CERTIFICATION BASICS
My client has asked for Cyber Essentials. What do I do now?
A client or buyer has asked you to hold Cyber Essentials before they will sign, renew, or extend your contract. Here is what that means, what is actually involved, and how to respond — without overpromising or underestimating what is required.
What Cyber Essentials actually is
Cyber Essentials is a UK Government-backed certification scheme, owned by the NCSC and delivered through IASME and its licensed certification bodies, that requires your organisation to demonstrate baseline cyber security controls across five areas: firewalls (including boundary devices such as routers), secure configuration, user access control, malware protection, and security update management (patching).
Certification is valid for 12 months. Cyber Essentials is a self-assessment: you answer a questionnaire about the in-scope devices, accounts and services, a board member or equivalent signs it off, and a qualified assessor reviews the answers. Cyber Essentials Plus adds independent technical verification by a certification body, including vulnerability scanning and hands-on testing of a sample of your devices; it requires a current Cyber Essentials pass first, and the Plus audit must be completed within three months of that pass. Most organisations with a reasonably maintained IT environment can certify within four to eight weeks.
Why your client is asking for it
The most common reasons a client asks for Cyber Essentials are: they are required to under their own procurement policies (particularly in public sector and NHS supply chains), they have a cyber insurance policy that requires suppliers to be certified, they are implementing their own security improvement programme and cascading requirements to their supply chain, or they have experienced a breach involving a supplier and are tightening controls.
Understanding why they are asking matters. It tells you how firm the requirement is, whether Cyber Essentials alone will satisfy it or whether they actually need Cyber Essentials Plus, and whether there is any flexibility on timing. A requirement flowed down from a public-sector contract or an insurer is rarely negotiable; one that is part of the client's own improvement programme often is.
What to do first
Before you respond to your client, establish the facts: Are they asking for Cyber Essentials or Cyber Essentials Plus? These are different certifications with different requirements. Do they need you to hold the certificate before you can continue work, or is a commitment to certify within a timeframe acceptable? Is the requirement coming from them directly, or is it being flowed down from their own client or a regulatory body? Do they expect the certificate to cover your whole organisation, or only the part of your business that handles their work? Scope determines both the cost and the timeline, and a certificate scoped to a single business unit may not satisfy a client who expected whole-organisation coverage.
Get the answers in writing. A verbal "just get Cyber Essentials" can easily turn into "we actually needed CE Plus" once contracts are being signed.
How to respond honestly
If you do not already hold Cyber Essentials, do not tell your client you can have it in two weeks unless you have already assessed your environment and know you are ready. A failed assessment wastes time and costs money — and your client will not be impressed if your promised timeline slips.
A reasonable response is: "We are beginning the Cyber Essentials certification process and expect to complete it within [realistic timeframe]. We will provide a copy of our certificate as soon as it is issued." If you are not sure whether your environment is ready, say so — and get a readiness assessment before you commit to a deadline.
BEFORE YOU COMMIT TO A DEADLINE
If you have not assessed your current environment against the Cyber Essentials requirements, do not commit to a certification date. A readiness assessment takes days, not weeks — and it will tell you whether your timeline is realistic before you make promises you cannot keep.
Related guides
Cyber Essentials vs Cyber Essentials Plus — what is the difference and which do you need?
Scoping & Process: How to scope a Cyber Essentials assessment, and why getting it wrong is costly.
Procurement & Tenders: Responding to a tender that requires Cyber Essentials, a practical guide.
CLIENT ASKING FOR CERTIFICATION?
Start with a conversation.
Our initial consultation is a working call — typically 30 minutes — in which we understand your organisation, your certification objectives, and your current security posture. You will leave with a clear picture of what is required and what it will cost.