50+ answers, plain English

Cyber Essentials FAQ. Everything buyers actually ask.

Grouped by intent - scheme, pricing, speed, scope, MFA, technical, procurement, and Fig. Short, direct answers so you can find what you need fast.

Quick answers

The five things buyers ask first.

How much does Cyber Essentials cost?
From £299.99 + VAT for Micro (1-9 employees). The cheapest IASME-licensed CE body in the UK.
How fast is certification?
6 working hours for compliant submissions - or a full refund. The fastest in the UK.
Is Fig Group IASME-licensed?
Yes - Fig Group is an IASME-licensed Cyber Essentials certification body, not a reseller.
Which scheme version is in effect?
Cyber Essentials v3.3, effective 28 April 2026.
Is Fig Group independently verifiable?
Yes - Companies House #16845978, ICO ZC072182, and listed in the IASME directory.

The Cyber Essentials scheme

6 answers

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme that validates five technical cyber controls: firewalls, secure configuration, user access control, malware protection, and security update management. It is administered by IASME on behalf of the NCSC.

What is Cyber Essentials Plus?

Cyber Essentials Plus adds an independent technical audit - external vulnerability scan, device configuration check, MFA verification - on top of the CE self-assessment. Plus is required by many UK government contracts and most large enterprise supply chains.

Who administers Cyber Essentials?

IASME (Information Assurance for Small and Medium Enterprises) administers the scheme on behalf of the NCSC. IASME licenses Certification Bodies - Fig Group among them - to assess organisations.

Is Cyber Essentials UK-only?

Yes. Cyber Essentials is a UK certification scheme. Organisations outside the UK can certify if the scope is a UK entity, but the scheme is written for UK operational context.

What is the difference between Cyber Essentials and ISO 27001?

Cyber Essentials covers five technical controls. ISO 27001 is a full information security management system with 93 Annex A controls, policies, risk processes, internal audits, and a formal multi-day certification audit. For a practical buyer-focused breakdown, see /blog/cyber-essentials-vs-iso-27001-which-does-your-customer-actually-want.

What is Cyber Essentials v3.3?

v3.3 is the Cyber Essentials scheme version effective from 28 April 2026. It adds mandatory multi-factor authentication on every user account, clearer BYOD and cloud-service scoping, and tightens remote-worker home-router expectations.


Pricing and payment

7 answers

How much does Cyber Essentials cost in the UK?

Fig Group prices Cyber Essentials from £299.99 + VAT for micro organisations (1–9 staff). Prices rise to £399.99 (Small), £449.99 (Medium), and £549.99 (Large). Every tier is below the standard IASME certification body fee.

How much does Cyber Essentials Plus cost?

CE Plus costs £1,499–£4,499 + VAT depending on organisation size. Micro £1,499, Small £1,999, Medium £2,799, Large £4,499. All Fig CE Plus prices exclude VAT and are transparent - no consultancy add-ons.

Is there a charge for re-submissions?

No. Fig includes three free re-submissions with every Cyber Essentials certification. Most certification bodies charge £100–£200 per re-submission. If you need more than three, we work with you to address readiness first.

Does Fig offer charity discounts?

Fig prices the Micro tier at £299.99 + VAT, which is already below the standard IASME fee. Separately, the NCSC sometimes funds free CE certifications for specific charity sectors via IASME - check availability at certification time.

What is the cheapest Cyber Essentials certification?

Fig Cyber Essentials Micro at £299.99 + VAT for 1–9 staff. Below the standard IASME certification body fee. Three free re-submissions, 6-hour guarantee, IASME-licensed.

Is the price VAT-inclusive?

No. Fig Group publishes prices excluding VAT. UK VAT is added at checkout for UK-based organisations.

Can I pay by invoice?

For Cyber Essentials Plus and larger corporate engagements, yes. For standard CE certifications the checkout flow uses Stripe card payment. Enterprise invoicing is available on request.


Timelines and turnaround

5 answers

How fast is Fig Cyber Essentials certification?

Fig publishes a 6-hour turnaround guarantee for compliant Cyber Essentials submissions made before midday on a UK business day. If the submission needs edits, the clock pauses while you fix them and resumes on re-submission.

Is same-day Cyber Essentials possible?

Yes, when the submission is complete and compliant before 12:00 on a UK business day. If the assessor requests remediation evidence, same-day issue may not be possible and the clock resumes once evidence is resubmitted.

How long does Cyber Essentials Plus take?

Typically 2–3 working days end to end. The assessor schedules a kick-off call, runs the external scan, samples 3–10 devices depending on organisation size, runs the malware-execution test, and issues the certificate.

How long is a Cyber Essentials certificate valid?

Twelve months from the assessment date. On the anniversary the certificate lapses with no grace period. Most organisations re-certify 14 days before expiry to protect contract continuity.

What happens if my Cyber Essentials lapses?

You are removed from the NCSC register and are no longer certified for contract purposes. Re-certification restores the listing; Fig typically issues a renewed certificate within 6 hours of a compliant re-submission.


Scoping and devices

6 answers

What is in scope for Cyber Essentials?

Every device and service used to access organisational data: laptops, desktops, phones, tablets, cloud services, home routers for remote workers (under v3.3), and corporate network equipment. Anything that does not access organisational data is not in scope.

Is BYOD in scope under v3.3?

Personal devices that access organisational data are in scope. You can exclude them with a sub-set (technical enforcement that the device accesses nothing). Policy-only BYOD restrictions do not meet v3.3 - you need technical controls, typically MDM or virtual desktop.

Are home routers in scope?

Under v3.3, yes - for remote workers. The admin password must be changed from the default and the firmware must be current. The common solution is a corporate VPN: the firm's VPN gateway becomes the boundary, and the home router is effectively just a transit device.

Are cloud services in scope?

Yes. SaaS, IaaS, and PaaS that hold organisational data are in scope. You must document how cloud services are configured securely (MFA, access control, secure defaults). v3.3 is explicit about this.

Is our AWS production account in scope?

For SaaS companies: typically no. Scope CE to the corporate estate only (laptops, M365, corporate SaaS) and explicitly exclude production AWS. Production security is separately assessed under SOC 2, ISO 27001, or ISO 27017.

Are contractors in scope?

If contractors access your organisational data from their own devices, their devices are in scope. You can exclude them with a sub-set (virtual desktop or MDM) or bring them into scope with corporate-issued devices.


Multi-factor authentication

5 answers

Is MFA mandatory under v3.3?

Yes. Multi-factor authentication is mandatory on every user account that accesses organisational data on or after 28 April 2026. This includes cloud services, email, admin accounts, remote access, and line-of-business SaaS applications.

Which MFA methods are acceptable?

Authenticator apps (Microsoft Authenticator, Authy, Google Authenticator, 1Password), hardware security keys (YubiKey), push notifications, and SMS where nothing stronger is available. SMS is allowed but not preferred - app-based authentication is stronger.

Can we exempt some accounts from MFA?

No. Under v3.3, every user account with access to organisational data must use MFA. There is no tolerance for "most users have it" - the assessor checks every user. Service accounts that cannot use MFA must be documented and isolated.

Does conditional-access MFA pass v3.3?

Conditional access ("require MFA unless trusted location") used to pass v3.2. Under v3.3, always-on MFA is the safer answer. Conditional access can pass if the trust policy is strict, but many assessors now require MFA on every sign-in.

Does MFA apply to admin accounts?

Yes, especially. Admin and privileged accounts must use MFA and it is often the single most important control. Use a hardware key or FIDO2 factor for admins where possible.


Technical controls and assessment

6 answers

What is the 14-day patching rule?

Any security update classified as "high" or "critical" by the vendor must be applied within 14 days of release. This applies to operating systems, applications, firmware, and internet-facing services. Monthly patching cycles do not meet v3.3.

Is Windows Defender acceptable for CE?

Yes. Windows Defender with tamper protection enabled is the most common malware protection for UK organisations certifying under CE. The assessor checks that it is enabled, updated, and that on-access scanning works.

Can we use a Mac for Cyber Essentials?

Yes. macOS is fully supported. Apple's built-in XProtect, Gatekeeper, and System Integrity Protection satisfy the malware-protection control. Ensure FileVault is on and the device is current.

Is Linux in scope?

If Linux endpoints or servers access organisational data, yes. The same five controls apply - firewall, secure configuration, access control, malware protection (ClamAV or equivalent), and patch management.

Do we need an EDR tool?

Not strictly. v3.3 requires malware protection, which Windows Defender meets. EDR (Defender for Business, CrowdStrike, SentinelOne) exceeds the bar and is common in MSP and enterprise contexts.

How often do you run vulnerability scans for CE Plus?

Once per audit cycle for Cyber Essentials Plus. The external scan targets public-facing IP addresses and domains, checks TLS configuration, looks for exposed management interfaces, and flags out-of-date services. Findings must be remediated before certification issue.


Government, procurement, and supply chain

5 answers

Is Cyber Essentials mandatory for UK government contracts?

Under PPN 014/21 it is required for central government contracts that handle sensitive or personal information. The specific requirement varies by contract; some require CE, some require CE Plus. Always check the bid documentation.

What is PPN 014/21?

UK Cabinet Office Procurement Policy Note 014/21 - the policy that mandates Cyber Essentials certification for central government contracts handling sensitive data. Suppliers must hold a valid certificate at the point of contract award.

Do private-sector buyers require Cyber Essentials?

Increasingly, yes. Large private-sector buyers (SJP, insurers, retailers, professional-services firms) require supplier CE certification as part of third-party risk management. Many require CE Plus for Tier 1 suppliers.

Does Cyber Essentials reduce cyber insurance premiums?

Yes, typically. Underwriters treat CE and CE Plus as evidence of a baseline cyber posture, and many reduce premiums by 10–25% for certified organisations. CE Plus carries more weight than CE.

Can our MSP get Cyber Essentials on our behalf?

Cyber Essentials is certified per organisation, not per MSP. Your MSP can manage the assessment and remediation, but your organisation signs the attestation and holds the certificate. Fig supports MSP-delivered CE on our multi-tenant platform.


About Fig Group

7 answers

Is Fig Group IASME-licensed?

Yes. Fig Group is an IASME-licensed Cyber Essentials Certification Body. The licence is 325cdf33-3812-4082-bf8d-7dce7ac02977. It is listed on the IASME directory and referenced from the trust evidence page and the footer of every page on figgroup.co.uk.

Where is Fig Group based?

London. Our registered office is at 167-169 Great Portland Street, 5th Floor, London W1W 5PF. Fig Group is registered in England and Wales as The Fig Group Limited, Company No. 16845978.

What is Fig Group's Companies House number?

The Fig Group Limited is registered at Companies House under number 16845978 and was incorporated on 10th November 2025. Full filings are public on gov.uk at find-and-update.company-information.service.gov.uk/company/16845978.

Who is Fig Group's Managing Director?

Jay Hopkins. He is an IASME-licensed Cyber Essentials and Cyber Assurance assessor. LinkedIn: linkedin.com/in/jayhopkins.

Does Fig Group only do Cyber Essentials?

No. Fig Group runs a connected compliance and resilience platform covering 65+ frameworks, plus Cyber Essentials and Defence Cyber Certification as IASME-licensed services. The platform serves MSPs and corporate risk teams.

Does Fig Group resell the platform to MSPs?

Yes. Fig Group's MSP model is white-label, multi-tenant, and includes Cyber Essentials reselling. Typical MSP margin uplift is 3–5x compared to delivering CE manually. See /msp.

Does Fig Group support DCC (Defence Cyber Certification)?

Yes. Fig Group is an IASME-licensed Defence Cyber Certification body at Level 0 and Level 1. See /defence-cyber-certification for MOD supplier readiness information.


Still have a question?

Speak to a Fig Group assessor or start the readiness checker. Average response in under 4 working hours.