Short answer
L0 is a documentation-led review of a constrained requirement set; the work is predictable. L1 involves scoping, evidence preparation, consultant engagement, platform gap analysis, formal assessment, and remediation support - and the last four scale materially with organisation complexity. We publish the ranges and name the drivers openly rather than quoting bespoke numbers.
Why this matters
This question affects how buyers compare Cyber Essentials with broader assurance schemes. Cyber Essentials is a baseline technical certification, so the useful answer is not only what the scheme is called, but what it proves, who administers it, and when a buyer should ask for Cyber Essentials Plus or a wider framework such as ISO 27001.
For procurement teams, the practical test is whether the certificate covers the organisation and scope named in the contract. For applicants, the practical test is whether the five technical controls are implemented across the devices, users, networks, and cloud services that access organisational data.
What to check next
- Confirm the certificate holder and scope match the buyer requirement.
- Check whether the contract asks for Cyber Essentials or Cyber Essentials Plus.
- Use the NCSC register to verify a certificate before relying on it.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.