How a 5-Person UK MSP Can Build a Cyber Essentials Certification Practice and Charge £500 to £2,000 Per Assessment

Walks 5-person UK MSPs through building a Cyber Essentials certification practice. Covers the choice between becoming an IASME certification body and partnering with an existing one, assessor qualification requirements, the CyberSmart automated platform, pricing structures from £500 guided self-assessment to £2,000-plus for Cyber Essentials Plus, margin calculations, and how to package certification alongside ongoing compliance monitoring as a recurring revenue stream.

Written by Kate Bennett, CEO of Disruptive LIVE

If you run a 5-person MSP in the UK and you are not offering Cyber Essentials certification to your clients, you are leaving money on the table and handing a compliance conversation to someone else. The demand is structural — government contracts require it, insurance underwriters ask for it, and larger customers are pushing it down their supply chains. You do not need to become a full IASME certification body to start. You can partner with an existing one, use an automated platform like CyberSmart, or build towards full certification body status over time. The revenue per assessment ranges from £500 for a guided self-assessment to £2,000 or more for a full Cyber Essentials Plus engagement with remediation support. For a 5-person MSP completing 8 to 12 assessments per quarter, that is £16,000 to £96,000 in annual revenue from a service line that reinforces your core managed services relationship.

Two Routes to Market: Certification Body or Partner

The first decision is whether to become an IASME-appointed certification body yourself or to partner with an existing one and deliver the client-facing work under their licence.

Becoming a certification body requires your organisation to hold IASME Cyber Assurance Level 1 and Level 2 certifications. You also need a quality management credential — either UKAS-accredited ISO 9001, IASME Cyber Assurance Quality Principles, or QG Quality Fundamentals+. Your organisation must be domiciled in the UK or Crown Dependencies, and at least 70 per cent of the certifications you issue must be for UK-based organisations. You need at least one qualified assessor on staff, which means someone with three years of IT or cyber security experience in the preceding five years who has completed the one-day IASME assessor training course and passed the exam.

The alternative is to partner with a platform like CyberSmart, which holds its own certification body status and lets you deliver Cyber Essentials under their accreditation. CyberSmart's partner programme has four tiers — Registered, Growth, Advanced, and Strategic — based on the monthly recurring revenue you generate through their products. All new partners start at the Growth tier for six months. Partner margins can reach up to 65 per cent, and higher tiers include free Cyber Essentials certifications, marketing development funds, and training.

For a 5-person MSP, the partner route is the faster path to revenue. You can be delivering Cyber Essentials assessments within weeks rather than months. The trade-off is margin — you keep less per assessment than you would as a full certification body. The certification body route takes longer to establish but gives you higher margins, full control of the client relationship, and the ability to build a brand around your own accreditation.

What Each Assessment Tier Looks Like

[Figure: Cyber Essentials Assessment Revenue Per Tier. Average revenue per assessment at each service tier, showing the price range a 5-person UK MSP can charge. Source: CTC editorial assessment based on UK MSP pricing and IASME fee structures, February 2026]

There are three distinct service levels you can offer, each with different pricing and effort.

Guided Cyber Essentials self-assessment is the entry-level service. The client completes the IASME self-assessment questionnaire with your guidance. You review their answers, identify gaps, advise on remediation, and help them submit for certification. The IASME certification fee sits between £320 and £600 plus VAT depending on organisation size. Your service fee on top sits at £300 to £600, giving a total client cost of £500 to £1,200. Your time investment per assessment is roughly 4 to 8 hours across initial scoping, questionnaire review, gap remediation advice, and submission support.

Managed Cyber Essentials is the mid-tier offering. You handle the entire process — scoping the IT estate, completing the questionnaire on the client's behalf after auditing their environment, remediating gaps before submission, and managing the certification process end to end. This is where the value add for the client is clearest — they hand you the problem and get back a certificate. Pricing sits at £800 to £1,400 depending on complexity, and your time investment is 8 to 14 hours per engagement.

Cyber Essentials Plus with remediation is the premium tier. This requires a qualified assessor to conduct hands-on technical testing of the client's systems — verifying patch levels, testing firewall configurations, checking malware protection, and confirming access controls. If you are operating as a certification body, your assessor does this directly. If you are partnering, the certification body provides the assessor and you deliver the remediation work. Pricing runs from £1,400 to £2,500 or more depending on scope. Your time investment is 12 to 20 hours, including the testing day and any remediation work.

The Assessor Qualification Path

If you take the certification body route, you need at least one qualified assessor. The requirements are specific.

The assessor needs at least three years of experience in an IT or cyber security role within the five years before their application. They must complete the one-day IASME Cyber Essentials Assessor course and pass the exam. The course fee is £500 plus VAT. If the assessor holds a CISSP, CISM, or equivalent qualification, they can skip the IASME skills assessment exam — but they still need to complete the assessor training course.

For a 5-person MSP, the most direct path is to put your senior technical lead through the assessor training. This gives you one qualified assessor who can conduct Cyber Essentials and Cyber Essentials Plus assessments. The investment is modest: £500 for the course plus a day out of the business. The return is that you can now sign off certifications under your own accreditation rather than relying on a third party.

The IASME assessor training is delivered in person at locations across the UK and runs regularly throughout the year. Plan for your assessor to attend within the first quarter of building the practice so you are not waiting on a training slot to start generating revenue.

Once qualified, your assessor will need to maintain their competence through continued professional development and periodic revalidation. IASME monitors the quality of assessments through sampling and can revoke assessor status if standards are not met. This is worth understanding upfront — your assessor's reputation is your certification body's reputation. Build time into the delivery model for the assessor to stay current with scheme updates, attend IASME briefings, and review peer assessments. A poorly conducted assessment that leads to a client suffering a breach despite holding a certificate is a reputational risk that can undermine the entire practice.

Building the Revenue Model

[Figure: Quarterly Revenue Model: 9 Assessments Per Quarter. Projected quarterly revenue from a mix of guided, managed, and CE Plus assessments at conservative volumes. Source: CTC editorial model based on UK MSP pricing data, February 2026]

The numbers work even at conservative volumes. Assume a 5-person MSP completes 2 to 3 assessments per month across the three tiers. A realistic quarterly mix might look like this: 4 guided self-assessments at £700 average, 3 managed assessments at £1,100 average, and 2 Cyber Essentials Plus engagements at £1,800 average. That is £2,800 plus £3,300 plus £3,600 — a total of £9,700 per quarter, or roughly £39,000 per year.

If your cost base for delivering those 9 assessments is approximately 80 to 100 hours of staff time per quarter at a fully loaded cost of £35 to £45 per hour, your delivery cost is £2,800 to £4,500 per quarter. That leaves a gross margin of £5,200 to £6,900 per quarter — comfortably above 50 per cent.

The real value comes from the follow-on work. Every Cyber Essentials assessment surfaces gaps — unpatched machines, misconfigured firewalls, weak access controls, missing malware protection. If the client is already your managed services customer, you remediate those gaps as part of the service. If they are not, the assessment is a door-opener to a managed services conversation. A client who has just seen a list of 15 security gaps in their environment is far more receptive to a monthly support contract than one you cold-called.

Certification renewal is annual. Every client you certify this year needs recertification next year. After 24 months of building the practice, your renewal pipeline alone could be generating £20,000 to £30,000 per year with minimal new business development effort.

The April 2026 Scheme Changes

IASME has announced updates to the Cyber Essentials requirements taking effect from 27 April 2026. The updated Requirements for IT Infrastructure v3.3 will apply to all assessment accounts created after that date. If you are building a practice now, you need to ensure your assessors are trained on the current scheme and are prepared for the updated requirements when they come into force.

The scheme updates are an opportunity, not a problem. Clients who are already certified will need guidance on what the changes mean for their next renewal. Clients who have been putting off certification may be motivated to get certified under the current requirements before the bar shifts. Either way, the changes give you a reason to contact every prospect and every existing client with a timely, relevant message.

Tactically, run a briefing session for your existing managed services clients in March or April 2026 explaining the v3.3 changes. Position it as a free 30-minute webinar or a one-to-one call. This achieves two things — it demonstrates your technical currency and it opens a natural conversation about certification for clients who have not yet pursued it. For clients who are already certified, offer a gap analysis against the updated requirements as part of their renewal preparation. You can charge £200 to £400 for a pre-renewal gap analysis, and it gives the client confidence that their recertification will go smoothly under the new rules.

Packaging Certification with Ongoing Compliance

The mistake that first-time MSPs make with Cyber Essentials is treating it as a one-off project. Certification is a point-in-time assessment — the client meets the five controls on the day of assessment. What happens in the 364 days between certifications is what determines whether they are actually secure.

The commercial opportunity is to package Cyber Essentials certification with ongoing compliance monitoring. Offer a monthly retainer — £150 to £300 per month for a small business — that includes quarterly patch compliance checks, annual Cyber Essentials renewal preparation, configuration baseline monitoring, and a pre-renewal assessment to catch gaps before the formal recertification. This turns a £700 one-off engagement into a £2,500 to £4,300 annual relationship. It also means your client is genuinely maintaining the controls between assessments, which protects them and protects your reputation as the certifying body.

Platforms like CyberSmart make this easier by providing continuous monitoring dashboards that track whether the client's devices remain compliant with the Cyber Essentials controls throughout the year. If a device falls out of compliance — a missed patch, a disabled firewall — the dashboard flags it. You can include this monitoring as part of your monthly retainer and use it to demonstrate ongoing value beyond the annual certificate.

Getting Started This Quarter

The path from decision to first assessment is shorter than you think. Week one: decide on the certification body or partner route and submit your application to IASME or CyberSmart. Week two to four: book your assessor onto the next available IASME training course if going the certification body route. Week two onwards: identify your first five prospects from your existing client base — start with clients who supply to government, clients whose insurance requires it, and clients in regulated sectors. Week four to six: deliver your first guided self-assessment as a pilot, refine your process, and document your delivery playbook.

By the end of 90 days, you should have your first certification issued, your process documented, and your pricing validated against real client feedback. From there, it is a matter of volume — adding 2 to 3 assessments per month until the practice is self-sustaining and feeding your managed services pipeline.

Do not underestimate the cross-selling opportunity. Every Cyber Essentials engagement puts you inside a client's IT environment with permission to audit their controls. That is a conversation that naturally extends to managed endpoint protection, backup and disaster recovery, and ongoing IT provider evaluation work. Track your conversion rate from certification clients to managed services clients from the outset — if the practice is working well, you should see 20 to 30 per cent of certification-only clients converting to a broader support contract within 12 months.

Frequently Asked Questions

Do I need to become a certification body to offer Cyber Essentials?

No. You can partner with an existing certification body or use a platform like CyberSmart that holds its own accreditation. The partner route is faster to revenue but gives you lower margins per assessment. The certification body route takes longer to set up but provides higher margins and full control of the client relationship.

What qualifications does a Cyber Essentials assessor need?

Three years of IT or cyber security experience in the preceding five years, completion of the one-day IASME assessor training course, and a pass on the assessor exam. Holders of CISSP or CISM can skip the skills assessment but must still complete the training course.

How long does it take to set up a Cyber Essentials practice?

Through the partner route, you can be delivering guided assessments within two to four weeks. The full certification body route takes longer — typically two to three months to complete the IASME Cyber Assurance certifications, quality management requirements, and assessor training.

What can I charge for a Cyber Essentials assessment?

A guided self-assessment sits at £500 to £1,200. A fully managed Cyber Essentials assessment costs £800 to £1,400. Cyber Essentials Plus with remediation support runs from £1,400 to £2,500 or more depending on scope. These are MSP service fees on top of the IASME certification fee.

How do I turn Cyber Essentials into recurring revenue?

Package certification with an ongoing compliance monitoring retainer at £150 to £300 per month. Include quarterly patch compliance checks, annual renewal preparation, and configuration baseline monitoring. This turns a one-off assessment into an annual relationship worth £2,500 to £4,300.

What are the April 2026 Cyber Essentials scheme changes?

IASME is updating the Requirements for IT Infrastructure to v3.3, effective for all assessment accounts created after 27 April 2026. The changes update the technical controls to reflect current threats. MSPs should ensure their assessors are prepared for the updated requirements and use the changes as a client engagement opportunity.

About the Author

Kate Bennett

CEO of Disruptive LIVE

As the CEO of Disruptive LIVE, Kate has a demonstrated track record of driving business growth and innovation. With over 10 years of experience in the tech industry, I have honed my skills in marketing, customer experience, and operations management. As a forward-thinking leader, I am passionate about helping businesses leverage technology to stay ahead of the competition and exceed customer expectations. I am always excited to connect with like-minded professionals to discuss industry trends, best practices, and new opportunities.