UK Cyber Essentials Certification Bodies Compared (2026)

There are around 250 IASME-licensed Cyber Essentials certification bodies operating in the UK at any time. They all issue the same certificate, against the same question set, under the same licence terms. What separates them is price, turnaround time, the tooling they expect you to use, the depth of their assessor bench, and whether they specialise in any particular sector.

This guide explains the structure of the certification body market, the seven dimensions worth comparing, and how to evaluate a shortlist. It does not name competitors directly - that is not a useful or fair exercise to publish - but it gives you the framework to do the comparison yourself.

Cyber Essentials is owned by the National Cyber Security Centre (NCSC), part of GCHQ. Day-to-day delivery - assessor training, the question set, the Willow assessment portal, and the certification body licensing scheme - is operated by the Information Assurance for Small and Medium Enterprises consortium (IASME) under licence from NCSC.

Certification bodies sit one layer below IASME. They are independent commercial firms that have passed IASME's assessor training, signed the licence agreement, and operate within the Cyber Essentials certification-body scheme. They are the entity you actually contract with, the entity that does the assessor work, and the entity that issues your certificate. Anyone telling you they are an "IASME-accredited assessor" without naming a specific certification body is either themselves a certification body (and just not using the term) or working as a sub-contractor to one.

The IASME directory at iasme.co.uk lists every current certification body. Always cross-check a body against that list before contracting.

These are the dimensions that actually matter when you are choosing between certification bodies.

Price. The standard IASME certification-body fee baseline gives buyers a public benchmark: Micro £320, Small £440, Medium £555, Large £730. Many bodies price at or above that baseline once service margin, consultancy, and re-submission policies are included. Fig publishes below that baseline at every tier because the assessment workflow is software-first and remote.

Turnaround SLA. The IASME licence allows up to 14 working days for assessor review. Good bodies commit to materially less. Fast bodies commit to single working days; the fastest commit to single-digit hours. If turnaround matters (because you have a procurement deadline), get the SLA in writing with a contractual remedy if missed.

Free re-submission policy. IASME allows two re-submissions inside 30 days of original submission. Some bodies pass that allowance straight through; some include three; some include only one and charge for the others. The policy is rarely on the body's website - ask before contracting.

Tooling. Some bodies issue you a PDF question set and expect you to fill it in. Others operate a guided web application that walks you through the questions, validates as you go, and captures evidence inline. The guided model dramatically reduces the time you spend on submission and the rate of clarification questions afterwards.

Assessor bench depth. A body with five assessors will struggle if two go on leave the same week. A body with thirty assessors will not. For routine engagements this rarely matters; for tight deadlines or busy seasonal periods (calendar year-end, fiscal year-end, network compliance deadlines), it matters a lot.

Sector specialism. Some bodies specialise in defence supply chain, some in financial services, some in MSP partner channels, some in education. A specialist body will be quicker on the scoping conversation because they have seen your estate type a hundred times before.

Geographic reach for Plus. For Cyber Essentials Plus engagements, the body has to deliver an external technical audit. Most bodies operate Plus remotely; a few still prefer on-site visits. For multi-site or international estates, ask about coverage explicitly.

When you have a shortlist of three to five bodies, the cleanest way to compare them is to ask each the same six questions and compare the answers.

1. What is the all-in price for our size band, including the Plus audit if we choose to add it later?

2. What is the SLA from clean submission to certificate issuance, in writing?

3. How many free re-submissions do we get, and within what window?

4. Do you operate a guided submission tool, or do we fill in a PDF question set?

5. How many qualified assessors are on your bench, and what is the typical wait for an assessor to be assigned to a new engagement?

6. Do you have prior experience with our specific scenario - sector, estate size, scope complexity?

Compare the answers side-by-side. The differentiation will become obvious quickly.

A few things consume disproportionate decision-making time without actually mattering much.

The certificate itself. Every certification body issues the same certificate, signed by IASME, recognised by the NCSC. The certificate from a small consultancy and the certificate from a large national body are formally identical. The differentiator is what happens around the certificate, not the certificate itself.

The body's marketing tone. Some bodies adopt a stern enterprise tone, some are visibly small-business-focused, some lean into MSP partner language. Pick whichever you find legible to read; the underlying scheme is the same.

ISO 27001 stack credentials. Some bodies are also ISO 27001 certification bodies. This is a separate accreditation (UKAS) and does not improve their Cyber Essentials work. It only matters if you are also planning to certify against ISO 27001 with the same provider.

For full transparency, here is where Fig Group sits on each of the seven dimensions.

• Price: Below the standard IASME certification-body fee baseline in every size band (Micro £299.99, Small £399.99, Medium £449.99, Large £549.99). Plus from £1,499.
• Turnaround SLA: Six hours from clean submission to certificate, contractually committed.
• Free re-submissions: Three within the 30-day window, included by default.
• Tooling: Vertically-integrated guided submission tool with inline evidence capture and section-by-section validation.
• Assessor bench: Multiple qualified assessors with continuous IASME oversight; a single dedicated assessor is assigned per engagement.
• Sector specialism: Strong in MSP partner channels, financial services (including SJP partner network), and small-to-mid market technology firms.
• Geographic reach for Plus: Fully remote across the UK, with two scoped remote-audit methodologies for distributed estates.

The published prices, the turnaround SLA, and the re-submission policy are on the pricing page and the underlying terms.

If you are evaluating certification bodies, the IASME directory is the right starting point and the six-question framework above is the cleanest way to compare. If you would like to add Fig to the shortlist, pricing is published here and an assessor is available for a 20-minute scoping call.

See Fig's published pricing → | Talk to an assessor → | Start the free readiness check →