Certifying IT you manage
You run the client's IT, so you cannot be the one who certifies it. Cyber Essentials needs an independent body. No one can mark their own homework.
Why your clients are asking about Cyber Essentials
The pressure on your clients to hold Cyber Essentials, the UK government-backed certification that sets a baseline of technical security against common cyber attacks, is rising from several directions, and the questions tend to reach you first.
Insurers increasingly ask for it at renewal. Procurement teams in regulated sectors now treat Cyber Essentials Plus as a baseline rather than the upper end. And the Cyber Security and Resilience Bill, currently progressing through Parliament and expected to become law during 2026, raises the bar again for the businesses you serve. The Bill is also widely expected to bring managed service providers themselves into scope of the UK’s network and information systems rules, so the security expectations land on you as well as on your clients.
There is also a structural reason the work comes to you rather than around you. A managed service provider cannot certify the IT it manages, because no one can mark their own homework. An independent Certification Body partner is essential, not optional, and the only real question is which one you trust with your clients.
Common challenges MSPs face with Cyber Essentials.
The MSPs we work with tend to run into the same handful of issues.
Mapping your RMM to the controls
Your RMM already produces most of the evidence. The hard part is mapping it to the five Cyber Essentials controls.
Keeping up with v3.3
Cyber Essentials v3.3, in force since 27 April 2026, made multi-factor authentication (MFA) an automatic failure point and tightened cloud scope.
A ready answer when clients ask
When an insurer or buyer asks your client for Cyber Essentials, they come to you. Without a certification partner, you are improvising the answer.
Evidence and scope for CE Plus
Cyber Essentials Plus is an audited test. The common gaps are MFA enforcement, cloud scope and patching evidence, and they are easier to fix before assessment than during it.
Defending the certificate
If a client you certified is breached, you need a partner who can investigate and stand behind the certificate, not one who disappears.
Partnering with an independent Certification Body
We are an authorised IASME Certification Body, not a reseller, and we have delivered Cyber Essentials since 2017. Certification is the only thing we do for your clients. We never compete for the managed contract.
Most partners offer two levels. Cyber Essentials Plus is an independent technical audit with vulnerability scanning included at no extra cost, and it is what most regulated and procurement-driven clients expect. Cyber Essentials Duo combines Basic and Plus at a single price point, which suits clients certifying ahead of a contract or an insurance renewal. Where a client’s cloud environment makes scope complex, a short pre-assessment readiness review keeps the certification predictable.
You add the certification to the client’s bill at your own margin, and because it renews each year it becomes a recurring line with no new acquisition cost.
How partnering works
Adding Cyber Essentials to your offer is straightforward, and it leaves your client relationship untouched.
1
Scope it together
We agree which clients to certify and at which level, Cyber Essentials or Cyber Essentials Plus.
2
We assess and certify
We run the assessment, make the IASME submission and issue the certificate. We never contact your client to sell them anything.
3
The relationship stays yours
You add the certification to the client's bill and keep the account. We hand the client back to you.
4
We support and stand behind it
We handle renewals each year, and if a client is breached we step in through you to investigate and defend the certificate.
"If a client you certify is breached, the same team that signed the certificate can run the forensics and defend it. Most certification bodies cannot help when something goes wrong."
Jonathan Krause
Founder & Head Assessor, Forensic Control. Former Metropolitan Police Hi-Tech Crime Unit, New Scotland Yard
Wider services for MSPs and their clients
Beyond certification, the same team supports you and your clients across the security and investigations lifecycle.
Penetration testing
Application, API and infrastructure testing that exposes the risks automated scanning misses, for clients who need more than the baseline.
Vulnerability scanning
Continuous monitoring for known vulnerabilities with prioritised remediation guidance. Included with every Cyber Essentials Plus certification.
Incident response
When a client is breached, we help you contain, investigate and recover, drawing on Metropolitan Police Hi-Tech Crime Unit experience.
Digital forensics and eDiscovery
Forensic-grade investigation and electronic evidence handling when a matter ends up in dispute or in court.
Frequently asked questions
What is Cyber Essentials?
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Do you compete with us for the managed IT contract?
How does the commercial model work?
What happens if a client fails their Cyber Essentials Plus assessment?
What happens if a client is breached after we certify them?
We already work with another Certification Body. Can we switch?
Can we white-label the certification?
Speak to us about partnering
Whether you are adding Cyber Essentials to your offer for the first time, switching from another Certification Body, or working out what the partnership is worth, we can help.
