How to Choose a Cyber Essentials Certification Body
Cyber Essentials is awarded by IASME-licensed certification bodies. Here's how to pick one that fits how much help you actually need.
The short version
- Who certifies you: Cyber Essentials is awarded by certification bodies licensed by IASME, the scheme's official partner, not by the Government directly. IASME's network spans more than 400 bodies across the UK and Crown Dependencies.
- Two routes: a self-led route, where you complete the self-assessment yourself and an assessor marks it, or a supported route, where a certification body helps you through the questions first.
- What to weigh up: the level of support, whether they understand businesses like yours, and clear pricing that says exactly what is and isn't included.
- Before you commit: ask what happens if you fail a question, whether the same body can do Cyber Essentials Plus later, and how long their support lasts.
Cyber Essentials is the UK’s baseline security certification, and getting it is more straightforward than most small-business owners expect. But there’s one step that catches people out: you don’t get certified by the Government, or even directly by the people who run the scheme. You get certified by a certification body — and there are hundreds to pick from.
This guide explains how that model works, what your choices actually are, and the handful of questions worth asking before you hand anyone your card details. For the bigger picture of the scheme itself, see our Cyber Essentials pillar guide.
Who certifies you, and why it isn’t the Government
Cyber Essentials is run by IASME, the scheme’s official partner, but your certificate is issued by a separate company that IASME has licensed to do the assessing.
The structure has three layers. The National Cyber Security Centre owns the scheme. IASME runs it as the appointed Cyber Essentials Partner. And the actual marking — the bit where someone reads your answers and decides whether you pass — is done by a certification body. These are independent cyber security companies that IASME trains, licenses and keeps an eye on. There are more than 400 of them spread across the UK and the Crown Dependencies.
That layered setup is a feature, not red tape. It means the standard stays consistent, because every licensed body assesses against the exact same requirements, while you still get to choose a provider who suits how you like to work. The certificate you’d receive from one body is identical to the certificate from another. What changes is everything around it.
The certificate is the same. The experience isn't.
Because every certification body marks against identical IASME criteria, you're not shopping for a "better" certificate. You're shopping for the right level of help, a body that gets businesses like yours, and pricing you can actually understand.
The two routes: self-led or supported
You can either complete the self-assessment yourself and have an assessor mark it, or pay a certification body to guide you through the questions first.
On the self-led route, you register, complete the verified self-assessment questionnaire, get a board member or equivalent to sign it off, and then submit it. A qualified assessor reviews your answers and, if everything’s in order, issues the certificate. IASME publishes free resources, including a Readiness Tool and a Knowledge Hub, so you can prepare without paying for hand-holding. This route suits people who are comfortable with the questions and have a reasonable handle on their own IT.
On the supported route, a certification body works alongside you before you submit. They help you understand what each question is really asking and how it maps onto your particular setup: which servers you run, which laptops your team uses, how people log in. The questions are written in plain-ish English, but “plain-ish” still trips people up when they’re not sure whether their cloud accounts count, or what “secure configuration” means for their specific kit.
Neither route is the “correct” one. The self-led route rewards confidence and a tidy setup; the supported route buys you a guide for the bits where the wording and your real-world systems don’t obviously line up.
Most certification bodies bundle support and assessment into a package, and IASME itself advises comparing a few before you commit, because those packages vary a lot. One body’s “support” might be a single phone call. Another’s might be someone reviewing a draft of your answers. Always read what’s included.
What to look for in a certification body
Three things separate a good fit from a frustrating one: the support level, sector understanding, and pricing you can read without a decoder ring.
Support level. Be honest about how much help you need. If your “IT department” is you and a contractor you call when the printer dies, a body that only marks submissions will leave you guessing. If you’ve got a capable in-house person, paying for heavy support is money you didn’t need to spend. Match the package to your reality, not to your nerves.
Sector experience. A certification body that regularly works with businesses your size and shape will spot the things that catch out a dental practice, a small architecture firm or a 12-person agency. They’ve seen your edge cases before. You don’t need a sector specialist, but a body that draws a blank when you describe your setup is a small warning sign.
Price transparency. This is where the differences bite. A clear quote tells you exactly what you’re paying for: the assessment, any support, what happens if you fail a question and need to resubmit, and whether Cyber Essentials Plus is priced separately. A vague “from £X” with no detail about resubmissions or support hours is the kind of thing you only understand once the invoice lands. For a fuller breakdown of the numbers involved, see our guide to Cyber Essentials cost.
The questions to ask before you commit
A few specific questions will tell you more about a certification body than any amount of marketing copy.
Before you pay anyone, ask:
- What happens if I fail a question? Some bodies give you a window to fix the issue and resubmit at no extra cost. Others charge for a fresh attempt. This matters more than almost anything else, because first-time passes aren’t guaranteed.
- What exactly is in the support package? Get it in writing. “Support” can mean a self-serve portal or a named person who reviews your draft. The gap between those two is enormous.
- Can you do Cyber Essentials Plus as well? Plus adds a technical audit, and only some assessors are qualified to run it. If Plus is on your horizon, knowing now saves you switching providers later.
- How long does your support last? Certification lasts a year before you need to renew. A body that helps you this time and is still there next time is worth more than a one-off transaction.
- How quickly do you typically mark a submission? If you’ve got a contract or tender deadline, turnaround time is part of the decision, not an afterthought.
A quick sanity check
If a certification body can't give you a straight answer on resubmission costs and what's in their support package, that's useful information in itself. The bodies worth your money tend to be the ones happy to spell out exactly what you're buying.
Where this fits in getting certified
Choosing a certification body is one decision inside the wider job of getting ready, completing the self-assessment, and submitting it.
It’s worth doing the prep work before you pick a body, not after. Once you’ve looked honestly at your firewalls, your access controls, your software updates and the rest, you’ll have a far clearer sense of whether you need the supported route or can manage self-led. That, in turn, tells you which kind of body to approach. Our walkthrough on how to get Cyber Essentials certified covers that preparation step by step.
At SecurSentry we’re building tools to help UK small businesses get the underlying controls in place and stay on top of them year-round, the work that makes the certification itself the easy part. The scheme is deliberately designed so that a well-prepared small business can get certified without a security background. The certification body you choose should make that feel even more achievable, not less. Take your time, compare a few, and pick the one that answers your questions plainly.