- Cyber Essentials
- 16th Jun 2026
Cyber Essentials Certified: A Guide for Public Sector Suppliers
In Short
- Cyber Essentials is often a procurement requirement, not a nice-to-have. Many UK government, NHS, MOD, and CCS contracts require suppliers to hold a current certification.
- Certification must be maintained. Cyber Essentials certificates are valid for 12 months, and an expired certificate may affect eligibility for existing and future contracts.
- Cyber Essentials Plus provides a higher level of assurance. CE+ includes independent technical testing and satisfies Cyber Essentials requirements, making it the preferred standard for higher-risk contracts.
- Certification claims are easily verified. Every certificate has a unique number that contracting authorities can check against the IASME public register.
For suppliers bidding into the public sector, understanding the difference between Cyber Essentials and Cyber Essentials Plus is critical. CE demonstrates baseline compliance through self-assessment, while CE+ independently validates controls in practice. Misrepresenting one as the other can create procurement, contractual, and compliance risks.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about CE procurement gaps
"The most common gap: suppliers submitting base CE against a CE Plus requirement. A procurement officer checking the IASME register sees the certificate type immediately, and a non-compliant submission is disqualified regardless of the rest of the bid."
Key Facts
- Cabinet Office policy has mandated CE since 2014: it applies to all central government contracts involving personal data, IT products or services, or remote access to government networks.
- Certification covers the whole organisation (or defined scope). A certificate scoped to one subsidiary does not satisfy requirements for contracts delivered by another part of the organisation.
- Renewal timing matters: a lapsed certificate during a live contract is likely to constitute a compliance failure, depending on how the requirement is drafted. Build renewal into contract management calendars at least 90 days in advance.
- CE Plus assessment costs more and takes longer: base CE takes one to four weeks; CE Plus takes four to eight weeks on average. Do not attempt to obtain CE Plus at short notice for an imminent bid deadline.
- The IASME public register is the authoritative source: certificate number, holder name, type (CE or CE Plus), and expiry date are all publicly verifiable at iasme.co.uk.
Why Cyber Essentials Matters for Public Sector Contracts
The UK government mandated Cyber Essentials for central government supply chains in 2014. The requirement, set by the Cabinet Office, applies to all contracts that involve handling personal data or providing certain IT products and services to government. Failure to hold a valid CE certificate at the point of contract award is grounds for disqualification from procurement, regardless of other technical or commercial strengths.
The policy rationale is straightforward: the UK government's supply chain is a significant attack surface. Threat actors targeting public sector data frequently do so through third-party suppliers rather than attacking departments directly. CE sets a baseline of five technical control themes that protect against the most common commodity cyber attacks: firewalls (boundary firewalls and internet gateways), secure configuration, user access control, malware protection, and security update management (patching).
Beyond the central government mandate, CE requirements have proliferated across the broader public sector. NHS England incorporates CE into its Data Security and Protection (DSP) Toolkit requirements for suppliers. MOD contracts involving government security classifications commonly require CE Plus rather than base CE.
Many local authorities and Crown Commercial Service frameworks include CE as a pass/fail evaluation criterion. Suppliers operating across multiple public sector clients may find themselves subject to several overlapping CE requirements simultaneously. See our Cyber Essentials hub for broader context on the scheme.
Which Public Sector Contracts Require Cyber Essentials Certification
The requirement varies by contracting authority. The table below summarises the position for the major public sector procurement routes.
| Contract / Framework | CE Required? | Notes |
| --- | --- | --- |
| Central government (personal data or IT systems) | Yes, CE mandatory | Applies to all suppliers handling personal data or providing IT products or services. A current certificate is required at contract award. |
| NHS England supplier requirements | Yes, CE mandatory | NHS England requires CE from suppliers as part of its Data Security and Protection (DSP) Toolkit requirements. |
| Ministry of Defence (MOD) contracts | Yes, CE Plus commonly required | Higher-risk MOD contracts commonly require CE Plus rather than base CE. Check the contract schedule. |
| Local government contracts | Variable | No universal mandate. Many councils require CE or CE Plus as part of ITT evaluation criteria. |
| Crown Commercial Service (CCS) frameworks | Variable by lot | CCS frameworks specify CE requirements per lot. Check the individual framework terms. |
The central government mandate is the most clearly defined: the Cabinet Office requirement applies to all contracts involving handling personal data, providing IT products or services, or providing remote access to government networks. Suppliers shouldn't assume that a contract falls outside scope because it's primarily a professional services engagement. If the work involves any IT system access or personal data processing, CE is likely required.
How to Check Whether Your Contract Requires CE
The contract schedule or invitation to tender (ITT) documentation will specify whether CE is required and at what level. If the documentation is ambiguous, request clarification from the contracting authority before bid submission. Procurement officers at central government departments are accustomed to this question.
What 'Cyber Essentials Certified' Means on a Procurement Portal
On a procurement portal, whether the Find a Tender Service (FTS), Contracts Finder, or a department-specific portal, 'cyber essentials certified' has a specific meaning: the supplier holds a current, valid CE certificate issued under the NCSC scheme by a certification body licensed by IASME, the scheme's delivery partner.
A CE certificate is issued for a twelve-month period and must be renewed annually. An expired certificate does not satisfy the requirement, even if the organisation previously held certification. Track renewal dates proactively: a lapsed certificate during a contract period can constitute a contract compliance failure.
The Certificate Number and How to Verify It
Every valid CE certificate carries a unique certificate number. Contracting authorities use the IASME public register to validate supplier claims. Certificate holders can verify their own status on the IASME register.
The register shows the certificate holder's name, certificate type (CE or CE Plus), and expiry date. Suppliers should be prepared to provide their certificate number in tender submissions.
Providing a certificate number that does not appear on the register, or that belongs to a different legal entity, is a material misrepresentation in a procurement context.
Self-Attestation vs Full Certification
Cyber Essentials assessment operates at two levels. Base CE certification involves a self-assessment questionnaire: the supplier attests to compliance against the five control themes, and an assessor at a licensed certification body reviews the responses and marks them against the scheme requirements. The assessment is not a technical audit; it relies substantially on accurate self-reporting.
CE Plus involves independent technical verification: an assessor conducts hands-on testing of the organisation's in-scope systems to confirm that the controls described in the self-assessment are actually implemented. The testing typically includes an external vulnerability scan of internet-facing systems, an authenticated vulnerability scan of a representative sample of devices, tests of malware protection against email attachments and browser downloads, and checks that user and administrator accounts are separated and that cloud services enforce multi-factor authentication. CE Plus certificates carry considerably more weight as evidence of security posture. See our guide to Cyber Essentials Plus for the full assessment process.
Where a procurement requirement specifies 'Cyber Essentials' without qualification, base CE satisfies the requirement. Where 'Cyber Essentials Plus' or 'CE Plus' is specified, the more rigorous assessment is required. Supplying a base CE certificate against a CE Plus requirement is non-compliant.
Managing CE Requirements Across Multiple Public Sector Frameworks
Suppliers working across central government, NHS, and local government simultaneously have one thing in their favour: a single CE certificate covers the entire organisation (or the defined scope of assessment), and a single valid certificate satisfies requirements across multiple contracting authorities. The challenge is administrative rather than technical: keeping scope, renewal timing, and certification level aligned with every contract that relies on the certificate.
The practical complications arise in three areas.
- Scope alignment: the CE assessment scope must cover the systems and organisational components involved in the relevant contracts. A certificate scoped to one subsidiary or business unit does not satisfy requirements for contracts delivered by a different part of the organisation.
- Timing of renewal: if annual renewal falls at a commercially sensitive time, such as during a major bid process, lapsed certification can disqualify a bid that is otherwise competitive. Build renewal into contract management and bid planning calendars well in advance.
- CE vs CE Plus: some contracts require base CE, others require CE Plus. A CE Plus certificate satisfies both, so organisations subject to MOD requirements should consider CE Plus as their standard.
When Cyber Essentials Plus Is Required
CE Plus is required in several specific public sector contexts:
- MOD contracts: Contracts involving Government Security Classification (GSC) OFFICIAL-SENSITIVE or above, and contracts providing remote access to MOD systems, commonly require CE Plus. Check the contract security classification requirements in the Defence Conditions (DEFCONs) referenced in the contract schedule.
- NHS England DSP Toolkit: NHS England DSP Toolkit requirements at higher assurance levels incorporate CE Plus as part of the technical evidence requirements for certain supplier categories.
- CCS framework lots: Some CCS framework lots specify CE Plus in the framework terms, documented in the framework agreement and applying to all call-offs under that lot.
- ITT-specific requirements: Individual contracting authorities may specify CE Plus in their ITT where no framework mandate exists, particularly for contracts involving sensitive personal data, critical national infrastructure systems, or financial data.
CE Plus assessment costs more and takes longer than base CE. The technical testing phase requires on-site or remote access to systems, and it must be completed within three months of the base CE certificate on which it builds, so the two assessments need to be scheduled together. Factor this into procurement timelines. See our guide to Cyber Essentials certification costs for budget planning detail.
How to Check Your Own Certificate Status
Certificate holders can check their current certification status on the IASME public register. The register displays the certificate holder name, certificate number, certificate type, and expiry date. This is the same register used by contracting authorities and prime contractors to verify supplier claims.
To check status:
- Go to the IASME Consortium website and navigate to the certificate search section.
- Search by organisation name or certificate number.
- Confirm the certificate type matches what your contracts require (CE or CE Plus).
- Confirm the expiry date. A certificate expiring within 90 days warrants immediate renewal initiation.
If your certificate does not appear on the register, or appears with incorrect details, contact your certification body in the first instance. Errors in the register are uncommon but do occur, particularly in the days immediately following certificate issuance.
FAQs
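The checks above (holder name matches the contracting entity, certificate type meets the required level, certificate has not expired, and renewal is started with 90 days in hand) are easy to get wrong when one certificate backs several contracts. The following Python script is an added example, not code from this article or from SureCloud: it takes the fields a register entry exposes and evaluates them against a set of contract requirements. The IASME register is consulted manually; the script does not query it. All certificate numbers, organisation names, contracts, and dates are constructed for illustration, and the 90-day lead time is the figure this article recommends rather than a scheme rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# A CE Plus certificate satisfies a CE requirement; the reverse is non-compliant.
LEVEL_RANK = {"CE": 1, "CE Plus": 2}

# Start renewal at least this many days before expiry (the article's recommendation).
RENEWAL_LEAD_DAYS = 90


@dataclass(frozen=True)
class CertificateRecord:
    """The fields shown on a register entry. Values are constructed, not real."""
    holder: str          # legal entity named on the certificate
    number: str          # certificate number as shown on the register
    cert_type: str       # "CE" or "CE Plus"
    expiry: date


@dataclass(frozen=True)
class ContractRequirement:
    """What one contract or framework lot asks for. Constructed for illustration."""
    contract: str
    contracting_entity: str                     # legal entity delivering the work
    required_level: str                         # "CE" or "CE Plus"
    submission_deadline: Optional[date] = None  # bid deadline, if in a live tender


def _normalise(name: str) -> str:
    """Case- and whitespace-insensitive comparison of legal entity names."""
    return " ".join(name.upper().replace(".", "").split())


def check_certificate(cert: CertificateRecord, req: ContractRequirement,
                      today: date) -> List[str]:
    """Return the list of problems that would make this certificate fail
    the requirement (empty list means the certificate is acceptable today)."""
    issues = []
    if _normalise(cert.holder) != _normalise(req.contracting_entity):
        issues.append(f"scope: certificate {cert.number} is held by "
                      f"'{cert.holder}', not '{req.contracting_entity}'")
    if LEVEL_RANK[cert.cert_type] < LEVEL_RANK[req.required_level]:
        issues.append(f"level: contract requires {req.required_level} "
                      f"but certificate is {cert.cert_type}")
    days_left = (cert.expiry - today).days
    if days_left < 0:
        issues.append(f"lapsed: certificate expired {-days_left} days ago")
    elif days_left <= RENEWAL_LEAD_DAYS:
        issues.append(f"renewal: certificate expires in {days_left} days; "
                      f"initiate renewal now")
    if req.submission_deadline is not None and cert.expiry <= req.submission_deadline:
        issues.append("bid: certificate expires on or before the submission deadline")
    return issues


def renewal_start_by(cert: CertificateRecord) -> date:
    """Latest date on which renewal should be initiated."""
    return cert.expiry - timedelta(days=RENEWAL_LEAD_DAYS)


def portfolio_report(cert: CertificateRecord, requirements: List[ContractRequirement],
                     today: date) -> Dict[str, List[str]]:
    """Map each contract name to its list of issues for a dashboard or alert job."""
    return {r.contract: check_certificate(cert, r, today) for r in requirements}


# Constructed sample data: one base CE certificate relied on by three contracts.
TODAY = date(2026, 6, 16)
CERT = CertificateRecord(holder="Example Widgets Ltd", number="EXAMPLE-0001",
                         cert_type="CE", expiry=date(2026, 9, 1))
REQUIREMENTS = [
    ContractRequirement("Central government IT services", "Example Widgets Ltd", "CE"),
    ContractRequirement("MOD support contract", "Example Widgets Ltd", "CE Plus",
                        submission_deadline=date(2026, 10, 15)),
    ContractRequirement("Council data processing", "Example Widgets (Scotland) Ltd", "CE"),
]

if __name__ == "__main__":
    print(f"Initiate renewal by: {renewal_start_by(CERT)}")
    for contract, issues in portfolio_report(CERT, REQUIREMENTS, TODAY).items():
        print(f"{contract}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it as-is to see the three failure modes side by side: the central government contract only needs renewal started, the MOD contract additionally fails on level and on expiry before the bid deadline, and the council contract fails on scope because the certificate names a different legal entity. Replace the constructed records with the fields from your own register entry and the requirements from each contract schedule.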
Does every public sector contract require Cyber Essentials certification?
No. The mandatory requirement applies to UK central government contracts where the work involves handling personal data or providing IT products and services. NHS England, MOD, and some CCS framework lots extend the requirement, but local government and other public sector bodies vary.
Check the ITT or contract schedule for each opportunity. Don't assume CE is required; don't assume it isn't.
Can a prime contractor's CE certificate cover a subcontractor?
No. A CE certificate covers the certificated organisation's own systems and controls; it doesn't extend to subcontractors or supply chain partners. If a subcontractor is handling personal data or providing IT services under the contract, the contracting authority may require the subcontractor to hold its own CE certificate. Check contract flow-down requirements, which are increasingly common in public sector frameworks.
What happens if our CE certificate lapses during a contract?
A lapsed certificate during a live contract may constitute a breach of contract condition, depending on how the requirement is drafted. At minimum, it's a reportable event that the contracting authority should be informed of promptly. Renewal should be initiated before expiry. Most certifying bodies send renewal reminders, but don't rely on this: own the renewal date in your contract management processes.
Is there a difference between being 'certified' and 'self-assessed' for Cyber Essentials?
Yes, and this distinction matters in procurement. Base CE involves self-assessment reviewed by an approved assessor; it doesn't involve independent technical testing. CE Plus involves hands-on technical verification.
Where a contract requires CE, base certification is generally sufficient. Where it requires CE Plus, self-assessment alone doesn't qualify. Never represent a self-assessment as equivalent to full certification in a tender submission.
How long does it take to get Cyber Essentials certified?
Base CE certification takes one to four weeks, depending on the organisation's preparedness and the certifying body's current processing times. CE Plus takes longer, usually four to eight weeks, because it includes a technical testing phase that must be scheduled and conducted.
Organisations new to CE should budget additional time for gap analysis and remediation before assessment. Don't begin the assessment until known control gaps are addressed.
© SureCloud 2026. All rights reserved.