1.1 These Cyber Essentials Basic Terms and Conditions (“CE Terms”) supplement and form part of the InfoSec Governance Ltd General Terms and Conditions of Service.
1.2 In the event of any conflict between these CE Terms and the General Terms and Conditions, these CE Terms shall prevail in relation to Cyber Essentials Basic certification services.
1.3 These CE Terms apply to the provision of Cyber Essentials Basic certification services by InfoSec Governance Ltd (“Service Provider”, “we”, “us” or “our”) to the Customer (“you” or “your”).
2.1 The quotation for Cyber Essentials Basic certification and any related services must be accepted before the assessment commences.
2.2 The Customer shall provide all information reasonably required to administer and conduct the assessment, including but not limited to:
2.3 The Customer warrants that all information submitted during the certification process is accurate, complete and not misleading.
2.4 The Service Provider may rely upon information supplied by the Customer and shall not be liable for any loss, delay or certification failure arising from inaccurate, incomplete or misleading information.
2.5 The Customer is solely responsible for defining the scope of certification and ensuring all relevant systems, users, devices, networks and cloud services are correctly included within the declared scope.
3.1 Cyber Essentials certification is based upon a self-assessment completed by the Customer.
3.2 Certification cannot be guaranteed and remains subject to compliance with the Cyber Essentials Scheme requirements and IASME / NCSC certification rules.
3.3 The Service Provider reserves the right to request clarification, supporting evidence or additional information where required to verify compliance.
3.4 Certification reflects the organisation’s compliance status at the time of assessment only and does not guarantee future compliance.
3.5 Cyber Essentials certification does not guarantee protection against cyber attack, malware infection, ransomware, unauthorised access, data breach, insider threat or any other security incident.
3.6 The Service Provider reserves the right to reject, suspend or fail an assessment where information supplied is materially inaccurate, incomplete, misleading or otherwise non-compliant with scheme requirements.
3.7 Where required by scheme rules, failures or material non-compliance may be reported to IASME.
4.1 The Customer shall complete the Cyber Essentials assessment within six (6) months of the assessment being made available.
4.2 Assessments that remain incomplete after six (6) months may be archived, suspended or removed by IASME and/or the Service Provider.
4.3 No refund shall be due where an assessment expires, is archived or remains incomplete due to Customer action or inaction.
5.1 Any additional assessment, review, retest, verification or remediation activity required following a failure may be chargeable unless expressly included within the quotation.
5.2 Additional work shall be charged at the Service Provider’s prevailing rates.
5.3 The extent of any reassessment or retesting shall be determined in accordance with scheme requirements and the auditor’s professional judgement.
6.1 Cyber Essentials certification is valid for a period of twelve (12) months from the date of issue.
6.2 Renewal and recertification are the responsibility of the Customer.
6.3 Continued compliance with Cyber Essentials requirements remains the responsibility of the Customer after certification has been awarded.
7.1 The Customer is responsible for ensuring all organisation details submitted for certification are correct.
7.2 Requests to amend certificate details after issue may be subject to administration charges.
8.1 Fees are payable irrespective of whether certification is achieved.
8.2 Certification certificates shall not be issued until payment has been received in full unless alternative credit arrangements have been agreed in writing.
8.3 Failure to make payment in accordance with the agreed payment terms may result in suspension of certification activities and debt recovery action.
9.1 The Customer may appeal a certification decision within thirty (30) days of notification.
9.2 Appeals should be submitted to:
or by telephone:
0330 043 0826
9.3 Appeals shall be handled in accordance with the applicable IASME Cyber Essentials appeals process.
9.4 The decision of IASME Consortium Ltd shall be final.
10.1 Complaints regarding the Service Provider’s conduct or administration of the assessment should be submitted within thirty (30) days of the matter arising.
10.2 Complaints may be submitted to:
or by telephone:
0330 043 0826
10.3 The Service Provider will investigate complaints and seek a fair and reasonable resolution.
11.1 Certification activities shall be conducted in accordance with the current Cyber Essentials Scheme requirements published by IASME Consortium Ltd and the National Cyber Security Centre (NCSC).
11.2 Where scheme requirements change, the Service Provider reserves the right to amend assessment procedures accordingly.
Version 3.0
Last Updated: 14 July 2026