
How do you become cyber certified?

Author: ICAEW Insights

Published: 31 Oct 2025

There are several standards and certifications for businesses to follow when it comes to cyber security. What are they, and how do you get the certifications?

According to the UK government’s Cyber Security Breaches Survey 2025, 43% of businesses experienced breaches or attacks in the past year and, in around half of these cases, this resulted in cybercrimes being committed. A recognised cybersecurity certification can help protect your business against the disruption, cost and reputational damage that come from being a victim of cybercrime. It also reassures clients that you take cybersecurity seriously and that their sensitive data is safe in your hands. We look at the options available.

Cyber Essentials

Cyber Essentials is a government-backed certification scheme operated under the oversight of the National Cyber Security Centre (NCSC). It is the recommended minimum standard for all organisations and protects against the most common cyber-attacks by ensuring essential security measures are in place. These comprise firewalls and routers, secure configuration, access control, malware protection and security updates. Certification includes cyber liability insurance for any UK organisation that certifies their whole organisation and has less than £20m annual turnover. The certification is renewed annually.

Cyber Essentials is delivered by IASME and involves a combination of self-assessment and audit by an independent assessor. There are several free resources available to help you complete the scheme. The Readiness Tool helps you create an action plan geared to your organisation; the Knowledge Hub contains resources and sector-specific guidance; and SMEs can access a free 30-minute consultation with an NCSC-assured Cyber Advisor.

Cyber Essentials is now a requirement for businesses within UK government supply chains and is needed for many central and local government contracts, so it’s becoming more important for businesses to get this certification. The UK government also recently sent an open letter on cyber security to all FTSE100 and FTSE250 companies, and a number of leading UK firms, recommending that they require Cyber Essentials in their supply chains.

The cost ranges from £320 + VAT for businesses with up to nine employees, to £600 + VAT for businesses with 250+ employees. Some organisations choose to pay for additional support from a Cyber Advisor or engage an accredited cybersecurity provider to manage the whole process, which involves an additional cost.

Good for: Simple, unregulated businesses, or those after a starting point.

Cyber Essentials Plus

Cyber Essentials Plus builds on Cyber Essentials with an independent technical audit of your IT systems to ensure that defences are working effectively. “The Plus certification provides a higher level of assurance, demonstrating stronger proof to customers and insurers that the controls are not just claimed but are effective in practice,” explains Andrew Yearsley, Chief Technical Officer at Bishop Fleming Chartered Accountants. “We have clients who will not engage with us unless we have an active Cyber Essentials Plus certification, and we regularly get tenders that require it.”

The audit must be completed within three months of gaining Cyber Essentials certification and carried out by a Certification Body licensed and assured by IASME. To start the process, find a Certification Body in your area.

The cost varies according to the size and complexity of your IT network.

Good for: Businesses who work in regulated sectors with large amounts of customer/client data, and those interested in tendering for government contracts.

Cyber assurance

The IASME Cyber Assurance (ICA) standard maps to the Department of Science Innovation and Technology’s (DSIT) Cyber Governance Code of Practice and provides a route to a higher level of cyber resilience. It is not a government-affiliated scheme but has been developed by IASME to provide a much more affordable and flexible certification scheme for SMEs than ISO 27001 (see below).

It is divided into 14 themes, covering things such as identifying your information assets, managing access, staff training and threat monitoring. However, you only need to cover the requirements that are relevant to your organisation. “This tiered approach ensures that businesses of all sizes, from sole traders to large enterprises, can implement effective cyber security measures and achieve cyber resilience without being burdened by unnecessary complexity or cost,” says George Quigley, IASME’s head of ICA. “This doesn’t mean smaller organisations are exempt from critical aspects of cyber resilience. It simply acknowledges that some controls are not applicable to their size and structure.”

There are two levels: Level 1 involves a self-assessment verified by a Certification Body. This is renewed annually. Level 2 requires an audit of measures in place following a pass at Level 1 and is repeated on a three-year cycle. Some industry sectors now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies. Cyber Essentials is a prerequisite for cyber assurance. 

IASME Cyber Assurance Level 1 costs between £320 and £600 + VAT, depending on the size of your organisation.

Good for: Businesses of any size that want to demonstrate comprehensive cyber protection.

ISO/IEC 27001

ISO/IEC 27001 is the most recognised standard for information security management systems globally. Although it is suitable for organisations of all sizes, it can be challenging for smaller businesses to achieve due to the amount of work and costs involved, which range from around £6,000 for micro businesses up to around £30,000 for large organisations.

Its framework for managing risks can be particularly valuable for businesses operating across multiple jurisdictions or handling complex supply chains. However, smaller accountancy businesses might consider completing the standard if they aim to work with larger clients or government bodies that require ISO 27001 certification as part of their supplier security standards.

Good for: Particularly exposed businesses that want holistic cyber security protections.

Action on cyber security can boost growth

As part of ICAEW's campaign on backing business-led growth, we have outlined three key recommendations for government on cyber security:

  1. Establish a national cyber resilience fund for SMEs
  2. Enhance cyber security education and awareness
  3. Incentivise cyber insurance uptake


Cyber security awareness

Each year ICAEW marks global Cyber Security Awareness month with a series of resources and a podcast addressing the latest issues and how to protect your business.
