Lucy Mccormack, Crown Commercial Service’s SME Champion, provides guidance for suppliers on Cyber Essentials certification and how it can unlock public sector contracting opportunities for SMEs

Published 30 May 2025

Last updated 30 May 2025


Why are cyber security controls essential in public sector procurement?

Procurement Policy Notes (PPNs) are used to communicate new policies, which must be applied to public procurement activities. Under the UK government’s PPN 014, Cyber Essentials (CE) certification is now mandatory for certain public sector contracts. Contract examples which meet the characteristics for inclusion of CE requirements can be found in PPN 014 Annex A.

PPN 014 aims to ensure effective and proportionate cyber security controls are applied to public sector contracts to mitigate cyber security risks in the Government supply chain. The note, which replaces PPN 09/23 and PPN 09/14, reflects new terminology introduced by the Procurement Act 2023 and the Procurement Regulations 2024. However, it does not constitute a change in policy.

Buying organisations that are in scope of PPN 014 must ensure all suppliers demonstrate that they meet certain technical requirements for contracts or services considered to be at a higher risk of cyber security threats. The quickest and most effective means of mitigating cyber security risks associated with such contracts is to request that suppliers provide evidence of CE certification before contract award. 

CCS procurement teams will decide whether to make CE or CE Plus a mandatory requirement according to the nature of the contract and the type of market you’re working with. Suppliers will be notified at the Preliminary Market Engagement stage.

What are Cyber Essentials and Cyber Essentials Plus?

CE is a Government-backed scheme developed by the National Cyber Security Centre (NCSC). It represents the minimum baseline of technical cyber security controls prescribed by the Government for organisations of all sizes in the UK.

The scheme is administered by government-approved certification bodies, which are currently accredited by Information Assurance for Small and Medium Enterprises (IASME).

CE helps organisations to protect against the most common cyber attacks by ensuring 5 basic technical controls are in place that can protect against 80% of common cyber security threats.

CE Plus assesses the same technical controls as CE and comprises remote and on-site vulnerability testing. CE Plus checks whether the controls put in place actually provide a defence against basic hacking and phishing attacks. It is a more rigorous assessment, to be used when there is a higher risk of cyber security threats. This audit helps organisations demonstrate a stronger commitment to cyber security and can be a requirement for some government contracts. An organisation can complete their CE Plus audit within 3 months of their last CE certification.

How can suppliers get Cyber Essentials and Cyber Essentials Plus certification?

Cyber Essentials

CE is a self-assessment option. Organisations complete a questionnaire, which is verified by an independent certification body to assess whether the appropriate standard has been achieved and certification can be awarded.

The cost of CE at basic level starts from £320+VAT for a micro organisation.

Cyber Essentials Plus

For CE Plus, costs start from approximately £1,400+VAT for a micro organisation, reflecting the thoroughness of the assessment.

CE certifications, both Standard and Plus, are valid for 12 months. Certification must be renewed annually. Failure to renew within the 12-month period will result in the organisation being removed from the NCSC’s certified list.

Suppliers are encouraged to read the full requirements of the Cyber Essentials and Cyber Essentials Plus Scheme.

Why should SMEs get Cyber Essentials certification?

Obtaining CE certification demonstrates your business’s commitment to cyber security. This can build trust with public sector clients, who are increasingly focused on ensuring the security and integrity of their sensitive data. 

There are a number of further benefits to obtaining certification: 

  • Implementing CE controls can significantly reduce your organisation’s vulnerability to cyber attacks, improve overall cyber security and reduce damage to operations and costly disruption.
  • According to a recent report (i), the average cost of a cyber attack for an SME is over £3,000. Furthermore, research carried out by the NCSC states that “92% fewer insurance claims are made by organisations who have CE controls in place”.
  • CE certification includes automatic cyber liability insurance for any UK organisation that certifies its whole organisation and has less than £20 million annual turnover.
  • Public sector organisations are increasingly aware of the risks associated with cyber attacks, including financial loss, reputational damage, and legal repercussions. Companies with robust cyber security measures can demonstrate their ability to mitigate these risks and reduce their liability, making them more appealing to public sector clients.

Need help with getting your CE certification?

PPN 014 contains links to CE Advice and Guidance, the CE readiness toolkit and the NCSC Supply Chain Risk Assessment Guidance. There is also a list of useful FAQs regarding CE certification available from IASME.

Cyber Essentials certification – 5 things suppliers need to know

  1. Although the CE requirement applies across all CCS commercial agreements, not every contract under them requires suppliers to be certified under a CE scheme. CE certification (or equivalent) should only be required by contracting authorities where it is relevant to the subject matter of the contract, proportionate and necessary to manage cyber security risks.
  2. If a supplier does not hold CE certification, they can still bid for CCS agreements requiring CE if they can demonstrate equivalent controls are in place which meet CE requirements. This should be verified by a technically competent, independent third party.
  3. Holding the ISO 27001 standard doesn’t automatically mean conformance to CE, because it is not usual for all 5 of the CE technical controls to be included in the scope of an ISO 27001 implementation.
  4. Evidence of holding a CE certificate (or equivalent) is essential at the point when data is to be passed to the supplier, i.e. on entering into a call-off contract. The initial self-assessment will help you identify areas to address to avoid having to reapply and incurring an additional application fee. If you receive a ‘fail’ notification, you will have 2 working days to resolve any issues and resubmit for further review without further cost.

Find out more

If you require further information when bidding on a CCS procurement please follow the instructions for clarification questions in the published bid pack.

To learn more about how CCS is levelling the playing field for suppliers of all sizes, download our digital brochure.

We always welcome feedback, suggestions or queries. These can be submitted to smefeedback@crowncommercial.gov.uk.

(i) Source: Securing Success: The Role of Cybersecurity in SME Growth