SecurSentry
← All notes
Cyber Essentials

How to Choose a Cyber Essentials Certification Body

Cyber Essentials is awarded by IASME-licensed certification bodies. Here's how to pick one that fits how much help you actually need.

The short version

Cyber Essentials is the UK’s baseline security certification, and getting it is more straightforward than most small-business owners expect. But there’s one step that catches people out: you don’t get certified by the Government, or even directly by the people who run the scheme. You get certified by a certification body — and there are hundreds to pick from.

This guide explains how that model works, what your choices actually are, and the handful of questions worth asking before you hand anyone your card details. For the bigger picture of the scheme itself, see our Cyber Essentials pillar guide.

Who certifies you, and why it isn’t the Government

Cyber Essentials is run by IASME, the scheme’s official partner, but your certificate is issued by a separate company that IASME has licensed to do the assessing.

The structure has three layers. The National Cyber Security Centre owns the scheme. IASME runs it as the appointed Cyber Essentials Partner. And the actual marking — the bit where someone reads your answers and decides whether you pass — is done by a certification body. These are independent cyber security companies that IASME trains, licenses and keeps an eye on. There are more than 400 of them spread across the UK and the Crown Dependencies.

That layered setup is a feature, not red tape. It means the standard stays consistent, because every licensed body assesses against the exact same requirements, while you still get to choose a provider who suits how you like to work. The certificate you’d receive from one body is identical to the certificate from another. What changes is everything around it.

The certificate is the same. The experience isn't.

Because every certification body marks against identical IASME criteria, you're not shopping for a "better" certificate. You're shopping for the right level of help, a body that gets businesses like yours, and pricing you can actually understand.

The two routes: self-led or supported

You can either complete the self-assessment yourself and have an assessor mark it, or pay a certification body to guide you through the questions first.

On the self-led route, you register, complete the verified self-assessment questionnaire, get a board member or equivalent to sign it off, and then submit it. A qualified assessor reviews your answers and, if everything’s in order, issues the certificate. IASME publishes free resources, including a Readiness Tool and a Knowledge Hub, so you can prepare without paying for hand-holding. This route suits people who are comfortable with the questions and have a reasonable handle on their own IT.

On the supported route, a certification body works alongside you before you submit. They help you understand what each question is really asking and how it maps onto your particular setup: which servers you run, which laptops your team uses, how people log in. The questions are written in plain-ish English, but “plain-ish” still trips people up when they’re not sure whether their cloud accounts count, or what “secure configuration” means for their specific kit.

Neither route is the “correct” one. The self-led route rewards confidence and a tidy setup; the supported route buys you a guide for the bits where the wording and your real-world systems don’t obviously line up.

Most certification bodies bundle support and assessment into a package, and IASME itself advises comparing a few before you commit, because those packages vary a lot. One body’s “support” might be a single phone call. Another’s might be someone reviewing a draft of your answers. Always read what’s included.

What to look for in a certification body

Three things separate a good fit from a frustrating one: the support level, sector understanding, and pricing you can read without a decoder ring.

Support level. Be honest about how much help you need. If your “IT department” is you and a contractor you call when the printer dies, a body that only marks submissions will leave you guessing. If you’ve got a capable in-house person, paying for heavy support is money you didn’t need to spend. Match the package to your reality, not to your nerves.

Sector experience. A certification body that regularly works with businesses your size and shape will spot the things that catch out a dental practice, a small architecture firm or a 12-person agency. They’ve seen your edge cases before. You don’t need a sector specialist, but a body that draws a blank when you describe your setup is a small warning sign.

Price transparency. This is where the differences bite. A clear quote tells you exactly what you’re paying for: the assessment, any support, what happens if you fail a question and need to resubmit, and whether Cyber Essentials Plus is priced separately. A vague “from £X” with no detail about resubmissions or support hours is the kind of thing you only understand once the invoice lands. For a fuller breakdown of the numbers involved, see our guide to Cyber Essentials cost.

The questions to ask before you commit

A few specific questions will tell you more about a certification body than any amount of marketing copy.

Before you pay anyone, ask:

A quick sanity check

If a certification body can't give you a straight answer on resubmission costs and what's in their support package, that's useful information in itself. The bodies worth your money tend to be the ones happy to spell out exactly what you're buying.

Where this fits in getting certified

Choosing a certification body is one decision inside the wider job of getting ready, completing the self-assessment, and submitting it.

It’s worth doing the prep work before you pick a body, not after. Once you’ve looked honestly at your firewalls, your access controls, your software updates and the rest, you’ll have a far clearer sense of whether you need the supported route or can manage self-led. That, in turn, tells you which kind of body to approach. Our walkthrough on how to get Cyber Essentials certified covers that preparation step by step.

At SecurSentry we’re building tools to help UK small businesses get the underlying controls in place and stay on top of them year-round, the work that makes the certification itself the easy part. The scheme is deliberately designed so that a well-prepared small business can get certified without a security background. The certification body you choose should make that feel even more achievable, not less. Take your time, compare a few, and pick the one that answers your questions plainly.

Frequently asked questions

Who actually issues a Cyber Essentials certificate?

A certification body issues it: a cyber security company licensed by IASME, the organisation that runs Cyber Essentials on behalf of the National Cyber Security Centre. The certification body employs trained, licensed assessors who review your answers and award the certificate if you meet the requirements. There are more than 400 of these bodies across the UK and Crown Dependencies, so you have plenty of choice.

What's the difference between a self-led and a supported route?

On the self-led route you complete the verified self-assessment yourself using free resources, then submit it for an assessor to mark. On the supported route, a certification body works alongside you, helping you understand what each question means for your business before you submit. The supported route usually costs more but reduces the chance of a surprise during marking.

Does it matter which certification body I choose?

The certificate itself is the same wherever you get it. Every licensed body assesses against the identical IASME requirements. What differs is the support package wrapped around the assessment, how well they understand your sector, and how clearly they price the work. So choose on fit and clarity rather than the certificate, because the standard doesn't change between providers.

Can the same certification body do Cyber Essentials Plus?

Sometimes, but not always. Cyber Essentials Plus adds a hands-on technical audit, and only some assessors hold the extra qualification to carry it out. If you think you'll want Plus down the line, it's worth asking up front whether the body can take you all the way, so you don't have to switch providers partway through.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min
Cyber Essentials

ISO 27001 for SMEs: Is It Worth It, And Can You Actually Afford It?

28 Jun 2026 · 6 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.