cyber security. Please note, some of the questions may have been updated and changed.