How much does Cyber Essentials Plus Certification cost?
Payal Wadhwa
Apr 30, 2024
Considering the seriousness of the cyber-attacks faced by UK companies, the Cyber Essentials and Cyber Essentials Plus certifications were launched in June 2014. From October 2014, Cyber Essentials became a mandatory requirement for suppliers bidding on central government contracts that involve handling sensitive or personal information.
According to the National Cyber Security Centre (NCSC), 9,037 Cyber Essentials Plus certificates were issued in the previous year, an increase of 55%. Another interesting fact is that demand for the certification from micro-organisations grew by 17%, so even very small businesses are seeing value in it.
While the basic accreditation focuses on baseline controls, the plus in the Cyber Essentials certification indicates more rigor and a higher level of scrutiny, not to mention an increased level of assurance. If you plan to acquire government contracts or enhance your business resilience and are looking for Cyber Essentials Plus Certification costs, this blog has just the thing.
What is Cyber Essentials Plus certification?
Cyber Essentials Plus is a UK government-backed certification scheme that lets businesses demonstrate that effective cybersecurity measures are in place to protect against common cyber threats and attacks. It builds on the basic Cyber Essentials certification, which is a self-assessment of the same controls, by adding a layer of independent technical verification.
Cyber Essentials Plus is the highest level of certification under the scheme. An assessor tests the controls hands-on, including an external vulnerability scan of internet-facing systems and authenticated scans of a sample of in-scope devices, to check that the answers given in the self-assessment hold up in practice.
- Once you have implemented the basic security controls, such as firewalls and user access control, you complete the self-assessment questionnaire. Passing it earns the basic Cyber Essentials certification, which is a prerequisite for Plus.
- You then apply for Cyber Essentials Plus with a certification body licensed under the NCSC scheme. The Plus assessment must be completed within three months of the basic certificate being issued.
- The assessor then carries out the technical assessment (on-site or remotely) and reviews the supporting documentation. You receive the Cyber Essentials Plus certificate if the external scan and the device tests are passed.
- The certificate is valid for 12 months and must be renewed annually, starting again with the basic self-assessment.
How much does the Cyber Essentials Plus certification cost?
The cost of Cyber Essentials Plus depends on organisational size and how ready your controls already are. At a broad level, it usually ranges from £1,499 to £4,250, excluding VAT.
Certification can only be issued by certification bodies licensed under the scheme. IASME (the Information Assurance for Small and Medium Enterprises consortium) is the NCSC's delivery partner for Cyber Essentials and licenses those bodies.
Most certification bodies price by the number of employees, so costs differ for small and large businesses. Since January 2022 the basic Cyber Essentials fee has been tiered by organisation size, and certification bodies generally band their Plus pricing the same way. Unlike the basic fee, the Plus fee is set by each certification body rather than fixed by the scheme, so the figures below are only a rough estimate:
- Micro companies (0-9 employees): £1,499–£1,650 + VAT
- Small businesses (10-49 employees): £1,999–£2,250 + VAT
- Medium businesses (50-249 employees): £2,499–£3,250 + VAT
- Large enterprises (250+ employees): £2,999–£4,250 + VAT
Some certification bodies also charge £1,000–£1,500 extra for a pre-assessment and guidance. Note that these are only the costs of applying and being assessed; the total cost of certification includes other items that vary from one organisation to another. Let's look at those next.
What factors influence the cost of Cyber Essentials Plus certification?
The upfront costs are those of applying and undergoing the technical assessment, but several other factors affect the overall cost of getting and staying certified. These include, but are not limited to:
Company size
Since the introduction of tiered pricing, the assessment fee is based on the number of users and, therefore, the organisation's size. Implementation and training costs also rise with the size and complexity of the business, because more devices and accounts fall within the scope of the assessment.
Security maturity
The certification requires the implementation of five foundational technical controls: firewalls (boundary and host-based), secure configuration, user access control, malware protection, and security update (patch) management. If the organisation already has some of these measures in place, costs are lower, and vice versa. For example, a firewall can cost between £250 and £1,000, an outlay that is avoided if one is already installed and correctly configured.
Consultancy fee
Organisations that opt for Cyber Essentials Plus are seeking a higher level of assurance and in-depth validation, so they may hire a consultant to prepare for the assessment. In that case, consultancy can be a significant part of the cost, with rates typically ranging from £50 to £200 per hour.
Training costs
Another cost factor is security awareness training. The certification requires organisations to implement and maintain the controls continuously, and since human error is the most common way those controls are undermined, training is essential. Training is usually charged per employee and can range from £1 to £3 per head.
Cost of remediation
If any gaps are identified during the assessment or the vulnerability scans, the organisation has to remediate them before it can pass. These costs add to the total cost of certification and can range from a few hundred pounds to several thousand, depending on what is found.
Maintenance
The cost of maintenance is another factor to consider. You will have to set up ongoing monitoring, review and update policies where required, keep patching within the scheme's 14-day window for critical and high-severity updates, and re-apply for certification each year. All of this adds to the overall cost.
Costs of not having Cyber Essentials Plus certification
Forward-thinking organisations are turning to compliance because they understand the return on investment in the form of improved security and better business opportunities.
Let's look at some of the costs of not having a Cyber Essentials Plus certification:
Increased risks of breaches
Gaps in basic security hygiene lead to data breaches that cost businesses millions, and some businesses never recover from them. Cyber Essentials Plus reduces the risk of such breaches by ensuring the five baseline controls are implemented systematically and verified independently.
Loss of business opportunities
Businesses today want assurance about data protection and often require compliance certifications before signing contracts. Without tangible proof of robust cybersecurity measures in the form of a certificate, you may lose out on enterprise and public-sector clients.
Weak cybersecurity posture
Compliance readiness keeps your security measures on track. Regular awareness training, implementation of the relevant controls, and timely identification of vulnerabilities produce long-term benefits such as a robust cybersecurity posture. Letting adherence slip leads to gaps and a weak posture.
Increased costs
Failing to maintain compliance can increase costs through incidents and business disruption. There can also be fines and penalties, for example under UK data protection law following a breach. Cyber insurance premiums can be higher too: organisations that achieve Cyber Essentials certification (and meet the scheme's turnover and domicile conditions) are eligible for free cyber liability insurance, and insurers often offer discounts to certified businesses. These costs add up to a significant expense.
Get Cyber Essentials certified with Sprinto
If you want to demonstrate a higher-than-standard level of assurance to businesses that require airtight security, Cyber Essentials Plus is the certification for you. It is also valuable if your company wants to work with government or is largely public-facing.
Sprinto can be an enabler in your journey.
When you integrate your tech stack with the platform, Sprinto helps you build a pipeline of controls aligned with frameworks such as Cyber Essentials Plus. It provides policy templates, built-in training modules, automated evidence collection, and more to expand the scope of your compliance programme. With coverage of 20+ frameworks and security certifications, it can help you reach the audit-ready stage in record time.
Want to see Sprinto in action? Talk to our compliance experts today.
FAQs
Why does CE Plus cost much more than Cyber Essentials Certification?
CE Plus costs more than the basic Cyber Essentials certification (which starts at £320 plus VAT for micro organisations) because the basic level is a self-assessment, whereas Plus involves an independent assessor carrying out hands-on technical testing of the controls, including vulnerability scans of a sample of your devices.
How long does Cyber Essentials Plus Certification take?
Pre-assessment preparation can take about a week if the controls are already in place, and the assessment and certification can take from a few days to a few weeks. Keep in mind that the Plus assessment must be completed within three months of your basic Cyber Essentials certificate being issued.
What happens if you fail Cyber Essentials Plus?
If you fail Cyber Essentials Plus, you must remediate the issues and be reassessed within the period set by the certification body, which is typically 30 days. Failing to remediate within that window means starting the assessment again. There may also be additional costs for re-scans and reassessment.