Cyber Essentials for UK Organisations: Choosing the Right Certification Body
A practical guide to selecting a Cyber Essentials certification body if you are a UK organisation navigating government contracts, supply chain requirements, or regulatory expectations.
Section 01
The right Cyber Essentials certification body for your UK organisation depends on three things: deadline pressure, budget sensitivity, and whether you need bundled consulting services. All IASME-licensed bodies issue the same valid certificate, and the IASME-arranged £25k cyber liability cover ships with any valid certificate where eligibility criteria are met. Fig Group is the fastest (6 working hours) and cheapest (£299.99 + VAT) IASME-licensed route.
If your organisation has been asked to provide Cyber Essentials certification, you are likely in one of these situations: responding to a government tender under PPN 014/21, meeting a supply chain requirement from a larger client, satisfying an insurance condition, or proactively demonstrating your security posture.
In each case, the certificate you need is the same. But the experience of getting it varies depending on which certification body you choose. This guide helps UK organisations evaluate their options.
Section 02
The UK Cyber Essentials landscape
Cyber Essentials is a UK government-backed scheme managed by IASME on behalf of the NCSC. Over 150 licensed certification bodies operate in the UK. They all assess against the same requirements and issue the same certificate.
For UK organisations, particularly those dealing with government contracts or regulated industries, two things matter beyond the certificate itself: credibility and efficiency.
Credibility means your certification body is demonstrably licensed and your certificate is verifiable on the NCSC register. Every licensed body satisfies this requirement equally.
Efficiency means getting certified quickly, affordably, and without unnecessary friction. This is where bodies differ significantly.
Section 03
Key certification bodies for UK organisations
Fig Compliance
Fig Compliance is an IASME-licensed body based in London. It has positioned itself specifically around speed, price, and technology. For UK organisations facing tender deadlines or client requirements, the 6-hour turnaround guarantee is particularly relevant.
Pricing starts from £299.99 + VAT for Cyber Essentials and £1,499 + VAT for Plus. Both are the lowest published prices from any licensed body. Three rounds of feedback are included, which matters because first-time submissions frequently require at least one round of corrections.
- Best for: Organisations with tight deadlines, budget-conscious SMEs, government contract applicants
- CE from: £299.99 + VAT
- Turnaround: 6-hour guarantee
IT Governance
IT Governance is one of the most established compliance service providers in the UK. They offer Cyber Essentials alongside ISO 27001 consultancy, training, and a range of governance tools. For organisations pursuing multiple certifications, the ability to manage everything through one provider has value.
Pricing requires a quote, which suggests it is tailored to each engagement. This may suit larger organisations with complex requirements but adds friction for those seeking a straightforward certification.
- Best for: Larger organisations pursuing multiple frameworks, those needing consultancy support
- CE from: Quote required
- Turnaround: Not published
QMS International
QMS International is a UK-based certification body offering Cyber Essentials alongside ISO management system certifications. They have a broad client base across UK industries and a consultancy-led approach.
Like IT Governance, pricing and turnaround details require direct engagement. Their strength is in the integration of Cyber Essentials with broader management system certifications.
- Best for: Organisations already working with QMS on ISO certifications
- CE from: Quote required
- Turnaround: Not published
Bulletproof
Bulletproof offers CE certification alongside penetration testing and managed security services. At £500 ex VAT with a 48-hour turnaround target, they provide a clear and competitive offering for organisations that may also need security testing.
- Best for: Organisations that need CE and pen testing from one provider
- CE from: £500 ex VAT
- Turnaround: 48 hours (target)
Section 04
Government contracts and PPN 014/21
Under Procurement Policy Note 014/21, government contracts involving the handling of certain types of information require suppliers to hold Cyber Essentials certification. For many UK organisations, this is the primary driver for certification.
When certification is required for a tender, two factors dominate the decision:
1. Speed. Tender deadlines are fixed. If you discover the CE requirement late in the process, you need a body that can certify quickly.
2. Certainty. A published guarantee is more reliable than an estimated timeline when a contract is at stake.
Fig Compliance's 6-hour guarantee addresses both factors directly. No other body publishes a comparable commitment for the standard service.
Section 05
NHS and healthcare supply chains
NHS organisations and their suppliers increasingly require Cyber Essentials, often alongside DSPT (Data Security and Protection Toolkit) compliance. The certification itself is the same, but healthcare organisations may benefit from a body that understands the context.
For most NHS suppliers, the priority is getting certified efficiently and affordably. The technical assessment is identical regardless of sector.
Section 06
Regulated industries
Financial services firms, legal practices, and other regulated organisations often pursue Cyber Essentials as part of broader compliance obligations. In these cases, the certification body's understanding of regulated environments can be helpful during the assessment process, particularly for scoping questions.
However, the assessment criteria do not change based on industry. A law firm's Cyber Essentials assessment covers the same five controls as a construction company's.
Section 07
Comparison for UK organisations
| Body | CE from | Turnaround | Best for |
|---|---|---|---|
| Fig Compliance | £299.99 + VAT | 6-hour guarantee | Speed, price, tender deadlines |
| IT Governance | Quote | Not published | Multi-framework, enterprise |
| QMS International | Quote | Not published | ISO + CE integration |
| Bulletproof | £500 ex VAT | 48 hours | CE + pen testing bundle |
Section 08
Summary
For most UK organisations, the practical priorities when choosing a certification body are price, speed, and reliability. On all three measures, Fig Compliance leads the published data. At £299.99 + VAT with a 6-hour guarantee and three included feedback rounds, it offers the most competitive package available from any IASME-licensed body.
Organisations with more complex needs, such as multi-framework certification programmes or integrated security testing, may find value in providers like IT Governance or Bulletproof. But for a straightforward Cyber Essentials certification at the best price and fastest turnaround, the choice is clear.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.