Frequently Asked Questions

If you have a question about Cyber Essentials that is not addressed below, please contact [email protected]

How much does it cost for a basic level Cyber Essentials assessment?

The pricing of Cyber Essentials has a tiered structure based on organisation size. Prices start from £320 + VAT ($420 / €380) for an assessment for micro-organisations. Small, medium and large organisations pay a little more, on a sliding scale up to a maximum of £600 + VAT ($780 / €710), which aims to reflect the complexity involved in assessing larger organisations. The pricing structure uses the criteria used by the UK government, which defines the size of an organisation by number of employees:

A micro organisation has between 0-9 employees and Cyber Essentials will cost £320 + VAT ($420 / €380).

A small organisation has between 10-49 employees and Cyber Essentials will cost £440 + VAT ($570 / €520).

A medium organisation has between 50-249 employees and Cyber Essentials will cost £500 + VAT ($650 / €590).

A large organisation has 250 employees or more and Cyber Essentials will cost £600 + VAT ($780 / €710).

On average, how long does certification take to complete?

It is a good idea to download the question set in advance (available for free from the website here) and prepare the answers before applying. By doing this, you can ensure that there are no unexpected aspects that may take a significant amount of time to comply with. As soon as you have paid, we will send you login details for your online assessment portal. You will have 6 months to complete your assessment before your account is deleted, and unfortunately we cannot issue a refund if this happens.

If you have prepared your answers in advance, filling out the self-assessment might only take about an hour. Once the questions have been submitted, most Assessors will aim to get the results back to you within 3 days. If you have not been successful, you will then have 2 working days to address the issues, update your answers and resubmit. The Assessor will then aim to take no more than 3 days to re-mark the assessment. If you have not included enough information for the Assessor to be able to mark a question, they will return it to you asking for more information. This step will also take a few days.

Where can I find the document which describes the full requirements for the Cyber Essentials Scheme?

You can download the requirements for IT infrastructure document from the UK Government website here.

For which UK government contracts will I need Cyber Essentials certification?

Cyber Essentials is now required in a large number of central government contracts and an increasing number of local government contracts.

You can see the document to UK Government Procurement Officers which specifies that Cyber Essentials is required in many cases for suppliers to government departments here.

In particular, Cyber Essentials is required for Ministry of Defence suppliers for all of their supply chain that handles defence information.

What's the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials Plus starts with the Cyber Essentials verified self-assessment questionnaire but also includes a technical audit of the organisation’s systems to verify that the Cyber Essentials controls are in place. The audit includes an internal and external vulnerability scan and then focuses on a random selection of user devices, all internet gateways and all servers which are accessible to internet users. The Assessor will test a random sample of these systems (typically around 10 per cent) and then make a decision about whether further testing is needed.

The controls for Cyber Essentials and Cyber Essentials Plus are exactly the same but the level of assurance is different. Cyber Essentials Plus offers a higher level of assurance as the controls have been checked by a third party to ensure they are correctly implemented.

How much does it cost for a Cyber Essentials Plus assessment?

As the Cyber Essentials Plus assessment needs more dedicated time from technical experts, it is more expensive than the verified self-assessment. The cost will depend on the size and complexity of the network. IASME has a number of Certification Bodies who are trained and licensed to carry out the Cyber Essentials Plus audit. Each Cyber Essentials Plus assessment has to be quoted for individually. You can submit some details via the form here, and you will be emailed quotes from three different Certification Bodies. The audits can be run remotely or in person.

As a rough estimate a Cyber Essentials Plus assessment for a small, simple company will cost in the region of £1,400. Our Certification Bodies aim to minimise the cost to your company.

Is a vulnerability scan required as part of the Cyber Essentials basic level?

The verified self-assessment level of Cyber Essentials does not include any additional test or vulnerability scan. However, one of your board members will have to sign a declaration to verify that all the answers you have entered are true.

Can I see the self-assessment questions before I pay for an assessment?

You can download all the self-assessment questions in pdf and excel format free of charge here.

What is involved in a Cyber Essentials Plus assessment?

Cyber Essentials Plus involves a technical audit of the systems that are in-scope for Cyber Essentials. This includes: a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The Assessor will test a suitable random sample of these systems (typically around 10 per cent) and then make a decision whether further testing is required.

The Cyber Essentials question set is part of the Cyber Essentials Plus certification process. If you achieved the verified self-assessment Cyber Essentials certification less than 3 months before certifying to Cyber Essentials Plus, you will not need to repeat the self-assessment questions stage.

How many of the questions do I need to get right to pass?

You need to be compliant in nearly all the questions to pass the Cyber Essentials assessment. In particular, you will not be able to attain Cyber Essentials if you are using unsupported software within the scope of the assessment.

Are there any automatic fail questions?

Any company using unsupported software in the scope of the assessment will fail to achieve Cyber Essentials certification.

If I fail, will I get feedback about why I failed?

All clients get feedback on any aspect of the assessment which is not fully compliant. You will get a report including all the answers you gave and comments from the Assessor against any that were considered non-compliant. If you fail the assessment, this feedback should help you improve your security so you can pass in the future.

Where can I get more information about the included Cyber Insurance?

We have a separate set of frequently asked questions and answers about the included insurance here. For further information contact [email protected] or call +44 (0)1905 21681.

If I fail, will I have to pay again to take the assessment again?

If you fail, we allow you two working days to examine the feedback from the Assessor and change any simple issues with your network and policies. You can then update your answers and the Assessor will have another look without any extra charges. However, if you still fail after these two days you will have to reapply and pay the assessment fee again.

I am not sure I understand the questions - where can I get help?

To help organisations get started in understanding their cyber security, IASME, in partnership with the National Cyber Security Centre, have created a free online tool. The Cyber Essentials Readiness Tool is accessible in the form of a set of interactive questions on the IASME website. The process of working through the questions will inform you about your current level of cyber security in relation to where you need to be to achieve Cyber Essentials. You will be directed towards guidance written in plain English based on your answers, and at the end of the process, be presented with a tailored action plan and detailed guidance for your next steps towards certification.

You can find a central source of trusted, up-to-date information about the Cyber Essentials scheme in the Cyber Essentials Knowledge Hub. Browse or search this resource to find reliable information and support to help answer your questions and guide you through the Cyber Essentials certification process.

For in depth and bespoke support, you can contact a Cyber Advisor who works for a National Cyber Security Centre Assured Service Provider. Cyber Advisors can provide small and medium sized organisations with reliable and cost effective cyber security advice and practical support.

You can contact an IASME Certification Body. They are trained and licensed by IASME to assess whether an organisation meets the criteria required for Cyber Essentials certification and issue that certification. Certification Bodies also offer consultancy to help you understand the assessment questions and how they relate to your company.

For simple questions, you can ask the Cyber Essentials LinkedIn advice group. Join this group here.

How can I become an Assessor?

To become an IASME Certification Body and Assessor, someone from your company will need to attend and pass the relevant Assessor courses. More details about the requirements for Assessors can be seen here. We work with companies of all sizes; micro companies and sole traders are welcome partners.

How long does the certification last before I have to renew my Cyber Essentials certification?

Cyber Essentials is an annually renewable certification.

Cyber Essentials and Cyber Essentials Plus certificates expire after 12 months. We remove companies from our ‘certified organisations’ list if they have not been certified in the past year.

How long will I have to complete and submit my assessment?

You will have 6 months from the date of application to complete and submit your assessment. After this time, your account may be closed and you would have to apply and pay again if you wanted to be assessed.

How can I remember to recertify within a year?

We will email you with a reminder roughly a month before you have to be recertified.

When I recertify will I have to enter all the information again?

You do need to enter all the information each time you certify. This serves as an annual review of your cyber security. Please note, some of the questions may have been updated and changed. Please remember to keep a copy of your answers when you submit so you can refer to them when you recertify the following year.