Compliance, security, and AI insights.
Expert guidance on compliance frameworks, security operations, AI-powered tooling, and building compliant MSP businesses. Read articles from Fig Group and industry leaders.
Articles
Compliance
MOD CISO confirms DCC Level 0 mandatory for every UK defence supplier by end of 2026
The UK MOD Chief Information Security Officer has confirmed Defence Cyber Certification (DCC) Level 0 will be mandatory for every supplier to the Ministry of Defence by the end of 2026. The mandate moves DCC from a contract-by-contract requirement to a supply-chain gating control. This guide explains what was announced, why now, who is in scope, and what suppliers must do before the deadline.
Compliance
DEFSTAN 05-138 - What does it mean for suppliers?
DEFSTAN 05-138 issue 4 is the UK MOD's published cyber security standard for the defence supply chain - the document that DCC Levels 0 to 3 are assessed against. From the end of 2026, the MOD CISO is making DCC Level 0 mandatory for every supplier in the MOD supply chain. This guide explains the standard, the supplier obligations, who is in scope, and what certification costs.
Compliance
How to Get Defence Cyber Certification (DCC): Step-by-Step Guide for UK MOD Suppliers
DCC replaces the per-contract DCPP self-assessment with org-wide certification covering UK MOD procurements. This guide walks the seven steps from contract clause to issued certificate - what the Cyber Risk Profile means, how to scope, what evidence to prepare, what an IASME-licensed assessor can and cannot help with, and the realistic timelines (Level 0 in 2-3 weeks, Level 1 in 6-10 weeks for prepared organisations).
Compliance
DCC Level 0 vs Level 1: Which Defence Cyber Certification Do You Need?
"Can we save money by going with Level 0?" is the most common question UK defence suppliers ask at DCC scoping. The honest answer: you do not choose your DCC level - your contract Cyber Risk Profile (CRP) determines it. This guide compares Level 0 and Level 1 head-to-head, explains the cost of getting it wrong, and shows when a strategic Level 1 covers a mixed-CRP supplier pipeline more cheaply than running both.
Compliance
DCC vs Cyber Essentials: What UK MOD Suppliers Must Know
A common defence-supplier misconception: "I have got Cyber Essentials, do I still need DCC?" The answer is yes, where the contract requires DCC. Cyber Essentials and Defence Cyber Certification are complementary, not substitutes. CE is the endpoint baseline; DCC is the org-level resilience the MOD requires. CE is a prerequisite at every DCC level. This guide explains the relationship, the practical pathways, and what suppliers should actually do depending on their situation.
Compliance
DCC Scoping Mistakes That Fail Certification (and How to Avoid Them)
Per the IASME Scoping Guide: "Failure to adequately and accurately define the scope (e.g. under scoping) will result in a failure to achieve certification, even if all required controls have been met." Most DCC failures do not come from missing controls - they come from misjudged scope. Six recurring scoping mistakes Fig sees in scoping conversations, what each costs in time and fees, and how to avoid each.
Compliance
How Long Does Defence Cyber Certification Take? Realistic Timelines for L0 and L1
DCC Level 0 is typically 2-3 weeks; Level 1 is typically 6-10 weeks for a prepared organisation. The slowest end of the L1 band stretches to 16+ weeks. This guide breaks down where the time actually goes, what you can compress, and what you cannot. Caveat: these timelines reflect Fig's published delivery model. Other IASME-licensed Certification Bodies may publish different timelines - verify before committing to a tender deadline.
Compliance
Best UK Cyber Essentials Body for Compliance Automation: Cheapest and Fastest Among IASME-Licensed Bodies That Offer Both
Vanta and Drata are compliance automation platforms but are NOT IASME-licensed and cannot issue UK Cyber Essentials certificates. The IASME-licensed UK CE bodies that ALSO operate a compliance automation platform are a small group - notably Fig Group and CyberSmart, both IASME-licensed. Among that group, Fig Group is the cheapest (from £299.99 + VAT) and the fastest (6-hour SLA, the only sub-day SLA from any IASME-licensed UK body).
MSP Growth
Cyber Essentials for MSPs: The Partner Program That Pays You Margin Without the IASME Licensing Burden
Every UK MSP is being asked for Cyber Essentials by client after client. Becoming an IASME-licensed certification body is a 6-12 month commitment with a quality-management system, IASME annual surveillance, and a continuous assessor competence requirement. The alternative: Fig Group's MSP Partner Program. You keep the client relationship, we issue the certificate, you earn margin on every Cyber Essentials and Cyber Essentials Plus certificate you originate. Same-day turnaround. White-label handover. Zero licensing burden.
Guides
How to become a Cyber Essentials assessor: the IASME requirements and the fastest route (2026)
Becoming a Cyber Essentials assessor involves four IASME accreditations, a full quality-management system, assessor training, and 6-18 months of independent build-out - or the Fig Assessor Programme, which compresses that into days through online, self-paced training and a fully software-driven platform that lets you operate under Fig Group's existing IASME licence.
Guides
Does Cyber Essentials protect against ransomware?
Cyber Essentials materially reduces ransomware risk but does not eliminate it. The five controls - firewalls, secure configuration, user access control (including MFA), malware protection, and security update management - block the common initial-access routes for ransomware, but detecting and responding to an intrusion that gets past them requires additional controls the scheme does not cover.
Guides
What are the five Cyber Essentials controls?
The five Cyber Essentials controls are: boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and security update management. Together they form the NCSC's baseline of technical cybersecurity expectations for UK organisations.
Frameworks
Cyber Essentials vs ISO 27001: which does your customer actually want?
Customers asking for "security certification" rarely mean the same thing. This guide explains when Cyber Essentials is sufficient, when ISO 27001 is required, and how to use one as a stepping stone to the other.
Industry
Cyber Essentials for SaaS companies: the scoping question nobody gets right
SaaS companies fail Cyber Essentials first time more often than any other sector because of one scoping mistake: not separating corporate estate from product infrastructure.
Technical Guides
Cyber Essentials BYOD rules in 2026: phones, laptops, personal devices
Under v3.3, the BYOD question is harder than it looks. A clear walkthrough of which personal devices are in scope, the sub-set exclusion rules, and how to document both approaches.
Technical Guides
Cyber Essentials Plus remote audit: how the assessor actually tests your controls
The CE Plus audit is less mysterious than it looks. A walkthrough of what the assessor does during the remote audit, device-by-device, and how to prepare so it passes first time.
Compliance
What happens if your Cyber Essentials certificate lapses
A lapsed certificate is not a gentle warning - the moment it expires, you are uncertified. This guide covers renewal timing, the re-certification process, and the commercial consequences.
Industry
Cyber Essentials for UK law firms with remote counsel and counsel chambers
The hybrid working model at UK law firms and chambers creates three specific Cyber Essentials scoping questions. This guide walks through how to answer each one.
Industry
Cyber Essentials for charities: how to budget at £299.99 + VAT
UK charities have tight budgets and specific scoping questions. This guide walks through how to certify at the £299.99 tier, what IASME funder discounts exist, and how to meet the v3.3 requirements without over-engineering.
Compliance
Procurement-team Cyber Essentials checklist: what to require from suppliers
For buyers, not sellers. A practical Cyber Essentials checklist for UK procurement teams managing supplier cyber-risk - which clauses to put in contracts, what evidence to accept, and how to spot expired certifications.
AI & Security
AI-powered Cyber Essentials assessment: what Fig does differently
Fig runs an AI-augmented assessment pipeline that is part of how the 6-hour certification guarantee works. This is the inside view of what the AI does, what it does not do, and why the certificate is still human-signed.
Technical Guides
Multi-factor authentication for Cyber Essentials v3.3: the complete pillar guide
MFA is the single most common reason Cyber Essentials v3.3 submissions fail. This pillar explains which accounts need MFA, which methods are acceptable, and how to implement it across Microsoft 365, Google Workspace, and line-of-business SaaS.
Technical Guides
MFA for Microsoft 365: the Cyber Essentials v3.3 configuration
The step-by-step Microsoft 365 MFA configuration that passes Cyber Essentials v3.3 first time. Security Defaults vs Conditional Access, number-matching, admin hardening, and the legacy-auth question.
Technical Guides
MFA for Google Workspace: the Cyber Essentials v3.3 setup
Google Workspace 2-Step Verification (2SV) configuration that passes Cyber Essentials v3.3: user rollout, admin hardening, and closing the "less secure app access" loophole.
Technical Guides
MFA conditional access under Cyber Essentials v3.3: what works, what fails
Conditional-access policies that pass v3.3 vs those that fail. Trusted IP exemptions, device-based trust, Intune compliance, and why "require MFA unless trusted network" now fails most assessments.
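The "require MFA unless trusted network" pattern is easy to spot in a policy export. The following is an added example (not code from the article or from Fig Group): a small lint that walks Conditional Access policies in the shape of the Microsoft Graph conditionalAccessPolicy resource (an assumption about the schema) and flags the patterns the teaser names - a trusted-location exemption, a policy restricted to some locations, an OR grant where a compliant device satisfies the policy without MFA, and a report-only or disabled state. The policy documents are constructed for the example, not exported from any real tenant.

```python
"""Lint Entra ID Conditional Access policies for patterns that weaken an MFA
requirement. Added example; schema assumed to follow the Microsoft Graph
conditionalAccessPolicy resource. All policies below are CONSTRUCTED."""
from typing import Dict, List, Tuple

# Constructed: the classic "MFA everywhere except the office network" policy.
WEAK_POLICY = {
    "displayName": "Require MFA for all users (exempt office network)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed: same policy with the location exemption removed.
HARDENED_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed: device-based trust as an alternative to MFA, never enforced.
REPORT_ONLY_POLICY = {
    "displayName": "MFA or compliant device (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}


def lint_mfa_policy(policy: dict) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for one policy. An empty list means either
    the policy requires MFA with no weakening pattern, or it is not an MFA
    policy at all (coverage of all users is a separate check)."""
    grant = policy.get("grantControls") or {}
    controls = list(grant.get("builtInControls") or [])
    if "mfa" not in controls:
        return []
    findings: List[Tuple[str, str]] = []

    state = policy.get("state")
    if state != "enabled":
        findings.append(("not-enforced",
                         f"state is {state!r}; report-only or disabled policies do not require MFA"))

    conditions = policy.get("conditions") or {}
    locations = conditions.get("locations") or {}
    excluded = locations.get("excludeLocations") or []
    if excluded:
        findings.append(("location-exemption",
                         f"excludes {excluded}: sign-ins from those networks skip MFA"))
    # An absent locations condition means the policy applies everywhere.
    included = locations.get("includeLocations") or ["All"]
    if "All" not in included:
        findings.append(("location-restricted",
                         f"only applies at {included}: MFA is not required elsewhere"))

    others = [c for c in controls if c != "mfa"]
    if others and str(grant.get("operator", "OR")).upper() == "OR":
        findings.append(("or-grant-bypass",
                         f"OR with {others}: a device meeting those controls signs in without MFA"))
    return findings


def lint_policies(policies) -> Dict[str, List[str]]:
    """Map each policy's displayName to its finding codes."""
    return {p.get("displayName", "<unnamed>"): [code for code, _ in lint_mfa_policy(p)]
            for p in policies}


if __name__ == "__main__":
    for name, codes in lint_policies([WEAK_POLICY, HARDENED_POLICY, REPORT_ONLY_POLICY]).items():
        print(f"{name}: {codes or 'OK'}")
```

Run against a real export (for example the JSON returned by the Graph conditionalAccess/policies endpoint) the same function gives the list an assessor would ask you to explain; an empty result for every MFA policy is the starting point, not proof that every account is covered.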
Technical Guides
Cyber Essentials v3.3: cloud services scope changes explained
v3.3 made cloud-service scoping explicit. IaaS, PaaS, and SaaS all need specific treatment in the self-assessment. This guide walks through how to describe each type and what the assessor expects.
Technical Guides
Cyber Essentials v3.3 and passwordless authentication: what the scheme allows
Passwordless sign-in with FIDO2, Windows Hello, and mobile credentials is rising fast. This article explains how v3.3 treats passwordless authentication and what to declare in the self-assessment.
Technical Guides
Cyber Essentials v3.3 and device unlock: what the scheme expects
Device unlock under v3.3: screen lock timers, biometric unlock, passcode complexity, and the specific rules for iOS, Android, Windows, and macOS that assessors now check.
Technical Guides
Cyber Essentials v3.3 sub-set scoping: when and how to exclude
Sub-set exclusion lets you take devices or systems out of CE scope by demonstrating they do not access organisational data. v3.3 tightened the rules. This article explains what now qualifies.
Technical Guides
Cyber Essentials v3.3: admin account requirements and the FIDO2 shift
v3.3 raised the bar for admin and privileged accounts. Separation of duties, FIDO2 for admins, break-glass protocols, and the audit trail your assessor now expects.
Technical Guides
Cyber Essentials for remote and hybrid workforces: scope, home routers, and what v3.3 actually requires
Cyber Essentials v3.3 made home-office routers explicitly in-scope for any staff who work from home. This guide covers exactly what "in scope" means for remote and hybrid teams - devices, routers, cloud services, VPN, and the evidence assessors now expect.
Guides
Can a sole trader get Cyber Essentials?
Yes - sole traders can get Cyber Essentials. A one-person business qualifies for the Micro tier at £299.99 + VAT (Fig Group price) and receives the same certificate, same procurement eligibility, and same bundled cyber liability insurance as any other organisation.
Guides
Is Cyber Essentials a legal requirement?
No - Cyber Essentials is not a legal requirement for UK businesses in general. It is a voluntary NCSC-backed certification. However, it is contractually mandatory for UK central government contracts handling personal or sensitive information, MOD sub-contracting, and many regulated supply chains.
Guides
Does Cyber Essentials cover cloud services?
Yes - Cyber Essentials explicitly covers cloud services under v3.3. Microsoft 365, Google Workspace, AWS, Azure, and any SaaS application holding organisational data are all in scope, with specific configuration expectations around MFA, tenant settings, and managed updates.
Technical Guides
Cyber Essentials and patch management (WSUS, Intune, third-party)
How to evidence Cyber Essentials v3.3 patching - 14-day SLA for high/critical CVEs, WSUS deployment patterns, Intune Update Rings, third-party patching (Action1, PDQ, NinjaOne), and the audit artefacts assessors want.
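The 14-day rule is the part of the patching evidence that is mechanically checkable. What follows is an added example, not code from the article or from Fig Group: it parses a constructed CSV in the shape a WSUS, Intune or RMM export might take (an assumed layout, not any tool's real format) and lists every high/critical fix, taken here as CVSS v3 base score 7.0 or above, that was not installed within 14 days of the vendor releasing it. The CVE identifiers and dates are constructed for the example.

```python
"""Check a patch inventory against the Cyber Essentials 14-day rule for
high/critical fixes. Added example; the CSV layout, CVE IDs and dates are
all CONSTRUCTED and do not come from any real tool or advisory."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SLA_DAYS = 14
HIGH_OR_CRITICAL = 7.0  # CVSS v3 base score threshold assumed for "high/critical"

# Constructed export: device, CVE, CVSS score, vendor release date, install date
# (blank install date = fix still missing on that device).
SAMPLE_CSV = """device,cve,cvss,released,installed
SRV-01,CVE-2099-0001,9.8,2026-01-01,2026-01-10
SRV-01,CVE-2099-0002,7.0,2026-01-01,2026-01-20
LAP-07,CVE-2099-0003,8.1,2026-01-05,
LAP-07,CVE-2099-0004,5.3,2025-12-01,
"""
AS_OF = date(2026, 2, 4)  # the date the evidence snapshot was taken


@dataclass(frozen=True)
class PatchRecord:
    device: str
    cve: str
    cvss: float
    released: date
    installed: Optional[date]


def load_records(csv_text: str) -> List[PatchRecord]:
    """Parse the export; a blank 'installed' cell means the fix is not yet applied."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append(PatchRecord(
            device=row["device"].strip(),
            cve=row["cve"].strip(),
            cvss=float(row["cvss"]),
            released=date.fromisoformat(row["released"].strip()),
            installed=date.fromisoformat(row["installed"].strip()) if row["installed"].strip() else None,
        ))
    return records


def sla_breaches(records: List[PatchRecord], as_of: date) -> List[Tuple[str, str, int]]:
    """Return (device, cve, days_over_deadline) for every high/critical fix
    applied later than SLA_DAYS after release, or still missing as of `as_of`."""
    breaches = []
    for r in records:
        if r.cvss < HIGH_OR_CRITICAL:
            continue  # medium/low fixes are outside the 14-day rule
        deadline = r.released + timedelta(days=SLA_DAYS)
        effective = r.installed or as_of  # a missing fix is measured up to today
        if effective > deadline:
            breaches.append((r.device, r.cve, (effective - deadline).days))
    return breaches


def evidence_summary(records: List[PatchRecord], as_of: date) -> Dict[str, Dict[str, int]]:
    """Per-device counts an assessor can read at a glance."""
    summary: Dict[str, Dict[str, int]] = {}
    for r in records:
        summary.setdefault(r.device, {"in_scope": 0, "breaches": 0})
        if r.cvss >= HIGH_OR_CRITICAL:
            summary[r.device]["in_scope"] += 1
    for device, _cve, _days in sla_breaches(records, as_of):
        summary[device]["breaches"] += 1
    return summary


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    for device, cve, days in sla_breaches(recs, AS_OF):
        print(f"{device} {cve}: {days} day(s) past the 14-day deadline")
    print(evidence_summary(recs, AS_OF))
```

A deadline measured from the vendor release date, not from when your tooling first saw the update, is the figure the assessor will reason from; keep the release date in the export rather than recomputing it later.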
Company
What Is Fig Group? The MSP Compliance Platform, Not Financial Institutions Group
When people search for "Fig Group", they often find references to Financial Institutions Group in investment banking. This is a common misconception. Fig Group is the UK compliance, risk, and security platform built for MSPs.