Cyber Essentials Certification: Frequently Asked Questions
Common questions about getting Cyber Essentials certified with Fig Group.
Cyber Essentials certification validates five core security controls: firewalls and internet gateways, secure configuration, security update management, user access control, and malware protection. Version 3.3 (effective April 2026) also includes mandatory multi-factor authentication on all user accounts accessing organisational data.
Fig Group guarantees Cyber Essentials certification within 6 hours of submission for compliant orders placed before midday. This is the fastest published turnaround from any IASME-licensed certification body in the UK. Three rounds of structured feedback are included if corrections are needed.
Cyber Essentials certification from Fig Group starts at £314.99 + VAT for micro organisations (1-9 employees) and ranges up to £649 + VAT for large organisations (250+ employees). Cyber Essentials Plus starts at £1,499 + VAT. All pricing is fully inclusive with no hidden fees.
Cyber Essentials certification is required under PPN 014/21 for certain UK government contracts involving sensitive information. It is not universally mandatory, but many commercial clients, insurers, and supply chain partners now require it as a minimum security standard.
Yes. Every IASME-licensed certification body issues the same NCSC-backed Cyber Essentials certificate. The certificate appears on the same public register, is valid for the same 12 months, and is recognised identically by government, clients, and insurers. The difference between bodies is price, speed, and the experience of getting certified.
If your submission requires corrections, Fig Group provides structured feedback identifying exactly what needs to change. Up to three rounds of feedback are included at no extra cost, and resubmissions are reviewed promptly rather than re-queued behind other work.
Cyber Essentials is a UK government-backed certification scheme developed by IASME (the Information Security Accreditation Membership Body). It validates that your organisation has implemented essential cyber hygiene controls based on the NCSC (National Cyber Security Centre) guidelines. The certification demonstrates your commitment to cybersecurity best practices and helps protect against common cyber attacks.
Cyber Essentials is the self-assessed certification level covering 5 core control categories. CE Plus adds an independent, third-party verification layer: a qualified assessor conducts a technical audit of your systems, including vulnerability scanning and verification that controls are implemented correctly. CE Plus is more rigorous and carries greater credibility with customers, insurers, and partners.
Any organisation can benefit from CE certification. It's particularly valuable if you: are a contractor bidding for government contracts or critical infrastructure tenders, work with sensitive data, want to demonstrate cyber controls to customers or insurers, or need compliance evidence for frameworks like NIS2 or ISO 27001.
Cyber Essentials certification is valid for one year from the date of assessment. You'll need to re-certify annually.
Cyber Essentials starts from £314.99 + VAT for micro organisations (1-9 staff) and ranges up to £649 + VAT for large organisations (250+ staff). Cyber Essentials Plus starts from £1,499 + VAT and includes a third-party technical audit. All Fig Group pricing is fully transparent with no hidden fees.
Under Procurement Policy Note 014/21, UK central government contracts that involve handling sensitive or personal information may require Cyber Essentials certification. The specific requirement depends on the contract and the data involved. Many private-sector organisations also expect it from suppliers. If you need certification quickly to meet a tender deadline, Fig Group offers same-day certification for orders placed before midday.
Under the v3.3 update, multi-factor authentication (MFA) becomes mandatory for all user accounts that access organisational data or services. This applies to assessment accounts created from 28 April 2026 onwards. It covers cloud platforms, remote access, email, and administrative accounts. Existing certifications assessed before this date are not retrospectively affected.
If your assessment identifies gaps in your controls, you will receive clear feedback on exactly what needs to be remediated. Fig Group provides structured feedback up to three times on your submission. You can then make the necessary changes and resubmit without delay. Most organisations that prepare using our readiness checker pass on their first attempt.
Cyber Essentials covers five core control categories that map directly to a subset of ISO 27001 Annex A controls, including access control, patch management, secure configuration, and malware protection. Achieving Cyber Essentials gives you a head start on ISO 27001.