Cyber Essentials quotes: what UK businesses (10–200 staff) should expect

If you’re running a UK business with between 10 and 200 people, chances are someone in finance has asked for a Cyber Essentials quote — or worse, you’ve been told it’s a box to tick for a new contract. Quotes can look wildly different. One comes in at a few hundred pounds, another at several thousand. You don’t need the tech manual; you need to know what drives price, what matters to your board, and how to avoid a costly surprise.

Why Cyber Essentials matters (for accounts, customers and calm)

Cyber Essentials is a government-backed baseline. For many suppliers and insurers it’s now the minimum evidence they want to see. That’s the business impact: faster procurement, less room for argument when things go wrong, and often cheaper cyber insurance. In plain terms, it helps stop obvious attacks and gives you a credible badge to show customers and partners.

Why quotes vary so much

Quotes differ because providers price different things. Think of it like getting two builders’ quotes: one quotes for scaffolding, materials and finish; the other just says “£500”. The main variables are:

  • Scope: Are you covering just on-premises desktops and servers, or cloud services and VPNs too? More scope = more work.
  • Size and complexity: Ten users on a single site is different from 150 spread across three locations with hybrid home working.
  • Evidence gathering: Some assessments include detailed documentation review and remediation help; others just tick boxes for the certification submission.
  • Certification level: Cyber Essentials (self-assessed) costs less than Cyber Essentials Plus (external tests and checks).
  • Pre-existing hygiene: If patching, backups and basic endpoint controls are already in place, the cost falls. If not, expect remediation quotes on top.
  • Local work vs remote: An on-site visit in, say, Manchester or Bristol will add time and travel — and cost — compared with a remote assessment.

What a useful quote looks like

A good quote is clear. It should break out:

  • Assessment fee (what the assessor does)
  • Remediation estimate (work needed to meet the standard)
  • Retest or follow-up fees (often annual)
  • Timescales and responsibilities (what you must provide)
  • Whether the quote covers Cyber Essentials or Cyber Essentials Plus

If the quote is a single figure with no explanation, ask for a breakdown. Cheap can be cheap because it skips the bits that make the certificate meaningful.

How to get an accurate and comparable quote

Make the assessor’s job easy so their quote reflects reality. Save time (and money) with these practical steps:

  • Create a simple inventory: number of users, devices, servers, cloud apps in use. It doesn’t need to be perfect, but it should be honest.
  • List who looks after IT and where the administrative access sits. If IT is a mix of an internal team and freelancers, say so.
  • Note any recent incidents or audits and whether you already have basic policies (password policy, backup policy, device patching).
  • Decide whether you want the assessor to handle remediation, or whether you’ll use your IT team or a third party. That changes the quote dramatically.

Preparing this information usually halves the back-and-forth and helps you compare quotes on like-for-like terms. If you’d like a clear starting point for what to expect from suppliers, our Cyber Essentials guide explains the common packages and what they include.

Common pitfalls (and how to avoid them)

  • Ignoring remediation costs: Many firms assume the quote covers everything. Often it doesn’t. Ask for a separate remediation estimate.
  • Mismatched scope: A quote for 10 devices won’t cover 100. Be explicit about numbers and locations.
  • Thinking certification equals security: Cyber Essentials reduces risk but doesn’t eliminate it. Treat it as a floor, not a ceiling.
  • Forgetting recurrent costs: Certification is not a one-off — policies change, devices are replaced, people leave. Budget for reviews and renewals.

Comparing quotes — a quick checklist

When you have a few quotes, run them through this checklist:

  1. Is scope identical? (sites, devices, cloud)
  2. Does it include remediation or just assessment?
  3. Is there a clear timeline and who does what?
  4. Does it state Cyber Essentials or Cyber Essentials Plus?
  5. Are there ongoing support or retest fees?

Ask for references or examples of similar work in your region — you want a supplier who knows UK procurement habits and has worked with businesses of your size. Over the years I’ve seen everything from tidy remote-only assessments that flew through, to months-long projects where basic patching was overlooked until late in the process. The better the initial information you give, the fewer surprises you’ll see on the final invoice.

Practical next steps for busy leaders

If you’re short on time, delegate the initial information gathering to an operations manager or IT lead and ask suppliers to quote on two levels: assessment-only and assessment-plus-remediation. That gives you a realistic range to present at the next board meeting — and saves you being blindsided by hidden costs.

FAQ

How long does Cyber Essentials certification take?

For straightforward setups it can be a matter of days to a couple of weeks. If you need remediation work (patching, policy writing, device upgrades) it stretches to months. The timescale really depends on how tidy your current IT housekeeping is.

Will Cyber Essentials reduce my insurance premium?

Sometimes. Many insurers view Cyber Essentials as evidence of basic risk management and may offer better terms, but it depends on the insurer and the specifics of your policy. Always check with your broker.

Why should I consider Cyber Essentials Plus?

Plus includes independent tests rather than self-attestation. It’s more credible for larger customers or contracts that explicitly ask for it. It costs more, but for some tenders it’s necessary.

What if I don’t pass the assessment?

Failing a first assessment is not the end of the world. You’ll get a list of issues to fix and can be re-assessed. The risk is mainly time and the effort of remediation — which is why obtaining a realistic, itemised quote up front matters.

Final thought

Cyber Essentials quotes are not a mystery if you know what to ask for. Focus on scope, remediation, and realistic timelines. Get the basics documented, compare like-for-like quotes, and budget for ongoing checks — not just a certificate. Do that and you’ll save time, reduce unexpected spend, and get the credibility and calm that make procurement and insurers less of a headache.

If you want help turning a rough idea into a sensible budget and timeline, a clear quote will pay for itself in fewer surprises and less downtime.