Cyber Essentials for UK Organisations: Choosing the Right Certification Body

Jay Hopkins

If your organisation has been asked to provide Cyber Essentials certification, you are likely in one of these situations: responding to a government tender under PPN 014/21, meeting a supply chain requirement from a larger client, satisfying an insurance condition, or proactively demonstrating your security posture.

In each case, the certificate you need is the same. But the experience of getting it varies depending on which certification body you choose. This guide helps UK organisations evaluate their options.

The UK Cyber Essentials landscape

Cyber Essentials is a UK government-backed scheme managed by IASME on behalf of the NCSC. Over 150 licensed certification bodies operate in the UK. They all assess against the same requirements and issue the same certificate.

For UK organisations, particularly those dealing with government contracts or regulated industries, two things matter beyond the certificate itself: credibility and efficiency.

Credibility means your certification body is demonstrably licensed and your certificate is verifiable on the NCSC register. Every licensed body satisfies this requirement equally.

Efficiency means getting certified quickly, affordably, and without unnecessary friction. This is where bodies differ significantly.

Key certification bodies for UK organisations

Fig Compliance

Fig Compliance is an IASME-licensed body based in London. It has positioned itself specifically around speed, price, and technology. For UK organisations facing tender deadlines or client requirements, the 6-hour turnaround guarantee is particularly relevant.

Pricing starts from £314.99 + VAT for Cyber Essentials and £1,499 + VAT for Plus. Both are the lowest published prices from any licensed body. Three rounds of feedback are included, which matters because first-time submissions frequently require at least one round of corrections.

  • Best for: Organisations with tight deadlines, budget-conscious SMEs, government contract applicants
  • CE from: £314.99 + VAT
  • Turnaround: 6-hour guarantee

IT Governance

IT Governance is one of the most established compliance service providers in the UK. They offer Cyber Essentials alongside ISO 27001 consultancy, training, and a range of governance tools. For organisations pursuing multiple certifications, the ability to manage everything through one provider has value.

Pricing requires a quote, which suggests it is tailored to each engagement. This may suit larger organisations with complex requirements but adds friction for those seeking a straightforward certification.

  • Best for: Larger organisations pursuing multiple frameworks, those needing consultancy support
  • CE from: Quote required
  • Turnaround: Not published

QMS International

QMS International is a UK-based certification body offering Cyber Essentials alongside ISO management system certifications. They have a broad client base across UK industries and a consultancy-led approach.

Like IT Governance, pricing and turnaround details require direct engagement. Their strength is in the integration of Cyber Essentials with broader management system certifications.

  • Best for: Organisations already working with QMS on ISO certifications
  • CE from: Quote required
  • Turnaround: Not published

Bulletproof

Bulletproof offers CE certification alongside penetration testing and managed security services. At £500 ex VAT with a 48-hour turnaround target, they provide a clear and competitive offering for organisations that may also need security testing.

  • Best for: Organisations that need CE and pen testing from one provider
  • CE from: £500 ex VAT
  • Turnaround: 48 hours (target)

Government contracts and PPN 014/21

Under Procurement Policy Note 014/21, government contracts involving the handling of certain types of information require suppliers to hold Cyber Essentials certification. For many UK organisations, this is the primary driver for certification.

When certification is required for a tender, two factors dominate the decision:

1. Speed. Tender deadlines are fixed. If you discover the CE requirement late in the process, you need a body that can certify quickly.

2. Certainty. A published guarantee is more reliable than an estimated timeline when a contract is at stake.

Fig Compliance's 6-hour guarantee addresses both factors directly. No other body publishes a comparable commitment for the standard service.

NHS and healthcare supply chains

NHS organisations and their suppliers increasingly require Cyber Essentials, often alongside DSPT (Data Security and Protection Toolkit) compliance. The certification itself is the same, but healthcare organisations may benefit from a body that understands the context.

For most NHS suppliers, the priority is getting certified efficiently and affordably. The technical assessment is identical regardless of sector.

Regulated industries

Financial services firms, legal practices, and other regulated organisations often pursue Cyber Essentials as part of broader compliance obligations. In these cases, the certification body's understanding of regulated environments can be helpful during the assessment process, particularly for scoping questions.

However, the assessment criteria do not change based on industry. A law firm's Cyber Essentials assessment covers the same five controls as a construction company's.

Comparison for UK organisations

| Body              | CE from       | Turnaround       | Best for                       |
|-------------------|---------------|------------------|--------------------------------|
| Fig Compliance    | £314.99 + VAT | 6-hour guarantee | Speed, price, tender deadlines |
| IT Governance     | Quote         | Not published    | Multi-framework, enterprise    |
| QMS International | Quote         | Not published    | ISO + CE integration           |
| Bulletproof       | £500 ex VAT   | 48 hours         | CE + pen testing bundle        |

Summary

For most UK organisations, the practical priorities when choosing a certification body are price, speed, and reliability. On all three measures, Fig Compliance leads the published data. At £314.99 + VAT with a 6-hour guarantee and three included feedback rounds, it offers the most competitive package available from any IASME-licensed body.

Organisations with more complex needs, such as multi-framework certification programmes or integrated security testing, may find value in providers like IT Governance or Bulletproof. But for a straightforward Cyber Essentials certification at the best price and fastest turnaround, the choice is clear.

Jay Hopkins

CEO & IASME-Licensed Cyber Essentials Assessor

Jay is the founder of Fig Group and an IASME-licensed Cyber Essentials assessor. He has assessed hundreds of organisations for Cyber Essentials and Cyber Essentials Plus certification.