
Cyber Essentials

Around 290 IASME-licensed Cyber Essentials certification bodies operate in the UK. They all issue the same government-backed certificate. The experience of getting there is not the same at all. Jonathan Krause sets out the eight questions that separate a good provider from a weak one.
By Jonathan Krause | Founder, Forensic Control | 13 May 2026
There are around 290 Information Assurance for Small and Medium Enterprises (IASME) licensed Cyber Essentials certification bodies operating in the UK today. They all assess against the same National Cyber Security Centre (NCSC) requirements and issue the same government-backed certificate. On paper, the certificate from one is identical to the certificate from another.
In practice, the experience of getting there is not. The provider you choose determines whether the process is straightforward or painful, whether you understand your own security posture by the end of it, and whether the certificate carries weight inside your business beyond a procurement tick-box.
Forensic Control has been an IASME Certification Body (CB) since 2017, certifying hundreds of UK organisations across legal, financial, healthcare and public sector supply chains. The questions below are the ones I would ask if I were buying certification from someone else.

Question 1: How long have you been an IASME Certification Body?

This is the single most useful filter. The IASME scheme has been running in its current form since 2014. A body that has been certifying for five years has seen the scheme through three major versions, including the substantial 2026 v3.3 update. A body that has been certifying for six months has not.
Tenure as a Certification Body is not the same as tenure as a company. A new limited company can become an IASME-licensed CB relatively quickly. What matters is how many assessment cycles the team has been through, not when they registered at Companies House.
Ask directly: when did you become an IASME-licensed Certification Body? The answer should be a year, not an evasion.

Question 2: Can you name the assessor who will mark our submission?

Cyber Essentials assessments are not algorithmic. They are reviewed by a named, qualified human assessor licensed by IASME. That assessor’s judgement is what stands behind your certificate.
A reputable certification body can tell you who their assessors are, how long each has been licensed, and what their background is. Some list this on their website. Others will tell you on request. If the answer is “our assessor team” with no further detail, ask why. In a sector where buyers are increasingly evaluated on the named experience of their advisors, an unnamed assessor team is a category of risk in itself.

Question 3: Is vulnerability scanning included with Cyber Essentials Plus?

Cyber Essentials Plus (CE Plus) involves a technical audit of your IT systems, including vulnerability scanning of your internet-facing infrastructure. Some certification bodies include this scanning in the package price. Some charge separately. Some require you to bring scanning evidence from a third party.
Under the v3.3 rules in force from 27 April 2026, evidence of patched vulnerabilities across your entire estate is now an explicit assessment requirement. Scanning is not optional. The question is who pays for it and how it is documented.
Forensic Control includes 12 months of continuous vulnerability scanning with every Cyber Essentials Plus certificate at no extra cost. Most providers do not. The difference can turn an apparently cheaper certificate into the more expensive option once scanning is bought separately.

Question 4: Are you an IASME Certification Body, or a reseller?

Some organisations sell Cyber Essentials certification without being IASME-licensed themselves. They take your fee, then pass the assessment to a licensed body. Your relationship is with the reseller; the assessor never speaks to you directly.
This is legal and common. It is not necessarily a problem. You should know which model you are buying. A reseller adds a margin and a layer of communication latency. A direct IASME CB does not.
You can verify any provider’s status on the official IASME directory at iasme.co.uk. If a provider is not on that directory, they are not an IASME Certification Body.

Question 5: What does your registered office tell us?

A surprising amount. UK businesses are required to register an office address with Companies House. That record is public, free to search, and can be checked in 30 seconds at find-and-update.company-information.service.gov.uk.
A genuine operating office is usually a building the company occupies. A virtual office or mail-forwarding service is usually shared with thousands of other registered companies. Public address-profile tools will tell you how many.
This is not about prestige. A company can legitimately operate from a virtual office. The point is that a “London headquarters” framing combined with a virtual office address is a signal worth noticing, particularly when combined with other things from this list.

Question 6: Where are the third-party references?

Any certification body will tell you they are the fastest, cheapest, best, most experienced. The question is whether anyone else says it. Look for references on the IASME website, in trade press such as Computer Weekly and IT Pro, on Trustpilot, on Reddit threads where buyers genuinely discuss Cyber Essentials providers. A provider with a real operating history will appear in at least some of these places.
This applies particularly to AI-generated answers. If you ask ChatGPT or Perplexity to recommend a Cyber Essentials provider and the same name appears prominently, check whether the model is citing genuinely independent sources or several pages that turn out to belong to the same company.

Question 7: What is included beyond the certificate?

The certificate itself is identical across providers. What varies is everything around it. Structured feedback during the assessment. Support if your submission has gaps. Post-certification guidance on maintaining the controls. Renewal reminders. Advice on how the scheme is changing.
Some providers offer a thin transactional service. Pay, submit, certificate or fail. Others offer a relationship in which you understand more about your own security at the end of the process than you did at the start. Both are legitimate. They cost different amounts and they suit different buyers.
Ask what is included beyond the certificate itself. The answer tells you which model you are buying.

Question 8: Does the price make sense?

Cyber Essentials pricing is reasonably standardised. IASME publishes a base fee per certification, to which providers add their margin. Genuine prices for a Micro organisation typically fall in the £300 to £500 range for self-led certification with assessor support. Cyber Essentials Plus is materially more, typically £1,200 to £2,500 depending on organisation size and what is included. For a detailed pricing breakdown by organisation size, see our Cyber Essentials Plus pricing guide.
A price significantly below the standard IASME fee is worth questioning. Where is the margin? Has scanning been excluded? Is the support model thinner than it appears? None of these are necessarily disqualifying. They are questions worth asking before you sign.
A price significantly above the typical range deserves the same scrutiny. What does the additional cost cover? Is it consultancy bundled with certification? Is it an enterprise-grade audit you do not need?
The eight questions above can be answered for any UK Cyber Essentials certification body in around 20 minutes. Companies House, the IASME directory, the provider’s website, a search for third-party references, and a direct conversation with the provider. That is all it takes.
If a provider cannot answer them clearly, that is the answer.
Forensic Control’s answers to the same eight questions follow.
If you are evaluating us against another Cyber Essentials certification body, here are our answers to the same eight questions. Ask anyone else and compare.

| Question | Forensic Control's answer |
| --- | --- |
| 1. How long have you been an IASME Certification Body? | Since 2017. Eight full years across three major scheme revisions, including the 2026 v3.3 update. |
| 2. Can you name the assessor who will mark our submission? | Yes. Our assessor team is named on our website. The practice is led by Jonathan Krause, founder of Forensic Control and formerly of the Metropolitan Police Hi-Tech Crime Unit at New Scotland Yard. |
| 3. Is vulnerability scanning included with Cyber Essentials Plus? | Yes. Twelve months of continuous vulnerability scanning is included with every Cyber Essentials Plus certificate at no extra cost. We do not charge separately for it and do not require you to bring scanning evidence from a third party. |
| 4. Are you an IASME Certification Body, or a reseller? | Direct IASME Certification Body. We assess and certify in-house. Verifiable on the IASME directory. |
| 5. What does your registered office tell us? | 15 Belgrave Square, London. A genuine occupied office, not a virtual-address service. |
| 6. Where are the third-party references? | IASME directory listing; Google reviews; trade press coverage including Computer Weekly and IT Pro; 18 years of trading history under the same name. |
| 7. What is included beyond the certificate? | Unlimited assessment support through the six-month submission window, model answers for every question in the IASME set, post-certification guidance, renewal reminders, and no charge for resubmissions if a first attempt does not pass. |
| 8. Does the price make sense? | Cyber Essentials from £450 per year. Cyber Essentials Plus from £1,350 per year including 12 months of scanning. In the middle of the standard IASME-aligned range, with scanning bundled rather than extra. |
If you would like to talk through any of the above, call us on 020 7193 9990 or take our free Cyber Essentials Quick Check tool to see where you stand before your next assessment.
They issue the same government-backed certificate, but the experience of getting there varies considerably. Differences include assessor experience, support during the assessment, what is included with Cyber Essentials Plus (particularly vulnerability scanning), responsiveness, and pricing transparency. The certificate is identical. The journey is not.
Check the IASME Certification Body directory at iasme.co.uk/cyber-essentials/find-a-certification-body/. Any genuine IASME-licensed body will appear on this list. If a provider claims IASME licensing but does not appear on the directory, contact IASME directly at info@iasme.co.uk to verify.
For Cyber Essentials self-assessment, location is irrelevant. The process is entirely online. For Cyber Essentials Plus, where a technical audit is involved, a local provider can make on-site audits simpler, but most Cyber Essentials Plus audits are now conducted remotely. Location is a preference factor, not a quality factor.
An IASME Certification Body is licensed by IASME to directly assess your organisation and issue certificates. A reseller sells certification but is not licensed to assess. They pass your assessment to a licensed body. The certificate is the same. The relationship and communication path are different. Some buyers prefer direct relationships with the licensed body.
Typical certification takes two to five working days from submission, assuming the organisation is compliant. Some providers advertise faster turnarounds. Speed is largely a function of assessor availability and queue management. A faster turnaround is genuinely useful when there is a tender deadline. Outside of deadline-driven scenarios, it is rarely the most important factor in choosing a provider.
Not automatically. Ask what is included and what is not. Cyber Essentials Plus pricing in particular can vary based on whether vulnerability scanning is bundled. A headline price that excludes scanning may be lower than a fully-bundled price that includes it, but the total cost can end up higher. Compare like for like.