RESOURCES
Practical guides on cyber certification, assurance, and supplier security requirements.
Written by practitioners. Mapped to the situations organisations actually face — not the situations certification bodies wish they faced.
My client has asked for Cyber Essentials. What do I do now?
A client or partner has asked for Cyber Essentials before contract renewal. Here is what it means, what is involved, and how to respond without getting it wrong.
Read the guide →Certification BasicsCyber Essentials vs Cyber Essentials Plus — what is the difference and which do you need?
Both certifications cover the same five controls. CE Plus adds independent technical verification. Which one you need depends on what your buyer has specified — and the difference in effort is significant.
Read the guide →Procurement & TendersCyber Essentials for government suppliers — what PPN 014 means for your contract.
Since 2014, suppliers bidding for certain types of public contracts have been required to hold Cyber Essentials or CE Plus. PPN 014 sets out the current requirements. Here is what it means in practice.
Read the guide →Procurement & TendersResponding to a tender that requires Cyber Essentials — a practical guide.
Certification takes time. If a tender specifies Cyber Essentials and you do not hold it, you need to act immediately. Here is a realistic timeline and what to prioritise.
Read the guide →NHS & HealthcareCyber Essentials for NHS suppliers — what NHS Supply Chain and PPN 014 require.
NHS Supply Chain is implementing PPN 014 across its supplier base, requiring CE Plus for in-scope suppliers. Here is what that means and how to prepare.
Read the guide →Failed AssessmentsWe failed our Cyber Essentials assessment. What happens now?
A failed Cyber Essentials assessment is not the end of the process — but it needs to be handled correctly. Here is what typically goes wrong and what to do next.
Read the guide →Scoping & ProcessHow to scope a Cyber Essentials assessment — and why getting it wrong is costly.
Scope is the most commonly misunderstood part of Cyber Essentials. Include too much and you create unnecessary complexity. Include too little and your certificate is worthless to the buyer asking for it.
Read the guide →IASME & Advanced AssuranceWhat is IASME Cyber Assurance — and how does it differ from Cyber Essentials?
IASME Cyber Assurance covers governance, risk, and technical controls — going significantly further than Cyber Essentials. Here is what it involves and who needs it.
Read the guide →Vulnerability & TechnicalWe received a vulnerability scan report. What should we do with it?
A vulnerability report without a remediation plan is a liability. Here is how to read one, prioritise the findings, and close the gaps that actually matter to your security posture and certification status.
Read the guide →Vulnerability & TechnicalPenetration testing — what it is, when you need it, and what to do with the results.
Penetration testing is not the same as a vulnerability scan. It is not always required for Cyber Essentials. Here is what it involves, when it is appropriate, and how to act on the findings.
Read the guide →Renewal & MaintenanceOur Cyber Essentials certificate is expiring. What do we need to do?
Cyber Essentials certificates expire after 12 months. Renewal is not just an administrative process — if your environment has changed, your controls may need to be reassessed and updated before you resubmit.
Read the guide →Defence & MODCyber Essentials for defence suppliers — DEFCON 658 and the MOD supply chain.
MOD contracts use DEFCON 658 to embed Cyber Essentials requirements across the supply chain. If you supply to a defence prime — at any tier — you may be in scope. Here is what that means.
Read the guide →NOT SURE WHERE TO START?
Talk to us before you read anything else.
If you have a deadline, a client requirement, or a failed assessment — a 30-minute call will tell you more than any guide. We will give you a straight answer about what is required and what it will cost.