How will Cyber Essentials changes affect you?

In a move to standardise the requirements for Cyber Essentials certification, from 1st April 2020 the IASME Consortium will be the National Cyber Security Centre’s sole Cyber Essentials Partner (formerly accreditation body), and the other four bodies will no longer be involved in the scheme.

The National Cyber Security Centre (NCSC) is the authority for appointing Cyber Essentials partners on behalf of HMG.

How will this affect certification applications/renewals?

  • All existing certification bodies will continue to operate as normal until 31 March 2020.
  • Applicants should apply for new certification/renewal under the current scheme’s requirements through any existing certification body.
  • Certificates issued from applications that were submitted before 1 April 2020 will be valid for at least 12 months.
  • If you apply for new or renew your Cyber Essentials certification with your existing certification body by 31 March 2020, you will have until 30 June 2020 to complete the application process (provided the application was started by 31 March and is being actively progressed).
  • All existing structures that were put in place under the current scheme to obtain certification will remain valid until 31 March 2020.
  • Vulnerability scans that were required under CREST-accredited certification bodies will still be required for applications purchased before 31 March 2020.

From 1 April 2020, any organisation that wants to apply for Cyber Essentials or renew their certification will need to follow the new process as required by IASME.

What can you expect from the new process after 31 March 2020?

  • All certification processes will be standardised through IASME.
  • Vulnerability scans that were required by certain certification bodies will no longer form part of the requirements for Cyber Essentials basic certification.
  • All Cyber Essentials applications and renewals will need to be completed using the IASME self-assessment questionnaire.
  • The questionnaire requires applicants to answer open-ended questions in free text format.
  • All applications need to be manually reviewed by an assessor. The open-ended free text format could lead to a lengthier and more onerous certification review process than the existing CREST questionnaire.
  • All renewals administered through IASME will be treated similarly to new applications, meaning data for Cyber Essentials assessments will need to be entered from scratch.
  • IT Governance customers will still be able to access their completed Cyber Essentials applications in the IT Governance Cyber Essentials portal, but we will not be able to transfer any data to IASME.

We urge customers to renew their certifications before 31 March 2020, even if it means bringing forward their certifications, to avoid having to start the process from scratch.

What about Cyber Essentials Plus?

  • All Cyber Essentials Plus applications continue as normal until 31 March 2020.
  • From 1 April, Cyber Essentials basic certification will be a prerequisite of Cyber Essentials Plus. Customers will be required to achieve the basic level first, followed by the Cyber Essentials Plus element, whichmust be completed within a mandatory three-month period and could incur additional charges.

Save yourself the hassle by securing early certification renewal

As we are a CREST-accredited certification body, you can fast-track your renewal through the IT Governance online portal before 31 March and reap the benefits of a simple, fast and convenient process.

Renewing your certification with IT Governance before the IASME-controlled process begins has many benefits:


Get certified or renew your certification now. 


  1. Dave 30th January 2020
    • Jane Reeves 30th January 2020