
Cyber Essentials Plus Cost UK 2026 - Full Pricing Breakdown

Cyber Essentials Plus adds an external technical audit to your CE self-assessment. Here is the full 2026 UK pricing breakdown by organisation size, plus what the audit actually tests.

Author: Jay Hopkins

Editor: Jack Wickham

Read time: 6 min read


Section 01

Cyber Essentials Plus adds an external technical audit to the self-assessed Cyber Essentials base level. The audit is what the procurement teams, insurers, and institutional clients actually want; the base level on its own is increasingly treated as the table-stakes prerequisite. So when an executive asks "what does Cyber Essentials cost?" they almost always mean Plus.

This guide gives the full UK 2026 pricing breakdown, explains what the technical audit covers and why it costs materially more than the base level, and walks through the things that move the price up or down within each size band.

Section 02

Plus pricing by organisation size (2026)

Fig's published 2026 prices for Cyber Essentials Plus, all ex-VAT and inclusive of the base-level certificate that Plus sits on top of:

  • Micro (1-9 staff): £1,499
  • Small (10-49 staff): £1,999
  • Medium (50-249 staff): £2,999
  • Large (250+ staff): £4,499

The market range across IASME-licensed bodies for the same size bands is roughly £1,500 to £3,500 (Micro), £2,000 to £4,500 (Small), £3,000 to £6,500 (Medium), and £4,500 to £9,500 (Large). The wide spread reflects the auditor's billable time more than any difference in rigour - IASME audit methodology is standardised across all licensed bodies.

The price always includes the base-level Cyber Essentials certificate. You do not pay for the base level separately if you are going for Plus; the £1,499 Micro figure is the all-in number.

Section 03

What the external technical audit covers

The Plus audit is a structured, methodology-led check that the controls you self-assessed at the base level actually work. It has four components.

External vulnerability scan. The auditor scans your internet-facing IP ranges and authenticated cloud services for known vulnerabilities. The scan uses a CVSS-scored vulnerability scanner (typically Nessus, Qualys, or an equivalent), and any high-severity finding requires remediation before the certificate issues. The objective is to confirm that your perimeter does not expose anything that could be exploited.

Authenticated device scan. A sample of in-scope devices - typically 10% of the estate, with a minimum of one device per platform (Windows desktop, Windows server, macOS, mobile) and one device per location for distributed estates - is scanned with the scanner running as an authenticated user. This catches missing patches, unsupported software, and configuration drift on individual machines.

Phishing simulation. A controlled simulated phishing email is sent to a sample of users to verify that the email security gateway and the user awareness controls hold up.

Configuration review. The auditor reviews your firewall ruleset, your MFA enforcement evidence, and your account separation evidence (administrator versus standard user accounts). This is largely a desk exercise but verifies the claims you made in the base-level submission.

The remediation window is typically 30 days. High-severity findings must be fixed and re-tested before the certificate issues; low-severity findings can be accepted with risk acknowledgement.
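The sampling and severity rules above are easy to apply by hand for a nine-laptop estate and error-prone for anything larger. The script below is an added example (not from the article, and not Fig's or IASME's tooling): it applies the sampling rule as the article states it to a constructed asset register and splits constructed scan findings into certificate-blocking and risk-acceptable sets. Two assumptions are not on the page and are labelled in the code: "high-severity" is read as a CVSS v3 base score of 7.0 or above, and where the per-platform and per-location minimums leave the sample short of 10%, the sample is topped up in register order. Device names, locations and finding identifiers are all constructed placeholders.

```python
"""Pre-audit readiness helper for a Cyber Essentials Plus engagement.

Added example, not Fig's or IASME's own tooling. It applies the sampling rule
described in the article (10% of the estate, minimum one device per platform
and one per location) to a constructed asset register, and triages scan
findings by CVSS score.

Assumptions not stated on the page:
  - "high-severity" is taken to mean CVSS v3 base score >= 7.0;
  - when the per-platform / per-location minimums do not reach 10% of the
    estate, the sample is topped up in asset-register order.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

CVSS_HIGH_THRESHOLD = 7.0  # assumption: "high-severity" == CVSS >= 7.0
SAMPLE_FRACTION = 0.10     # article: typically 10% of the in-scope estate


@dataclass(frozen=True)
class Device:
    name: str
    platform: str   # e.g. "windows-desktop", "windows-server", "macos", "mobile"
    location: str


@dataclass(frozen=True)
class Finding:
    device: str
    finding_id: str  # constructed placeholder, not a real CVE identifier
    cvss: float


def select_sample(devices: list[Device]) -> list[Device]:
    """Choose devices for the authenticated scan.

    Pass 1 guarantees at least one device per platform and per location.
    Pass 2 tops the sample up (in register order) until it is at least
    10% of the estate, rounded up.
    """
    chosen: dict[str, Device] = {}
    seen_platforms: set[str] = set()
    seen_locations: set[str] = set()
    for d in devices:
        if d.platform not in seen_platforms or d.location not in seen_locations:
            chosen[d.name] = d
            seen_platforms.add(d.platform)
            seen_locations.add(d.location)
    target = math.ceil(len(devices) * SAMPLE_FRACTION)
    for d in devices:
        if len(chosen) >= target:
            break
        chosen.setdefault(d.name, d)
    return list(chosen.values())


def triage(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Split findings into (blocking, acceptable-with-risk-acknowledgement)."""
    blocking = [f for f in findings if f.cvss >= CVSS_HIGH_THRESHOLD]
    acceptable = [f for f in findings if f.cvss < CVSS_HIGH_THRESHOLD]
    return blocking, acceptable


def certificate_can_issue(findings: list[Finding]) -> bool:
    """True only when no high-severity finding remains open."""
    return not triage(findings)[0]


# Constructed asset register: 12 in-scope devices across two sites.
REGISTER = (
    [Device(f"lon-wd-{i:02d}", "windows-desktop", "London") for i in range(1, 7)]
    + [Device("lon-srv-01", "windows-server", "London"),
       Device("lon-srv-02", "windows-server", "London"),
       Device("lon-mac-01", "macos", "London"),
       Device("lon-mac-02", "macos", "London"),
       Device("man-mob-01", "mobile", "Manchester"),
       Device("man-mob-02", "mobile", "Manchester")]
)

# Constructed findings from the authenticated scan (placeholder identifiers).
FINDINGS = [
    Finding("lon-wd-03", "PLACEHOLDER-0001", 8.1),  # missing OS patch: blocks issue
    Finding("lon-srv-01", "PLACEHOLDER-0002", 5.3), # medium: risk acknowledgement
    Finding("lon-mac-02", "PLACEHOLDER-0003", 3.1), # low: risk acknowledgement
]

if __name__ == "__main__":
    sample = select_sample(REGISTER)
    print(f"Sample {len(sample)} of {len(REGISTER)} devices:",
          ", ".join(d.name for d in sample))
    blocking, acceptable = triage(FINDINGS)
    print("Blocking:", [f.finding_id for f in blocking])
    print("Acceptable with sign-off:", [f.finding_id for f in acceptable])
    print("Certificate can issue:", certificate_can_issue(FINDINGS))
```

Run it before the engagement against your real register and the pre-scan output from your own scanner: if `select_sample` returns more devices than you expected, that is the estate-diversity and multi-site effect the pricing sections describe, and every entry in the blocking list is a remediation cycle you can close before the auditor arrives.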

Section 04

Why Plus costs five times more than the base level

The base-level certificate is a self-assessment with assessor review of the answers. Plus adds materially more work.

Qualified assessor time. The audit requires a qualified assessor, with assessor training and ongoing IASME oversight, allocated to your engagement for the duration of the audit. For a Micro estate, this is typically half a day to a full day of senior time; for a Large estate, several days.

Scan tooling and licences. Vulnerability scanner licences, phishing simulation tooling, and the supporting infrastructure cost the certification body real money per audit. These costs are amortised across the engagements.

Remediation cycles. Most engagements require at least one round of remediation. The auditor's time across remediation cycles is included in the published price, but the time is non-trivial.

Evidence package production. The Plus audit produces a formal evidence package that you can hand to clients, insurers, and the regulator. Producing that package - with scan reports, configuration evidence, and the auditor's attestation - takes assessor time.

The five-fold multiplier from base level to Plus is consistent across the market. Bodies pricing Plus at less than three times the base level should be questioned about scope.

Section 05

What pushes the price up within a size band

Three things move the price up within a band, regardless of the headcount.

Estate diversity. A Micro estate of nine identical Windows laptops scans much faster than a Micro estate of three Windows machines, two Macs, and four Linux servers. Several platforms mean several scan profiles and a longer audit.

Geographic distribution. A multi-site estate generally requires a sample device per location for the authenticated scan. More locations means more devices and more time.

Out-of-scope ambiguity. If the scope of "in" versus "out" is genuinely ambiguous - for example, a development environment that may or may not contain organisational data - the auditor will spend time scoping before scanning. Clean scoping in advance keeps the price down.

Section 06

What can pull the price down

The two things that bring the price down are evidence-readiness and a clean scope.

A clean asset register, MFA already enforced everywhere, patch cadence already documented, and a tightly scoped certificate boundary all reduce the auditor's time. Fig's MSP partners typically have these in place via a continuous evidence platform, which is why Plus engagements through that channel run at the lower end of the published range.

Section 07

How Plus pricing relates to base-level pricing

If you are considering whether to go straight to Plus or do the base level first and add Plus later, the pricing is structured so that the Plus price always includes the base-level certificate. There is no double-paying. If you are likely to need Plus inside 12 months - for a contract, an insurance policy, or a procurement process - going straight to Plus is the cheaper path because you avoid two separate engagements.

Section 08

Next steps

If you have a procurement deadline driving Plus, published pricing is here and an assessor is one form away. If you want to scope first, the free 15-minute readiness check gives you a Plus-readiness gap list and a confidence-weighted timeline before you commit.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
