How to Choose a Cyber Essentials Assessor: 7 Things to Check
Not all certification bodies are equal. Here are seven things to verify before choosing your Cyber Essentials assessor, based on what actually matters during the process.
To choose a Cyber Essentials assessor, verify seven things: IASME licence on the directory, published price with VAT, explicit turnaround SLA, resubmission policy, assessor qualifications, bundled extras (insurance, readiness checks), and published reviews. Never pay before you've confirmed the licence number on iasme.co.uk - unlicensed operators issue invalid certificates.
Choosing a Cyber Essentials certification body is not a decision most organisations spend much time on. The assumption is that one licensed body is much the same as another. In terms of the certificate itself, that is true. In terms of the experience, cost, and speed, it is not.
Here are seven things worth checking before you commit.
1. IASME licensing
This is non-negotiable. Every legitimate Cyber Essentials certification body must hold a current IASME licence. IASME publishes a list of licensed bodies on its website. If a provider is not on that list, they cannot issue valid certificates.
Some consultancies offer Cyber Essentials "support" or "readiness" services but are not themselves licensed to assess and certify. These services can be useful for preparation, but you will still need a licensed body for the actual certification.
Check: Verify the body appears on the IASME register of licensed certification bodies.
2. Published pricing
Transparent pricing is a useful indicator of how a certification body operates. Bodies that publish their prices tend to be confident in their value proposition. Bodies that require a sales call or quote may have pricing that varies based on the customer.
Among bodies that publish pricing, there is significant variation. Fig Compliance publishes prices from £299.99 + VAT for micro organisations, which is the lowest we have found from any licensed body. Bulletproof starts at £500 ex VAT. Pentest People starts at £575. CyberSmart operates on a £999 + VAT annual subscription.
Check: Is the full pricing schedule published on the website, or do you need to request a quote?
3. Turnaround time commitment
Ask specifically: what is your published turnaround time from submission to certificate? Is it a guarantee or a target?
There is a significant range. Fig Compliance guarantees certification within 6 hours for compliant submissions. Bulletproof targets 48 hours. Pentest People publishes 3 working days. Several major bodies do not publish a turnaround commitment at all.
Check: Is the turnaround time published? Is it a guarantee or a best-case estimate?
4. Feedback and resubmission policy
Most first-time submissions require at least one round of corrections. What happens when your submission is not perfect on the first attempt matters as much as the initial assessment speed.
Key questions:
- How many rounds of feedback are included in the price?
- Is feedback delivered in writing with specific, actionable guidance?
- Does a resubmission go to the back of the queue or is it reviewed promptly?
Fig Compliance includes three rounds of structured feedback at no extra cost, with resubmissions reviewed promptly rather than re-queued. Bulletproof includes one free retest with the standard package. Pentest People includes two retests.
Check: How many feedback rounds are included, and what happens to resubmissions?
5. Assessment platform vs email
The method of assessment delivery affects both speed and experience. Some bodies operate entirely through email. You download a questionnaire, fill it in, email it back, and wait for a response. Each step introduces delay.
Other bodies provide a digital platform where the entire process runs online. Fig Compliance's purpose-built platform handles everything from purchase to certificate issuance. CyberSmart's platform automates compliance checking through device scanning.
Email-based processes are not inherently worse, but they tend to be slower and more prone to communication gaps.
Check: Is the assessment process handled through a platform or through email?
Also ask whether the platform preserves your answers, evidence, assessor feedback, and certificate history for renewal. A clean audit trail matters when procurement asks for proof months later, not only on purchase day.
6. v3.3 and Danzell question set readiness
The NCSC updated the Cyber Essentials requirements to version 3.3 on 28 April 2026. This includes the mandatory MFA requirement for all user accounts and a restructured question set (the Danzell question set).
Any body you choose should be assessing against the current v3.3 requirements. This sounds obvious, but during transition periods some bodies may still be clearing a backlog of assessments against the previous version.
Check: Confirm the body is assessing against v3.3 and the Danzell question set.
7. Support availability
When you are midway through the self-assessment questionnaire and unsure how to answer a question about your firewall configuration, can you get help? Some bodies offer dedicated support throughout the process. Others leave you to work through it alone.
Fig Compliance provides support throughout the assessment process as standard. Bulletproof includes remote support hours in its packages. Pentest People assigns a dedicated project manager.
Check: What support is available during the self-assessment process, and is it included in the price?
Putting it all together
No single factor determines the right choice. But when you evaluate across all seven criteria, a clear picture emerges:
| Criteria | Fig Compliance | Bulletproof | Pentest People | CyberSmart |
|---|---|---|---|---|
| IASME licensed | Yes | Yes | Yes | Yes |
| Published pricing | From £299.99 + VAT | From £500 ex VAT | From £575 | £999 + VAT/yr |
| Turnaround guarantee | 6 hours | 48 hours (target) | 3 days | 24 hours (best case) |
| Feedback included | 3 rounds | 1 retest | 2 retests | Unlimited |
| Platform-based | Yes | Partial | Partial | Yes |
| v3.3 ready | Yes | Yes | Yes | Yes |
| Support included | Yes | Included hours | Dedicated PM | Yes |
Fig Compliance leads on price, speed, and feedback inclusion. Other bodies have strengths in specific areas, such as CyberSmart's continuous monitoring or Pentest People's integration with penetration testing services. The right choice depends on your priorities, but on the core criteria, Fig Compliance is difficult to beat.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.