
The 6-Step Path to Cyber Essentials Certification for Consultancy Firms

More clients want proof of Cyber Essentials before they hand over a contract. Procurement teams use Cyber Essentials as a first filter, and UK consultancy firms without it get cut before their proposal is even read.

Skip it and bids get rejected before the technical review. Hold it, and you sit alongside the firms that do, ready to compete. Below is the six-step path to Cyber Essentials certification, mapped out for the contracts, tools and team structures consultancy firms actually work with.

Step 1: Understand what Cyber Essentials means for consultancy firms

Cyber Essentials is a UK government-backed scheme run by the National Cyber Security Centre and delivered by IASME. It rests on five technical controls that, applied properly, protect against the bulk of common internet-based attacks.

The five controls are:

  • Firewalls: A security filter between your network and the internet.
  • Secure configuration: Devices set up to limit obvious entry points.
  • User access control: The right people with the right permissions, nothing more.
  • Malware protection: Tools that catch viruses and dodgy software before they spread.
  • Security update management: Patches applied promptly to close known vulnerabilities.

With the right cyber security support, the scheme is achievable for consultants without an in-house security team.

Step 2: Choose between Cyber Essentials and Cyber Essentials Plus

The UK Cyber Essentials scheme has two certification levels. Pick the one that matches your contract pipeline.

Cyber Essentials is a verified self-assessment. You answer a structured questionnaire, an IASME-licensed assessor reviews it, and certification follows. The official IASME assessment fee sits between £320 and £600 plus VAT depending on your headcount.

Cyber Essentials Plus covers the same five controls but adds independent technical testing, including vulnerability scans and a sample audit of your devices.

Most consultancy firms start with basic Cyber Essentials. It satisfies most public sector tenders and corporate supplier checks. Cyber Essentials Plus comes into play for higher-value government work, MOD contracts, or enterprise clients with stricter supply-chain rules. The contract notice will state which level is required.

Step 3: Audit your IT compliance for the five Cyber Essentials controls

Before paying any assessment fee, run your own gap check. Most consultancy firms find the same handful of weak spots.

Common gaps include:

  • Unmanaged personal devices used for client work, with no policy and no oversight
  • Admin accounts shared between team members or used for everyday email
  • Patching schedules that drift, particularly for browsers, PDF readers and Java
  • Multi-factor authentication missing or only partially rolled out across Microsoft 365
  • End-of-life operating systems still in use on a forgotten laptop or two

Unsupported software and patching gaps trip up plenty of applicants. Catching them in advance avoids a resubmission.

Step 4: Tighten access control across distributed consultancy teams

Consultancy work runs on collaboration. Associates, contractors, partner firms, and client-side users all need access to the right files at the right time. None of them needs access to everything.

Three changes deliver most of the value:

  • Multi-factor authentication on every account: Under the current scheme requirements, MFA is mandatory across all cloud services in scope. No exceptions for senior partners.
  • Role-based permissions: Consultants see only the projects they are working on. Admins do not need a permanent admin login for daily email.
  • Tight offboarding: When a consultant leaves or a contract ends, accounts get disabled the same day. Lingering accounts are a known attack route into client data.

Step 5: Get your Microsoft 365 environment compliant

Most consultancies run on Microsoft 365. The default tenant settings handle the basics, but Cyber Essentials expects more from your Microsoft 365 environment.

Key configuration changes include:

  • Conditional Access policies that enforce MFA, block legacy authentication, and restrict sign-ins from unmanaged devices
  • Microsoft Defender configured properly for endpoint and email protection, with the default rules tightened
  • Audit logging enabled and logs retained, so you can see what happened if an account is compromised
  • Admin role separation, with Global Admin used sparingly and protected by phishing-resistant MFA

These changes are unglamorous but non-negotiable. Getting Microsoft 365 right is usually the largest piece of prep work, and the area where partner support pays back fastest.
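As an added example, not code from this page or from Singularitee, the gap check below runs over a Microsoft 365 (Entra ID) sign-in log export and flags the Step 3 to Step 5 findings above: legacy (non-modern) authentication still in use, successful sign-ins without MFA, and enabled accounts with no recent sign-in (the offboarding point in Step 4). The records follow the Microsoft Graph signIn field names; the records themselves and the account list are constructed sample data, and the 30-day staleness threshold is an assumed value.

```python
# Gap check over a Microsoft 365 sign-in log export (Graph `signIn` field names).
# Everything below is constructed sample data, not a real tenant.
from datetime import datetime, timedelta, timezone

# clientAppUsed values that indicate legacy (basic) authentication; modern
# clients report "Browser" or "Mobile Apps and Desktop clients".
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
                  "Authenticated SMTP", "Other clients"}
STALE_DAYS = 30  # assumed threshold: an enabled account unused this long is an offboarding miss


def rec(ts, user, client, auth, err=0):
    """Build one constructed signIn-shaped record (errorCode 0 = success)."""
    return {"createdDateTime": ts, "userPrincipalName": user, "clientAppUsed": client,
            "authenticationRequirement": auth, "status": {"errorCode": err}}


SAMPLE_RECORDS = [  # constructed sample sign-ins
    rec("2024-05-20T08:01:00Z", "alice@example.com", "Browser", "multiFactorAuthentication"),
    rec("2024-05-20T08:05:00Z", "bob@example.com", "IMAP4", "singleFactorAuthentication"),
    rec("2024-05-21T09:00:00Z", "carol@example.com", "Mobile Apps and Desktop clients",
        "singleFactorAuthentication"),
    rec("2024-05-21T09:10:00Z", "dave@example.com", "Browser", "singleFactorAuthentication",
        err=50126),  # failed sign-in: must not count as a live exposure
]
# Accounts still enabled in the tenant (constructed); one belongs to a leaver.
ENABLED_ACCOUNTS = ["alice@example.com", "bob@example.com", "carol@example.com",
                    "dave@example.com", "ex-contractor@example.com"]


def find_gaps(records, enabled_accounts, now, stale_days=STALE_DAYS):
    """Return users on legacy auth, users signing in without MFA, and enabled
    accounts with no successful sign-in in the last stale_days."""
    legacy, single_factor, last_seen = set(), set(), {}
    for r in records:
        if r["status"]["errorCode"] != 0:
            continue  # only successful sign-ins show a live exposure
        user = r["userPrincipalName"]
        when = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        last_seen[user] = max(when, last_seen.get(user, when))
        if r["clientAppUsed"] in LEGACY_CLIENTS:
            legacy.add(user)
        if r["authenticationRequirement"] != "multiFactorAuthentication":
            single_factor.add(user)
    cutoff = now - timedelta(days=stale_days)
    never = datetime.min.replace(tzinfo=timezone.utc)  # no successful sign-in at all
    stale = {u for u in enabled_accounts if last_seen.get(u, never) < cutoff}
    return {"legacy_auth": sorted(legacy), "single_factor": sorted(single_factor),
            "stale_enabled": sorted(stale)}


def run_sample():
    """Run the check against the constructed data with a fixed 'now'."""
    return find_gaps(SAMPLE_RECORDS, ENABLED_ACCOUNTS, datetime(2024, 6, 10, tzinfo=timezone.utc))
```

Each flagged user maps to a control the assessor will ask about: legacy auth and single-factor sign-ins to the Conditional Access and MFA points in Step 5, stale enabled accounts to the offboarding point in Step 4.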

Step 6: Choose between DIY and a certified IT partner

The self-assessment doesn’t pull punches. Questions are technical. Answers must match what is configured. Wrong answers fail the assessment, sometimes after the fee is paid.

Going it alone works if you have an internal IT lead with time to dig through Microsoft 365 settings, audit every device, and write up answers. Most consultancy directors do not have that time.

A certified IT partner runs the gap analysis, fixes what needs fixing, completes the questionnaire, and manages the annual renewal. Singularitee handles Cyber Essentials for consultancy clients as part of our managed service. UK firms with turnover under £20m also receive £25,000 of cyber liability insurance free with the certificate, arranged by IASME and underwritten through their broker.

Cyber Essentials pays for itself in won contracts

The certificate opens doors to bigger contracts, satisfies client procurement reviews, and gives prospects one less reason to pick someone else. The badge goes on the website, the certificate goes on the wall, and your bid lands on the shortlist. Book a consultation to map out your Cyber Essentials path.

Frequently Asked Questions

Not universally. It is mandatory for suppliers bidding on certain UK government and MOD contracts under Procurement Policy Note 014, and many enterprise clients now require it during supplier onboarding. For a consultancy chasing public sector or financial services work, it is effectively a requirement.

An IASME-licensed assessor reviews submissions within three working days once your environment is ready. Most consultancies need a few weeks of prep before that to close common gaps. Certification lasts twelve months, and then you re-certify.

The IASME assessment fee starts at £320 plus VAT for organisations under 10 employees and rises to £600 plus VAT for larger firms. Total project cost depends on whether you handle the work in-house or use an IT partner to manage gap analysis and submission.

Both cover the same five technical controls. Basic Cyber Essentials is a verified self-assessment. Cyber Essentials Plus adds an independent technical audit including vulnerability scans and device sampling, giving clients a higher level of assurance.

Adam Bovan

During my time as an IT specialist in the Navy, downtime simply wasn’t an option.