Cyber Essentials cost in the UK - what actually drives the price.
Search for "Cyber Essentials cost" and the first thing you'll notice is that nobody wants to give you a number. "It depends." "Contact us." "From £X plus VAT, plus assessor fees, plus remediation." Here's an honest, no-sales-pitch breakdown of what actually moves the price - and what to ask any provider who quotes you.
Why nobody quotes you a number online
There are two reasons every Cyber Essentials provider hedges on price when you Google it.
The first is honest: the cost genuinely varies by organisation. A 12-person firm running everything out of Microsoft 365 with company laptops is a different job from a 60-person business with on-premise file servers, mixed BYOD and three regional offices. Quoting a single number on a public webpage would be wrong for both.
The second is less honest: publishing a price commits the provider to a number they then can’t inflate later when they discover "scope creep". Vague pricing protects margin. So the standard playbook is "from £1,495" on the landing page, then a discovery call, then a real number that has grown by 40-120%.
The fix isn’t to publish a misleading number. It’s to do the discovery call first and quote a real, fixed, all-in figure that doesn’t move - which is what we do at Bluewater, but more on that at the end.
What you’re actually paying for
For the four cost drivers to make sense, it helps to know what a Cyber Essentials engagement actually delivers. A proper CE certification process covers:
- Scoping: defining what’s in (and out of) the certification boundary - users, devices, cloud services, network.
- Gap analysis: mapping your current state against the five CE controls (firewalls, secure configuration, user access, malware protection, security updates).
- Remediation: closing the gaps. This is usually the biggest chunk of work - M365 hardening, MFA rollouts, device baselines, password policies, conditional access.
- Policy templates: the written documents IASME wants to see - AUP, BYOD, incident response, password policy, leaver process.
- Evidence collation: screenshots, configuration exports, asset inventories, all packaged for submission.
- The IASME assessment submission and any rework needed if the assessor pushes back.
- The certificate itself - an IASME fee that the assessor pays to the certification body.
A real fixed-price quote covers all seven items. A "from £X" quote often covers items 1, 5 and 7 - and bills you separately for the remediation work that actually got you through.
The four things that actually drive cost
From this side of the desk, after dozens of engagements, the cost of Cyber Essentials for a UK SMB lands somewhere on a curve shaped by four factors. Here they are in order of how much they move the number.
1. Size of estate (users + devices + cloud tenants)
The biggest single driver. A 10-person Microsoft 365 shop with company-issued laptops is roughly an order of magnitude less work than a 75-person business with a mixed Windows/Mac fleet, a BYOD policy, multiple Azure tenants, and a couple of on-premise servers. The scope is wider, the configuration surface is wider, the evidence pack is fatter, and the assessor questions multiply.
2. Configuration starting state
This is the wildcard. Two businesses of identical headcount can be at completely different starting points. One has already enabled MFA on every account, has conditional access configured, has device compliance policies in place, and has written a half-decent acceptable-use policy. The other has shared admin passwords on sticky notes, no MFA, no device management, and no documented anything.
The first business needs us for a week. The second needs us for the full 30 days. Same headcount, very different cost.
3. Cyber Essentials or Cyber Essentials Plus
CE Plus adds an external technical audit performed by a qualified IASME assessor - vulnerability scans, phishing test, hands-on configuration verification on a sample of devices. It’s a more rigorous certification that the bigger procurement teams and prime contractors are starting to demand.
Expect CE Plus to be roughly 2-3× the cost of basic CE for the same organisation. Most clients land CE first, stabilise, and move to Plus 60-90 days later when the environment is bedded in. Some need to go straight to Plus because a tender deadline demands it.
4. Time pressure
An honest one: if your tender deadline is three weeks away, that’s a different conversation from "we’d like CE in the next quarter". Compression has a cost - not because the work changes, but because we have to bump assessor scheduling, dedicate continuous bandwidth, and resequence other client work. Plan in advance, pay normal rates. Wait until procurement is asking, pay urgency rates.
Want to skip ahead to a real number?
15-minute discovery call, fixed quote in your inbox within 48 hours. No estimates, no hourly rates, no "depends".
Why “from £X” pricing is a trap
You’ll see "from £1,495" or "from £1,200" plastered across the cyber consultancy sector. Three reasons it's almost never the number you'll actually pay:
- It’s priced for an unrealistic best case - usually a 5-person, fully-cloud, perfect-configuration scenario that almost no real SMB matches.
- It often excludes the IASME certification fee - charged separately as a pass-through, adding a few hundred pounds.
- It excludes remediation - the actual configuration work that gets you through. That’s billed hourly or as separate "add-ons" once discovery is done.
By the time you’ve added the realistic scope, the IASME fee, and the remediation hours, the “from £1,495” quote is often £2,800-£4,500 in practice. None of that is illegal or even unusual. It’s just the pricing model the industry settled on because publishing a misleadingly low anchor wins the click.
The honest version of "from £1,495" is "we don’t know what it costs until we've done a discovery call." The dishonest version is published on a homepage.
What fixed price should actually mean
A real fixed-price Cyber Essentials engagement should:
- Be quoted after a discovery call, not before. The number reflects your actual size, starting state, and timeline - not a marketing anchor.
- Include the IASME certification fee. No pass-through surprises.
- Include remediation. Whatever configuration and policy work the gap analysis surfaces is in scope.
- Include re-submission if you fail. If the assessor pushes back, you don’t pay extra for the rework. Fixed price means fixed outcome.
- Not move. The number on the proposal is the number on the invoice.
When you’re comparing quotes, ask each provider whether all five items are in their fixed price. Most aren’t. The ones that are tend to be the ones you actually want to work with.
How to get a real number in 48 hours
If you’ve read this far, you don’t want another generic "contact us" form. Here’s the most efficient path to a real number:
- Take 3 minutes to run our free Cyber Essentials readiness check. 13 plain-English questions covering the five CE controls. You’ll get a percentage score and a plain-English breakdown of where you stand. No email required to see the score.
- Book a 15-minute discovery call. We’ll talk through your headcount, devices, cloud setup, and any deadline driving the timeline. No pitch, no slides.
- Get a fixed quote in your inbox within 48 hours. Single number, all-in, valid for 30 days. Includes IASME fee, all remediation, and re-submission cover.
That’s it. If the number works, we kick off with 50% upfront and you have your certificate inside 30 days. If it doesn’t, no obligation - you walk away with a useful readiness score and a clearer view of what CE actually costs for an organisation your shape.
Get a real number, not a marketing anchor.
15 minutes on the phone. Fixed price in your inbox 48 hours later. Direct line to a certified Cyber Essentials assessor included.