SecurSentry
← All notes
Cyber Essentials

What Cyber Essentials Plus Actually Costs

A plain-English breakdown of what Cyber Essentials Plus costs a UK small business, and what makes one quote higher than another.

The short version

If you’ve started pricing up Cyber Essentials Plus, you’ve probably noticed the numbers jump around a lot. One quote says £1,400, another says £4,500, and most pages won’t tell you why. The honest answer is that “what it costs” depends on what you’re asking someone to test.

This page walks through the realistic all-in cost of Cyber Essentials Plus for a UK small business: the typical range, why it sits well above basic Cyber Essentials, and the handful of things that actually move your number up or down.

What’s the typical cost of Cyber Essentials Plus?

Most UK SMEs pay roughly £1,500 to £3,000 plus VAT for Cyber Essentials Plus, with larger or more complex setups going higher.

That range covers the bulk of small and medium businesses. A micro business of a handful of staff, all on similar laptops, tends to sit near the bottom. A 50-person firm spread across two offices with a mix of Windows and Mac machines sits nearer the top, and sometimes above it.

It helps to see where the money goes. There are two fees stacked on top of each other:

Plus always includes basic Cyber Essentials. You don’t pay for one instead of the other. You pay for the foundation, then for someone to come and check you’ve actually built it.

Where the published figures come from

The £1,500–£3,000 range reflects what UK certification bodies typically charge SMEs, and prices rise with the number of devices and the complexity of your network. The basic Cyber Essentials fee bands are set by IASME. Always get a written quote against your real scope before you budget — published "from" prices are a starting point, not your final number.

Why does Plus cost so much more than basic CE?

The jump in price buys you an independent human audit instead of a self-declaration.

Basic Cyber Essentials is a questionnaire. You answer how your security is set up, an assessor reviews your answers, and if it all stacks up, you’re certified. It’s a genuinely useful exercise, and it’s the right starting point for most businesses. But it rests on trust: nobody comes and checks the machines.

Cyber Essentials Plus removes that trust gap. A qualified, independent assessor takes a sample of your actual devices and tests them. They run vulnerability scans, check that security updates are genuinely applied, and confirm that protections like multi-factor authentication really work the way your self-assessment claims. Under the current v3.3 requirements, that sample is chosen to be representative of your whole estate, covering every operating system and device type, so you can’t just polish a couple of showpiece laptops and hope.

That hands-on testing takes assessor time, and skilled assessor time is the single biggest cost in Plus. You’re not paying for a bigger form. You’re paying for someone qualified to verify, with their own eyes, that the thing works.

Basic CE asks whether you’ve locked the doors. Plus sends someone round to try the handles.

For a fuller side-by-side of what each level involves, see our guide on Cyber Essentials vs Cyber Essentials Plus. If you only need the entry-level figure, our Cyber Essentials cost breakdown covers the basic certification on its own.

What actually moves the price up or down?

Four things drive most of the variation in a Plus quote: how many devices you have, how many locations, your operating-system mix, and how much you run in the cloud.

A certification body builds your quote around how much there is to test. The more varied and spread out your setup, the bigger the sample and the longer the audit.

There’s a quieter cost that doesn’t appear on the quote: remediation. If the assessor finds a device missing an update or a service without multi-factor authentication, you have to fix it before you pass. For a business that’s never tackled this before, getting the controls in place is often where most of the first-year effort actually lands.

The first year is the expensive one

Most of the work in Cyber Essentials Plus is one-off: tightening up devices, switching on multi-factor authentication, sorting your update routine. Once those controls are in place and holding, re-certifying the following year is far less effort. Treat year one as the build, and later years as upkeep.

How to keep the cost sensible

The cheapest route through Plus is a tidy, well-understood environment, not the lowest “from” price you can find.

A low headline quote means little if your devices aren’t ready, because every gap the assessor finds turns into remediation work and, sometimes, a re-test. A few practical moves keep the total down:

The businesses that find Plus painful are usually the ones that treat it as a single purchase. The ones that find it manageable treat it as a short project: get the controls in place, then book the audit once you’re genuinely ready.

At SecurSentry we’re building a compliance platform to take some of the guesswork out of exactly that — understanding what your frameworks ask of you, and getting the controls in place without the spreadsheet sprawl. For now, the most useful thing you can do is map your scope honestly and tackle the basics early. Get those right, and the Cyber Essentials Plus quote stops being a mystery and starts being a number you can plan for.

To understand the full scheme and where Plus fits, our Cyber Essentials pillar guide is the place to start.

Frequently asked questions

How much does Cyber Essentials Plus cost in the UK?

For most small UK businesses, Cyber Essentials Plus lands somewhere between £1,500 and £3,000 plus VAT. The figure depends on how many devices you have, how many sites and operating systems are in scope, and which certification body you use. Larger or more complex organisations can pay considerably more, because the assessor has more to test.

Why is Cyber Essentials Plus so much more expensive than basic Cyber Essentials?

Basic Cyber Essentials is a self-assessment that an assessor reviews, with the IASME fee starting at around £320 to £330 plus VAT depending on your size. Plus keeps all of that and adds an independent, hands-on technical audit. A qualified assessor actually tests a sample of your devices and runs vulnerability scans, which takes real assessor time. That human verification is what you're paying the extra for.

Is the Cyber Essentials Plus price a one-off or yearly?

Certification lasts twelve months, so the cost recurs each year if you want to stay certified. The good news is that the hardest work usually happens the first time round. Once your controls are in place and holding, later years are mostly about keeping them maintained and passing the audit again.

What hidden costs come with Cyber Essentials Plus?

The certification fee rarely tells the whole story. The common extras are remediation (fixing anything the assessor flags before you pass), any tooling you need to buy such as multi-factor authentication or device management, and the staff time to prepare your devices. Building these into your budget from the start avoids a nasty surprise mid-assessment.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min
Cyber Essentials

ISO 27001 for SMEs: Is It Worth It, And Can You Actually Afford It?

28 Jun 2026 · 6 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.