Cyber Essentials vs Cyber Essentials Plus: Cost Comparison (2026)

Cyber Essentials is a verified self-assessment; Cyber Essentials Plus adds a hands-on technical audit, which is why it costs more. This guide compares the cost of both certifications across every organisation size and explains which one your budget and your buyers actually require.

Author: Jay Hopkins

Edited by Jack Wickham

Cyber Essentials and Cyber Essentials Plus certify against the same five technical controls, but they are priced very differently because they are assessed differently. Cyber Essentials is a verified self-assessment and is the cheaper of the two - Fig Group prices it from £299.99 + VAT. Cyber Essentials Plus adds an independent, hands-on technical audit of your systems, so it costs more - Fig Group prices it from £1,499 + VAT. You must hold a valid Cyber Essentials certificate before you can take Plus, so for most organisations the real question is not "either/or" but "is the additional cost of Plus justified by what my customers or contracts require?"

If you are searching for the cost difference between Cyber Essentials and Cyber Essentials Plus, you almost certainly already know the two certifications exist and want to understand what separates the price tags before you commit budget. This guide gives you the published UK numbers, explains exactly why Plus costs more, and helps you decide which level is the right spend for your organisation.

Section 02

The short answer on cost

Both certifications assess the same NCSC five controls (firewalls, secure configuration, security update management, user access control, and malware protection). The difference is in how compliance is verified:

  • Cyber Essentials is a self-assessment questionnaire, reviewed and verified by an IASME-licensed certification body. Lower assessor effort means a lower price.
  • Cyber Essentials Plus includes everything in Cyber Essentials, then adds a hands-on technical audit: an assessor independently tests a sample of your devices, checks your patching, verifies multi-factor authentication, and runs vulnerability scans. More assessor time and technical work means a higher price.

That single difference - self-declared versus independently tested - is the entire reason for the cost gap.

Section 03

Cyber Essentials vs Cyber Essentials Plus: price by organisation size

UK certification is priced by organisation size band. Below are Fig Group's published prices for 2026. All prices exclude VAT.

| Organisation size | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Micro (1-9 employees) | £299.99 | £1,499 |
| Small (10-49 employees) | £399.99 | £1,999 |
| Medium (50-249 employees) | £449.99 | £2,799 |
| Large (250+ employees) | £549.99 | £4,499 |

A few things to read from this table:

  • Cyber Essentials cost rises modestly with size, because the self-assessment is broadly the same exercise regardless of headcount.
  • Cyber Essentials Plus cost rises more steeply, because the technical audit samples more devices and covers more infrastructure as the organisation grows.
  • The gap is significant at every tier. Plus is several times the price of the base certification. That is normal across the UK market and reflects the assessor day-rate involved in a hands-on audit.

For the full base-level breakdown, see our Cyber Essentials cost guide; for the Plus-only deep dive, see Cyber Essentials Plus cost.

Section 04

Why does Cyber Essentials Plus cost more?

The price difference is not arbitrary. Cyber Essentials Plus costs more because it involves materially more work for the certification body:

1. An independent technical audit. Rather than trusting your answers, a qualified assessor verifies them. This is the core of Plus and the main cost driver.

2. Device sampling. The assessor tests a representative sample of your in-scope devices - workstations, servers, and cloud services - rather than reviewing a questionnaire.

3. Vulnerability scanning. Authenticated and unauthenticated scans are run against your sampled systems to confirm patching and configuration.

4. MFA and access verification. The assessor confirms that multi-factor authentication and access controls are genuinely enforced, not just claimed.

5. Assessor time and scheduling. A Plus audit is a booked engagement with a person, typically conducted remotely. That time is the single largest component of the fee.

In short, you are paying for assurance. Cyber Essentials says "we have assessed our controls and declare them compliant." Cyber Essentials Plus says "an independent expert tested our controls and confirmed they work." For many buyers, that independent confirmation is worth the premium.

Section 05

You need Cyber Essentials before Cyber Essentials Plus

This is the most important point for budgeting, and it is often missed. Cyber Essentials Plus is not a standalone product. Under the scheme rules, your Cyber Essentials Plus assessment must take place within three months of achieving Cyber Essentials. The base certification is a prerequisite.

What this means for cost:

  • The Plus prices in the table above are for the Plus audit. Some bodies bundle the base certification into the Plus price; others charge separately. With Fig Group, the route is straightforward: certify Cyber Essentials first, then book your Plus audit within the three-month window.
  • You should budget for the certification you actually need. If a contract specifies Plus, plan for the base certification and the Plus audit together, and sequence them so the audit falls inside the three-month window.

We cover the sequencing in detail in "Can I get Cyber Essentials Plus without Cyber Essentials?"

Section 06

Total cost of ownership: look beyond the headline price

The certificate fee is only part of the picture. When comparing the cost of Cyber Essentials and Cyber Essentials Plus, factor in:

  • Preparation and remediation. The biggest hidden cost for most organisations is fixing control gaps before assessment - enabling MFA everywhere, removing unsupported software, tightening patching. This cost is broadly the same whether you go for Cyber Essentials or Plus, because both assess the same controls. Plus simply tests them harder, so under-prepared organisations are more likely to need remediation before a Plus audit passes.
  • Re-submissions and retests. If your first submission does not pass, some bodies charge for another attempt. Fig Group includes three free re-submissions with every certification, so a minor gap does not become an extra invoice.
  • Annual renewal. Both certifications are valid for 12 months and must be renewed annually to remain listed. Budget for this as a recurring cost, not a one-off.
  • What is bundled in. A valid certificate ships with IASME-arranged cyber liability insurance for eligible UK organisations under £20m turnover, at no extra cost. That is value included in the fee rather than an add-on.
  • Speed and opportunity cost. A slow certification can cost you a contract. Fig Group certifies compliant Cyber Essentials submissions within 6 working hours, which removes the "we missed the tender deadline" risk that is invisible on a price list but very real in practice. See the hidden cost of slow certification.

Section 07

Which one should you pay for?

The decision is rarely about cost alone - it is about what your buyers, insurers, or contracts require. Use this as a guide:

Choose Cyber Essentials (the lower cost) if:

  • Your customers or framework simply ask for "Cyber Essentials" without specifying Plus.
  • You are bidding for general public-sector work where the base certification satisfies the requirement.
  • You want a cost-effective, government-backed baseline that demonstrates fundamental cyber hygiene.

Budget for Cyber Essentials Plus (the higher cost) if:

  • A contract, client, or supplier questionnaire explicitly requires Plus.
  • You handle sensitive data and need independent assurance, not self-declaration.
  • You work with the MOD, NHS, financial services, or other buyers who increasingly mandate Plus.
  • You want the strongest third-party validation of your controls for procurement or due-diligence purposes.

If you are unsure which your buyer wants, our guide to who needs Cyber Essentials Plus and the full Cyber Essentials vs Cyber Essentials Plus comparison will help you confirm before you spend.

Section 08

How Fig Group prices both certifications

Fig Group is an IASME-licensed Cyber Essentials and Cyber Essentials Plus certification body. Our pricing is published in full, below the standard IASME certification body fee at every base-certification tier, and every engagement includes the same support regardless of which level you choose:

  • Transparent, fixed prices by organisation size - no quotes required for the base certification.
  • Three free re-submissions per certification, so a minor gap does not become an extra cost.
  • IASME-arranged cyber liability insurance for eligible UK organisations, included.
  • A 6 working-hour turnaround on compliant Cyber Essentials submissions.

You can see every tier on the pricing page, start your Cyber Essentials certification, or read more about Cyber Essentials Plus.

Section 09

Frequently asked questions

How much does Cyber Essentials Plus cost in the UK?

Cyber Essentials Plus is priced by organisation size. Fig Group's published 2026 prices are £1,499 + VAT for Micro (1-9 employees), £1,999 + VAT for Small (10-49), £2,799 + VAT for Medium (50-249), and £4,499 + VAT for Large (250+). It costs more than base Cyber Essentials because it includes an independent, hands-on technical audit.

Why is Cyber Essentials Plus so much more expensive than Cyber Essentials?

Because it is assessed differently. Cyber Essentials is a verified self-assessment, while Cyber Essentials Plus adds an independent technical audit in which an assessor tests a sample of your devices, runs vulnerability scans, and verifies controls such as multi-factor authentication. The assessor time required for that audit is the main reason for the higher price.

Do I have to pay for Cyber Essentials before Cyber Essentials Plus?

Yes. Cyber Essentials is a prerequisite for Cyber Essentials Plus, and your Plus audit must take place within three months of achieving Cyber Essentials. Budget for both, and sequence them so the Plus audit falls inside the three-month window.

Is Cyber Essentials Plus worth the extra cost?

It is worth it when a contract, client, insurer, or supplier questionnaire requires it, or when you need independent assurance that your controls genuinely work rather than self-declaration. If your buyers only ask for "Cyber Essentials", the base certification is the more cost-effective choice.

Does the price include the cyber liability insurance?

Yes. A valid Cyber Essentials or Cyber Essentials Plus certificate ships with IASME-arranged cyber liability insurance for eligible UK organisations under £20m turnover, at no additional cost. It is included in the certification fee.

How often do I have to pay?

Both certifications are valid for 12 months and must be renewed annually to stay on the public register and remain compliant. Treat the cost as a recurring annual budget line rather than a one-off purchase.

Section 10

Summary

The cost difference between Cyber Essentials and Cyber Essentials Plus comes down to one thing: Cyber Essentials is a verified self-assessment, and Cyber Essentials Plus adds an independent technical audit. That is why Plus is priced from £1,499 + VAT while the base certification starts at £299.99 + VAT. Because Cyber Essentials is a prerequisite for Plus, the practical decision is whether the additional cost of the audit is justified by what your customers and contracts require. If you only need to demonstrate the baseline, Cyber Essentials is the cost-effective choice; if you need independent assurance, Cyber Essentials Plus is worth the premium.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
