
Cyber Essentials for Recruitment Agencies: A Practical Guide

Jay Hopkins
Last reviewed: 18 April 2026
10 min read
Recruitment agencies are a personal-data-heavy business. CVs, right-to-work documents, bank details for payroll, addresses, passport numbers, client contracts, candidate notes — the volume and sensitivity of personal data in a typical agency's CRM is high. That is why PSLs (preferred supplier lists), MSP agreements, and public-sector frameworks increasingly require Cyber Essentials from the agencies they work with.

This guide covers what certification means for a UK recruitment agency, how the controls map to typical agency infrastructure (CRM, payroll, timesheet platforms), and the specific compliance gaps that most often fail agency submissions.

Why recruitment agencies need Cyber Essentials

Four drivers push CE into recruitment:

PSL and MSP agreements. Larger clients, particularly in financial services, professional services, and government, frequently require their recruitment suppliers to hold Cyber Essentials before being onboarded to the PSL. Some go further and require Cyber Essentials Plus.

Public-sector frameworks. Agencies bidding on Crown Commercial Service frameworks (RM6277, RM6288, and similar) or local authority frameworks routinely see Cyber Essentials listed as a minimum requirement under PPN 014/21.

GDPR posture. The ICO does not require Cyber Essentials but cites it as evidence of "appropriate technical measures" under Article 32 of the UK GDPR. For a sector that handles as much personal data as recruitment, being able to point to CE certification is useful during any regulatory engagement.

Candidate and client expectations. Professional services and finance candidates increasingly ask whether the agency representing them has CE. It is becoming a differentiator in how agencies are perceived on the candidate side as well as the client side.

What agency infrastructure looks like

A typical UK recruitment agency runs some combination of:

  • Email on Microsoft 365 or Google Workspace
  • A specialist recruitment CRM (Bullhorn, Vincere, JobAdder, Mercury, Access RDB, Lever, Greenhouse, Workable)
  • A timesheet / payroll integration (Access, Sage, PayWorks, Employer of Record via Velocity Global / Remote)
  • A candidate sourcing platform (LinkedIn Recruiter, Indeed, CV-Library, Reed, Zoho Recruit)
  • A document signing tool (DocuSign, Adobe Sign, Juro, SignNow)
  • Office-based laptops and often home-based or hybrid laptops
  • A public-facing website with a candidate application portal
  • WhatsApp Business or SMS integration for candidate communication

Every item on that list is in scope for Cyber Essentials if it holds or processes organisational data — and recruitment data is all organisational data.

The five controls, applied to a recruitment agency

Firewalls and internet gateways. Standard requirements. Office firewall if you have one, software firewalls on laptops, boundary protection on any cloud infrastructure that hosts candidate data (most agencies use SaaS CRMs, so this is usually satisfied by the vendor's own controls).

Secure configuration. The area where agencies most commonly have quiet gaps. Recruiter laptops often have local admin rights because "they need to install tools". Former consultants' accounts sometimes remain active on the CRM for months after they leave. The document signing tool may have been set up with a shared company-wide admin account. Fix these before submitting.

Security update management. Bullhorn and other SaaS CRMs patch themselves. The laptops the consultants use need patching within 14 days of critical updates — Windows, Chrome, Zoom, Teams, the CRM's desktop connector if one is installed, plus any candidate-sourcing browser plugins that many recruiters use.

User access control. Under v3.3, every CRM user, every email user, every document signing user, every timesheet platform user needs MFA. This is the area that catches out recruitment agencies most often. The email platform has MFA; the CRM has MFA; but the JobAdder integration with the recruitment website uses a shared service account with no MFA, and that becomes the weak link. Enumerate every user account on every SaaS platform and confirm MFA is on.

Malware protection. Windows Defender or EDR on every device, active, updating, tamper-protected. Apple equivalents on Macs. Standard requirement — the agency-specific consideration is that recruiters often open a high volume of unknown attachments (CVs from candidates) so real-time scanning of downloads genuinely matters here, not just on paper.

The CV download problem

Recruiters download hundreds of CVs. They come from LinkedIn, from job board applications, from candidate emails, from partner agencies. Every one of those files is a potential delivery mechanism for malware — macro-enabled Word documents, PDF exploits, zip files with surprising executables inside.

Most CRMs handle this reasonably by rendering CVs in a sandboxed preview rather than requiring download, but consultants regularly pull the source file. For the Cyber Essentials assessment, you want to be able to tell the assessor:

  • Real-time malware scanning is active on every laptop
  • Macros are disabled by policy in Microsoft Office (Intune baseline setting)
  • Attachment handling in email clients is configured to sandbox attachments via Microsoft Defender for Office 365 or equivalent
  • Users cannot disable real-time protection on their own devices

Agencies that have been targeted by "candidate impersonation" phishing — where attackers send fake CVs as malicious attachments — are especially exposed without these controls.

How to handle payroll data and right-to-work documents

Right-to-work documents (passport scans, visa documents, share codes), bank details for payroll, and National Insurance numbers are among the most sensitive categories of personal data any agency holds. Cyber Essentials does not prescribe specific encryption for this data at the scheme level, but assessors will probe how this data is stored and transmitted.

The posture assessors expect:

  • Right-to-work and payroll data stored inside the CRM or a dedicated secure platform, not on consultants' local drives
  • Email-based transmission of passport scans and bank details either avoided entirely or done via encrypted email links (OneDrive/SharePoint with expiring links, or equivalent)
  • Access restricted to staff who actually need it — the compliance or payroll team, not every consultant
  • Deletion policies in place so old candidate data is not retained indefinitely

Contractors vs employees — whose MFA matters?

In recruitment it is common to have contractors, temps, or freelance consultants with access to the CRM on a flexible basis. Every one of these users is in scope. Their accounts need MFA, they need proper leaver processes when the engagement ends, and they should not share credentials with permanent staff.

A failure pattern I see: an agency has six permanent consultants with individual MFA-protected accounts and a seventh login called "temp1" that gets reused by whoever is contracting that month. That shared account is an explicit failure under v3.3 regardless of whether the other six accounts are compliant.

The five recruitment-agency failures I see most often

1. Shared accounts on secondary platforms. The agency CRM has individual accounts but the document signing tool, the timesheet platform, or the job-posting platform has a shared account used by the whole team.

2. Departed consultants still in the CRM. Leaver process covers email but not the sector-specific tools. Someone left six months ago and their Bullhorn account is still active.

3. Local admin on every recruiter laptop. "They need to install the CRM's browser plugin" becomes "they have unrestricted local admin". Fix with an approved software catalogue enforced via MDM.

4. No MFA on the candidate-sourcing platforms. LinkedIn Recruiter, CV-Library, Reed — often still using password-only access because "only one consultant uses it".

5. Candidate data on consultants' personal devices. BYOD consultants who save CVs to their home laptops for offline review. Either bring the personal device into MDM or stop the practice.

Practical path to certification for an agency

If you run a recruitment agency with 5-50 staff, the path typically looks like:

1. Enumerate every SaaS tool. List every platform that holds candidate or client data. Every one is in scope.

2. Enforce MFA on every one of them. This is usually the single biggest remediation task.

3. Run a leaver reconciliation. Compare your current staff list against active accounts on every in-scope platform. Disable anything that should not be there.

4. Enrol laptops in MDM. Intune baseline or equivalent. Remove local admin where it is not needed.

5. Document scope. Permanent staff, contractors, any directors or back-office users.

6. Submit. CE micro (1-9 staff) from £299.99 + VAT; small (10-49) from £399.99 + VAT; medium (50-249) from £449.99 + VAT.
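As an added example (not code from the article or from Fig Group), a small Python reconciliation that covers step 3 above together with the "enumerate every user account on every SaaS platform and confirm MFA is on" check from the user access control section: it compares an HR roster against account exports from each in-scope platform and flags leavers still enabled, generic shared logins such as "temp1", and accounts without MFA. The CSV column names, the platform labels and the sample rows are constructed assumptions, not any vendor's export format, so a real CRM or e-signing admin export would need mapping onto them first.

```python
import csv
import io
import re
from collections import Counter

# Constructed HR roster (status 'active' or 'left'); column names are assumed.
HR_ROSTER_CSV = """email,name,status,left_on
alice@agency.example,Alice,active,
bob@agency.example,Bob,left,2025-10-01
carol@agency.example,Carol,active,
"""

# Constructed per-platform account exports, one row per login; not a vendor format.
ACCOUNT_EXPORTS_CSV = """platform,username,email,mfa_enabled,enabled
crm,alice,alice@agency.example,yes,yes
crm,bob,bob@agency.example,yes,yes
crm,temp1,temp1@agency.example,no,yes
esign,admin,ops@agency.example,no,yes
timesheets,carol,carol@agency.example,no,yes
timesheets,bob,bob@agency.example,no,no
"""

# Login names that indicate a shared rather than a personal account (assumed pattern).
SHARED_NAME = re.compile(r"^(admin|temp\d*|shared|office|ops|info)$", re.IGNORECASE)


def reconcile(roster_csv, accounts_csv):
    """Return one finding per problem found; disabled accounts are skipped."""
    roster = {r["email"].lower(): r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].lower() != "yes":
            continue  # already disabled: not a live exposure
        where = f"{acct['platform']}:{acct['username']}"
        person = roster.get(acct["email"].lower())
        if SHARED_NAME.match(acct["username"]):
            findings.append({"account": where, "issue": "shared_account"})
        elif person is None:
            findings.append({"account": where, "issue": "not_in_roster"})
        elif person["status"] == "left":
            findings.append({"account": where, "issue": "leaver_still_active",
                             "left_on": person["left_on"]})
        if acct["mfa_enabled"].lower() != "yes":
            findings.append({"account": where, "issue": "mfa_missing"})
    return findings


def summarise(findings):
    """Count findings by issue type, e.g. for a remediation tracker."""
    return dict(Counter(f["issue"] for f in findings))
```

Run `reconcile(HR_ROSTER_CSV, ACCOUNT_EXPORTS_CSV)` against one export per platform and work the list down to zero before submitting; a disabled leaver account is deliberately not reported, since only live logins count.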

Bottom line

Recruitment is a sector where Cyber Essentials is genuinely useful beyond the compliance checkbox. The agencies that certify properly tend to have cleaner data handling, faster leaver processes, and better MFA hygiene — which reduces real operational risk in a sector that is a regular target for business email compromise and candidate impersonation fraud.

The certification is also a commercial unlock. PSL admission, public-sector framework access, and larger client onboarding all increasingly depend on it. Agencies that hold CE are in the conversation for those engagements; agencies that do not are often filtered out before they reach a shortlist.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
