How quickly can I get Cyber Essentials certified?

Fig Group guarantees Cyber Essentials certification within 6 hours of self-assessment submission for orders placed before midday, provided the submission is compliant. If corrections are needed, up to three rounds of structured feedback are included at no extra cost. Cyber Essentials Plus takes 1-3 working days due to the external technical verification requirement.

How much does Cyber Essentials cost?

Cyber Essentials costs from £299.99 + VAT (micro, 1-9 employees) to £549.99 + VAT (large, 250+ employees). Cyber Essentials Plus costs from £1,499 + VAT to £4,499 + VAT. Fig Group pricing is fully inclusive - no hidden fees, no revenue-based quoting, no mandatory add-ons.

Is Cyber Essentials mandatory?

Cyber Essentials is required under PPN 014/21 for certain UK central-government contracts handling sensitive or personal data. It is also increasingly required by NHS supplier frameworks, local authorities, regulated financial-services counterparties and private-sector enterprise procurement teams as the baseline evidence of foundational cybersecurity.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessed questionnaire reviewed by an IASME-licensed assessor. Cyber Essentials Plus adds an external vulnerability scan and a sampled technical audit of end-user devices, independently verifying that the five controls are operating in practice. Both certifications are valid for 12 months and carry the same NCSC badge.

Cyber Essentials for MSPs & Supply Chain

MSPs sit in a distinctive scoping position: the infrastructure they run is often shared with their customers' infrastructure, so drawing the Cyber Essentials boundary requires care. On the commercial side, Cyber Essentials and Cyber Essentials Plus are now a de-facto gate for any MSP selling into enterprise, NHS or central-government accounts - particularly under PPN 014/21 for central-government contracts handling sensitive or personal information.

Why MSPs need Cyber Essentials differently

An MSP's Cyber Essentials scope is genuinely harder to draw than a typical end-customer's. Much of the infrastructure an MSP touches belongs to or is shared with its customers. The MSP's own corporate estate (the laptops the engineers use, the MSP's own email, the ticketing system, the RMM tooling, the monitoring stack) is unambiguously in scope. But what about the customer estates the MSP administers? If an engineer's credentials can access a customer domain controller, does the customer's domain controller need to pass Cyber Essentials?

Our approach is that the MSP's own estate is in scope; customer estates are out of scope for the MSP's own certificate unless the MSP owns the customer's devices outright. The MSP's administrative-access controls into customer environments (privileged access management, MFA on admin accounts, just-in-time access controls, tiered engineer access) are absolutely in scope because those controls sit on the MSP's own devices and accounts.

Enterprise, NHS and central-government procurement

For MSPs and other suppliers bidding on enterprise contracts, Cyber Essentials is the quickest line item to clear on a DDQ. Enterprise procurement teams across UK-listed organisations, NHS trusts and central-government departments now almost universally list Cyber Essentials (and increasingly Cyber Essentials Plus) as an explicit requirement. PPN 014/21 makes this explicit for central-government contracts that handle sensitive or personal information. The NHS Data Security and Protection Toolkit (DSPT) does not require Cyber Essentials directly but maps many of its evidence requirements to it.

The commercial implication is that an MSP that cannot evidence Cyber Essentials on the DDQ cover sheet is typically disqualified at stage one of the bid, before any technical response is read. Cyber Essentials Plus is the upgrade that wins - not just passes - the stage-two competition, because it demonstrates external verification rather than a self-assessment.

Working with Fig Group as an MSP

Fig Group has certified MSPs of every size - from two-person managed-service shops in north London to larger MSPs with multi-site operations. We apply the same published flat fee irrespective of the MSP's revenue or customer count. The six-hour turnaround for compliant Cyber Essentials submissions is especially valuable for MSPs under deadline pressure on a customer tender.

For MSPs considering Cyber Essentials Plus, the external vulnerability scan covers internet-facing infrastructure, and the sampled endpoint audit confirms that the five controls are enforced in practice on a representative sample of engineer workstations. Plus certificates complete in 1-3 working days. Partnership arrangements for MSPs wanting to offer Cyber Essentials as part of their own customer offering are also available - reach out via the contact form.

6-hour guarantee

Issued within six hours of a compliant submission.

From £299.99 + VAT

Published flat fee. Never quoted on revenue.

IASME licensed

Authorised certification body for CE and CE Plus.

3 free reviews

Included if remediation is needed.

Where MSPs & Supply Chain concentrate in London

Fig Group certifies organisations across every London borough. These boroughs are the main clusters for msps & supply chain:

Tower Hamlets City of London Southwark

MSPs & Supply Chain: Frequently asked questions

Ready to certify your msps & supply chain organisation?

Six-hour guarantee for compliant submissions. Three free review rounds. Published flat fee from £299.99 + VAT.

View pricing Ask a question

Speak to the team

Tell us about your msps & supply chain organisation and we will come back with a fixed price and a target certification date.

Cyber Essentials for MSPs and the Supply Chain Enterprise, NHS and Central-Government Procurement