THE SHORT ANSWER

Cyber Essentials Plus costs from £1,399 + VAT for micro organisations (0–9 employees), from £1,699 + VAT for small organisations (10–49 employees), from £2,399 + VAT for medium organisations (50–249 employees), and from £3,499 + VAT for large organisations (250+ employees). These are fixed, transparent prices from Vincent Cyber Defence as an IASME Approved Certification Body — the IASME certification fee is included, and there are no hidden charges.


WHY DOES CE PLUS COST MORE THAN STANDARD CE?

Standard Cyber Essentials is a self-assessment — you complete a questionnaire, your Certification Body reviews it, and your certificate is issued. Cyber Essentials Plus requires an independent technical audit on top of that. An IASME-approved assessor remotely connects to your environment, runs external and internal vulnerability scans, tests email and browser configurations, and actively verifies that your five security controls are working — not just documented.

That hands-on work takes more time and expertise, which is why CE Plus costs more. The difference is real: Plus provides a significantly higher level of assurance, which is why some contracts specifically require it.

WHAT AFFECTS CE PLUS PRICING?

  • Organisation size: Pricing is based on your total number of employees using UK Government size criteria
  • Network complexity: More devices, sites, cloud services, and in-scope systems mean a more complex audit
  • Readiness: If controls need significant work before the audit can take place, that affects timelines but not the certification fee itself
  • Certification body: Different IASME Approved Bodies set their own service fees on top of the fixed IASME body fee

CYBER ESSENTIALS PLUS PRICING BY ORGANISATION SIZE

The table below shows Vincent Cyber Defence's 2026 fixed prices for Cyber Essentials Plus. All prices exclude VAT and include the IASME certification fee.

Organisation Size    Employees    CE Plus Price
Micro                0–9          From £1,399 + VAT
Small                10–49        From £1,699 + VAT
Medium               50–249       From £2,399 + VAT
Large                250+         From £3,499 + VAT

Large organisation pricing depends on the scope and complexity of the audit. Contact us for a fixed-price quote specific to your environment.

WHAT IS INCLUDED IN THE PRICE?

A good CE Plus certification fee should cover the entire end-to-end process. At Vincent Cyber Defence, our price includes all of the following — with no optional extras bolted on:

  • Cyber Essentials self-assessment — we explain each requirement and review your draft responses; you complete and sign the declaration yourself
  • Audit readiness checklist — we confirm what the audit will test so you know exactly what needs to be in place before the assessment date
  • Independent technical audit — conducted remotely by our IASME-approved assessors
  • External vulnerability scanning — of your internet-facing systems and boundary controls
  • Internal vulnerability scanning — of a sample of in-scope devices
  • Email and web browser configuration checks — verifying controls are correctly applied
  • CE Plus certificate and digital badge — valid for 12 months from date of certification
  • NCSC public register listing — confirming your certified status publicly
  • Full technical assessment report — documenting findings and confirming compliance
  • UK-based support throughout — plain-English guidance at every stage

ARE THERE ANY EXTRA COSTS?

This is where some providers catch organisations out. Here is what to watch for — and how our approach differs.

Remediation costs

If issues are found during the audit, you will need to fix them. The IT support required to remediate your systems (patching, reconfiguring devices, updating software) costs what it costs — that is outside the scope of your certification fee and depends on your internal resource or IT provider. However, the re-check of the audit itself — verifying that your fixes are in place — should not come with an additional certification charge within the same assessment window.

Two time limits apply simultaneously if issues are found: you have 30 days from the date the CE Plus assessment started to remediate and have checks revisited, and this must also fall within your 90-day window from CE basic certification. Whichever expires first is the binding deadline. Going into the audit with all controls already in place is the most effective way to protect both windows.

Resubmission fees

Check any certification body's policy on resubmission carefully. At VCD, if issues are identified and you remediate them, we work with you to reach certification without surprise additional invoices.

The key test: Ask any provider what happens if the audit identifies an issue. Do you pay again? Is re-checking included? These questions reveal the true cost of certification.

THE 90-DAY CE PLUS WINDOW — AND WHY IT MATTERS

Once you pass Cyber Essentials basic, you have 90 days (3 months) from your CE certification date to complete and pass CE Plus. This window is set by IASME and is strictly enforced. If you do not pass CE Plus within 90 days, your Plus application closes and you will need to re-certify at Cyber Essentials basic level before restarting the Plus process — incurring an additional certification cost.

This makes preparation essential. Working through the audit readiness checklist before the assessment begins ensures that when you enter the 90-day window, your controls are already in the right position to pass first time. The earlier any gaps are addressed, the more runway you have for the audit and any follow-up checks within the window.

Your CE Plus certificate validity (12 months) runs from the date you pass the Plus audit — not from when the CE basic was certified.

Important: Do not start the CE Plus process until your environment is ready. The 90-day clock starts when CE basic is certified — not when you decide to begin Plus. If controls are not in place, you risk the window expiring before you pass, requiring you to recertify CE basic again at additional cost.

DOES CE PLUS INCLUDE FREE CYBER INSURANCE?

Yes — UK-registered organisations with an annual turnover under £20 million that achieve Cyber Essentials certification covering their whole organisation are automatically entitled to free cyber insurance up to £25,000, provided through IASME. This applies at the basic CE level and carries through to CE Plus. It is included at no additional cost with your certification and requires no separate application.

Many commercial cyber insurers also offer reduced premiums or improved policy terms to CE-certified organisations. It is worth informing your broker of your certification status once you are certified.

IS CE PLUS MANDATORY?

Cyber Essentials Plus is not universally mandatory — but it is required in specific situations. Standard Cyber Essentials is mandatory for all UK Government contracts involving personal data or the supply of certain ICT products and services. CE Plus is required by some MOD supply chain contracts involving sensitive or classified data, certain NHS and public sector frameworks, and enterprise clients who want independent technical verification rather than self-assessment.

If your contract tender or supplier requirements document specifies CE Plus, or references an "independent technical audit", standard CE will not be sufficient. If you are unsure what your contract requires, our team can review the wording and advise.

Current pricing: For our latest CE Plus pricing broken down by organisation size, with no hidden fees, visit our quote builder.

Also considering DCC Level 0? If you supply to the MOD, Cyber Essentials is a mandatory prerequisite for Defence Cyber Certification (DCC) Level 0, assessed against Def Stan 05-138. CE Plus is not required for DCC Level 0, but achieving it first puts you in a strong position.

CE PLUS AUDIT READINESS CHECKLIST

The CE Plus technical audit tests seven key control areas live against your systems. Before your assessment date, confirm all seven are in place — once the assessment starts, the 30-day remediation clock is running. We have built a free interactive checklist covering all 30 sub-items across the seven areas, with a live progress score and print option.

  • Antivirus / endpoint protection — active and up to date on all in-scope devices
  • Account separation — admin and standard user accounts properly separated; no shared credentials between roles
  • Patching — all security updates applied within 14 days of release across operating systems, firmware, and applications
  • Mobile devices — not jailbroken or rooted; apps installed only from authorised application stores; managed and controlled appropriately
  • Malicious content blocking — executable downloads and malicious test emails blocked at the network boundary
  • External vulnerabilities — no known exploitable vulnerabilities present on internet-facing systems
  • MFA — multi-factor authentication enabled on all cloud services for all users, not just administrators


Important: If any of these items are not in place before the audit date, issues will be found during the assessment. With only 30 days from the assessment start to remediate — and 90 days from your CE basic certification — there is very little margin for last-minute fixes. Prepare your environment before the assessment begins.