Cyber Essentials Cost by UK Region - Ayrshire to Zetland
Does location affect your Cyber Essentials cost? Short answer: no, but regional consultancy markets vary. This guide explains actual UK pricing and what regional "local" providers really add.
Section 01
Cyber Essentials Cost by UK Region - Ayrshire to Zetland
A search for "Cyber Essentials cost Ayrshire" or "Cyber Essentials cost Manchester" suggests there should be a regional answer. There almost isn't one. Cyber Essentials is a national scheme operated by IASME under licence from the National Cyber Security Centre. IASME's standard certification-body fee baseline is national, not regional. What varies is the customer price each certification body chooses to publish - and even that varies less than the regional Google searches imply.
This guide explains the actual structure of Cyber Essentials pricing in 2026, where genuine regional differences exist, and when picking a "local" provider adds value (mostly: Cyber Essentials Plus device audits in remote locations) versus when it does not (basically: everything else).
Section 02
The national fee baseline
The standard IASME certification-body fee baseline for Cyber Essentials in 2026 is structured by organisation size. The size bands and public baseline figures are:
- Micro (1-9 staff): £320
- Small (10-49 staff): £440
- Medium (50-249 staff): £555
- Large (250+ staff): £730
Certification bodies set their own customer prices around that baseline. Many price at or above it; a smaller number publish below it where their operating model can support the lower headline price.
Fig's published pricing - Micro £299.99, Small £399.99, Medium £449.99, Large £549.99 - sits below the standard IASME certification-body fee baseline. The point here is not the marketing; it is that the benchmark is national and the regional variation in headline price is much smaller than the regional Google results would suggest.
Section 03
Regional price observations 2026
Across the UK certification body market in early 2026, here is the pattern we see for a Micro (1-9 staff) certificate:
- London-based bodies: £350-£550 (median around £450).
- Manchester / North West: £325-£500 (median around £400).
- Birmingham / Midlands: £325-£475 (median around £400).
- Glasgow / Edinburgh: £325-£475 (median around £390).
- Cardiff / South Wales: £325-£450 (median around £385).
- Belfast / Northern Ireland: £350-£500 (median around £425).
- Ayrshire and other rural locations: typically served by national providers; pricing matches whichever national body the local consultant has chosen to partner with.
The pattern: London bodies trade at a small premium for marketing reasons; everywhere else lands within a tight band. The largest single price predictor is not geography but whether the body is a small regional consultancy adding margin on top of a partner certification body, or a vertically-integrated national body issuing certificates directly.
Section 04
When does location actually matter?
For the base-level Cyber Essentials self-assessment, location does not matter at all. The submission is filled in via the IASME Willow web portal, the assessor reviews it remotely, and the certificate is delivered as a PDF. There is no in-person component.
For Cyber Essentials Plus - which adds an external technical audit - location matters in two narrow scenarios:
Device collection. The Plus audit requires sample devices to be tested. Most certification bodies now do this remotely: the auditor sends a tested vulnerability scanner agent that the device user installs, runs a controlled session, and uploads the results. A minority still prefer to collect physical devices. If you are working with one of the latter, geography matters.
On-premise infrastructure. If your scope includes on-premise servers or a physical network, the auditor will need access. Remote access via the auditor's dial-in or screen-share covers most cases; a small number of legacy estates require an in-person visit.
For both Plus scenarios, you can simply ask the certification body in advance whether they work remotely. The major national bodies (Fig included) operate Plus audits remotely in 95% of engagements.
Section 05
"Local" consultancy versus national certification body
The other thing the regional searches surface is local consultancy firms that will help you prepare for Cyber Essentials but do not issue the certificate themselves. The pattern is: the consultant does the prep work, then submits to a national IASME-licensed body, and bills you for both their time and the certification body fee.
This is a legitimate model - particularly useful if you need significant remediation hand-holding - but it is materially more expensive than going direct to a vertically-integrated body. Expect to pay two to three times the headline certificate cost when you factor in the consultant's day rate.
If your estate is in good shape and you mainly need the certificate, going direct to a national body is dramatically cheaper. If your estate is a mess and you need someone to manage the remediation, the consultant model can be worth it - but check that the consultant is itself Cyber Essentials certified and ask which national body they will submit to.
Section 06
Fig's transparent national pricing
Fig publishes its pricing nationally - the same in Ayrshire, Cardiff, London, and Belfast - and operates entirely remotely. The published prices are below the standard IASME certification-body fee baseline for the corresponding size bands, with three free re-submissions inside the 30-day window included as standard.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.