Cyber Essentials for MSPs: The Partner Program That Pays You Margin Without the IASME Licensing Burden
Every UK MSP is being asked for Cyber Essentials by client after client. Becoming an IASME-licensed certification body is a 6-12 month commitment with a quality-management system, IASME annual surveillance, and a continuous assessor competence requirement. The alternative: Fig Group's MSP Partner Program. You keep the client relationship, we issue the certificate, you earn margin on every Cyber Essentials and Cyber Essentials Plus certificate you originate. Same-day turnaround. White-label handover. Zero licensing burden.
Cyber Essentials for MSPs: The Partner Program That Pays You Margin Without the IASME Licensing Burden
Fig Group runs a Cyber Essentials partner program purpose-built for UK MSPs. You keep the client relationship and the brand. We issue the IASME-licensed certificate under our own licence. You earn revenue share on every Cyber Essentials and Cyber Essentials Plus certificate originated through your account - paid monthly. Same 6-hour SLA your clients would get if they came to us direct. White-label handover available. No IASME licensing burden, no quality-management system to build, no annual surveillance to manage. Apply once, start earning on certificate one.
UK MSPs are being asked for Cyber Essentials certification by client after client in 2026. The reasons compound: government procurement under PPN 014/21, supply-chain mandates from St. James's Place, the NHS, and other large buyers, cyber-insurance underwriters asking about it on every renewal, the new v3.3 MFA rules that landed on 28 April 2026 making compliance harder for the unprepared. For every MSP serving SMB and mid-market clients, Cyber Essentials has shifted from "occasional ask" to "continuous expectation."
Most MSPs respond in one of two ways. Some pursue IASME certification body licensing themselves - a 6-12 month commitment that requires building a documented quality-management system, employing an IASME-trained assessor, surviving an IASME audit, and committing to annual surveillance plus continuous assessor competence evidence. Others refer clients out to whichever certification body they personally know, watching the £300-£1,500 of margin walk away with each referral.
There is a third option. The Fig Group MSP Partner Program is purpose-designed for UK MSPs that want the revenue share of certifying clients without the operational burden of becoming a licensed certification body. This guide explains exactly how it works, how the economics break down, and which MSP profiles it fits.
Why MSPs are being asked for Cyber Essentials constantly in 2026
Three structural drivers have pushed Cyber Essentials demand from "intermittent" to "continuous" for UK MSPs:
Government procurement (PPN 014/21)
PPN 014/21 requires UK central government suppliers handling sensitive personal data to hold Cyber Essentials. As government departments tighten enforcement, prime contractors flow the requirement down to subcontractors - and many of those subcontractors are MSP clients who need certification fast.
Supply-chain mandates
St. James's Place mandated Cyber Essentials Plus across its 2,800+ Partner Practice network. NHS supplier frameworks now ask for it. Insurance underwriters ask about CE on every renewal. Each of these creates a deadline-driven ask that an MSP needs to deliver against - and your client expects you to handle it.
v3.3 scheme tightening (April 2026)
Cyber Essentials v3.3, in force from 28 April 2026, makes MFA mandatory across every cloud service, tightens the patching requirements, and broadens the scope to include BYOD and home routers for remote workers. MSPs are the natural delivery mechanism for getting clients ready - but historically the certification itself has had to come from somewhere else.
The result: every MSP serving 10+ SMB or mid-market clients now has a steady, deadline-driven flow of Cyber Essentials demand. The question is who captures the margin on that flow - your firm, or a third-party certification body you refer the client to.
The two standard MSP responses (and why both have problems)
Most MSPs default to one of two responses when a client asks for Cyber Essentials. Both are workable, but both carry significant operational or commercial cost:
Option 1 - Become an IASME-licensed certification body
You pursue IASME licensing yourself, build a documented quality-management system, employ an IASME-trained assessor (or train an existing engineer), undergo IASME's audit, and commit to annual surveillance plus continuous assessor competence evidence.
Strengths: You capture 100% of the certification fee. You control the brand. You can scale without per-cert margin sharing.
Costs: 6-12 months from decision to first certificate. Initial IASME licensing fees plus ongoing annual surveillance fees. Continuous assessor training and CPD documentation. A documented QMS that survives IASME audits. The opportunity cost of the engineering or consulting time pulled into running it. Ongoing compliance overhead that doesn't go away when other priorities surface.
Realistic fit: MSPs with 50+ engineers, multi-million-pound revenue, and a strategic intent to make compliance a core service line.
Option 2 - Refer clients out to a third-party certification body
You identify which certification body to refer to, hand the client over via email, and watch the certification fee leave your account. Some MSPs negotiate a small referral fee; most don't.
Strengths: Zero operational overhead. The certification body handles delivery. The client gets certified.
Costs: You leave £300-£1,500 of margin per certificate on the table. The client experience is no longer in your hands - including turnaround, communication, and any failure remediation. If the certification body is slow, the MSP gets blamed by the client. If they up-sell consultancy on top, that revenue is captured by the certification body, not the MSP.
Realistic fit: MSPs who do this once or twice a year and don't want the relationship-management overhead.
The structural problem with these two options is that they're at opposite extremes - one demands a major business investment, the other gives away the revenue. For most UK MSPs serving SMB and mid-market clients, neither matches the operational reality: occasional-to-frequent demand, want to keep the client, don't have the headcount to commit to becoming a certification body.
The Fig Group MSP Partner Program
Fig Group is an IASME-licensed Cyber Essentials certification body. We hold the IASME licence (ID 325cdf33-3812-4082-bf8d-7dce7ac02977), run the assessment workflow, employ the IASME-licensed assessors, and deliver the certificate. The Fig Group MSP Partner Program lets your MSP originate Cyber Essentials and Cyber Essentials Plus certifications for your clients, keep the client relationship, and earn margin on every certificate - without taking on the licensing burden yourself.
How it works at the simplest level
You sign your MSP up to the partner program (one-time, online). Each time a client of yours needs Cyber Essentials, you originate the order through your partner portal. Fig Group handles the assessment, issues the certificate under our IASME licence, and pays you a revenue share on every certificate originated through your account. The client experience is white-label-friendly - you can co-brand the handover, sit on the assessment calls if you want, or hand the entire process to us and stay in the loop via the partner portal.
Three things are deliberately preserved through the partnership:
You keep the client relationship
The client is your client. We do not market to them, do not contact them outside the certification engagement, do not cross-sell other Fig Group services, and do not take over the relationship. After the certificate is issued, the client is yours - including any annual renewal, which you originate again through the partner portal.
You keep the brand experience
You can co-brand the engagement (your logo on the assessment kick-off email, your name on the calendar invite). For higher-tier partners, full white-label handover is available - the client never sees Fig Group at all, the certificate references the IASME licence (which is mandatory by scheme rules) but the customer-facing experience is yours.
You earn margin on every certificate
Revenue share is paid monthly on every certificate originated through your partner account. The percentage scales with volume - small partners earn a base rate, scaled-up partners earn more. The economics work out so that even a small MSP doing 10 certificates a year captures meaningful margin without taking on operational overhead.
How the margin share works
The Fig Group MSP Partner Program operates on a tiered revenue share. The tier you sit in is determined by the volume of certificates originated through your account in a rolling 12-month window. There are no minimum commitments - you start at the base tier and progress as you originate more certificates.
| Partner tier | Annual CE volume | Revenue share on Cyber Essentials | Revenue share on CE Plus |
|---|---|---|---|
| Standard | 1-9 certificates / year | 15% of net certification fee | 10% of net certification fee |
| Growth | 10-49 certificates / year | 20% of net certification fee | 15% of net certification fee |
| Strategic | 50+ certificates / year | 25% of net certification fee | 20% of net certification fee |
| Enterprise | 200+ certificates / year | Custom - talk to us | Custom - talk to us |
Worked example for a Growth-tier MSP:
> An MSP originating 24 Cyber Essentials Micro certifications and 6 Cyber Essentials Plus Small certifications in a year would earn approximately £1,440 + £1,800 = £3,240 in revenue share, paid monthly as the certificates are issued.
For a Strategic-tier MSP doing 80 Cyber Essentials originations and 20 CE Plus originations per year:
> Approximately £6,000 + £8,000 = £14,000 in revenue share, paid monthly. With no operational overhead beyond originating the orders.
The economics are deliberately structured so that an MSP at almost any scale earns meaningfully more from partnering than from referring out - and earns meaningfully more from Fig's program than competing certification bodies' partner schemes, because Fig's underlying pricing is the cheapest IASME-licensed CE in the UK.
What MSPs get as Fig partners (beyond the revenue share)
The revenue share is the headline. The operational features are what make the program work day-to-day:
6-hour turnaround on every certificate
Every certification originated through the partner program receives the same 6-hour SLA as direct customers. Compliant submissions before midday are certified the same working day. Your clients experience the fastest CE turnaround in the UK - through your firm.
Partner portal and order origination
A dedicated partner portal lets you originate certifications, track in-flight assessments, view the certificate library across your client base, and download monthly revenue-share statements. Read-only access for your team members; admin access for partner principals.
White-label handover (Growth tier and above)
At Growth tier and above, full white-label is available. Your logo on the customer-facing handover email, your contact in the calendar invites, the assessment workflow runs invisibly under your brand. Standard tier remains co-branded (your logo + Fig Group's, IASME licence visible per scheme rules).
MSP-specific scope guidance
Your clients often have unusual scope situations - multiple cloud tenancies, BYOD, contractors, distributed remote workforces. We provide MSP-specific scope guidance and a templated v3.3 readiness pack you can use across multiple clients without re-doing the work each time.
Three free re-submissions per certificate
The same three free re-submissions every Fig customer gets, included on every partner-originated certification. If a client's first submission needs corrections, structured feedback is delivered through the platform within hours, not days.
Bulk pricing for portfolio onboarding
If you have a backlog of clients needing CE in a single quarter - common when an MSP picks up an enterprise contract that mandates supplier CE - bulk pricing kicks in at 10+ originations in a 30-day window. Talk to us for the specifics; we structure these on a case-by-case basis.
MSP marketing co-op
Fig Group will list your firm on our MSP partner directory, provide co-branded marketing assets (case study templates, slide decks for client presentations, email templates for the renewal workflow), and quote your MSP in our public market commentary where relevant.
Renewal pre-population
Annual renewals (the bulk of post-year-one revenue) are pre-populated by our AI workflow against the prior year's submission, so a renewal is a 20-minute delta review for the client rather than a full 160-question re-do. Originations on renewals earn the same revenue share.
How the partner program works in practice
There are three phases from sign-up to active earning:
Phase 1 - Sign-up and onboarding (1-2 days)
You sign up to the program through the partner application form. Account provisioning is automated - partner portal credentials land in your inbox the same day. A 30-minute onboarding call with the Fig partner team walks through the portal, the order origination flow, the white-label options (if applicable), and the revenue-share statement format. No technical integration needed.
Phase 2 - First certificate origination (same day)
Your first client engagement runs through the partner portal. You originate the order on behalf of the client; Fig issues the assessment kick-off email (co-branded or white-label depending on your tier); the client completes the v3.3 questionnaire; an IASME-licensed Fig assessor reviews it; certificate issued same working day for compliant submissions. You see the entire workflow status in your portal, and the revenue share lands in your monthly partner statement.
Phase 3 - Active originating at scale
As your origination volume builds, your tier upgrades automatically when the rolling 12-month volume crosses a threshold. Renewal originations land in your portal each year for re-origination. You can have your account team originate orders on behalf of partners' clients via delegated access.
Who the program fits
Not every MSP is a clean fit for the partner program. Here are the profiles where it works particularly well:
MSPs with 10-49 SMB clients
This is the sweet spot. You have steady CE demand (5-15 certifications/year), no headcount or strategic intent to become a licensed body, and a relationship with each client that you want to keep. Standard or Growth tier. Worked example: 15 certifications/year, Growth tier, ~£1,800 annual revenue share with zero operational overhead.
MSPs supporting mid-market clients
50-150 employee clients often need CE Plus rather than CE alone. Plus certifications are higher value (£1,499 to £4,499 + VAT) and the revenue share scales with that. A handful of CE Plus originations per year materially adds to your bottom line.
Specialised MSPs (legal, accounting, healthcare verticals)
Vertical-specialised MSPs serving solicitors, accountants, NHS suppliers, or financial services have CE demand spike-driven by their clients' regulatory requirements. The partner program lets you handle that demand without hiring a compliance team.
MSPs picking up SJP, NHS, or similar mandates
When an MSP picks up a single client whose own customers are mandating CE Plus across the supply chain, the MSP can suddenly need 20-100 certifications in a short window. The partner program handles that surge with the bulk-pricing arrangement.
MSPs that previously said "not us"
MSPs that deliberately avoided CE because they didn't want to refer clients out and didn't want to license. The partner program is the missing third option - earn margin without becoming a licensed body.
MSPs already doing CE through an IASME-licensed sub-contractor
If you currently use a downstream certification body and refer clients to them, the partner program is a strict economic upgrade. Same operational pattern, materially better margin.
Becoming an IASME body vs. partnering with Fig
For MSPs weighing licensing yourself versus joining the partner program, the trade-offs lay out cleanly:
| Factor | Become an IASME-licensed body | Fig Group MSP Partner |
|---|---|---|
| Time from decision to first cert | 6-12 months | Same day |
| Initial cost | IASME licensing fees + assessor training + QMS development time | Zero |
| Ongoing operational overhead | QMS maintenance, IASME annual surveillance, assessor competence evidence, CPD records | Order origination only |
| Headcount required | Trained assessor + QMS owner (often a 0.5-1.0 FTE between them) | None |
| Revenue per certificate | 100% of fee (minus IASME pass-through) | 15-25% of net fee |
| Speed to market on a new client ask | Once you've licensed: same-day. Before that: blocked. | Same-day from day one |
| Risk of IASME audit findings | Yours, with potential commercial impact | Ours |
| CE v3.3 scheme updates | Your responsibility to absorb and update QMS | We absorb and forward the playbook |
| Suits firms with… | 50+ engineers, strategic intent, multi-year compliance roadmap | 5-50 engineers, demand-led approach, want margin without overhead |
For most UK MSPs, the partner program comes out materially ahead on a per-certificate basis when you factor in the licensing time, the ongoing overhead, and the opportunity cost of the engineering hours. The exception is firms that intend to make compliance a core service line at scale - for those, licensing yourself eventually makes sense, and the partner program is a useful "first 100 certifications" runway while you build toward that.
How quickly can you start earning?
Realistic timelines for an MSP joining the partner program:
- Day 0: Sign up via the partner application form
- Day 1: Onboarding call with the Fig partner team. Portal credentials live.
- Day 2: First client engagement originated. If they submit a compliant questionnaire before midday, certificate issued the same day.
- Day 30: First monthly revenue-share statement. Payment in your account.
- Month 3-6: Volume builds; tier upgrade if you cross 10 certificates in the rolling 12 months.
- Year 1+: Renewal originations land in your portal each year as client certificates approach expiry.
Compare to the timeline for becoming an IASME-licensed body yourself: 6 months at the optimistic end, 12+ months realistically, before you can issue your first certificate. The partner program collapses that to a same-day start.
Frequently asked questions
Do I need any technical integration to use the partner program?
No. The partner portal is web-based - no API integration, no PSA tooling required. Your team logs in, originates orders, monitors progress. Optionally we can ship a Slack or Teams webhook so order status updates land in a channel you already monitor.
Can I white-label the certificate itself?
The certificate must reference the IASME licence (this is a scheme rule across every IASME-licensed body - it's not a Fig restriction). However, the customer-facing emails, calendar invites, and handover communications can be fully white-labelled at Growth tier and above. The client experiences the engagement as your firm's; the IASME-issued certificate references the licensing body, as it must.
What happens if a client's submission needs corrections?
Three free re-submissions are included on every partner-originated certification. The Fig assessment workflow delivers structured feedback through the platform within hours of identifying any gap, so the client (or you, if you're handling it) can correct and resubmit immediately. Most submissions that need corrections are resolved within the same working day.
Do I have to commit to a minimum number of certificates per year?
No. There's no minimum commitment, no annual fee, no penalty for low volume. You earn revenue share on certificates originated; if you originate zero in a year, you owe nothing. The tier system is volume-based, not commitment-based.
Can I originate orders on behalf of multiple legal entities (group structures)?
Yes. Each of your client companies is its own certification scope, but they can all be originated through your single partner account. We support group structures, parent-subsidiary arrangements, and the typical "MSP serves 30 clients" pattern.
What if my client wants to deal directly with the certification body?
That's fine. They can engage Fig Group direct. If they originated through your account first, the revenue share continues for that engagement. We don't poach. If they later separately engage Fig direct without your involvement, the revenue share doesn't apply because you didn't originate that engagement - but we don't actively try to make this happen, and we'll let you know if a former-partner client comes to us direct so you can choose how to handle it.
How does the program handle Cyber Essentials Plus, given the technical audit?
Cyber Essentials Plus adds an external technical audit on top of the self-assessment. The Plus audit is scheduled with an IASME-licensed assessor and typically completes in 1-3 working days. The partner program covers Plus identically to CE - you originate the order, Fig handles the audit, the revenue share applies (at the Plus rate).
Can my engineers sit on the assessment calls?
Yes. The MSP engineer who knows the client's environment is often the most useful person on the assessment call. We actively encourage MSP engineers to attend the kick-off and any clarification calls - it speeds the assessment up and improves the experience for the client. White-label handovers can have an MSP engineer co-host the call.
What if my client fails the assessment?
The 100% pass rate that Fig publishes is genuine - every customer that has completed certification with Fig has been issued a valid certificate. Where corrections are needed, three free re-submissions are included, supported by our AI-powered readiness checker and structured assessor feedback. If a client genuinely cannot meet the v3.3 requirements with the controls they have in place, that's a remediation question - and that's exactly the consulting work most MSPs are positioned to deliver.
How do I sign up?
Apply through the partner application form with a couple of details about your firm - number of engineers, typical client size, expected volume of certifications per year. We respond within one working day, schedule the 30-minute onboarding call, and your portal goes live the same day.
Bottom line
The Fig Group MSP Partner Program exists for the same reason most strong commercial structures exist: there's a structural mismatch between the demand for Cyber Essentials in the UK MSP channel, the operational cost of licensing yourself as a certification body, and the commercial cost of referring out. Becoming an IASME-licensed body is a major investment that only a fraction of MSPs are positioned to make. Referring out leaves £300-£1,500 of margin on the table per certificate. The partner program closes that gap - you keep the client, you keep the brand, you earn meaningful margin, and you don't take on operational compliance overhead.
For UK MSPs that are being asked for Cyber Essentials more often than they're delivering it themselves, the partner program turns a recurring referral pattern into a recurring revenue stream. Same-day delivery, white-label-capable, paid monthly, no licensing burden, no minimum commitment.
Apply to the MSP Partner Program | Read the MSP guide to Cyber Essentials | See Fig Group's Cyber Essentials pricing | Read the cheapest-CE benchmark
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
Next step
Want to see how Fig handles this?
Learn how MSPs are building profitable compliance-as-a-service offerings with Fig's multi-tenant platform.
Request a demoMore from MSP Growth