Terms & Conditions

Cyber Essentials Plus


  1. These Terms and Conditions apply to the provision of the Cyber Essentials Plus certification, which is provided by InfoSec Governance Ltd, a company registered in England and Wales under number 12289766 whose registered office is at 73 Duke Street, Darlington, County Durham, DL3 7SD (we or us or Service Provider), to the person buying the services (you or Customer).
  2. You are deemed to have accepted these Terms and Conditions in addition to our standard terms and conditions of service when you accept our quotation or from the date of any performance of the Services (whichever happens earlier) and these Terms and Conditions and our quotation (the Contract) are the entire agreement between us.
  3. This agreement overrides any conflicting or existing terms and conditions which are in place for the provision of the Cyber Essentials Plus audit and certification.
  4. You acknowledge that you have not relied on any statement, promise or representation made or given by or on our behalf. These Conditions apply to the Contract to the exclusion of any other terms that you try to impose or incorporate, or which are implied by trade, custom, practice or course of dealing.


  1. The quotation for Cyber Essentials Plus and any additional related services must be agreed before the start of the audit.
  2. The basic Cyber Essentials certification must have successfully taken place in the preceding 3 months inclusive of the Cyber Essentials Plus audit duration.
  3. A full copy of the self-assessment report and certificate must be sent to InfoSec Governance before commencement of the audit to ensure full scoping and verification.
  4. The scope of the audit must match the Cyber Essentials basic scope and be agreed before testing takes place; a sample set of machines can be tested when being performed remotely.
  5. Failure to provide adequate assistance to the auditor in carrying out the audit will be reported as an audit fail (no refunds will be made).


  1. To perform a successful audit, it may be required that additional software be installed and configured on devices which are in scope of the certification. The customer will agree to these necessary changes before the audit commences.
  2. To perform a successful audit, it is a requirement to have access to a local / domain administrator account for the purpose of the credentialed vulnerability scanning. If this is not available or AzureAD is being utilised, it is the customer's responsibility to configure and deploy a dedicated local administrator account to all devices in scope.
  3. If a full audit is not completed due to technical issues, misconfiguration or an inability to access required services (such as not having access to a local administrative account), it is within the auditor’s right to stop the audit and issue a failure of certification. Payment will still be required.
  4. InfoSec Governance and/or the auditor accept no liability for the performance, crashing, reliability or otherwise of network connected devices through the scanning and accessing of systems whilst performing the audit.
  5. The test files which are used for email and web browser tests contain no malicious content and are designed only to test your system defences.
  6. Where a large deviation between the declared scope and the real network is detected during the audit, an extra charge may be applied, at the discretion of the auditor, to take this into account, in addition to recertification for basic certification if required.
  7. An audit is a snapshot in time; it does not guarantee that the business is 100% secure but does provide assurance that key aspects are working in accordance with the scheme.
  8. Failure of certification will be reported to IASME where systems are clearly non-compliant with the Cyber Essentials Scheme requirements.
  9. Technical failure reports will be provided within 2 working days of the conclusion of the audit.
  10. Full or partial retests will be determined at the discretion of the auditor/IASME and will be billed separately under the same terms as the original agreement on a time and materials basis.
  11. Certification is for one year; annual renewals are required to stay certified.


  1. The certificate, report and associated logos and branding guidelines will not be provided and registered until full payment has been received.
  2. Payment of invoice is due regardless of certification outcome and by invoice due date.


  1. You have the right to appeal a failure within 30 days directly to InfoSec Governance Ltd via [email protected] or telephone at: 0330 043 0826. The IASME Consortium Ltd and/or the UK National Cyber Security Centre (NCSC) are the final arbitrators of any appeal process.
  2. You can complain directly to InfoSec Governance Ltd via [email protected] or telephone via 0330 043 0826 within 30 days; we will work with you to find a mutually satisfactory resolution.