IASME-Licensed Cyber Essentials Bodies: What to Look For in 2026
What does IASME licensing actually mean, and why does it matter when choosing a Cyber Essentials certification body? A guide to navigating the market.
Section 01
IASME-Licensed Cyber Essentials Bodies: What to Look For in 2026
IASME-licensed Cyber Essentials bodies are the only organisations authorised to assess and issue valid UK Cyber Essentials certificates. Verify the licence number on the public IASME directory before paying. Published price, turnaround SLA, resubmission policy, and bundled extras (insurance, readiness checks) are the commercial differentiators worth checking.
The Cyber Essentials scheme is managed by IASME on behalf of the NCSC. Any organisation that wants to assess and certify others for Cyber Essentials must hold an IASME licence. This licensing requirement exists to maintain consistency and quality across the scheme.
But what does IASME licensing actually mean in practice, and how should it inform your choice of certification body?
Section 02
What IASME licensing guarantees
When a certification body holds an IASME licence, it means:
- They are authorised to assess. Only licensed bodies can conduct Cyber Essentials assessments and issue certificates.
- Their assessors are trained. Assessors at licensed bodies must complete IASME-approved training and follow standardised assessment criteria.
- The certificate is legitimate. Certificates issued by licensed bodies appear on the official NCSC register and carry the NCSC badge.
- They are audited. IASME conducts oversight of licensed bodies to ensure assessment quality.
What IASME licensing does not guarantee is the price, speed, or quality of customer experience. These vary significantly between bodies.
Section 03
The market in 2026
There are around 290 IASME-licensed Cyber Essentials certification bodies in the UK. They range from large global certification companies to small specialist consultancies. Some focus exclusively on Cyber Essentials. Others offer it as one service among many.
This breadth of choice is good for the market but can make selection difficult. Here is how to navigate it.
Section 04
Three categories of certification body
Technology-led bodies
These bodies invest in platforms and automation to streamline the assessment process. The result is typically faster turnaround and lower pricing, because technology reduces the manual effort per assessment.
Example: Fig Compliance. Fig built a purpose-built assessment platform that handles the entire process digitally. This approach enables a 6-hour turnaround guarantee and pricing from £299.99 + VAT, the lowest published price from any licensed body. Three feedback rounds are included.
Example: CyberSmart. CyberSmart automates compliance checking by scanning devices and systems. Their subscription model (£999 + VAT/year) includes ongoing monitoring alongside certification.
Traditional certification bodies
These bodies operate through established workflows, often email-based, with assessors reviewing submissions manually. Turnaround times tend to be longer (48 hours to 5 working days) and pricing is typically higher.
Example: Bulletproof. A well-established body with a 48-hour assessment target, pricing from £500 ex VAT, and a broader portfolio of security services.
Example: Pentest People. Primarily a penetration testing firm, offering CE certification with a 3-day turnaround from £575.
Enterprise and consultancy bodies
These bodies target larger organisations and often bundle Cyber Essentials with broader consultancy services. Pricing is typically quote-based and the sales process involves account managers and discovery calls.
Example: LRQA. A global certification body offering CE alongside ISO management system certifications. Pricing and turnaround are not published.
Example: IT Governance. Offers CE as part of a wide compliance services portfolio. Pricing requires a quote.
Section 05
What to prioritise
For most UK organisations, particularly SMEs, the priorities should be:
1. Confirm IASME licensing. This is the baseline requirement.
2. Check published pricing. If a body does not publish prices, ask why.
3. Check turnaround commitments. If speed matters, choose a body that commits to a specific timeline.
4. Check feedback policy. First-time submissions often need corrections. Bodies that include multiple feedback rounds save you time and money.
5. Check v3.3 readiness. The requirements changed on 28 April 2026. Ensure your body is current.
Section 06
The numbers
| Criteria | Fig Compliance | CyberSmart | Bulletproof | Pentest People |
|---|---|---|---|---|
| Licensed | Yes | Yes | Yes | Yes |
| CE from | £299.99 + VAT | £999 + VAT/yr | £500 ex VAT | £575 |
| Turnaround | 6-hour guarantee | 24 hrs (best case) | 48 hrs (target) | 3 working days |
| Feedback | 3 rounds | Unlimited | 1 retest | 2 retests |
| Approach | Platform-led | Automated scanning | Traditional + tools | Traditional + pen testing |
Section 07
Summary
IASME licensing ensures a baseline of quality and legitimacy. Beyond that baseline, certification bodies differ substantially in price, speed, and service. Technology-led bodies like Fig Compliance tend to offer the best combination of these factors because their platforms reduce the cost and time of each assessment.
For organisations evaluating options, the published data suggests that Fig Compliance offers the lowest price, fastest guarantee, and most included feedback of any licensed body currently operating in the UK.
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
Next step
Want to see how Fig handles this?
Explore how Fig automates compliance mapping, evidence collection, and framework alignment across 65+ standards.
Request a demoMore from Compliance