Cyber Essentials FAQ. Everything buyers actually ask.

Fig Group is the cheapest IASME-licensed Cyber Essentials body in the UK. Pricing starts at £299.99 + VAT for Micro (1-9 staff) and £549.99 for Large (250+ staff). Every tier is below the standard IASME body fee. Three free re-submissions, 6-hour certification turnaround, and £25k cyber liability insurance bundled.

CE Plus costs £1,499-£4,499 + VAT depending on organisation size. Micro £1,499, Small £1,999, Medium £2,799, Large £4,499. All Fig CE Plus prices exclude VAT and are transparent - no consultancy add-ons.

No. Fig includes three free re-submissions with every Cyber Essentials certification. Most certification bodies charge £100-£200 per re-submission. If you need more than three, we work with you to address readiness first.

Fig prices the Micro tier at £299.99 + VAT, which is already below the standard IASME fee. Separately, the NCSC sometimes funds free CE certifications for specific charity sectors via IASME - check availability at certification time.

Fig Cyber Essentials Micro at £299.99 + VAT for 1-9 staff. Below the standard IASME certification body fee. Three free re-submissions, 6-hour guarantee, IASME-licensed.

No. Fig Group publishes prices excluding VAT. UK VAT is added at checkout for UK-based organisations.

For Cyber Essentials Plus and larger corporate engagements, yes. For standard CE certifications the checkout flow uses Stripe card payment. Enterprise invoicing is available on request.

Every device and service that accesses organisational data: laptops, desktops, phones, tablets, cloud services, and corporate network equipment. The boundary follows the device that touches organisational data, not the network it sits on. A device that has no access to organisational data is excluded from scope.

A BYOD device with direct access to organisational data is in scope. A BYOD device whose only access is mediated through a virtual desktop or VM in the cloud (Citrix, AWS WorkSpaces, Azure Virtual Desktop) can be excluded via sub-set declaration; the VM/VDI is then the in-scope device and the BYOD acts as a thin client. Sub-set boundaries must be enforced by technical control - MDM Conditional Access, VDI thin-client mode, or network segregation. Per Danzell A2.5.1, operating-system software firewalls alone cannot define a sub-set boundary. Policy-only restrictions do not satisfy v3.3.

No. Normal home routers used by remote workers are explicitly excluded from scope under the v3.3 Danzell guide. The certification boundary follows the device that touches organisational data, not the home network or its router. The in-scope device's software firewall takes responsibility for boundary enforcement against the home network, which is treated as untrusted.

Yes. SaaS, IaaS, and PaaS that hold organisational data are in scope. You must document how cloud services are configured securely (MFA, access control, secure defaults). v3.3 is explicit about this.

For SaaS companies: typically no. Scope CE to the corporate estate only (laptops, M365, corporate SaaS) and explicitly exclude production AWS. Production security is separately assessed under SOC 2, ISO 27001, or ISO 27017.

If contractors access your organisational data from their own devices, their devices are in scope. You can exclude them with a sub-set (virtual desktop or MDM) or bring them into scope with corporate-issued devices.

Any security update classified as "high" or "critical" by the vendor must be applied within 14 days of release. Applies to operating systems, applications, firmware, and internet-facing services. Monthly patching cycles do not meet v3.3.

Yes. Windows Defender with tamper protection enabled is the most common malware protection for UK organisations certifying under CE. The assessor checks that it is enabled, updated, and that on-access scanning works.

Yes. macOS is fully supported. Apple's built-in XProtect, Gatekeeper, and the System Integrity Protection satisfy the malware-protection control. Ensure FileVault is on and the device is current.

If Linux endpoints or servers access organisational data, yes. The same five controls apply - firewall, secure configuration, access control, malware protection (ClamAV or equivalent), and patch management.

Not strictly. v3.3 requires malware protection, which Windows Defender meets. EDR (Defender for Business, CrowdStrike, SentinelOne) exceeds the bar and is common in MSP and enterprise contexts.

Once per audit cycle for Cyber Essentials Plus. The external scan targets public-facing IP addresses and domains, checks TLS configuration, looks for exposed management interfaces, and flags out-of-date services. Findings must be remediated before certification issue.

DCC is the UK Ministry of Defence's independent cybersecurity certification framework for its supply chain, administered by IASME and delivered through a network of IASME-licensed Certification Bodies. Four levels - L0, L1, L2, L3 - cover the four Cyber Risk Profile tiers that MOD contracts are assessed against. It replaces the self-assessed Supplier Assurance Questionnaire (SAQ) approach under DCPP.

Effectively yes. Under DCPP the SAQ was self-assessed. DCC replaces that self-declaration with formal independent certification. DCC uses Def Stan 05-138 issue 4 as its underlying specification.

If you want to bid on MOD contracts, yes - at the level matched to the contract's Cyber Risk Profile. Transition arrangements remain for existing contracts with prior SAQ attestation, but the direction of travel is that all MOD supplier contracts will require DCC certification.

The MOD (or the prime contractor in a subcontract scenario) specifies the required level based on the contract's Cyber Risk Profile. Suppliers do not choose their level arbitrarily. If your pipeline includes contracts with varying CRPs, certify at the highest level required. See /defence-cyber-certification/cyber-risk-profile for the CRP-to-level mapping.

Fig is accredited at Level 0 and Level 1. For L2 and L3 engagements we refer suppliers to IASME-licensed certification bodies licensed for those higher levels - verifiable on the IASME directory at iasme.co.uk. We are honest about this rather than trying to take engagements we are not accredited to deliver.

Yes. L0 and L1 require a valid Cyber Essentials certificate. L2 and L3 require Cyber Essentials Plus. Fig includes the Cyber Essentials prerequisite within the DCC engagement if you do not already hold it - no separate invoice.

Level 0 is flat-priced from £999.99 + VAT (micro) to £4,999.99 + VAT (large). Level 1 is priced as ranges from £9,999 - £14,999 + VAT (micro) up to £25,000 - £49,999 + VAT (large). Both include the Cyber Essentials prerequisite, three years of certificate validity, and annual attestation support.

L0 is a documentation-led review of a constrained requirement set; the work is predictable. L1 involves scoping, evidence preparation, consultant engagement, platform gap analysis, formal assessment, and remediation support - and the last four scale materially with organisation complexity. We publish the ranges and name the drivers openly rather than quoting bespoke numbers.

Yes. Every L1 engagement includes a dedicated consultant throughout scoping, evidence preparation, remediation, and formal assessment. Consultancy is not a separate line item after engagement begins.

No. Platform access is included in L1 pricing. The platform also remains active across the three-year certificate period so annual attestations are faster and re-certification at three years is substantially quicker than the initial engagement.

Two to three weeks end-to-end for a prepared organisation (already holds Cyber Essentials, governance documentation in place, clear scope). Four to eight weeks for organisations starting from a lower baseline.

Six to ten weeks end-to-end for a prepared organisation. Twelve to twenty weeks for organisations starting from a lower baseline. Most of the variance is driven by supplier preparation, not by the Certification Body.

Annual attestation is included within the original engagement fee. We do not charge separately for each year's attestation.

Somewhat. Having a dedicated internal lead, engaging a consultant early, already holding Cyber Essentials, and being able to provide evidence quickly all compress the timeline. Tell us about your tender deadline at quote stage and we will prioritise engagement sequencing where possible, though DCC is not a same-day product like Cyber Essentials.

Automated gap analysis across your in-scope systems. It identifies unpatched CVEs, cloud misconfigurations, identity gaps (MFA coverage, dormant privileged accounts), endpoint posture issues, public-facing attack surface, and credential exposure. You fix issues before the assessor arrives rather than during audit.

Much of it, yes. Documentation you produced for SAQ attestation is reusable for DCC - governance policies, access control evidence, technical attestations. A Fig consultant can work through your existing pack with you and identify what maps across versus what needs updating.

Yes. Fig Group is an IASME-licensed Certification Body accredited to assess Defence Cyber Certification at Level 0 and Level 1, and to assess Cyber Essentials and Cyber Essentials Plus as prerequisites. Our assessors hold the relevant IASME and defence-sector credentials.

Fig Group is the IASME-licensed UK body for Defence Cyber Certification at Level 0 and Level 1. The Cyber Essentials prerequisite is available from Fig Group as a separate purchase if you do not already hold it. For L2 and L3 we refer MOD suppliers to specialist providers on the IASME directory.