What Cyber Essentials Plus Actually Costs
A plain-English breakdown of what Cyber Essentials Plus costs a UK small business, and what makes one quote higher than another.
The short version
- Typical range: Most UK SMEs pay around £1,500 to £3,000 plus VAT for Cyber Essentials Plus, with bigger or more complex setups going higher.
- Why it costs more than basic CE: Plus adds a hands-on audit where an independent assessor tests a sample of your real devices, rather than trusting your self-assessment alone.
- What moves the price: Your number of devices, separate locations, mix of operating systems, and how much you run in the cloud all push the figure up or down.
- Mind the extras: The certification fee is only part of it. Budget for fixing whatever the assessor finds, plus any tooling and staff time.
If you’ve started pricing up Cyber Essentials Plus, you’ve probably noticed the numbers jump around a lot. One quote says £1,400, another says £4,500, and most pages won’t tell you why. The honest answer is that “what it costs” depends on what you’re asking someone to test.
This page walks through the realistic all-in cost of Cyber Essentials Plus for a UK small business: the typical range, why it sits well above basic Cyber Essentials, and the handful of things that actually move your number up or down.
What’s the typical cost of Cyber Essentials Plus?
Most UK SMEs pay roughly £1,500 to £3,000 plus VAT for Cyber Essentials Plus, with larger or more complex setups going higher.
That range covers the bulk of small and medium businesses. A micro business of a handful of staff, all on similar laptops, tends to sit near the bottom. A 50-person firm spread across two offices with a mix of Windows and Mac machines sits nearer the top, and sometimes above it.
It helps to see where the money goes. There are two fees stacked on top of each other:
- The basic Cyber Essentials fee, paid to IASME (the body that runs the scheme for the NCSC), priced by your size. It starts at around £320 to £330 plus VAT for the smallest organisations and rises in bands from there.
- The Plus audit fee, paid to a certification body for the hands-on testing. This is the larger of the two, and it’s the part that varies most.
Plus always includes basic Cyber Essentials. You don’t pay for one instead of the other. You pay for the foundation, then for someone to come and check you’ve actually built it.
Where the published figures come from
The £1,500–£3,000 range reflects what UK certification bodies typically charge SMEs, and prices rise with the number of devices and the complexity of your network. The basic Cyber Essentials fee bands are set by IASME. Always get a written quote against your real scope before you budget — published "from" prices are a starting point, not your final number.
Why does Plus cost so much more than basic CE?
The jump in price buys you an independent human audit instead of a self-declaration.
Basic Cyber Essentials is a questionnaire. You answer how your security is set up, an assessor reviews your answers, and if it all stacks up, you’re certified. It’s a genuinely useful exercise, and it’s the right starting point for most businesses. But it rests on trust: nobody comes and checks the machines.
Cyber Essentials Plus removes that trust gap. A qualified, independent assessor takes a sample of your actual devices and tests them. They run vulnerability scans, check that security updates are genuinely applied, and confirm that protections like multi-factor authentication really work the way your self-assessment claims. Under the current v3.3 requirements, that sample is chosen to be representative of your whole estate, covering every operating system and device type, so you can’t just polish a couple of showpiece laptops and hope.
That hands-on testing takes assessor time, and skilled assessor time is the single biggest cost in Plus. You’re not paying for a bigger form. You’re paying for someone qualified to verify, with their own eyes, that the thing works.
Basic CE asks whether you’ve locked the doors. Plus sends someone round to try the handles.
For a fuller side-by-side of what each level involves, see our guide on Cyber Essentials vs Cyber Essentials Plus. If you only need the entry-level figure, our Cyber Essentials cost breakdown covers the basic certification on its own.
What actually moves the price up or down?
Four things drive most of the variation in a Plus quote: how many devices you have, how many locations, your operating-system mix, and how much you run in the cloud.
A certification body builds your quote around how much there is to test. The more varied and spread out your setup, the bigger the sample and the longer the audit.
- Number of devices. More laptops, desktops, and servers in scope means a larger sample and more testing time. This is usually the biggest single lever.
- Separate locations. A business on one site is simpler than the same headcount split across three offices, especially if assessors need to reach machines in each.
- Operating-system mix. An all-Windows estate is quicker to test than a blend of Windows, macOS, and Linux, because the assessor checks each platform’s controls separately.
- Cloud complexity. Plenty of cloud services, multiple identity setups, or a sprawl of admin accounts all add checks. A clean, well-organised cloud setup keeps the audit tighter.
There’s a quieter cost that doesn’t appear on the quote: remediation. If the assessor finds a device missing an update or a service without multi-factor authentication, you have to fix it before you pass. For a business that’s never tackled this before, getting the controls in place is often where most of the first-year effort actually lands.
The first year is the expensive one
Most of the work in Cyber Essentials Plus is one-off: tightening up devices, switching on multi-factor authentication, sorting your update routine. Once those controls are in place and holding, re-certifying the following year is far less effort. Treat year one as the build, and later years as upkeep.
How to keep the cost sensible
The cheapest route through Plus is a tidy, well-understood environment, not the lowest “from” price you can find.
A low headline quote means little if your devices aren’t ready, because every gap the assessor finds turns into remediation work and, sometimes, a re-test. A few practical moves keep the total down:
- Know your scope before you ask for quotes. Count your devices, list your locations, and note your operating systems. A clear scope gets you accurate quotes instead of optimistic ones.
- Do the basics first. Get updates flowing, multi-factor authentication switched on, and old accounts removed before the audit. Fixing these on your own schedule is cheaper than fixing them against the assessor’s clock.
- Pick a certification body that explains its pricing. A quote that shows what’s driving the figure is easier to trust, and easier to plan around, than a flat number with no working.
- Budget for the extras. Set aside something for remediation and any tooling. A first-year total well above the bare certification fee is normal, not a sign you’re being overcharged.
The businesses that find Plus painful are usually the ones that treat it as a single purchase. The ones that find it manageable treat it as a short project: get the controls in place, then book the audit once you’re genuinely ready.
At SecurSentry we’re building a compliance platform to take some of the guesswork out of exactly that — understanding what your frameworks ask of you, and getting the controls in place without the spreadsheet sprawl. For now, the most useful thing you can do is map your scope honestly and tackle the basics early. Get those right, and the Cyber Essentials Plus quote stops being a mystery and starts being a number you can plan for.
To understand the full scheme and where Plus fits, our Cyber Essentials pillar guide is the place to start.