
What size business needs Cyber Essentials?

Cyber Essentials applies to UK organisations of every size, from sole traders to enterprises. The scheme is tiered by headcount (Micro 1–9, Small 10–49, Medium 50–249, Large 250+) and is most commonly required for SMEs bidding for procurement work or seeking cyber insurance.

Author

Jay Hopkins

Editor

Edited by Jack Wickham


Cyber Essentials applies to UK organisations of every size - from sole traders to multi-thousand-employee enterprises. The scheme uses a four-tier pricing structure based on headcount, with the same five technical controls assessed at every tier. CE is most commonly required of SMEs bidding for procurement work, of SJP partner practices, and of organisations seeking cyber insurance.

The four tiers

Tier      Staff      Fig Group price (+ VAT)
Micro     1–9        £299.99
Small     10–49      £399.99
Medium    50–249     £449.99
Large     250+       £549.99

UK-wide pricing; Fig Group's published tiers are the lowest of any IASME-licensed body. See the full pricing page.

How to count staff for tier sizing

Include:

  • Full-time employees on payroll
  • Part-time employees on payroll
  • Directors (working or non-executive)
  • Contractors with persistent access to organisational systems / data
  • Consultants in a long-term engagement with organisational email accounts

Exclude:

  • One-off project contractors without ongoing access
  • Clients, customers, or end-users of your service
  • Group companies or subsidiaries that would be assessed under their own scope

Total headcount at the point of assessment determines the tier.

Scope changes as organisations grow

Larger organisations will typically have:

  • More in-scope endpoints
  • More in-scope cloud services
  • More complex Conditional Access / identity policies
  • A need for more rigorous internal controls around joiner / mover / leaver processes

The assessment depth scales accordingly, but the five controls remain the five controls.

Is there a tier above Large?

No. The Large tier covers 250+ employees - including multinationals with thousands of staff. Where more depth is needed, organisations progress to IASME Cyber Assurance Level 2 or to ISO 27001.

Is Cyber Essentials appropriate for sole traders?

Yes. See "Can a sole trader get Cyber Essentials?"

Is Cyber Essentials appropriate for enterprises?

Yes - Large-tier CE is held by many multinationals. It is typically paired with ISO 27001 rather than being the primary cybersecurity credential at that scale.

Bottom line

Every UK business size is covered by Cyber Essentials, and pricing is tiered to match. For the overwhelming majority of UK SMEs, the Micro or Small tier is the right starting point - certified in 6 working hours with Fig Group from £299.99 + VAT.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor, IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
