UK Cyber Essentials for non-UK businesses

Working with UK central government, the MoD, the NHS, or a UK enterprise client? Cyber Essentials certification is open to organisations of any size, in any country. We guide non-UK businesses through the full process remotely, from scope to certificate.

Yes, non-UK organisations can be certified

Cyber Essentials is open to organisations of any size, in any country. There is no requirement to be UK-registered or to have a UK office. The certificate is issued in your organisation’s legal name and is identical in standing to one issued to a UK company.

That includes you if your organisation is headquartered in the United States, Ireland, the EU, Australia, New Zealand, Canada, India, or anywhere else.

This is the UK government’s Cyber Essentials scheme. Administered by IASME on behalf of the National Cyber Security Centre (NCSC), it is the certification required by UK central government, the Ministry of Defence, the NHS, and a growing number of UK private-sector buyers. It is a separate scheme from CISA’s Cyber Essentials guidance, which is a US framework with the same name but no certification component and no recognition in UK procurement. If a UK contract or buyer has asked you for “Cyber Essentials”, they mean the UK scheme.

Forensic Control is an authorised IASME Certification Body and has guided organisations across more than 30 countries through the certification process since 2017.

When non-UK organisations need Cyber Essentials

Four situations bring overseas businesses to us. The requirement applies to the supplier, regardless of where the supplier is headquartered.

UK central government contracts

Mandatory for any supplier bidding on contracts involving personal data or IT products and services, since October 2014 under PPN 09/14 (updated by PPN 01/24). Without a valid certificate, your bid will not be considered.

MoD and defence supply chain

Required for all Ministry of Defence contracts involving sensitive data or IT services, since January 2016. Applies to tier-2 and tier-3 international suppliers. Some contracts specify Cyber Essentials Plus.

NHS and UK public sector

Increasingly required by NHS procurement frameworks and UK public sector bodies as a baseline supplier requirement. CE Plus is often specified for contracts involving patient data.

UK private sector requirements

UK-headquartered prime contractors, financial institutions, insurers, and enterprise buyers increasingly require Cyber Essentials from their suppliers, regardless of where the supplier is based.

Common scenarios by region

We have certified organisations across the world. The questions we hear vary by region, but the eligibility and the process are the same wherever you are.

United States

US firms supplying UK MoD, central government, or NHS contracts. Common questions: how this differs from CISA's Cyber Essentials guidance, and how it sits alongside SOC 2.

Ireland and EU

Irish, Dutch, German, and French organisations trading into the UK supply chain. Common question: whether ISO 27001 or NIS2 compliance substitutes for Cyber Essentials in UK procurement (it does not).

Australia and New Zealand

Defence and government suppliers operating in both ANZ and UK markets. Common question: how Cyber Essentials maps to the Australian Essential Eight Maturity Model.

Canada

Canadian firms supplying UK government, defence, or financial-sector clients. Common question: whether Cyber Essentials is recognised by Canadian procurement (it is not, but it is recognised by UK procurement when the contract is UK-based).

India

Indian IT services firms and offshore development centres bidding for UK government or enterprise contracts. Common question: how to confirm a certification body is legitimately authorised by IASME.

Rest of world

Norway, Singapore, the UAE, South Africa, and beyond. Wherever a UK contract has asked you for Cyber Essentials, the same process applies. We work remotely across all time zones.

How the process works for non-UK organisations

The certification process is the same as for UK-based organisations and is fully remote. No UK office, no on-site visit, no travel required.

1. Introductory call
A 30-minute call with a senior assessor confirms scope, the level required (Basic or Plus), and timeline. Held in your time zone.

2. Define scope
For organisations with infrastructure in multiple countries, defining scope correctly is the most important step and the most common point of confusion. We work through it with you before you begin the questionnaire.

3. Complete the self-assessment
The IASME online questionnaire covers five technical control areas: firewalls, secure configuration, user access controls, malware protection, and patch management. We provide guidance throughout. Most organisations complete it in 1–2 days.

4. Assessment and certificate
Our IASME-accredited assessor reviews your submission and issues the Cyber Essentials Basic certificate. Most organisations receive their certificate within 2–5 working days of a complete submission. Resubmissions are included at no extra cost.

5. Cyber Essentials Plus audit (if required)
Cyber Essentials Plus is a separate certification that adds a remote technical audit. It includes internal vulnerability scanning and workstation checks, conducted without an on-site visit. The Plus audit typically takes 3–5 working days.

Defining scope across borders

Scope is the set of devices, users, and services covered by your certificate. For organisations with infrastructure in multiple countries, getting scope right at the outset is the single most important decision in the certification process.

A common pattern: a US-headquartered company has a UK subsidiary or a UK-facing product, and only that part of the business needs to be certified for the contract in question. We will help you decide whether to scope the whole organisation or a clearly defined subset, and we will document the scope boundary in a way that holds up under procurement scrutiny.

Under Cyber Essentials v3.3 (in force from 27 April 2026), any device that connects to the internet, in either direction, is in scope within the boundary you define. Cloud services used to store or process business data cannot be excluded.

We have run this scoping conversation with organisations from Boston to Bangalore. It usually takes 15 minutes of an introductory call to land the right answer.

How Cyber Essentials sits alongside other frameworks

Cyber Essentials does not replace SOC 2, ISO 27001, NIS2, or the Australian Essential Eight. UK procurement teams do not accept any of those as a substitute for Cyber Essentials. Here is how the most relevant frameworks compare.

UK Cyber Essentials

Government-backed scheme administered by IASME on behalf of the NCSC. Required for UK public-sector contracts. Annual renewal. The page you are reading.

SOC 2

AICPA framework for service organisations. Annual audit by a CPA firm. Standard for US enterprise procurement. Not recognised by UK government procurement.

ISO 27001

International information security management standard. Useful internationally but does not, by itself, satisfy UK Cyber Essentials requirements for public-sector procurement.

EU NIS2 directive

EU-wide cyber security regulation for essential and important entities. Imposes operational obligations, not a certification. Does not substitute for UK Cyber Essentials in UK contracts.

Australian Essential Eight

Australian Cyber Security Centre baseline mitigations. Maturity model rather than a certification. Distinct from Cyber Essentials, though several controls overlap.

FedRAMP and CMMC

US federal frameworks for cloud services (FedRAMP) and defence contractors (CMMC). Required for US federal contracts. Separate from and not recognised by UK procurement.

Frequently asked questions

Questions we hear from non-UK buyers, with the answers we give.
Is this the UK Cyber Essentials scheme, or the CISA Cyber Essentials?
Can a non-UK company actually get UK Cyber Essentials certified?
How long does Cyber Essentials take for a non-UK company?
Is the Cyber Essentials Plus audit done remotely for non-UK clients?
How does UK Cyber Essentials relate to SOC 2 or ISO 27001?
Can EU companies get UK Cyber Essentials certified?
How does Cyber Essentials compare to the Australian Essential Eight?
How do we verify that a Cyber Essentials certification body is legitimate?

Ready to start? Book a call with a senior assessor.

Tell us about your contract and we will confirm the level of certification you need, define scope for your infrastructure, and walk you through the timeline. Calls are held in your time zone where possible; select your time zone from the Calendly menu to find a suitable slot.
