Get certified. Win contracts.
Fix your insurer's requirements.
Fixed-price Cyber Essentials and CE+ certification for Yorkshire SMBs. Published prices — no "call for a quote". A named lead engineer throughout, readiness work included, and one resubmission at no extra charge. Serving York, East Riding, and North Yorkshire.
Cyber Essentials — and why Yorkshire businesses are pursuing it
Cyber Essentials is a UK Government-backed certification scheme covering five technical controls. It is mandatory for certain government contracts and increasingly required by insurers and larger clients across Yorkshire's supply chains.
Government contracts
Mandatory for any public sector contract involving sensitive personal data or certain technical products and services. Without it, you cannot bid.
Cyber insurance
Many underwriters now require CE as a condition of cover, or offer meaningful premium reductions for certified businesses. Getting certified before your renewal can offset the cost.
Supply-chain due diligence
Solicitors, accountants, dental and healthcare practices, and motor trade businesses are increasingly required to show CE certification by NHS commissioners, insurer panels, and larger clients in their supply chains.
GDPR and data protection
Certification provides documented evidence of active technical steps to protect personal data — directly relevant if the ICO investigates following a breach or incident.
Practical risk reduction
The five controls address the attack vectors behind the majority of commodity cyber incidents hitting UK SMBs. DSIT's Cyber Security Breaches Survey 2025/2026 found 43% of UK businesses experienced a breach or attack in the past year.
Current scheme version: Danzell (Requirements for IT Infrastructure v3.3). This became mandatory from 27 April 2026. Key changes include MFA now required for all cloud services, stricter auto-fail marking, and updated device management requirements. All Wolds Cyber engagements are assessed against the current Danzell v3.3 requirements.
Cyber Essentials & CE+ prices — York & Yorkshire
No "call for a quote". No separate readiness charge. Everything listed below is included in the fixed price. All prices ex-VAT; VAT added at 20% where applicable.
CE Gap Analysis
Standalone gap analysis against all five Cyber Essentials control areas. Plain-English report identifying what passes, what fails, and what needs fixing. Does NOT include certification submission. The right starting point if you are not yet ready to commit to the full certification process, or if you want an independent gap view before engaging your own IT team.
CE Readiness + Certification
Full end-to-end engagement for small organisations. Readiness assessment, remediation guidance, evidence preparation, submission handling, one resubmission if needed, and a 30-day post-cert retest window. Certificate issued via an IASME-accredited certification body and valid for 12 months.
CE Readiness + Certification
The default CE engagement for organisations of any size. All five control areas, full readiness work, remediation guidance, policy templates, evidence preparation, submission, one resubmission, named lead engineer, and 30-day post-cert retest window. Everything included at a flat price regardless of user count.
Cyber Essentials Plus (CE+)
CE+ involves hands-on technical verification by an assessor — not just a self-assessment questionnaire. More rigorous and more valued by insurers and clients with supply-chain assurance requirements.
| Product | Org size | Price (ex-VAT) | Notes |
|---|---|---|---|
| CE+ Micro — Readiness + Certification | 1–9 users | £2,495 | Remote delivery standard |
| CE+ Small — Readiness + Certification | 10–49 users | £2,995 | Remote delivery standard |
| On-site CE+ surcharge | Any | +£395 | Remote is standard; on-site by arrangement |
Annual renewal (year 2 onwards)
Annual renewal prices are lower than first-time certification because the baseline is already established.
| Service | Renewal price (ex-VAT) |
|---|---|
| CE Starter renewal (1–4 users) | £495 |
| CE standard renewal (any size) | £795 |
| CE+ Micro renewal (1–9 users) | £1,795 |
| CE+ Small renewal (10–49 users) | £2,095 |
All prices ex-VAT. VAT added at 20% where applicable. Prefer CE or CE+ as part of a continuous monitoring subscription? See Wolds Certify and Wolds Assure.
What every CE and CE+ engagement includes
No hidden extras. No separate charge for readiness work. Every item below is part of the fixed price.
Gap assessment
Methodology-driven review of your current posture against all five Cyber Essentials control areas. You receive a clear list of what passes, what fails, and what needs remediation before formal submission.
Remediation guidance
Plain-English remediation steps for every gap identified. You — or your existing IT provider — work through the list. We are available for questions throughout and provide policy templates for each control area.
Policy templates
Documented policies covering each of the five control areas, tailored to your organisation size. Required for evidence purposes and useful long-term for onboarding and audits.
Evidence preparation
We prepare the full evidence pack for submission, mapping your controls to the questionnaire requirements. No ambiguity about what the certifying body needs to see.
Submission and one resubmission
We handle submission to the IASME-accredited certification body. If a failed point requires resubmission, one resubmission is included in the price — no additional charge.
30-day post-cert retest window
After certification is issued, a 30-day window allows retesting of any borderline controls at no extra charge. Useful when a remediation was applied during the final stages of the process.
Named lead engineer throughout
One person, from scoping call to certificate. Not an account manager who hands off to a junior analyst. You know who is doing the work — and so do we.
Annual renewal reminder
Your CE certificate is valid for 12 months. We send a renewal reminder before expiry so you do not inadvertently lapse — particularly important if certification is required for an insurance renewal or contract.
Why readiness work before submission matters. The most expensive mistake is submitting for Cyber Essentials before you know whether you will pass. A failed first assessment costs the assessment fee, the remediation time, and a retake fee. Starting with a gap assessment — which is included in every CE and CE+ engagement price — removes that risk entirely.
The five Cyber Essentials control areas
All five must be met to achieve certification. Each addresses a distinct category of attack vector. The Danzell v3.3 requirements (mandatory from 27 April 2026) introduced stricter requirements across several of these areas.
Firewalls
All internet-connected devices must be protected by a correctly configured firewall with unnecessary ports and services closed. Applies to both boundary firewalls and software firewalls on individual devices. One of the most commonly failed controls on initial assessment.
Secure configuration
Devices and software must be configured securely from the outset: default passwords changed, unnecessary accounts removed, auto-run features disabled, admin access restricted. Frequently failed by organisations that have never formally reviewed their baseline configuration.
Access control
User accounts managed properly — admin access limited to those who need it, accounts for leavers removed promptly, and multi-factor authentication now required for all cloud services under the Danzell v3.3 requirements. Failing to meet this MFA requirement is a significant auto-fail under the current scheme.
Malware protection
Devices protected against malware — antivirus, application allow-listing, or sandboxing as appropriate. Requirements differ by device type, operating system, and usage context. The gap assessment works through each category to confirm which controls apply.
Patch management
Operating systems and software kept current. High-risk vulnerabilities patched within 14 days. Software that is end-of-life and no longer receiving security updates must be removed from scope or isolated — it cannot be included in the certified estate.
How Cyber Essentials certification works — end to end
From first call to certificate in hand. Timescale depends primarily on how many gaps need remediation and how quickly they can be addressed.
Free scoping call (15 min)
We establish your organisation size, current posture, and the right certification level. You receive a confirmed engagement price and scope before any work starts. No commitment required.
Gap assessment
We assess your current configuration against all five control areas and produce a plain-English gap list. Nothing is submitted to the certifying body at this stage — you see exactly what needs work first.
Remediation
You or your IT team works through the gap list. We provide policy templates and are available for technical questions. For CE+, we recheck controls once remediations are applied before proceeding to submission.
Evidence preparation
We build the evidence pack, mapping your controls to the questionnaire requirements. This is where the paperwork gets done — accurately and completely, to avoid back-and-forth with the certifying body.
Submission and certification
We handle submission to our IASME-accredited certification body. Basic CE is typically certified within a few working days of submission. CE+ involves hands-on verification by the certifying body and takes longer.
Certificate issued
You receive your Cyber Essentials certificate, valid for 12 months. The 30-day retest window opens. We send a renewal reminder before the next annual cycle to keep you continuously certified.
Independent. Fixed price. Plain English.
Most providers either charge separately for readiness and certification, or price by "call us for a quote". Neither is useful if you are trying to budget or compare. These are the reasons Yorkshire SMBs choose Wolds Cyber for CE work.
Published prices — all-in
CE from £795. CE+ from £2,495. No hidden readiness charge, no discovery-call-required pricing. Published because you should be able to compare and budget without a sales call.
Independent — not your IT provider
When your IT provider assesses the network they built, there is a structural tension — even for diligent engineers. An independent assessment removes that tension. The certificate you receive is defensible to insurers, regulators, and clients doing due diligence.
Named lead engineer — no handoff
One person throughout. The engineer you brief is the engineer who does the work and handles the submission. No account managers, no junior analysts, no "I'll need to check with the team."
One resubmission included
If a control fails on first submission and requires resubmission, that is included in the price. The most expensive outcome is paying twice because a minor gap was missed — the readiness work and included resubmission protect against that.
Plain-English delivery
Gap reports, remediation steps, and policy templates written for someone running a business — not for a technical audience. You should be able to hand the gap list to your IT provider or office manager without needing a translator.
Yorkshire-based
Based in East Yorkshire, covering York, Hull, Harrogate, Scarborough, Beverley, and the wider East Riding and North Yorkshire area. Available on-site if needed. No outsourced delivery.
Which Yorkshire businesses pursue Cyber Essentials
CE certification is increasingly requested across Yorkshire's professional and regulated sectors. The following business types are most commonly required to demonstrate certification — by clients, insurers, or commissioners.
If your organisation is not on this list but you handle personal data, hold sensitive client information, or have a contract that asks for evidence of cyber security controls — the CE scoping call will confirm whether certification is relevant for you.
Frequently asked questions
How much does Cyber Essentials cost in York and Yorkshire?
Wolds Cyber publishes fixed prices. CE Gap Analysis (standalone gap analysis, no certification) is £750 ex-VAT. CE Starter (readiness + certification, 1–4 users) is £795 ex-VAT. CE standard (readiness + certification, any size) is £1,250 ex-VAT. CE+ Micro (1–9 users) is £2,495; CE+ Small (10–49 users) is £2,995. All prices ex-VAT; VAT added at 20%.
What is the difference between the £750 CE Gap Analysis and the £795 CE Starter?
The £750 CE Gap Analysis is a standalone gap analysis only — it identifies what needs fixing but does NOT include submitting for certification. The £795 CE Starter includes both the readiness work and the full certification submission, and is available for organisations with 1–4 users. If you are not yet ready to commit to certification, or want an independent gap view before involving your IT team, the gap analysis is the right choice. If you are a small organisation ready to go all the way to a certificate, the Starter is better value.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Basic Cyber Essentials is a self-assessment questionnaire, independently verified by a certifying body. Cyber Essentials Plus involves hands-on technical testing by an assessor who verifies that your controls work in practice — not just on paper. CE+ carries significantly more weight with insurers and clients requiring supply-chain assurance. Both cover the same five control areas. CE+ starts at £2,495 for Micro (1–9 users).
Does Cyber Essentials cover the MFA requirements introduced in April 2026?
Yes. The current Danzell (v3.3) scheme, mandatory from 27 April 2026, requires MFA for all cloud services — not just remote access. This is a stricter requirement than the previous scheme version and is an auto-fail if not met. All Wolds Cyber engagements assess against the current Danzell requirements. If you were assessed under an older version, your renewal will need to meet the updated controls.
Do I need Cyber Essentials for my York or Yorkshire business?
It is mandatory for government contracts involving sensitive personal data. Beyond that, it is increasingly required by cyber insurers as a condition of cover and by larger clients — particularly in legal, healthcare, and public sector supply chains — as part of their vendor due diligence process. If you are tendering for local authority, NHS, or central government contracts, or your insurer has asked for evidence of cyber controls, certification is the most recognised route.
How long does Cyber Essentials certification take?
The scoping call and initial gap assessment typically take one to two days. Remediation time depends on how many gaps are identified and how quickly they can be addressed — some organisations are ready to submit within days, others take a few weeks. Once the evidence pack is submitted, basic CE is typically certified within a few working days. CE+ involves hands-on verification and takes longer end-to-end. The most expensive mistake is submitting before gaps are closed — the readiness assessment prevents that.
Is CE+ done on-site or remotely?
Remote-first as standard. CE+ remote delivery has been available since the scheme was updated and covers the same controls as on-site. On-site CE+ is available where required and adds a £395 surcharge to cover travel and attendance. The majority of Yorkshire CE+ engagements are completed entirely remotely.
Can I get Cyber Essentials as part of a subscription?
Yes. The Wolds Certify and Wolds Assure subscriptions include CE or CE+ certification alongside continuous monitoring, patch management, and awareness training. See the Wolds Compliance page for full details. The standalone CE engagements on this page are for organisations that want certification as a discrete project rather than an ongoing subscription.
Our IT company says they can do CE certification. Why use an independent consultant?
When your IT provider assesses the network they built and maintain, there is a structural tension — even for diligent, well-intentioned engineers. An independent assessment removes that tension and produces a certificate and report you own outright, suitable for sharing with your insurer, a regulator, or a client doing due diligence. Most clients continue to use their IT provider for day-to-day management and use an independent consultant for the assessment. The two roles are complementary, not competing.
Ready to get Cyber Essentials certified?
The first step is a free 15-minute call. We confirm your organisation size, the right price band, and what the process involves — before any work starts. No commitment, no obligation.