Terms & Conditions – Cyber Essentials

INFOSEC GOVERNANCE LTD

CYBER ESSENTIALS BASIC TERMS AND CONDITIONS

1. Application

1.1 These Cyber Essentials Basic Terms and Conditions (“CE Terms”) supplement and form part of the InfoSec Governance Ltd General Terms and Conditions of Service.

1.2 In the event of any conflict between these CE Terms and the General Terms and Conditions, these CE Terms shall prevail in relation to Cyber Essentials Basic certification services.

1.3 These CE Terms apply to the provision of Cyber Essentials Basic certification services by InfoSec Governance Ltd (“Service Provider”, “we”, “us” or “our”) to the Customer (“you” or “your”).


2. Customer Obligations

2.1 The quotation for Cyber Essentials Basic certification and any related services must be accepted before the assessment commences.

2.2 The Customer shall provide all information reasonably required to administer and conduct the assessment, including but not limited to:

  • Organisation name;
  • Registered address;
  • Billing information;
  • Purchase order details (where applicable);
  • Assessment contact details;
  • Any other information reasonably requested.

2.3 The Customer warrants that all information submitted during the certification process is accurate, complete and not misleading.

2.4 The Service Provider may rely upon information supplied by the Customer and shall not be liable for any loss, delay or certification failure arising from inaccurate, incomplete or misleading information.

2.5 The Customer is solely responsible for defining the scope of certification and ensuring all relevant systems, users, devices, networks and cloud services are correctly included within the declared scope.


3. Assessment and Certification

3.1 Cyber Essentials certification is based upon a self-assessment completed by the Customer.

3.2 Certification cannot be guaranteed and remains subject to compliance with the Cyber Essentials Scheme requirements and IASME / NCSC certification rules.

3.3 The Service Provider reserves the right to request clarification, supporting evidence or additional information where required to verify compliance.

3.4 Certification reflects the organisation’s compliance status at the time of assessment only and does not guarantee future compliance.

3.5 Cyber Essentials certification does not guarantee protection against cyber attack, malware infection, ransomware, unauthorised access, data breach, insider threat or any other security incident.

3.6 The Service Provider reserves the right to reject, suspend or fail an assessment where information supplied is materially inaccurate, incomplete, misleading or otherwise non-compliant with scheme requirements.

3.7 Where required by scheme rules, failures or material non-compliance may be reported to IASME.


4. Assessment Completion

4.1 The Customer shall complete the Cyber Essentials assessment within six (6) months of the assessment being made available.

4.2 Assessments that remain incomplete after six (6) months may be archived, suspended or removed by IASME and/or the Service Provider.

4.3 No refund shall be due where an assessment expires, is archived or remains incomplete due to Customer action or inaction.


5. Retests and Additional Work

5.1 Any additional assessment, review, retest, verification or remediation activity required following a failure may be chargeable unless expressly included within the quotation.

5.2 Additional work shall be charged at the Service Provider’s prevailing rates.

5.3 The extent of any reassessment or retesting shall be determined in accordance with scheme requirements and the auditor’s professional judgement.


6. Certification Period

6.1 Cyber Essentials certification is valid for a period of twelve (12) months from the date of issue.

6.2 Renewal and recertification are the responsibility of the Customer.

6.3 Continued compliance with Cyber Essentials requirements remains the responsibility of the Customer after certification has been awarded.


7. Certificate Details

7.1 The Customer is responsible for ensuring all organisation details submitted for certification are correct.

7.2 Requests to amend certificate details after issue may be subject to administration charges.


8. Fees and Payment

8.1 Fees are payable irrespective of whether certification is achieved.

8.2 Certification certificates shall not be issued until payment has been received in full unless alternative credit arrangements have been agreed in writing.

8.3 Failure to make payment in accordance with the agreed payment terms may result in suspension of certification activities and debt recovery action.


9. Appeals

9.1 The Customer may appeal a certification decision within thirty (30) days of notification.

9.2 Appeals should be submitted to:

[email protected]

or by telephone:

0330 043 0826

9.3 Appeals shall be handled in accordance with the applicable IASME Cyber Essentials appeals process.

9.4 The decision of IASME Consortium Ltd shall be final.


10. Complaints

10.1 Complaints regarding the Service Provider’s conduct or administration of the assessment should be submitted within thirty (30) days of the matter arising.

10.2 Complaints may be submitted to:

[email protected]

or by telephone:

0330 043 0826

10.3 The Service Provider will investigate complaints and seek a fair and reasonable resolution.


11. Governing Rules

11.1 Certification activities shall be conducted in accordance with the current Cyber Essentials Scheme requirements published by IASME Consortium Ltd and the National Cyber Security Centre (NCSC).

11.2 Where scheme requirements change, the Service Provider reserves the right to amend assessment procedures accordingly.


Version 3.0
Last Updated: 14 July 2026