Fig Group

Cyber Essentials Certification City of London 6-Hour Guarantee · From £299.99 + VAT

Fig Group is an IASME-licensed Cyber Essentials and Cyber Essentials Plus certification body serving organisations across City of London. We deliver certification on a published flat fee - never quoted on revenue - with Cyber Essentials issued within six hours of a compliant self-assessment submission and Plus typically completed in 1-3 working days.

View City of London pricing Speak to the team

London assessor note

City of London organisations usually need Cyber Essentials for practical buyer-side reasons: public-sector DDQs, supplier onboarding, insurance renewal, or regulated-client procurement. The scoping conversation normally starts with banking and capital markets, the devices used to access organisational data, and the cloud services that require MFA under v3.3.

City of London Cyber Essentials pricing

Fig Group publishes a flat fee for every organisation size, applied identically whether your business is in Bank or elsewhere in City of London. Cyber Essentials starts at £299.99 + VAT for micro organisations (1-9 employees). Cyber Essentials Plus starts at £1,499 + VAT. Both products include the latest Cyber Essentials v3.3 requirements, including the mandatory MFA control.

Cyber Essentials

Organisation	Price
Micro1-9 employees	£299.99+ VAT	Get certified
Small10-49 employees	£399.99+ VAT	Get certified
Medium50-249 employees	£449.99+ VAT	Get certified
Large250+ employees	£549.99+ VAT	Get certified

Self-assessed certification. Includes assessment, up to three feedback rounds, certificate issuance, and IASME registration.

Cyber Essentials Plus

Organisation	Price
Micro1-9 employees	£1,499+ VAT	Get certified
Small10-49 employees	£1,999+ VAT	Get certified
Medium50-249 employees	£2,799+ VAT	Get certified
Large250+ employees	£4,499+ VAT	Get certified

Third-party verified with external vulnerability scan. 1-3 working days.

Why City of London businesses choose Fig Group

The City of London is the most commercially demanding jurisdiction in the UK for supplier cyber compliance. Lloyd's syndicates, London Market insurers, Magic Circle law firms, commodities clearing members at the LME and ICE Futures Europe, and the asset-management firms concentrated across the Square Mile almost universally require Cyber Essentials - and frequently Cyber Essentials Plus - from their suppliers. The FCA and PRA both expect operational resilience evidence that typically includes Cyber Essentials at minimum. Commercial barristers' chambers around the Temple, criminal chambers near the Old Bailey, and SJP Partner Practices operating from Mayfair and the Square Mile face the same pressure from instructing solicitors, lay clients, and insurance underwriters. Fig Group certifies City of London organisations within six hours of a compliant submission, on a published flat fee, and our office at 167-169 Great Portland Street is a short walk or a single Central line stop from the Square Mile for in-person scoping sessions.

Areas covered

Bank, Moorgate, Liverpool Street, Aldgate, Barbican, Fleet Street, Farringdon, Cannon Street, Blackfriars, Monument

Postcode coverage

EC1, EC2, EC3, EC4

Notable sectors in City of London

Banking and capital markets, insurance (Lloyd's syndicates and London Market), legal services (Magic Circle and commercial barristers' chambers), commodities clearing (LME, ICE), asset management, professional services.

Top three compliance triggers for City of London businesses

1. Local-authority and public-sector procurement in City of London

Tenders published by City of London Council (and by the NHS trusts whose catchment covers the borough) routinely name Cyber Essentials as a baseline supplier requirement under PPN 014/21 and the corresponding council standing orders. Any business in City of London bidding on council framework agreements, social-value-weighted contracts, or health-and-care services via the local ICB will see Cyber Essentials listed on the cover page of the DDQ. Fig Group certifies City of London suppliers within six hours of a compliant submission, which matters when a council mini-competition window is short.

2. Enterprise and regulated-customer pressure in City of London

Beyond the public sector, the private-sector customers of City of London businesses increasingly treat Cyber Essentials as a baseline on supplier onboarding. In City of London the concentrations are in banking and capital markets, insurance (Lloyd's syndicates and London Market), legal services (Magic Circle and commercial barristers' chambers), each of which carries its own supplier cyber expectation set (FCA operational resilience for financial counterparties, SRA data-handling requirements for legal work, NHS DSPT alignment for health, ICO reasonableness for any processor of personal data). A self-assessed Cyber Essentials certificate typically clears stage-one of the DDQ; Cyber Essentials Plus is what wins the stage-two competition.

3. Professional indemnity and cyber insurance in City of London

Professional-indemnity and cyber insurance underwriters now apply higher retention loadings (or decline altogether) to City of London businesses that cannot demonstrate baseline cyber hygiene. Cyber Essentials is the lowest-friction evidence that most brokers accept at renewal. Some underwriters now treat Cyber Essentials Plus as a precondition for writing certain cyber sub-limits at all. Fig Group's Plus certification includes the external vulnerability scan and sampled endpoint audit as standard - no separate scanning fee, no mandatory consultancy day.

What we certify for City of London organisations

Scope on a City of London Cyber Essentials engagement typically covers every device used for business purposes - laptops, desktops, mobile phones, tablets - that can access organisational data or cloud services. It covers the network perimeter (router, firewall, WiFi access points) that the devices sit behind. It covers the identity platform (Microsoft 365, Google Workspace, Okta, or the Active Directory forest) that authenticates each user. It covers the security-relevant SaaS applications in use - email, file storage, collaboration, CRM, any line-of-business application with authentication.

For a typical City of London organisation in banking and capital markets, the five NCSC control categories translate as follows. Firewalls and internet gateways: the border router and any WiFi access points must have non-default admin credentials and published patches applied within fourteen days. Secure configuration: all in-scope devices must have an MDM baseline applied, unused accounts disabled, and auto-lock enforced. Security update management: operating-system and application patches must land within fourteen days of release. User access control: multi-factor authentication is mandatory under v3.3 for every user account accessing organisational data. Malware protection: endpoint protection (Defender, CrowdStrike, SentinelOne or equivalent) must be active on every in-scope endpoint.

The Cyber Essentials Plus assessment adds an external vulnerability scan of internet-facing assets and a sampled technical audit of end-user devices - for a City of London organisation that is typically a short set of video calls plus a remote screen-share of a sample laptop, spread across one to three working days.

Getting to Fig Group's office from City of London

Our office at 167-169 Great Portland Street, W1W 5PF, is the closest IASME-licensed certification body to City of London for any scoping session you would prefer to run in person. The nearest Underground stations are Great Portland Street (Circle, Hammersmith & City, Metropolitan - two minutes' walk) and Regent's Park (Bakerloo - five minutes' walk). Warren Street (Victoria, Northern) is ten minutes' walk via Fitzrovia. For most City of London organisations the straightforward route is a single Central, Northern or Circle line change onto the short Fitzrovia / Marylebone corridor. The vast majority of our engagements run remotely - we mention the office only because several City of London clients have asked for in-person scoping calls for Plus assessments where the head of IT and the CRO both want to be in the room.

Map centred on City of London (51.516, -0.092)Open in OpenStreetMap

6-hour guarantee

Guaranteed within six hours of a compliant submission.

From £299.99 + VAT

Published flat fee - never quoted on revenue.

IASME licensed

Authorised certification body for CE and CE Plus.

3 free reviews

Structured feedback if remediation is needed.

How certification works for City of London businesses

The process is the same for every City of London organisation, regardless of sector or size. We have refined it across hundreds of London certifications to keep elapsed time as short as possible.

Step 1
Scope your assessment
Tell us which devices, accounts, and locations are in scope. We confirm pricing on the published flat fee - no revenue-based quotes.
Step 2
Submit your evidence
Use our portal to provide answers against the five NCSC controls. Our readiness checker pre-flags anything that needs work.
Step 3
Receive feedback (if needed)
If anything needs adjusting, we send structured, plain-English feedback within hours. Three review rounds are included free.
Step 4
Get certified
Once compliant, your certificate is issued within six hours. Cyber Essentials Plus adds a remote technical audit (1-3 working days).

Frequently asked questions - Cyber Essentials in City of London

Can Fig Group certify businesses in City of London?

Yes. Fig Group is an IASME-licensed Cyber Essentials and Cyber Essentials Plus certification body and works with organisations across the whole of City of London and the wider London region. Our central-London office at 167-169 Great Portland Street is a short journey from every part of Inner London, and most engagements run remotely so location is rarely a factor. We apply our published flat fee (from £299.99 + VAT for Cyber Essentials, from £1,499 + VAT for Cyber Essentials Plus) regardless of where in City of London your organisation is based.

How long does Cyber Essentials take for a City of London business?

For self-assessed Cyber Essentials, Fig Group guarantees certification within six hours of a compliant submission landing in our portal. If anything needs adjusting we include three free review rounds. Cyber Essentials Plus takes one to three working days because it includes an external technical audit and vulnerability scan. The same SLAs apply whether your business is in Bank or anywhere else in City of London.

How do I get Cyber Essentials in City of London?

Start by scoping the devices, cloud services, and user accounts in use across your City of London organisation. Purchase the self-assessed Cyber Essentials package on the published flat fee (from £299.99 + VAT), complete the NCSC five-control questionnaire through our portal, and an IASME-licensed Fig Group assessor reviews it the same working day. Compliant submissions are certified within six hours. If anything needs adjusting you receive up to three free feedback rounds. No travel to City of London is required - the entire process runs remotely, which is how we keep the six-hour turnaround consistent across every London borough.

What is the difference between Cyber Essentials and Cyber Essentials Plus for City of London businesses?

Cyber Essentials is a self-assessed control questionnaire reviewed by an IASME-licensed assessor, from £299.99 + VAT. Cyber Essentials Plus adds an external vulnerability scan and a hands-on technical audit of a sample of end-user devices, from £1,499 + VAT. For many City of London organisations (supplier frameworks, enterprise procurement, insurance) the self-assessed level is enough. For regulated sectors represented in City of London - banking and capital markets, insurance (Lloyd's syndicates and London Market) - the Plus certification is increasingly the requested tier. Fig Group offers both on a published flat fee with no revenue-based pricing.

Do City of London-based NHS, council, or banking and capital markets suppliers need Cyber Essentials Plus specifically?

It depends on what they handle. Cyber Essentials (self-assessed) is enough to pass most City of London council framework DDQs and the opening stage of most enterprise procurement gates. Cyber Essentials Plus is increasingly the expectation for suppliers touching patient data, legal privilege material, bound-business insurance records, or any central-government contract handling sensitive or personal information under PPN 014/21. When in doubt, ask the procurement team for the exact wording on the DDQ - if "Plus" or "externally verified" appears, you need Plus. Fig Group's Plus engagement includes the external vulnerability scan and sampled endpoint audit at the published flat fee.

How quickly can I get Cyber Essentials certified?

Fig Group guarantees Cyber Essentials certification within 6 hours of self-assessment submission for orders placed before midday, provided the submission is compliant. If corrections are needed, up to three rounds of structured feedback are included at no extra cost. Cyber Essentials Plus takes 1-3 working days due to the external technical verification requirement.

How much does Cyber Essentials cost?

Cyber Essentials costs from £299.99 + VAT (micro, 1-9 employees) to £549.99 + VAT (large, 250+ employees). Cyber Essentials Plus costs from £1,499 + VAT to £4,499 + VAT. Fig Group pricing is fully inclusive - no hidden fees, no assessment surprises, no mandatory add-ons.

Is Cyber Essentials mandatory?

Cyber Essentials is required under PPN 014/21 for certain UK central-government contracts that handle sensitive or personal data. It is also increasingly required by NHS supplier frameworks, local authorities, and private-sector enterprise procurement teams as evidence of foundational cybersecurity.

What are the five Cyber Essentials controls?

The five controls are: firewalls and internet gateways, secure configuration, security update management (patching within 14 days), user access control, and malware protection. Under v3.3, multi-factor authentication (MFA) becomes mandatory for all user accounts in scope. This applies to assessment accounts created from 28 April 2026 onwards.

Ready to get certified in City of London?

Book your Cyber Essentials assessment today. Six-hour guarantee for compliant submissions, three free review rounds, and a published flat fee from £299.99 + VAT.

See pricing Ask a question

Nearby London boroughs

Fig Group also certifies organisations in the boroughs that neighbour City of London. Each page lists sector-specific context and local postcode coverage.

WestminsterWestminster certification →CamdenGet certified in Camden →IslingtonIslington Cyber Essentials guide →HackneyCyber Essentials for Hackney →Tower HamletsTower Hamlets certification →SouthwarkGet certified in Southwark →

Speak to the team

Tell us about your City of London business and we will come back with a fixed price and a target certification date.