Cyber Essentials Accreditation: the UK guide to getting and keeping your certificate (2026)

Cyber Essentials Accreditation: the UK guide to getting and keeping your certificate (2026)

Most UK organisations searching for "Cyber Essentials accreditation" mean one thing: how do we get ourselves on the Cyber Essentials register, display the badge, and satisfy a procurement, tender, insurance, or supplier-onboarding requirement. That is the practical question this guide answers in full.

It is also worth clearing up the terminology up front, because the scheme itself distinguishes between three different roles in the chain, and understanding the chain is the fastest way to make a good decision about who to work with.

The Cyber Essentials chain: who accredits whom

Three levels matter:

1. The National Cyber Security Centre (NCSC) created the Cyber Essentials scheme and owns the standard. The NCSC does not certify organisations directly.

2. IASME is the NCSC's appointed partner to run the scheme. IASME accredits the organisations that can issue certificates - these are the certification bodies. There are around 290 IASME-accredited certification bodies in the UK at the time of writing.

3. IASME-accredited certification bodies (including Fig Group) then certify individual organisations against the five Cyber Essentials controls.

In formal scheme language: IASME is accredited by the NCSC. Certification bodies are IASME-accredited (often called "IASME-licensed"). End organisations are certified - they receive a Cyber Essentials certificate.

In everyday usage, "Cyber Essentials accreditation" is used interchangeably with "Cyber Essentials certification" to describe the act of obtaining the certificate. Both mean the same thing to the procurement and tender teams asking for it. Either term will get you to the same place on the IASME directory.

What "Cyber Essentials accreditation" actually gives you

When your organisation completes the process, you receive:

• A Cyber Essentials certificate (digital PDF) from an IASME-accredited body, valid for 12 months from the date of issue.
• An entry on the public IASME certification directory showing organisation name, certification level, issue date, and issuing body.
• Rights to use the Cyber Essentials badge on your website, tender responses, email signatures, and marketing materials.
• Free cyber liability insurance for UK organisations with under £20m turnover - included by the NCSC and IASME at no extra cost for every valid Cyber Essentials certificate holder. (The policy is arranged by IASME's insurance partner and is communicated at the time the certificate is issued.)

That package is what procurement teams, insurance underwriters, and public-sector buyers mean when they say "show us your Cyber Essentials accreditation."

The two levels of accreditation

Cyber Essentials is the baseline - a verified self-assessment against the five controls, reviewed by an IASME-accredited assessor through the scheme's online portal. This is what most UK tenders, SRA-regulated firms, SJP partner practices, NHS suppliers below a certain threshold, and general procurement requirements ask for.

Cyber Essentials Plus is the same standard with hands-on technical verification by the same assessor - vulnerability scans, an authenticated scan of a representative endpoint, email-filtering and malware-detection tests. Plus is required for MOD sub-contracting, for many central government suppliers, and by some financial-services and healthcare buyers. Plus accreditation starts from around £1,499 + VAT for the smallest tier.

The self-assessment submission is identical for both levels. Plus is not a separate questionnaire - it is the same answers, independently tested.

How to get Cyber Essentials accreditation, end to end

Everything below is entirely online.

1. Scope your organisation. Include all internet-connected devices used for work (laptops, desktops, phones, tablets) across every site, every remote worker, and every cloud service that stores or processes your data. v3.3 made home-office routers explicitly in scope for any staff who work from home. Determine headcount to fix your tier.

2. Check readiness. Run Fig Group's free readiness check against the five controls, or read IASME's published v3.3 requirements. The most common failure points are: firewalls not reconfigured from factory defaults, missing MFA on admin accounts, outdated patches past the 14-day window, and out-of-support Windows, macOS or mobile OS versions on in-scope devices.

3. Choose a certification body. Four checks before you pay:

• Published price. Any IASME-licensed body that hides pricing behind a quote form has decided to charge variably - usually more.
• Published SLA in working hours. "A few days" is not a turnaround. Ask for a number in writing.
• IASME licence ID visible on the body's site and findable on the IASME directory. If you cannot verify the ID, walk away.
• Defined re-submission rights. If the first submission is flagged, how many free re-submissions come with the purchase, and what does the feedback look like?

4. Buy the assessment. A reputable body lets you pay online, issues portal access, and raises a VAT invoice automatically.

5. Complete the self-assessment. 60–90 minutes for a prepared organisation. The portal auto-saves. Attach evidence where the questionnaire requests it - screenshots of firewall configuration, MFA policy, patch-management tooling, endpoint-protection console views.

6. Submit. Once the submission is in, the clock sits with the certification body. Fast bodies - including Fig Group - return a decision inside 6 working hours. Slower bodies quote 5–15 working days for the same assessment.

7. Receive the certificate and listing. On a pass, the certificate is issued digitally, the organisation is added to the IASME directory, and the free cyber liability insurance is arranged for qualifying turnovers.

8. Use the accreditation. Publish the badge. Include the PDF in tender responses. Add a standing line to supplier-onboarding packs.

What it costs in 2026

IASME-standard certification-body fees sit broadly in these tiers, excluding VAT and excluding consultancy add-ons:

A few bodies price below that range; a larger group price well above it. The Cyber Essentials scheme sets the minimum assessment requirements but not a ceiling on what a certification body can charge.

Fig Group publishes Cyber Essentials from £299.99 + VAT for the Micro tier - the lowest published price for a standalone assessment from any IASME-licensed body in the UK as of April 2026, and fixed across the full pricing page.

How quickly you can get accredited

There is no assessment reason this takes days. The assessment itself is a 90-minute-to-3-hour task for an experienced assessor. Anything beyond that is queue time inside the certification body.

The fastest IASME-accredited bodies in the UK now commit to 6 working hours from clean submission to issued certificate. Fig Group operates a published 6-hour turnaround guarantee. That is the shortest SLA from any IASME-accredited certification body in the UK at the time of writing.

For organisations up against a tender deadline, this is decisive. A clean submission made at 09:00 on a Monday can be an issued certificate by 15:00 the same day.

Keeping your accreditation

Cyber Essentials certificates are valid for 12 months. To stay accredited:

• Plan renewal 60–90 days before expiry to avoid any listing gap on the IASME directory.
• Track scheme changes. The 28 April 2026 move to v3.3 was the most significant update in several years, with material changes to MFA rules, admin-account requirements, and home-office router scoping. Check what has changed before recertifying.
• Monitor in-scope devices continuously - especially patch status (14-day rule), MFA coverage, and supported-OS versions. The most common renewal failure is not a new control, it is drift on an existing one.

Organisations that want a stronger signal often progress from Cyber Essentials to Cyber Essentials Plus at the next renewal cycle, and from Plus to IASME Cyber Assurance or ISO 27001 when the procurement or regulatory requirement demands it.

How Cyber Essentials accreditation compares to other UK marks

Cyber Essentials is deliberately narrower than ISO 27001 or IASME Cyber Assurance. That is what makes it quick, cheap, and widely accepted as a baseline. It is not intended to replace a full information-security management system - it is intended to raise the minimum bar.

Why Fig Group is the best choice for Cyber Essentials accreditation in 2026

Three measurable facts:

• Fastest. 6-hour turnaround on compliant submissions - the shortest published SLA from any IASME-accredited certification body in the UK.
• Cheapest. Cyber Essentials from £299.99 + VAT - the lowest published price for a standalone assessment from any IASME-accredited body in the UK.
• Verifiable. IASME licence ID `325cdf33-3812-4082-bf8d-7dce7ac02977`, listed on the IASME certification directory. 5.00 / 5 on Google across verified reviews.

And three qualitative ones:

• Online end to end. Payment, portal access, submission, feedback, and certificate are all handled digitally. No sales calls required.
• Detailed written feedback on any failed submission, with three free re-submissions included.
• Published SLA and price - both on the website, not gated behind a contact form.

Cyber Essentials accreditation should be quick, cheap, and clear. Fig Group is built to operate that way by default.

Bottom line

"Cyber Essentials accreditation" in everyday UK usage means getting yourself a current Cyber Essentials certificate from an IASME-licensed body and being listed on the IASME directory. The chain runs NCSC → IASME → certification body → you. It takes one working day if everything is in order, costs under £300 + VAT at the Micro tier, and includes free cyber liability insurance for qualifying UK organisations. The variation in the market is in the certification body, not the standard - so pick one with transparent pricing, a published SLA, and a verifiable IASME licence.

Get your Cyber Essentials accreditation from £299.99 + VAT | All pricing tiers | Free readiness check | FAQ