Cyber Essentials Cost

The Cyber Essentials Cost: What Pricing to Expect

Cyber Essentials is a UK Government-backed certification scheme, developed with the National Cyber Security Centre (NCSC), which aims to provide a basic cyber security certification standard that is accessible to companies of all sizes, including small and medium-sized enterprises.

The Cyber Essentials cost is determined by company size, with prices starting at £320 + VAT and rising to £600 + VAT depending on the number of employees within a business.

However, an extra cost may be applicable to many companies that require support, guidance, or consultancy when working through the requirements of the compliance standard, or when achieving Cyber Essentials Plus.

To achieve or maintain your Cyber Essentials certification, contact our team or review the further information available here.

    Cyber Essentials Certification Levels

    Cyber Essentials Certification

    Cyber Essentials certification has two different levels, Cyber Essentials and Cyber Essentials Plus.

    Cyber Essentials is the initial certification level and must be held before your company can be assessed against the Cyber Essentials Plus standard.

    While the Cyber Essentials security requirements and key controls are the same between both certification levels, the method of assessment is significantly different.

    Cyber Essentials Plus includes a series of practical security tests that are designed to provide an increased level of assurance that your company has implemented the necessary security controls to protect against the most common cyber threats.

    Cyber Essentials Costs

    Starting Costs Of Cyber Essentials

    For Cyber Essentials, companies are divided into four size categories.

    The costs for companies to register for Cyber Essentials and submit their self-assessment questionnaire follow this tiered structure:

    • Micro Enterprises, with 0-9 Employees, £320 + VAT
    • Small Enterprises, with 10-49 Employees, £440 + VAT
    • Medium Enterprises, with 50-249 Employees, £500 + VAT
    • Large Enterprises, with 250+ Employees, £600 + VAT

    Additional Pricing For Cyber Essentials

    While the registration costs for Cyber Essentials certification are set by IASME Consortium Ltd and do not vary between certification bodies, there may be additional consultancy costs to factor in when working directly with a certification body.

    This is often the case when a company needs additional help, advice, and consultancy to work through the certification requirements and implement the necessary security controls.

    Additional consultancy and support is most useful to companies that are working through the Cyber Essentials requirements for the first time or have not established any cyber security controls before.

    The cost of additional consultancy varies with the amount of support needed, the size of the company, and the time required from a qualified Cyber Essentials assessor, but it can range anywhere from a few hundred to a thousand pounds per day.

    Cyber Essentials Assessment

    The Cyber Essentials assessment consists of a self-assessment questionnaire.

    The Cyber Essentials questions are answered by the company proceeding through the certification process, and the answers detail how technical controls have been implemented and how policies and procedures work within the company to secure its devices and accounts.

    The supplied answers are then reviewed by a qualified assessor who will grade the submitted answers, providing either feedback, a failing grade, or a passing grade.

    The applicant company then has a chance to review their graded Cyber Essentials questionnaire and make any necessary corrections to their policies, processes, and technical controls.

    Reducing Your Cyber Essentials Costs

    For any company implementing cyber security controls for the first time, there can be real benefit in receiving support and consultancy, especially when working towards a compliance standard.

    However, where your company is renewing its Cyber Essentials certificate or has already been working towards multiple cyber security requirements, consultancy fees may not be necessary. For further information on renewing your Cyber Essentials certification, refer to the following article.

    In that case it may be beneficial to budget only for the required certification price and to save time and money by certifying against the Cyber Essentials standard without the additional consultancy charges, although many companies still value the peace of mind that support through the certification process brings.

    Cyber Essentials Plus Costs

    Starting Costs Of Cyber Essentials Plus

    For most companies that publish an online pricing structure, the introductory prices for Cyber Essentials Plus certification begin at around £1500-£2000, and are typically based on a Micro Enterprise with 10 or fewer devices to be tested within the practical assessment.

    The more systems that require testing in the technical audit, the more time is necessary to conduct the assessment, and this contributes to a rising assessment cost, which could increase by £500-£1000 per additional day required to complete the certification process.

    Additional Pricing For Cyber Essentials Plus

    The pricing for Cyber Essentials Plus can be more variable depending on your company size and the number of devices and cloud services that will be included within the practical security assessment, which is why there are no set costs for assessment, unlike Cyber Essentials certification.

    The £1500-£2000 pricing structure is roughly based on 1-2 days' worth of work to complete the entire assessment, but may carry caveats or limits on the amount of work to be conducted, so check what the quoted price covers before committing.

    Cyber Essentials Plus Assessment

    For Cyber Essentials Plus the practical tests are conducted by a qualified Cyber Essentials Plus assessor against the assets defined within your self-assessment questionnaire, and include:

    • All of a company's externally facing IP addresses
    • A sample of the organisation's end user devices
    • A sample of the organisation's internal servers
    • All of the cloud services in use by the business

    Where a sample of devices is tested, the number of devices is intended to be representative of your whole business and so varies with organisation size and the amount of variation between your device types and operating systems, although for smaller companies the assessment could include every device.

    Reducing Your Cyber Essentials Plus Cost

    A method to reduce the number of devices included within a sample size, and therefore the time and cost of each assessment, is to standardize your devices and operating systems as much as possible.

    For example, if your company uses devices running operating systems such as Windows 10, Windows 11, macOS, and Ubuntu, each of these different systems would need to be tested as part of the sample.

    However, if your business can reduce your operating system variations, such as to only run Windows 11, this can help reduce the overall number of devices that need to be tested and the time it will take an assessor to complete their assessment.
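The following is an added example, not code from the original page or from IASME, showing why standardisation shrinks the Cyber Essentials Plus sample: it groups a constructed device inventory by operating system and version, counts how many devices an assessor would pick if one device per distinct group were sampled, and flags any build that is not in a supported-version list. The inventories, hostnames and the `SUPPORTED_BUILDS` set are all constructed for illustration; the real sample size is decided by the assessor and certification body, and real support status comes from the vendor's lifecycle data, not from this list.

```python
"""Group an endpoint inventory by OS build to estimate the Cyber Essentials Plus sample.

Added example. Hostnames, inventories and SUPPORTED_BUILDS are constructed, not real data.
"""
from collections import defaultdict

# Constructed inventory before standardisation: (hostname, operating system, version).
INVENTORY_BEFORE = [
    ("LAP-001", "Windows 10", "22H2"),
    ("LAP-002", "Windows 10", "22H2"),
    ("LAP-003", "Windows 11", "23H2"),
    ("LAP-004", "Windows 11", "22H2"),
    ("MAC-001", "macOS", "14.4"),
    ("MAC-002", "macOS", "13.6"),
    ("LNX-001", "Ubuntu", "22.04"),
    ("SRV-001", "Windows Server 2022", "21H2"),
]

# Constructed inventory after standardising every laptop on one Windows 11 build.
INVENTORY_AFTER = [
    ("LAP-001", "Windows 11", "23H2"),
    ("LAP-002", "Windows 11", "23H2"),
    ("LAP-003", "Windows 11", "23H2"),
    ("LAP-004", "Windows 11", "23H2"),
    ("LAP-005", "Windows 11", "23H2"),
    ("LAP-006", "Windows 11", "23H2"),
    ("LAP-007", "Windows 11", "23H2"),
    ("SRV-001", "Windows Server 2022", "21H2"),
]

# Assumed set of (OS, version) pairs treated as vendor-supported. Illustrative only;
# replace with the vendor's published lifecycle information before relying on it.
SUPPORTED_BUILDS = {
    ("Windows 10", "22H2"),
    ("Windows 11", "22H2"),
    ("Windows 11", "23H2"),
    ("Windows Server 2022", "21H2"),
    ("macOS", "14.4"),
    ("Ubuntu", "22.04"),
}


def device_groups(inventory):
    """Return {(os, version): [hostnames]} so each distinct build is one sampling group."""
    groups = defaultdict(list)
    for hostname, os_name, version in inventory:
        groups[(os_name, version)].append(hostname)
    return dict(groups)


def sample_size(inventory, per_group=1):
    """Devices an assessor would test if `per_group` machines are drawn from every
    distinct OS/version group. The per-group figure is an assumption for illustration;
    the scheme leaves the actual sample to the assessor."""
    return sum(min(per_group, len(hosts)) for hosts in device_groups(inventory).values())


def out_of_support(inventory, supported_builds):
    """Distinct (os, version) pairs in scope that are not in the supported set.
    Any such build is a problem under Security Update Management before sampling
    even starts, so it is worth finding in the inventory, not on assessment day."""
    return sorted(
        {(os_name, version) for _, os_name, version in inventory
         if (os_name, version) not in supported_builds}
    )


if __name__ == "__main__":
    for label, inventory in (("before", INVENTORY_BEFORE), ("after", INVENTORY_AFTER)):
        groups = device_groups(inventory)
        print(f"{label}: {len(inventory)} devices, {len(groups)} distinct builds, "
              f"sample of {sample_size(inventory)} at one device per build")
        for build, hosts in sorted(groups.items()):
            print(f"  {build[0]} {build[1]}: {', '.join(hosts)}")
        print(f"  not in supported list: {out_of_support(inventory, SUPPORTED_BUILDS)}")
```

Run as a script, the "before" inventory yields seven distinct builds for eight devices, so standardising saves almost nothing in assessor time; the "after" inventory collapses the same device count to two builds. The `out_of_support` check is the part to run well before the assessment, since an unsupported operating system cannot be fixed by patching on the day.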

    Considerations For The Cost Of Cyber Essentials Plus

    For any certification body your company works with, it is important to understand what the terms and conditions are, or the limits of the work to be conducted.

    Many companies advertising certification offer a Cyber Essentials Plus package, which will often include:

    • A set number of devices to be tested as part of the assessment
    • A set amount of time for an assessor to spend working with your company
    • A set number of calls or meetings to offer support and consultancy
    • A set number of retests or repeat work, where vulnerability scans identify issues with your devices

    There can also be several considerations to take into account when an assessor is completing the practical tests, such as:

    • What if one of your users or devices isn't available on the assessment day?
    • What if your devices have vulnerabilities that need to be resolved?
    • What if your company adds additional devices to the assessment scope?
    • What if a device needs to be tested again after completing the vulnerability scans?

    Each of these issues could potentially add time, work, and costs to the overall price of the assessment, so it is important to understand the extent of work that your quoted Cyber Essentials Plus assessment will include, to prevent your costs from escalating from the initial proposed price.

    Cyber Essentials Requirements

    Cyber Essentials is designed to be a certification process that is accessible to businesses of all sizes while still providing a broad level of protection against the most common cyber attacks.

    The certification scheme is divided into the following five key control areas, which aim to protect your business from some of the most common attack techniques, such as phishing and malware:

    • Firewalls
    • Secure Configuration
    • Security Update Management
    • User Access Controls
    • Malware Protection

    The Cyber Essentials self-assessment questionnaire queries how your business implements the five technical controls, policies and processes to secure your devices, IT Systems and services.

    The Cyber Essentials Plus practical audit verifies the questionnaire answers, and is based around five security tests that test the implementation of the Cyber Essentials key controls.

    The Essentials Security Controls

    The Cyber Essentials certification process is intended to verify that your company has implemented the necessary Cyber Essentials controls, answering questions such as:

    • Has the company secured its systems through hardware or software firewalls?
    • Has a secure configuration standard been applied to all devices in use within the business?
    • Are all systems kept up to date, with high-risk and critical security updates applied within the scheme's 14-day window, to ensure protection from the latest cyber threats?
    • Are user permissions granted only where necessary, and are administrator accounts restricted?
    • Has a malware protection solution been implemented on all devices included within the assessment?

    For any business aiming to improve its cyber security and align with the Cyber Essentials scheme, the following article covers each of the requirements in further detail and provides a Cyber Essentials checklist.

    Which Certification Level Does Your Company Need

    The Cyber Essentials controls and security requirements are designed to be the same regardless of the certification level that is achieved.

    However, as the assessment methods vary, the costs can increase significantly between Cyber Essentials and Cyber Essentials Plus, so choosing the standard that works for your business is important.

    The certification level that works for your business may often be determined by an external driver that requires your business to maintain Cyber Essentials certification, such as:

    • Does your company need to achieve Cyber Essentials certification to bid on additional work or government contracts?
    • Are there supplier requirements that need to be met which include Cyber Essentials?
    • Does your company need to verify information security standards for your clients or partners?
    • Does your IT department need to verify that information security controls are effective?

    Where your company faces an external driver for certification, the decision for certification level will likely be determined by this external factor.

    However, where your company has an internal driver to verify its cyber security, it may be worthwhile working towards Cyber Essentials first, which can be achieved with a more limited security budget.

    Cyber Essentials Plus can then be achieved where security budgets increase, or where there are additional requirements for practical vulnerability scans to be conducted against your IT systems.

    Cyber Essentials Documentation

    If your company is aiming to certify against the Cyber Essentials standard there are a number of useful resources that can help your organization prepare for assessment:

    • The Cyber Essentials Readiness Tool can act as an initial review of your organisation and help identify areas to improve your current security controls.
    • The Cyber Essentials Requirements for IT Infrastructure document is a detailed list of requirements that cover each of the five basic security controls and which devices are included within the certification.
    • The Cyber Essentials Self Assessment Questionnaire can be downloaded as an Excel or PDF document, so your company can review the requirements and prepare your answers before purchasing the certification.
    • The Cyber Essentials Plus Illustrated Test Specification is a detailed list of the practical tests that will be conducted against your IT systems and also details how a passing grade is determined.
    • The Cyber Essentials Requirements have been prepared to help companies ensure they have configured all their systems in preparation for Cyber Essentials and Cyber Essentials Plus certification.
    • The Cyber Essentials Checklist has also been prepared to help each organization ensure they have covered the necessary requirements for both Cyber Essentials and Cyber Essentials Plus.

    Conclusion

    The Cyber Essentials certification scheme is divided between Cyber Essentials and Cyber Essentials Plus certification.

    Whereas the Cyber Essentials requirements do not change between the two assessment levels, the method of verification and the price do change, with Cyber Essentials being the lower-cost, entry-level assessment.

    Where your company is concerned with cyber security or has a requirement to align with an information security compliance standard, Cyber Essentials certification works as an introductory set of technical security controls that can help to improve your business security posture.

    Where you have any further questions regarding different cybersecurity solutions or the Cyber Essentials journey your company needs to work through, our consultants are available to address any concerns you may have.