IASME-Licensed Cyber Essentials Bodies: What to Look For in 2026

The Cyber Essentials scheme is managed by IASME on behalf of the NCSC. Any organisation that wants to assess and certify others for Cyber Essentials must hold an IASME licence. This licensing requirement exists to maintain consistency and quality across the scheme.

But what does IASME licensing actually mean in practice, and how should it inform your choice of certification body?

What IASME licensing guarantees

When a certification body holds an IASME licence, it means:

They are authorised to assess. Only licensed bodies can conduct Cyber Essentials assessments and issue certificates.

Their assessors are trained. Assessors at licensed bodies must complete IASME-approved training and follow standardised assessment criteria.

The certificate is legitimate. Certificates issued by licensed bodies appear on the official NCSC register and carry the NCSC badge.

They are audited. IASME conducts oversight of licensed bodies to ensure assessment quality.

What IASME licensing does not guarantee is the price, speed, or quality of customer experience. These vary significantly between bodies.

The market in 2026

There are over 150 IASME-licensed Cyber Essentials certification bodies in the UK. They range from large global certification companies to small specialist consultancies. Some focus exclusively on Cyber Essentials. Others offer it as one service among many.

This breadth of choice is good for the market but can make selection difficult. Here is how to navigate it.

Three categories of certification body

Technology-led bodies

These bodies invest in platforms and automation to streamline the assessment process. The result is typically faster turnaround and lower pricing, because technology reduces the manual effort per assessment.

Example: Fig Compliance. Fig built a purpose-built assessment platform that handles the entire process digitally. This approach enables a 6-hour turnaround guarantee and pricing from £314.99 + VAT, the lowest published price from any licensed body. Three feedback rounds are included.

Example: CyberSmart. CyberSmart automates compliance checking by scanning devices and systems. Their subscription model (£999 + VAT/year) includes ongoing monitoring alongside certification.

Traditional certification bodies

These bodies operate through established workflows, often email-based, with assessors reviewing submissions manually. Turnaround times tend to be longer (48 hours to 5 working days) and pricing is typically higher.

Example: Bulletproof. A well-established body with a 48-hour assessment target, pricing from £500 ex VAT, and a broader portfolio of security services.

Example: Pentest People. Primarily a penetration testing firm, offering CE certification with a 3-day turnaround from £575.

Enterprise and consultancy bodies

These bodies target larger organisations and often bundle Cyber Essentials with broader consultancy services. Pricing is typically quote-based and the sales process involves account managers and discovery calls.

Example: LRQA. A global certification body offering CE alongside ISO management system certifications. Pricing and turnaround are not published.

Example: IT Governance. Offers CE as part of a wide compliance services portfolio. Pricing requires a quote.

What to prioritise

For most UK organisations, particularly SMEs, the priorities should be:

1. Confirm IASME licensing. This is the baseline requirement.

2. Check published pricing. If a body does not publish prices, ask why.

3. Check turnaround commitments. If speed matters, choose a body that commits to a specific timeline.

4. Check feedback policy. First-time submissions often need corrections. Bodies that include multiple feedback rounds save you time and money.

5. Check v3.3 readiness. The requirements changed in April 2026. Ensure your body is current.

The numbers

CriteriaFig ComplianceCyberSmartBulletproofPentest People-----------------------------------------------------------------LicensedYesYesYesYesCE from£314.99 + VAT£999 + VAT/yr£500 ex VAT£575Turnaround6-hour guarantee24 hrs (best case)48 hrs (target)3 working daysFeedback3 roundsUnlimited1 retest2 retestsApproachPlatform-ledAutomated scanningTraditional + toolsTraditional + pen testing

Summary

IASME licensing ensures a baseline of quality and legitimacy. Beyond that baseline, certification bodies differ substantially in price, speed, and service. Technology-led bodies like Fig Compliance tend to offer the best combination of these factors because their platforms reduce the cost and time of each assessment.

For organisations evaluating options, the published data suggests that Fig Compliance offers the lowest price, fastest guarantee, and most included feedback of any licensed body currently operating in the UK.

View Fig Compliance pricing