1.1 These Cyber Essentials Plus Terms and Conditions (“CE Plus Terms”) supplement and form part of the InfoSec Governance Ltd General Terms and Conditions of Service.
1.2 In the event of any conflict between these CE Plus Terms and the General Terms and Conditions, these CE Plus Terms shall prevail in relation to Cyber Essentials Plus certification services.
1.3 These CE Plus Terms apply to the provision of Cyber Essentials Plus certification services by InfoSec Governance Ltd (“Service Provider”, “we”, “us” or “our”) to the Customer (“you” or “your”).
2.1 A valid Cyber Essentials certification must exist before a Cyber Essentials Plus assessment can commence.
2.2 The Cyber Essentials Plus assessment must be completed within the time limits specified by the Cyber Essentials Scheme requirements in force at the time of assessment.
2.3 The Customer shall provide a copy of the current Cyber Essentials certificate and assessment report before testing commences.
2.4 Certification cannot be guaranteed and remains subject to compliance with the Cyber Essentials Plus Scheme requirements and IASME/NCSC certification rules.
3.1 The Customer shall provide all information, access, personnel, systems, devices and assistance reasonably required to conduct the assessment.
3.2 The Customer warrants that:
a) all information supplied is accurate, complete and not misleading;
b) it owns, controls or has obtained all necessary permissions and authorisations for the testing of systems included within scope;
c) all systems included within scope have been declared accurately;
d) the declared scope reflects the actual systems intended to be certified.
3.3 The Customer shall provide a complete and accurate asset inventory upon request.
3.4 Failure to provide required information, access, permissions, administrative credentials or reasonable assistance may result in:
a) suspension of the assessment;
b) additional charges;
c) certification failure.
3.5 No refund shall be due where the assessment cannot be completed because of Customer action or inaction.
4.1 The scope of the Cyber Essentials Plus assessment must correspond to the scope of the underlying Cyber Essentials certification.
4.2 The Service Provider reserves the right to verify the declared scope before and during testing.
4.3 Where the actual environment materially differs from the declared scope, the Service Provider may:
a) suspend testing;
b) revise fees;
c) require additional certification activities;
d) require recertification of Cyber Essentials Basic;
e) terminate the assessment.
4.4 Any additional work arising from scope changes shall be chargeable at the Service Provider’s prevailing rates.
5.1 Cyber Essentials Plus assessments may be conducted remotely, onsite or through a combination of both methods.
5.2 Where remote assessment is undertaken, the Customer shall ensure that Microsoft Teams or another agreed platform is available and operational.
5.3 The Service Provider may require the installation or execution of approved assessment tools to complete testing activities.
5.4 The Customer shall ensure that suitable administrative access is available on all sampled devices selected for testing.
5.5 The Service Provider may perform vulnerability scanning, malware protection verification, configuration review, account verification, update verification, email security testing, browser security testing and any other testing required by the Cyber Essentials Plus Scheme.
6.1 Assessment sessions may be recorded for evidential, certification, quality assurance, training and dispute resolution purposes.
6.2 Recordings shall be stored securely within the Service Provider’s Microsoft 365 UK tenancy or equivalent secure environment.
6.3 Access to recordings shall be restricted to authorised personnel and retained in accordance with the Service Provider’s retention policies.
7.1 The Service Provider will perform the number of vulnerability scans included within the quotation.
7.2 Additional scans, retests or verification activities may be chargeable at the Service Provider’s prevailing rates.
7.3 The Customer acknowledges that security testing activities may generate network traffic, system events, alerts or temporary performance degradation.
7.4 Whilst reasonable care shall be exercised, the Customer acknowledges that vulnerability scanning, configuration review and security testing may cause disruption, degradation, instability, service interruption or system failure.
7.5 The Service Provider shall not be liable for such consequences except where caused by its gross negligence or wilful misconduct.
7.6 Test files used for email, browser and malware protection testing do not contain malicious code and are designed solely to validate security controls.
8.1 An assessment represents a snapshot in time and does not guarantee future compliance or security.
8.2 Cyber Essentials Plus certification does not guarantee protection against cyber attack, ransomware, malware infection, unauthorised access, insider threat, data breach or any other security incident.
8.3 Failure of certification may be reported to IASME where required by scheme rules.
8.4 Technical findings and remediation requirements will normally be provided within two (2) Business Days following completion of testing.
8.5 The Customer shall complete remediation activities within the timescales specified by the Cyber Essentials Plus Scheme.
8.6 Failure to achieve compliance within the applicable scheme timescales may result in certification failure.
9.1 Any additional assessment, retest, review, verification or remediation validation required following a failure may be chargeable unless expressly included within the quotation.
9.2 The extent of any reassessment or retesting shall be determined in accordance with scheme requirements and the auditor’s professional judgement.
9.3 Additional work shall be charged at the Service Provider’s prevailing rates.
10.1 Cyber Essentials Plus certification is valid for twelve (12) months from the date of issue.
10.2 Renewal and recertification are the responsibility of the Customer.
10.3 Continued compliance with Cyber Essentials Plus requirements remains the responsibility of the Customer following certification.
11.1 Fees are payable irrespective of whether certification is achieved.
11.2 Certification certificates shall not be issued until payment has been received in full unless alternative credit arrangements have been agreed in writing.
11.3 Failure to make payment in accordance with agreed payment terms may result in suspension of certification activities and debt recovery action.
12.1 The Customer may appeal a certification decision within thirty (30) days of notification.
12.2 Appeals should be submitted to:
Telephone: 0330 043 0826
12.3 Appeals shall be handled in accordance with the applicable IASME Cyber Essentials appeals process.
12.4 The decision of IASME Consortium Ltd shall be final.
13.1 Complaints regarding the Service Provider’s conduct or administration of the assessment should be submitted within thirty (30) days of the matter arising.
13.2 Complaints may be submitted to:
Telephone: 0330 043 0826
13.3 The Service Provider will investigate complaints and seek a fair and reasonable resolution.
14.1 Certification activities shall be conducted in accordance with the current Cyber Essentials Plus Scheme requirements published by IASME Consortium Ltd and the National Cyber Security Centre (NCSC).
14.2 Where scheme requirements change, the Service Provider reserves the right to amend assessment procedures accordingly.
Version 3.0
Last Updated: 14 July 2026