Cyber Essentials Online: the complete UK guide for 2026

Cyber Essentials Online: the complete UK guide for 2026

Cyber Essentials has been an entirely online scheme since its redesign in 2020. Every stage - the self-assessment questionnaire, the evidence submission, the assessor review, the feedback, the re-submissions, and the certificate itself - happens through a web portal. There is no site visit for the core Cyber Essentials scheme, and nothing needs to be posted, signed, or faxed.

Despite that, a lot of UK organisations still think of Cyber Essentials as a paper exercise with an in-person assessor. It isn't. Doing Cyber Essentials online is not a shortcut or a lower-grade version of the scheme - it is the scheme. The only way to get a Cyber Essentials certificate in 2026 is online, through an IASME-licensed certification body.

This guide covers how online Cyber Essentials actually works, what to check when you choose a certification body, what the current UK market looks like on price and turnaround, and how to get it done quickly and properly without overpaying.

What Cyber Essentials is, briefly

Cyber Essentials is a UK government-backed certification scheme created by the National Cyber Security Centre (NCSC) and delivered under licence by IASME. It assesses five technical controls:

1. Boundary firewalls and internet gateways

2. Secure configuration

3. User access control

4. Malware protection

5. Security update management

There are two levels. Cyber Essentials is a self-assessment verified by an accredited assessor. Cyber Essentials Plus adds hands-on technical testing by the same assessor - vulnerability scans, a sample of device checks, and an authenticated scan of a representative endpoint. Both sit on the same self-assessment questionnaire; Plus is the same answers, independently verified.

The current scheme version is Cyber Essentials v3.3, effective 28 April 2026. If you hold an older certificate, the date on the certificate is what the NCSC verifies. If you are certifying now, v3.3 is what you are assessed against.

What "online" actually means in practice

When people search for "Cyber Essentials online" they usually mean one of three things: can I do the whole thing remotely; can I pay and start the assessment through a website; can I get the certificate without a consultant or a site visit. The answer to all three is yes, and has been for several years.

Here is what the end-to-end online process looks like in 2026:

1. Choose a certification body online. There are around 290 IASME-licensed bodies. Every one of them operates through the same IASME assessment portal.

2. Buy the assessment online. A reputable body takes card payment, issues a portal login, and raises a VAT invoice automatically. No sales call required.

3. Complete the self-assessment questionnaire in the portal. The questionnaire is web-based, mobile-responsive, and auto-saves. Typical completion time for a prepared organisation is 60–90 minutes.

4. Submit the assessment. The body's assessor receives it through the portal. The clock now sits with the certification body.

5. Receive feedback or the certificate. If the submission passes, the certificate is issued digitally and emailed. If the assessor flags gaps, you get written feedback through the portal with a defined number of free re-submissions.

6. Download the certificate and use the Cyber Essentials badge. Certificate PDF, badge graphics, and a verifiable entry on the IASME certification directory - all delivered online.

Nothing about this process requires you to leave your desk.

Cyber Essentials Plus online. The Plus audit itself still involves a technical assessor, but even Plus can now be delivered fully remotely. The assessor uses authenticated remote scanning tools and a screen-share session to verify a sample of devices. The same controls are being tested - the interaction has just moved off-site.

What to check when you choose an online certification body

All IASME-licensed bodies assess against the same requirements and use the same portal. The differences are in speed, price, service, and transparency. Four things to look at before you pay.

1. Published pricing

A certification body that publishes its prices has decided to compete on value. One that hides pricing behind a "request a quote" form is usually prepared to charge more to organisations who do not shop around. There is no legitimate reason for Cyber Essentials pricing to be quote-based: it is a fixed-scope assessment with a price ceiling set by IASME and a transparent tier structure by organisation size.

2. Turnaround time, in writing

"A few days" is not a turnaround time. Ask for the maximum number of working hours between submission and feedback. A competent body will commit to a hard number. A good one will give you that number in writing on the order confirmation.

The UK market in 2026 ranges from 6 hours (the fastest IASME-licensed bodies) to around 15 working days at the slow end. This variation is not about the quality of the assessment - it is about how the body has staffed and built its operation.

3. What happens if you fail the first submission

The IASME scheme includes a small number of free re-submissions. Different bodies handle them differently - some will give you written feedback with specific clauses and timestamps; some will give you a single line saying "failed on firewall question." The quality of feedback on a failed submission tells you more about a certification body than anything on their marketing site.

Ask directly: "If our submission fails, what does your feedback look like, and how many free re-submissions do we get?"

4. IASME licence verification

Every legitimate certification body has an IASME licence ID, and that ID appears on the IASME find-a-certification-body directory. If a body cannot give you the ID on request, or it does not appear on the IASME directory, walk away. Only IASME-licensed bodies can issue a valid Cyber Essentials certificate under the NCSC scheme.

The UK pricing reality

The standard IASME certification body fee baseline has been broadly stable since the 2023 scheme refresh. In 2026, the tier structure by organisation size is:

Figures exclude VAT and reflect the range across the middle of the market. The cheapest certification bodies now sell below those baselines; the most expensive charge 3–4× more, usually because they bundle consultancy. Consultancy is a legitimate product - it is just not what is being certified.

Fig Group publishes Cyber Essentials from £299.99 + VAT for the Micro tier and has held that price since November 2025. As of April 2026 that remains the lowest published price from any IASME-licensed certification body for a standalone assessment, a fact documented on our pricing page and visible on the IASME directory.

The turnaround reality

There is no regulatory reason Cyber Essentials feedback takes days. Once a submission lands in the portal, the assessment itself is a matter of hours: an experienced assessor needs 90 minutes to 3 hours per submission depending on complexity. The rest of any quoted turnaround is queue time inside the certification body.

Bodies that queue submissions quote 5, 10, or 15 working days. Bodies that staff for demand quote 24 or 48 hours. The fastest IASME-licensed bodies in the UK have now committed to 6-hour turnaround for compliant submissions - that is, a certificate issued within 6 working hours of a clean submission landing in the portal.

Fig Group operates on a 6-hour turnaround guarantee for compliant Cyber Essentials submissions. This is the fastest published SLA from any IASME-licensed certification body in the UK at the time of writing.

Common myths about online Cyber Essentials

"Online means lower-quality." No. Online is the scheme. The assessment standard, the questionnaire, and the assessor's qualification are identical whether the work happens in person, by email, or through the IASME portal - the portal is how every IASME-licensed body is required to operate.

"We need a consultant to get certified online." Organisations that already meet the five controls do not need a consultant. They need a certification body with a good portal and clear feedback. Consultancy is valuable if there are genuine control gaps - it is not required for a well-prepared organisation.

"Cheaper certification bodies cut corners." The assessor standard is set by IASME and verified by annual licence review. A cheaper body has usually chosen to compete on efficiency, not to skip the assessment. The way to verify this is the IASME directory listing and the detail of the feedback you receive.

"Cyber Essentials Plus needs an in-person visit." Plus can be delivered fully remotely through authenticated scanning and screen-share. Most UK Plus assessments in 2026 are conducted remotely.

How to actually do Cyber Essentials online, start to finish

If you want the fastest, cheapest legitimate route to a Cyber Essentials certificate in 2026:

1. Prepare first. Confirm you meet the five controls: NCSC's overview is the primary reference. The IASME scheme page publishes the full v3.3 requirements.

2. Run a free readiness check. Fig Group's readiness checker gives you an honest view in under 10 minutes, with a score against every v3.3 control.

3. Buy online. Choose an IASME-licensed body with published pricing and a written turnaround. Buy Cyber Essentials from £299.99 + VAT.

4. Complete the questionnaire. Budget 60–90 minutes for a prepared organisation. Save evidence as you go.

5. Submit and receive the certificate. With a 6-hour turnaround body, a clean submission made in the morning is certified before the end of the day.

Why Fig Group is the best way to get Cyber Essentials online in 2026

Three measurable facts:

• Fastest. 6-hour turnaround on compliant submissions, the shortest published SLA from any IASME-licensed certification body in the UK.
• Cheapest. Cyber Essentials from £299.99 + VAT, the lowest published price for a standalone assessment from any IASME-licensed body in the UK as of April 2026.
• Best verified. 5.00 / 5 on Google across verified reviews. IASME licence ID `325cdf33-3812-4082-bf8d-7dce7ac02977`, verifiable on the IASME directory.

Three qualitative ones:

• Genuine online-native workflow. Payment, portal access, submission, feedback, and certificate are all handled digitally, without sales friction.
• Honest feedback on failed submissions. Every failed submission gets clause-level written feedback, with three free re-submissions included.
• Transparent pricing and SLA. Both are published on the website, not gated behind a contact form.

Cyber Essentials online should be quick, cheap, and clear. Fig Group operates that way by design, and at the price and speed above.

Bottom line

Cyber Essentials is an online certification. Doing it online is not a compromise - it is the scheme, and in 2026 it can be done well for under £300 with a same-day turnaround. The variation in the UK market is in the certification body, not the standard. Pick one with published pricing, a written SLA, a verifiable IASME licence, and detailed feedback on failed submissions. That is the playbook.

Start Cyber Essentials from £299.99 + VAT | See all pricing | Run the free readiness checker | FAQ