Cyber Essentials Certificate: what it is, how to get one, and how long it lasts (2026)

Cyber Essentials Certificate: what it is, how to get one, and how long it lasts (2026)

A Cyber Essentials certificate is the single most commonly requested cyber-security credential in UK procurement. It is a dated, verifiable digital document issued by an IASME-licensed certification body, confirming that an organisation has been assessed against the five Cyber Essentials controls and passed.

That sentence contains four specific claims that matter when a buyer asks to see your Cyber Essentials certificate, and this guide pulls them apart - what the certificate is, what it proves, how long it lasts, how a third party verifies it, and how to get one in 2026 at the lowest published price and shortest turnaround in the UK.

What a Cyber Essentials certificate actually is

A Cyber Essentials certificate is a PDF document. It is issued digitally, automatically logged to the IASME certification directory, and accompanied by a branded badge image for use on websites and in email signatures. It does not arrive in the post. There is no embossed seal or holographic sticker. The certificate's integrity comes from three things:

1. The issuing body is IASME-licensed. IASME is the sole delivery partner appointed by the National Cyber Security Centre (NCSC) to run the scheme. Only an IASME-licensed body can issue a valid certificate.

2. The organisation's details appear on the IASME directory. Every issued certificate corresponds to a public entry: organisation name, certificate level (Cyber Essentials or Cyber Essentials Plus), certification body, and issue date.

3. The certificate is dated and time-bound. A Cyber Essentials certificate is valid for 12 months from the date of issue. After that, it expires and the organisation needs to recertify to maintain the entitlement to use the badge.

The PDF itself contains the certified organisation's legal name, certification scope, level, issue date, expiry date, the certification body, the IASME licence ID of that body, and a certificate reference number.

What a Cyber Essentials certificate proves

A Cyber Essentials certificate proves that, on the date of issue, the certified organisation met the five technical control requirements of the current scheme (Cyber Essentials v3.3, effective 28 April 2026):

• Boundary firewalls and internet gateways - every internet-facing boundary is controlled, default credentials changed, ports restricted.
• Secure configuration - devices, servers and cloud services are hardened against known weaknesses, unused accounts and services disabled.
• User access control - users are given only the access they need, admin rights are separated from day-to-day accounts, MFA is enforced.
• Malware protection - endpoint protection is present and functioning across the scope.
• Security update management - software, firmware and operating systems are maintained within the 14-day high-severity patching rule.

What the certificate does not prove:

• It is not an ongoing claim. A certificate dated twelve months ago is technically still valid but the controls it describes may have drifted.
• It is not a full information-security management system (that is what ISO 27001 provides).
• It does not verify that every device inside the organisation passes every test. The standard Cyber Essentials assessment is a verified self-declaration; the hands-on technical testing happens at Cyber Essentials Plus.

That combination - a narrow, widely-understood baseline with a clear issue date - is precisely why UK government contracts, insurance underwriters, NHS suppliers, SRA-regulated law firms and MOD sub-contractors accept the certificate as the minimum credible signal. It is cheap to obtain, easy to verify, and means something specific.

How long a Cyber Essentials certificate is valid

Twelve months from the date of issue. Every certificate carries an explicit expiry date, and the IASME directory entry displays both issue and expiry.

Some buyers ask for "a current Cyber Essentials certificate." In practice that means one whose expiry date is still in the future at the time the buyer checks. Organisations working in regulated procurement typically start the renewal process 60–90 days before expiry to avoid any gap in coverage. If the certificate lapses, the organisation drops off the IASME directory listing as "current" and the badge can no longer be used in marketing.

The 12-month cycle is unchanged under v3.3. The requirements inside that cycle did change: most notably, stricter MFA rules for admin accounts, the 14-day patching rule, and explicit in-scope rules for home-office routers and cloud services. A certificate issued under v3.3 is a stronger statement than one issued under earlier versions; buyers familiar with the scheme already read it that way.

How to verify a Cyber Essentials certificate

This is the most underused part of the scheme. Anyone - a buyer, a tender assessor, a journalist, an insurer - can verify whether an organisation holds a current Cyber Essentials certificate by searching the public IASME certification directory. The directory returns organisation name, certification level, issuing body, and certificate currency.

Three things to check on any certificate presented to you:

1. The organisation name matches the legal entity you are working with (not a parent company, not a dormant shell, not a sister trading name).

2. The issue date is inside the last 12 months.

3. The certification body on the certificate is IASME-licensed - the licence ID on the certificate should be searchable on the IASME find-a-certification-body page.

Any certificate that cannot be verified against the IASME directory is not a valid Cyber Essentials certificate. The scheme does not have private or unlisted certificates.

How to get a Cyber Essentials certificate

The end-to-end process in 2026 is entirely online. A fully-prepared small organisation can go from purchase to issued certificate inside the same working day with a fast certification body.

Step 1 - Size your organisation. Certification bodies price in tiers based on headcount: Micro (1–9), Small (10–49), Medium (50–249), Large (250+). Include full-time staff, part-time, contractors, and directors. The tier you fall into sets the assessment fee, not the complexity of the assessment.

Step 2 - Run a readiness check. Before you pay, verify you meet the five controls. Fig Group's free readiness checker produces a score against each v3.3 control in under 10 minutes; the NCSC's own published requirements document is the primary reference for what "compliant" looks like.

Step 3 - Choose a certification body. Four things to confirm before buying:

• Published price on the website (no "request a quote" gate).
• Published turnaround SLA in working hours.
• IASME licence ID visible on the body's site and on the IASME directory.
• Clear statement of how many free re-submissions are included if the first submission fails.

Step 4 - Buy the assessment. Pay online, receive portal login, complete the self-assessment questionnaire (typically 60–90 minutes for a prepared organisation). Attach supporting evidence where requested.

Step 5 - Receive the certificate. If the submission passes, the certificate is issued digitally and emailed, and the organisation appears on the IASME directory within the same business day. If the submission flags gaps, written feedback comes back through the portal with the number of free re-submissions included in your purchase.

Step 6 - Use the certificate. Add the badge to the website, include the certificate PDF in tender responses, and add it to supplier-onboarding packs. Keep a reminder 60 days out from expiry to begin the renewal cycle.

How much a Cyber Essentials certificate costs in 2026

The IASME-standard tier fees sit in the range of £320–£350 (Micro) up to £800–£1,250 (Large) at most UK certification bodies. A minority of bodies price below that baseline; a minority price 3–4× above it, usually because they bundle consultancy.

Fig Group publishes Cyber Essentials from £299.99 + VAT for Micro, the lowest published price for a standalone assessment from any IASME-licensed body in the UK as of April 2026. Full tier pricing is on the pricing page; nothing is gated and nothing is quote-based.

How quickly you can get a Cyber Essentials certificate

There is no regulatory reason a certificate cannot be issued within a working day of a clean submission. The fastest IASME-licensed bodies in the UK now commit to 6-hour turnaround on compliant submissions - Fig Group operates that 6-hour guarantee as a published SLA, which is the shortest in the UK at the time of writing.

Slower certification bodies (5–15 working days) are not assessing any more thoroughly; they are assessing the same standard against the same IASME criteria, with longer internal queue times. If your procurement deadline is tight, the body you pick determines whether you hit it.

Getting a Cyber Essentials certificate with Fig Group

Three verifiable facts that matter when a buyer asks for your certificate:

• Fastest. 6-hour turnaround on compliant submissions - the shortest published SLA from any IASME-licensed certification body in the UK.
• Cheapest. Cyber Essentials from £299.99 + VAT - the lowest published price for a standalone assessment from any IASME-licensed body in the UK.
• Verifiable. IASME licence ID `325cdf33-3812-4082-bf8d-7dce7ac02977`, listed on the IASME directory. 5.00 / 5 on Google across verified reviews.

A Cyber Essentials certificate is meant to be a clear, fast, affordable proof point. Fig Group operates on that premise end-to-end - you can buy the assessment in five minutes and, for a fully-prepared organisation, hold the certificate the same working day.

Bottom line

A Cyber Essentials certificate is a dated, verifiable, time-bound digital document from an IASME-licensed certification body. It proves your five controls met the current NCSC requirements on the date of issue; it lasts 12 months; it is verifiable by anyone on the public IASME directory; and in 2026 it can be obtained for under £300 + VAT with a same-day turnaround. There is no longer a good reason to spend more or wait longer for one.

Start your Cyber Essentials certificate from £299.99 + VAT | All pricing tiers | Run the free readiness check | FAQ