Search for Cyber Essentials cost and you will find a reassuring answer. Certification starts from £320 plus VAT for micro-organisations, or £440 plus VAT for small businesses with 10 to 49 employees. The IASME website presents a clean, tiered pricing structure. It is accurate. It is also deeply misleading.

The certification fee covers the self-assessment platform, an assessor's review, one resubmission opportunity, a digital certificate valid for 12 months, and a listing on the NCSC Cyber Essentials directory. What it does not cover is the work required to actually pass.

For a business that has never formally addressed its cyber security posture, the certification fee is typically less than 5% of the total first-year cost. The other 95% is remediation, hardware, licensing, documentation, consultancy, and time. This post is a line-by-line account of what that journey actually involves under the new v3.3 Danzell question set, which came into force on 27 April 2026.

The numbers below are not theoretical. They are the figures we have observed across audits of around forty UK small businesses pursuing certification in the past nine months.

Meet Acme Services Ltd

To make this practical, I am going to walk a fictional but entirely typical 10-person UK business through the entire process. Acme Services is a generic professional services firm. The starting picture will be recognisable to thousands of UK businesses: ten staff in one office with occasional home working; a mix of Windows PCs aged 2 to 6 years, some still on Windows 10; printers on factory default credentials; cloud-hosted VoIP phones; Microsoft 365 Business Standard; an outsourced IT firm on a basic managed service; the ISP router acting as the office firewall; no formal IT policies, no MFA, no documented procedures; staff using personal phones for work email and Teams.

Acme has been told by a potential client that they need Cyber Essentials to be considered for a contract. The MD searches online, sees "from £320", and assumes it is a quick form and a badge. What follows is rather different.

What changed in v3.3

Three things in the Danzell update materially raise the bar for an unprepared firm.

MFA is now an automatic fail. If a cloud service supports multi-factor authentication and it is not enabled for all users, the assessment fails immediately. This applies whether MFA is free, bundled, or only on the paid plan. Microsoft 365 supports MFA on every tier — so for an M365 customer there is no path to certification that does not include enabling it for every user.

All cloud services are in scope. A formal definition of cloud services has been introduced for the first time. Any service that stores or processes organisational data must be included. There is no path to exclude them — and that includes the accounting software, the CRM nobody told you about, and the WhatsApp group the sales team uses for client communication.

14-day patching is an automatic fail. Critical and high-risk patches must be applied within 14 days of release across operating systems, applications, router and firewall firmware, and browser extensions. "We were going to patch it next month" is no longer an answer.

There is also a stricter scoping discipline — scope descriptions must be detailed, exclusions justified with documented evidence of segregation, and all legal entities covered must be declared on the certificate. The three above are the ones that catch unprepared firms.
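As an added example (my own code, not from the original post, IASME or the NCSC), the following Python script encodes the three automatic-fail rules above as checks over a constructed asset inventory and cloud-service register for a firm like Acme. The hostnames, field names, patch identifiers and the assessment date are assumptions chosen for the example; the 14-day window and the Windows 10 end-of-life date are the figures stated on this page.

```python
"""Pre-assessment check for the v3.3 automatic-fail rules.

Added example for this post (not IASME/NCSC tooling). Field names, hostnames
and patch ids are assumptions; the 14-day window and the Windows 10 end-of-life
date (14 October 2025) are the figures given in the post.
"""
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14
WINDOWS_10_EOL = date(2025, 10, 14)
ASSESSMENT_DATE = date(2026, 5, 20)  # constructed "today" for the sample run

# Constructed device inventory. "patches" maps a patch id to
# (release date, applied date); applied is None while still outstanding.
DEVICES = [
    {"hostname": "ACME-PC01", "os": "Windows 11", "os_eol": None,
     "patches": {"KB-A": (date(2026, 5, 1), date(2026, 5, 6))}},
    {"hostname": "ACME-PC02", "os": "Windows 10", "os_eol": WINDOWS_10_EOL,
     "patches": {"KB-A": (date(2026, 5, 1), date(2026, 5, 3))}},
    {"hostname": "ACME-PC03", "os": "Windows 11", "os_eol": None,
     "patches": {"KB-A": (date(2026, 5, 1), None)}},
    {"hostname": "ACME-FW01", "os": "firewall firmware", "os_eol": None,
     "patches": {"FW-2": (date(2026, 4, 20), date(2026, 5, 10))}},
]

# Constructed cloud-service register, the kind v3.3 asks the firm to keep.
CLOUD_SERVICES = [
    {"name": "Microsoft 365", "org_data": True, "mfa_supported": True, "mfa_all_users": True},
    {"name": "Accounting (Xero)", "org_data": True, "mfa_supported": True, "mfa_all_users": False},
    {"name": "Team-adopted CRM", "org_data": True, "mfa_supported": True, "mfa_all_users": False},
    {"name": "Legacy fax-to-email", "org_data": True, "mfa_supported": False, "mfa_all_users": False},
    {"name": "Public weather widget", "org_data": False, "mfa_supported": False, "mfa_all_users": False},
]


def check_devices(devices, today):
    """Return (hostname, severity, message) findings for OS support and patch timing."""
    findings = []
    for d in devices:
        if d["os_eol"] is not None and d["os_eol"] < today:
            findings.append((d["hostname"], "FAIL",
                             f"{d['os']} reached end of life on {d['os_eol']}"))
        for patch_id, (released, applied) in d["patches"].items():
            deadline = released + timedelta(days=PATCH_WINDOW_DAYS)
            if applied is None:
                if today > deadline:
                    findings.append((d["hostname"], "FAIL",
                                     f"{patch_id} released {released} is still not applied"))
                else:
                    findings.append((d["hostname"], "NOTE",
                                     f"{patch_id} pending, due by {deadline}"))
            elif applied > deadline:
                days = (applied - released).days
                findings.append((d["hostname"], "FAIL",
                                 f"{patch_id} applied {days} days after release"))
    return findings


def check_cloud_services(services):
    """Apply the MFA rule: supported but not enabled for every user is a fail."""
    findings = []
    for s in services:
        if not s["org_data"]:
            continue  # stores no organisational data, so out of scope
        if s["mfa_supported"] and not s["mfa_all_users"]:
            findings.append((s["name"], "FAIL", "MFA available but not enabled for all users"))
        elif not s["mfa_supported"]:
            findings.append((s["name"], "NOTE", "no MFA offered; record it and consider replacing"))
    return findings


def run_assessment(devices, services, today):
    """Combine both checks; any FAIL means the submission would be rejected."""
    device_findings = check_devices(devices, today)
    cloud_findings = check_cloud_services(services)
    fails = [f for f in device_findings + cloud_findings if f[1] == "FAIL"]
    return {
        "device_findings": device_findings,
        "cloud_findings": cloud_findings,
        "fail_count": len(fails),
        "automatic_fail": bool(fails),
    }


if __name__ == "__main__":
    result = run_assessment(DEVICES, CLOUD_SERVICES, ASSESSMENT_DATE)
    for subject, severity, message in result["device_findings"] + result["cloud_findings"]:
        print(f"{severity:4} {subject}: {message}")
    print("automatic fail" if result["automatic_fail"] else "no automatic-fail findings")
```

Run as-is it reports five FAIL findings for the sample data: the Windows 10 machine, a patch still outstanding after its 14-day deadline, firewall firmware applied 20 days after release, and two cloud services where MFA exists but is not enforced for everyone. The point of keeping the register and inventory as data is that the same check can be re-run each month during the bedding-in period and before recertification.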

Phase one: the gap analysis

Before any remediation can begin, someone needs to assess the current state of the business against all five controls. For Acme, the gap analysis typically finds: the ISP router admin password is the factory default; PCs were set up with users as local administrators; default accounts are still active on printers and VoIP handsets; everyone logs in with the same privilege level; MFA is not enabled on M365; Windows Defender is running but never verified; several machines are still running Windows 10, which reached end of life on 14 October 2025 and constitutes an automatic fail; the router firmware has never been updated.

The gap analysis itself takes one to two weeks. Cost: £750 to £2,500 depending on whether the existing IT provider has the capability or external consultancy is needed.

Phase two: remediation

This is where the real money goes.

Windows 10 to Windows 11. For a 10-person office with PCs bought over the past 5 to 6 years, a realistic scenario is that 7 machines are Windows 11-compatible and 3 are not. The compatible machines need backing up, upgrading, verifying — 1.5 to 2 hours each at £100 to £150 per hour, around £1,050 to £2,100. The three incompatible machines need replacing entirely: £500 to £800 each plus setup, around £2,100 to £3,300.

Firewall replacement. The ISP router is unlikely to meet CE requirements. A proper business-grade firewall appliance with documented, configurable rules and supported firmware updates is needed. Hardware plus configuration: £600 to £1,500.

MFA on Microsoft 365. Security Defaults can enable basic MFA at no additional licensing cost. For granular Conditional Access and full device management, the business needs M365 Business Premium at roughly £17.00 per user per month versus £9.40 for Business Standard — an uplift of approximately £760 per year for 10 users.

Secure configuration and hardening. Across all in-scope devices: remove local admin rights, create separate admin accounts for IT support, set screen lock timeouts, disable auto-run, configure Defender with tamper protection, change default passwords on printers, VoIP handsets and switches, and review M365 tenant settings. £1,200 to £2,400 depending on how much falls to the external IT firm.

VoIP and website. The VoIP admin portal needs MFA, and handset firmware must be current. The website CMS, domain registrar, and DNS management are all cloud services that may fall in scope, with MFA on each, and SPF, DKIM, DMARC reviewed. £400 to £900.

Just on Phase 2 hardware and configuration, before BYOD, before documentation, before assessment fees: £6,110 to £10,960.
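The SPF and DMARC review mentioned under VoIP and website above is usually a ten-minute job once someone knows what to look for. The following Python script is an added example (my own, not from the original post) that parses the two TXT records and flags the settings that most often need fixing in a small firm: a permissive `?all` or `+all`, too many DNS-lookup terms, and a DMARC policy left on `p=none`. The records are constructed strings standing in for what a DNS lookup on the placeholder domain acme.example would return; the Microsoft include hostname is Microsoft's published one, the VoIP include is invented. DKIM is not covered because checking it requires looking up the selector record.

```python
"""Review SPF and DMARC TXT records for the DNS checks mentioned in the post.

Added example for this post, not code from the original. The records below are
constructed strings standing in for the TXT records a DNS lookup would return
for the placeholder domain acme.example; no network access is used. DKIM is
not covered because verifying it needs a lookup of the selector record.
"""

# Mechanisms and modifiers that each cost one of the 10 DNS lookups allowed by RFC 7208.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed "before" and "after" records.
SPF_BEFORE = "v=spf1 include:spf.protection.outlook.com include:_spf.voip.example ?all"
SPF_AFTER = "v=spf1 include:spf.protection.outlook.com include:_spf.voip.example -all"
SPF_TOO_MANY = "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"
DMARC_BEFORE = "v=DMARC1; p=none"
DMARC_AFTER = "v=DMARC1; p=quarantine; rua=mailto:dmarc@acme.example; pct=100"


def review_spf(record):
    """Return a list of findings; an empty list means nothing to raise."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in record.split()[1:]:
        qualifier = "+"  # the implicit default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism name is everything before ':' (a:host) or '=' (redirect=host)
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term; unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as the domain; use -all or ~all")
    return findings


def review_dmarc(record):
    """Return a list of findings for a DMARC TXT record."""
    if not record.lower().startswith("v=dmarc1"):
        return ["not a DMARC record"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing p= tag; the record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports are not being collected")
    pct = tags.get("pct")
    if pct is not None and pct != "100":
        findings.append(f"pct={pct} applies the policy to only part of the mail flow")
    return findings


if __name__ == "__main__":
    for label, record, fn in [("SPF before", SPF_BEFORE, review_spf),
                              ("SPF after", SPF_AFTER, review_spf),
                              ("DMARC before", DMARC_BEFORE, review_dmarc),
                              ("DMARC after", DMARC_AFTER, review_dmarc)]:
        print(label, "->", fn(record) or "OK")
```

The "after" records are what a corrected setup for a firm like Acme typically looks like: every legitimate sending service (M365, the VoIP provider's voicemail-to-email, the CMS if it sends mail) listed in SPF with `-all` at the end, and DMARC moved from monitoring to `p=quarantine` with a reporting address so the firm can see who is sending as its domain.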

The BYOD problem

BYOD is the cost almost nobody anticipates, and it is the one v3.3 has made significantly more painful.

The critical distinction. Under CE, a personal phone used exclusively for MFA (running the Authenticator app) and native voice or SMS is out of scope. The moment that same phone has Outlook installed, or Teams, or OneDrive, or someone has accessed webmail through the phone's browser, that device is fully in scope. It must meet all five technical controls — exactly the same as a company-owned PC.

In a 10-person firm, the realistic picture is that most staff have personal smartphones with work email and Teams installed. Under v3.3, every one of those phones is an in-scope device.

There is a cruel irony at the heart of this. The business is requiring staff to use their personal phones for MFA to secure the firm. The moment those phones touch any business data beyond the authenticator app, they become in-scope devices that need managing. Many firms accidentally drag phones into scope by enabling MFA and then thinking "while we are at it, let us put Outlook on there too".

It gets harder. In a 10-person firm, two or three staff will be carrying phones 4 to 5 years old that can no longer receive OS updates. Devices on unsupported OSes cannot be in scope. The business cannot compel an employee to buy a new personal phone.

Three options. Mobile Application Management via Microsoft Intune on M365 Business Premium manages only business apps and the data within them, without touching the employee's personal content. £1,500 to £3,500 first year including the licence uplift, deployment, and communication. Issue company phones — £150 to £350 per handset plus monthly contracts, setup, ongoing management, around £3,700 to £8,500 for 10 staff. Ban BYOD entirely — near zero direct spend, severe operational impact, and the realistic risk that some staff quietly reinstall the apps and create a hidden compliance gap.

Whichever route the firm picks, there is a human conversation to be had. MAM on personal phones raises privacy questions even when it only touches business apps. Banning BYOD removes convenience people have relied on for years. Both scenarios need a written BYOD policy and a signed acknowledgement from each staff member.

Shadow IT

Under v3.3, all cloud services that store or process organisational data are in scope. The official line is "we use Microsoft 365". The reality, in most small firms I see, is: accounting software (Xero, QuickBooks, FreeAgent); a CRM informally adopted by one team member; WeTransfer or personal Dropbox for file sending; WhatsApp groups for business discussion; HR and payroll platforms; social media accounts often without MFA; online business banking; and a shared spreadsheet of passwords in someone's personal OneDrive.

Every one of these has to be identified, declared in scope, and confirmed to have MFA enabled where available. This requires honest conversations with every member of staff about what tools they are actually using. The IT firm cannot do this for you. The staff member who introduced the shadow tool may not even have told their colleagues.

Hidden scope cost, including a password manager rollout and untangling shared accounts: £800 to £2,000.

The documentation burden

This is the work the IT firm cannot do on the business's behalf. They can configure the firewall but they cannot write the acceptable use policy. The documentation sits at the intersection of business operations and IT, which means the owner and the IT firm have to collaborate, and that takes time.

The Danzell question set asks for specific documented evidence, not vague assurances. The list runs to: scope definition and asset inventory; firewall rule documentation with business justification for every inbound rule; a user access control policy covering the full account lifecycle; a patch management policy with the 14-day commitment evidenced; a BYOD policy with staff acknowledgement; an acceptable use policy; a backup procedure with restoration testing records; a cloud service register with MFA status for each; MSP relationship documentation dividing responsibilities clearly; and a basic incident response procedure.

For a business starting from zero documented policies, that is roughly 22 to 43 hours of work — three to six days of someone's time. That someone is usually the owner. Cost: £1,500 to £3,500 at consultancy rates, or £1,000 to £3,800 of unpaid owner time at opportunity cost.

Backups

Backups are not one of the five assessed controls, but v3.3 has deliberately elevated the guidance. Achieving Cyber Essentials without backups is like fitting smoke alarms in every room and removing all the fire extinguishers.

For a 10-person business the sensible posture is two tiers. USB rotation for critical local data — five encrypted USB drives, rotated, kept in a locked cupboard when not in use. Ransomware cannot encrypt a drive that is not connected. £300 to £500 one-off. And cloud backup for Microsoft 365 with immutable storage (Veeam, Acronis, Datto), at £400 to £600 per year.

Microsoft's retention policies are not backups. Accidental deletion, malicious deletion by a leaver, ransomware encrypting synced files, or a compromised admin account can all result in data loss Microsoft will not recover. The Microsoft Shared Responsibility Model is explicit on this.

The bedding-in phase nobody budgets for

The business cannot implement all the changes and submit the assessment the next day. Controls need time to demonstrate they are functioning in practice, not just configured on paper. MFA friction generates a spike in support calls in the first week. Patches occasionally break things. Removing local admin rights generates complaints — that is exactly the point. New firewall rules block legitimate traffic that needs whitelisting. Ten people each losing 30 to 60 minutes in the first week to MFA and password resets is a real but manageable cost.

Two to four weeks minimum. Rushing this is how businesses fail the assessment.

The director's declaration

A board member or equivalent must sign a declaration confirming all answers in the questionnaire are accurate and truthful. This is not a formality. If the business claims all devices are patched within 14 days and an incident later reveals they were not, the declaration could become relevant in legal proceedings, insurance claims, or regulatory investigations. The UK's Cyber Security and Resilience Bill, working its way through Parliament, is expected to introduce greater personal accountability for directors regarding cyber security. Signing the declaration should prompt a serious question: is the business confident that everything stated is actually true?

The full picture

The line-by-line totals, low and high. Gap analysis: £750 to £2,500. Windows 10 to 11 work: £3,150 to £5,400. Firewall: £600 to £1,500. MFA and M365 uplift: £760. Secure configuration and hardening: £1,200 to £2,400. VoIP and website: £400 to £900. BYOD via MAM: £1,500 to £3,500. Shadow IT untangling: £800 to £2,000. Documentation: £1,500 to £3,500. Backups: £700 to £1,100. Bedding-in (staff productivity loss): £600 to £1,500. Certification fee: £528. Owner's time (opportunity cost): £1,000 to £3,800.

First-year total: £13,488 to £29,388. Ongoing annual costs from year two — M365 uplift, MAM, cloud backup, annual review, recertification fee — approximately £2,400 to £3,600 per year. Against a headline certification fee of £440 plus VAT.

The timeline, end to end, is 10 to 14 weeks from decision to certificate for a typical unprepared firm. The few days that some providers claim is, in my experience, the timeline only for the small minority of firms that were already substantially compliant before they started.

Why it is still worth it

After the preceding numbers, it would be easy to conclude that Cyber Essentials is not worth the effort. That would be the wrong conclusion.

The risk reduction is measurable. Organisations certified to Cyber Essentials are statistically far less likely to make a cyber insurance claim. The controls address the most common attack vectors: phishing, unpatched software, weak authentication, misconfigured systems.

The financial protection is real. The £25,000 of cyber liability insurance bundled with certification, for firms under £20m turnover, is valuable for a small business that may not otherwise have standalone cover. It includes 24/7 incident response.

The commercial benefit is tangible. Cyber Essentials is required for most UK government contracts involving personal data. Increasing numbers of private-sector buyers now mandate it in their supply chains. The NCSC has written to all FTSE 350 companies encouraging them to embed it into supplier requirements.

The regulatory direction is clear. The Cyber Security and Resilience Bill will expand baseline security requirements across a broader range of organisations. Cyber Essentials is deliberately aligned with the Bill's core requirements, which makes certification now an investment in future compliance.

The alternative is more expensive. The average cyber incident costs UK small businesses £1,600 to £3,550 per incident according to the Cyber Security Breaches Survey. Serious incidents can cost far more. A single ransomware attack can exceed the entire cost of certification and remediation combined.

What to do this week

If you are a small business considering Cyber Essentials, the cheapest mistake you can avoid is the one most firms make: signing up to the assessment first and discovering the cost after. The correct order is: download the self-assessment questions from IASME and read them before engaging any supplier; have an honest conversation with your IT support firm about their v3.3 experience; commission a gap analysis before committing to any remediation spend; budget using the figures above, not the headline £440; allow 10 to 14 weeks; sign the director's declaration only if the firm is genuinely confident the answers are true.

Cyber Essentials is not cheap, it is not quick, and it is not painless. It is one of the most practical and proportionate steps a UK small business can take to protect itself, its clients, and its reputation. Go in with your eyes open, budget honestly, allow enough time, and the investment will pay for itself. The firms that approach it that way get the certificate. The firms that approach it as a tick-box exercise discover the true cost the hard way.