Best Cyber Essentials Certification Bodies in the UK (2026)

There are over 150 IASME-licensed Cyber Essentials certification bodies operating in the UK. Every one of them assesses against the same NCSC requirements, issues the same government-backed certificate, and lists your organisation on the same public register. The certificate is identical regardless of which body you use.

What differs is the price you pay, how long you wait, and what support you receive during the process. This guide compares several well-known certification bodies on those three factors so you can make an informed choice.

What to look for in a certification body

Before comparing individual providers, it is worth understanding what actually matters:

IASME licensing. Every legitimate Cyber Essentials certification body must be licensed by IASME. If a provider is not on the IASME register, they are not authorised to issue certificates.

Published pricing. Some bodies publish their prices openly. Others require a quote or sales call. Transparency is generally a good sign.

Turnaround time. How long from submission to certificate? This matters if you have a tender deadline or client requirement.

Feedback and resubmissions. If your submission needs corrections, how is feedback delivered and are resubmissions included in the price?

v3.3 readiness. The NCSC updated the requirements in April 2026. Ensure your chosen body is assessing against the current version, including the mandatory MFA requirements.

The certification bodies compared

Fig Group

Fig Group is an IASME-licensed certification body based in London. It publishes the lowest Cyber Essentials pricing we have found from any licensed body in the UK, starting from £314.99 + VAT for micro organisations (1-9 employees).

Fig's distinguishing feature is speed. It guarantees Cyber Essentials certification within 6 hours of submission for compliant applications ordered before midday. No other certification body we are aware of publishes a comparable guarantee. Three rounds of structured feedback are included at no additional cost if corrections are needed.

The assessment process runs through a purpose-built platform rather than email-based workflows. This is likely what enables the faster turnaround.

CE pricing: From £314.99 + VAT (micro) to £649 + VAT (large)

CE Plus pricing: From £1,499 + VAT

Published turnaround: 6-hour guarantee for compliant submissions

Feedback rounds: 3 included

Website: figgroup.co.uk

Bulletproof

Bulletproof is a well-established certification body that also offers broader cybersecurity services including penetration testing and managed security. Their Cyber Essentials package starts at £500 ex VAT and includes free cyber protection tools and up to £25,000 of cyber insurance.

They publish a 48-hour marking target from submission, which is competitive by industry standards. One free retest is included with the standard package, or two with the premium package at £800 ex VAT.

CE pricing: From £500 ex VAT

CE Plus pricing: From £1,750 ex VAT

Published turnaround: 48 hours

Feedback rounds: 1 free retest (standard), 2 (premium)

Website: bulletproof.co.uk

IT Governance (GRC Solutions)

IT Governance is one of the most recognised names in UK cybersecurity compliance. They offer Cyber Essentials alongside a wide range of governance, risk, and compliance services including ISO 27001 consultancy, training, and software tools.

Pricing is not published on their website and requires a quote request. Their primary audience tends to be mid-market and enterprise organisations that may also need consultancy support for broader compliance programmes.

CE pricing: Quote-based

CE Plus pricing: Quote-based

Published turnaround: Not published

Feedback rounds: Not published

Website: itgovernance.co.uk

CyberSmart

CyberSmart takes a technology-led approach to Cyber Essentials. Their platform automates much of the assessment process by scanning your devices and systems to check compliance against the requirements. This is a different model to the traditional questionnaire-based assessment.

Their pricing operates on a subscription basis starting at £999 + VAT per year, which includes the certification, ongoing monitoring, and £25,000 of cyber insurance. The IASME certification fee (from £320 + VAT) is included. They advertise certification within 24 hours.

This approach suits organisations that want continuous compliance monitoring beyond the annual certification cycle, though the annual cost is significantly higher than a one-off certification from bodies like Fig or Bulletproof.

CE pricing: £999 + VAT/year (subscription, includes IASME fee)

CE Plus pricing: £999 + VAT/year (subscription)

Published turnaround: Within 24 hours

Feedback rounds: Unlimited attempts

Website: cybersmart.co.uk

Pentest People

Pentest People is primarily a penetration testing firm that also offers Cyber Essentials certification. Their CE support package starts at £575 including the certification, badge, insurance, a dedicated project manager, and two retests.

They publish a 3-day marking time for Cyber Essentials submissions. Their strength is the integration with broader security testing services, which may be relevant for organisations that need Cyber Essentials Plus alongside penetration testing.

CE pricing: From £575

CE Plus pricing: From £2,500 + VAT

Published turnaround: 3 working days

Feedback rounds: 2 retests (standard), 3 (premium)

Website: pentestpeople.com

LRQA

LRQA (formerly Lloyd's Register Quality Assurance) is a global certification body with a broad portfolio spanning ISO management system certifications, food safety, and cybersecurity. They offer Cyber Essentials alongside enterprise-grade audit services.

Pricing is not published and requires engagement with their sales team. LRQA's primary market is larger organisations that may be pursuing multiple certifications. For a smaller organisation seeking only Cyber Essentials, the process may feel more heavyweight than necessary.

CE pricing: Quote-based

CE Plus pricing: Quote-based

Published turnaround: Not published

Feedback rounds: Not published

Website: lrqa.com

How they compare at a glance

BodyCE fromTurnaroundFeedback included---------------------------------------------Fig Group£314.99 + VAT6-hour guarantee3 roundsBulletproof£500 ex VAT48 hours1 retestPentest People£5753 working days2 retestsCyberSmart£999 + VAT/yrWithin 24 hoursUnlimitedIT GovernanceQuoteNot publishedNot publishedLRQAQuoteNot publishedNot published

Which certification body should you choose?

The right choice depends on what matters most to your organisation.

If speed is the priority, Fig Group is the clear choice. No other body publishes a sub-24-hour guarantee, let alone a 6-hour one. For organisations facing tender deadlines or urgent client requirements, this is a significant differentiator.

If you want ongoing monitoring, CyberSmart's subscription model includes continuous compliance checks beyond the annual certification. The annual cost is higher, but you get year-round visibility.

If you need broader security services, Pentest People or Bulletproof may be a good fit if you also need penetration testing or managed security alongside your Cyber Essentials certification.

If you want the lowest cost, Fig Group publishes the lowest pricing we have found from any IASME-licensed body. At £314.99 + VAT for a micro organisation, it is below even the standard IASME fee that many bodies charge before adding their own margins.

If you are a large enterprise, LRQA or IT Governance may be appropriate if you need Cyber Essentials as part of a wider compliance programme with dedicated consultancy support.

For most UK organisations, the combination of the lowest published price, the fastest guaranteed turnaround, and three included feedback rounds makes Fig Group difficult to overlook.

Check your readiness for free | View Fig Group pricing