How to Choose a Cyber Essentials Assessor: 7 Things to Check
Choosing a Cyber Essentials certification body is not a decision most organisations spend much time on. The assumption is that one licensed body is much the same as another. In terms of the certificate itself, that is true. In terms of the experience, cost, and speed, it is not.
Here are seven things worth checking before you commit.
1. IASME licensing
This is non-negotiable. Every legitimate Cyber Essentials certification body must hold a current IASME licence. IASME publishes a list of licensed bodies on its website. If a provider is not on that list, they cannot issue valid certificates.
Some consultancies offer Cyber Essentials "support" or "readiness" services but are not themselves licensed to assess and certify. These services can be useful for preparation, but you will still need a licensed body for the actual certification.
Check: Verify the body appears on the IASME register of licensed certification bodies.
2. Published pricing
Transparent pricing is a useful indicator of how a certification body operates. Bodies that publish their prices tend to be confident in their value proposition. Bodies that require a sales call or quote may have pricing that varies based on the customer.
Among bodies that publish pricing, there is significant variation. Fig Compliance publishes prices from £314.99 + VAT for micro organisations, which is the lowest we have found from any licensed body. Bulletproof starts at £500 ex VAT. Pentest People starts at £575. CyberSmart operates on a £999 + VAT annual subscription.
Check: Is the full pricing schedule published on the website, or do you need to request a quote?
3. Turnaround time commitment
Ask specifically: what is your published turnaround time from submission to certificate? Is it a guarantee or a target?
There is a significant range. Fig Compliance guarantees certification within 6 hours for compliant submissions. Bulletproof targets 48 hours. Pentest People publishes 3 working days. Several major bodies do not publish a turnaround commitment at all.
Check: Is the turnaround time published? Is it a guarantee or a best-case estimate?
4. Feedback and resubmission policy
Most first-time submissions require at least one round of corrections. What happens when your submission is not perfect on the first attempt matters as much as the initial assessment speed.
Key questions:
Fig Compliance includes three rounds of structured feedback at no extra cost, with resubmissions reviewed promptly rather than re-queued. Bulletproof includes one free retest with the standard package. Pentest People includes two retests.
Check: How many feedback rounds are included, and what happens to resubmissions?
5. Assessment platform vs email
The method of assessment delivery affects both speed and experience. Some bodies operate entirely through email. You download a questionnaire, fill it in, email it back, and wait for a response. Each step introduces delay.
Other bodies provide a digital platform where the entire process runs online. Fig Compliance's purpose-built platform handles everything from purchase to certificate issuance. CyberSmart's platform automates compliance checking through device scanning.
Email-based processes are not inherently worse, but they tend to be slower and more prone to communication gaps.
Check: Is the assessment process handled through a platform or through email?
6. v3.3 and Danzell question set readiness
The NCSC updated the Cyber Essentials requirements to version 3.3 in April 2026. This includes the mandatory MFA requirement for all user accounts and a restructured question set (the Danzell question set).
Any body you choose should be assessing against the current v3.3 requirements. This sounds obvious, but during transition periods some bodies may still be clearing a backlog of assessments against the previous version.
Check: Confirm the body is assessing against v3.3 and the Danzell question set.
7. Support availability
When you are midway through the self-assessment questionnaire and unsure how to answer a question about your firewall configuration, can you get help? Some bodies offer dedicated support throughout the process. Others leave you to work through it alone.
Fig Compliance provides support throughout the assessment process as standard. Bulletproof includes remote support hours in its packages. Pentest People assigns a dedicated project manager.
Check: What support is available during the self-assessment process, and is it included in the price?
Putting it all together
No single factor determines the right choice. But when you evaluate across all seven criteria, a clear picture emerges:
Fig Compliance leads on price, speed, and feedback inclusion. Other bodies have strengths in specific areas, such as CyberSmart's continuous monitoring or Pentest People's integration with penetration testing services. The right choice depends on your priorities, but on the core criteria, Fig Compliance is difficult to beat.