How to verify a Cyber Essentials certificate: the buyer and procurement-team guide (2026)
A supplier has sent you a PDF claiming to be their Cyber Essentials certificate. How do you confirm it is real, current, and issued to the organisation you are actually contracting with? This is the verification guide for procurement and tender-assessment teams.
A supplier has sent you a PDF claiming to be their Cyber Essentials certificate. Your tender, your supplier-onboarding process, or your procurement policy requires certification as a gate. The question for you as the buyer is straightforward: is this certificate real, current, and issued to the organisation you are actually contracting with?
This guide is the verification checklist for procurement, tender-assessment, supplier due-diligence, and risk-management teams. It takes about five minutes per certificate to complete properly.
The one source of truth
Every valid Cyber Essentials certificate corresponds to a public record on the IASME certification directory. The directory is the scheme's primary source of truth - it is maintained by IASME as the NCSC's appointed partner for the scheme, and it lists every organisation currently holding a certificate along with the level (Cyber Essentials or Cyber Essentials Plus), the issuing certification body, and the certificate currency.
A certificate that does not appear on the IASME directory is not a valid Cyber Essentials certificate. There are no private, unlisted, or "embargoed" certificates under the scheme. If a supplier cannot be found on the directory, there is no certificate to verify.
Five things to check on every certificate
1. The organisation name matches the legal entity
Certificates are issued to a specific legal entity, using the name on file with Companies House. Two common ways a certificate can be misleading without being technically fraudulent:
- Parent group versus subsidiary. The holding company has a certificate but the operating subsidiary you are contracting with does not. Cover applies only to the certified entity.
- Trading name versus registered name. "Acme Consulting" trades as the brand, but the Companies House entity is "Acme Consulting (UK) Limited." The certificate should match the legal entity.
What to do: confirm the organisation name on the certificate matches the legal entity on the contract, on Companies House, and on the supplier's VAT invoice.
2. The certificate is current
Every certificate shows an issue date and an expiry date. Validity is 12 months from the date of issue. Check both dates: a certificate issued today and valid through 2027 is current; one issued two years ago is not.
The IASME directory only lists certificates that are currently active. If the directory entry shows the organisation as previously certified but not currently, the certificate being shown to you has lapsed.
What to do: open the IASME directory, search the organisation, and confirm the entry shows a current certificate with the expiry date still in the future.
3. The certification body on the certificate is IASME-licensed
Every Cyber Essentials certificate is issued by an IASME-licensed certification body. The body's name appears on the certificate and on the directory entry. IASME maintains a published list of around 290 licensed certification bodies, searchable on the same find-a-certification-body page.
Red flags:
- The certificate names a "certification body" you cannot find on the IASME list.
- The certificate does not name a certification body at all.
- The certificate uses a generic "NCSC-approved" phrasing with no specific body named.
What to do: confirm the named body is a current IASME-licensed certification body.
4. The level (CE or CE Plus) matches the requirement
Cyber Essentials and Cyber Essentials Plus are different products. Plus requires hands-on technical testing by an assessor; Cyber Essentials does not. If your tender specifies Plus, a supplier holding Cyber Essentials (not Plus) does not meet the requirement.
What to do: read the certificate carefully. The words "Cyber Essentials Plus" must appear explicitly. A certificate that says "Cyber Essentials" alone is not Plus.
5. The scope is relevant
Most Cyber Essentials certificates are issued with "whole organisation" scope, meaning every internet-connected device and user in the organisation is covered. Some are issued with sub-set scope, where the organisation has certified only a defined part of its estate.
If a supplier's certificate is sub-set scoped, the scope statement on the certificate should be relevant to the contract. A supplier certifying only their London office but providing services from Manchester gives you less coverage than the certificate implies.
What to do: check the scope statement on the certificate. If it is sub-set scoped, confirm the scope covers the part of the supplier's operations that will deliver your contract. See Cyber Essentials v3.3 sub-set scoping.
The five-minute verification protocol
For every Cyber Essentials certificate presented to you in procurement:
1. Open the IASME directory at iasme.co.uk/cyber-essentials/find-a-certification-body/ - note that IASME hosts both the list of certification bodies and the list of certified organisations.
2. Search for the supplier's legal name. Not the trading name, not the parent group - the legal entity on the contract.
3. Confirm there is a matching entry showing a current certificate.
4. Confirm the level (Cyber Essentials or Cyber Essentials Plus) matches your requirement.
5. Confirm the issuing body named on the PDF matches the body named on the directory entry.
6. Check the expiry date is still in the future and gives enough time to cover the contract term (or will be renewed before expiry).
7. Check the scope statement for any sub-set scoping that could limit the practical coverage.
Red flags and scam patterns
A small number of fake or misrepresented certificates circulate in UK procurement every year. The patterns to watch for:
- PDF that does not match the IASME directory. Most common. A PDF that looks plausible, names a non-existent certification body, and cannot be found on the directory.
- Expired certificate presented as current. Visually indistinguishable from a current one unless you check the dates and the directory.
- Certificate for the parent group, presented by a subsidiary or trading entity. The certificate exists and is genuine, but it does not cover the entity on the contract.
- Cyber Essentials (not Plus) presented where Plus is required. Sometimes deliberate, sometimes an honest misreading of the requirement.
- Screenshot or image, not the signed PDF. Always request the original PDF so you can cross-reference.
- "We are IASME-accredited assessors" marketing language without a named certificate. The term "accredited" in UK scheme usage applies to IASME-licensed certification bodies, not to the end organisation's certification status.
What to do when verification fails
If a supplier's certificate fails verification, the appropriate response depends on the contract stage:
- During tender evaluation: flag the certificate as not verified and treat the supplier as non-compliant with the tender's CE requirement. Request the correct entity's certificate or remove the supplier from consideration.
- At supplier onboarding: request the correct certificate. If the supplier is mid-renewal (certificate expired within the last 30 days and a renewal is in progress), ask for the certification body's written confirmation that an assessment is under way and obtain the new certificate before contract start.
- At contract renewal: request an up-to-date certificate. If the supplier has let the certificate lapse, this is a material contract-compliance issue and should be raised formally.
- If you suspect deliberate fraud: report to IASME via their contact page. Misrepresenting a Cyber Essentials certificate is both a scheme breach and, depending on context, potentially a matter for action under fraud legislation.
Building certificate verification into your procurement workflow
Organisations that onboard suppliers at scale typically standardise the verification into a two-line checklist in their supplier-management system:
- [ ] Cyber Essentials certificate verified on IASME directory (date of check, name of checker)
- [ ] Certificate expiry date recorded, renewal check scheduled 60 days prior
A handful of larger UK procurement teams now automate the check using the IASME directory as a reference source, alerting when a supplier's certificate is within 60 days of expiry or has lapsed since onboarding.
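An added example (not Fig Group's or IASME's code) of the automated check described above: it compares the fields on the supplier's PDF with the fields a checker transcribed from the directory entry and returns the findings, including the 60-day renewal alert. The record layout, finding names and sample data are assumptions of this example, and no IASME API is assumed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

PLUS = "Cyber Essentials Plus"

@dataclass
class Cert:
    legal_name: str
    level: str      # "Cyber Essentials" or "Cyber Essentials Plus"
    body: str       # issuing certification body
    issued: date
    expires: date
    scope: str      # "whole organisation" or a sub-set statement

def _norm(s: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(s.casefold().split())

def verify(pdf, directory, contract_entity, required_level,
           contract_end, today, licensed_bodies):
    """Return a list of findings; an empty list means every check passed.
    `directory` is the entry transcribed from the IASME directory,
    or None when the search found nothing."""
    if directory is None:
        return ["NOT_ON_DIRECTORY"]          # no entry: nothing to verify
    f = []
    if _norm(directory.legal_name) != _norm(contract_entity):
        f.append("ENTITY_MISMATCH")          # parent group or trading name
    if (pdf.level, pdf.issued, pdf.expires) != (
            directory.level, directory.issued, directory.expires):
        f.append("PDF_DIFFERS_FROM_DIRECTORY")
    if _norm(pdf.body) != _norm(directory.body):
        f.append("BODY_MISMATCH")
    if _norm(directory.body) not in {_norm(b) for b in licensed_bodies}:
        f.append("BODY_NOT_LICENSED")
    if required_level == PLUS and directory.level != PLUS:
        f.append("LEVEL_INSUFFICIENT")
    if directory.expires < today:
        f.append("EXPIRED")
    else:
        if directory.expires - today <= timedelta(days=60):
            f.append("RENEWAL_DUE")          # the 60-day alert window
        if directory.expires < contract_end:
            f.append("EXPIRES_BEFORE_CONTRACT_END")
    if _norm(directory.scope) != "whole organisation":
        f.append("SCOPE_REVIEW")             # sub-set scope: human check
    return f

# Constructed sample data (not real certificates or certification bodies).
BODIES = ["Example Certification Body Ltd"]
GOOD = Cert("Acme Consulting (UK) Limited", PLUS, "Example Certification Body Ltd",
            date(2026, 1, 10), date(2027, 1, 10), "Whole organisation")
```

Re-running `verify` on a schedule with the current date and a freshly checked directory entry gives the lapsed-since-onboarding alert: the same supplier moves from an empty list to `RENEWAL_DUE` and then `EXPIRED`.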
For suppliers presenting their certificate through platforms like Fig Group, the directory entry is maintained in real time, so verification is point-and-click rather than a manual cross-reference.
If you are a supplier presenting your certificate
Make verification easy. Send the PDF as an attachment, include the direct link to your IASME directory entry, and pre-empt the obvious questions:
- Legal entity name as it appears on the directory.
- Certificate level (CE or CE Plus).
- Issue and expiry dates.
- Issuing certification body and its IASME licence ID.
- Scope statement.
A supplier who saves the procurement team the verification time earns goodwill. A supplier who makes verification hard invites closer scrutiny everywhere else.
Why Fig Group certificates are easy to verify
Every Cyber Essentials certificate issued by Fig Group:
- Is listed on the IASME directory within the same working day as issue - our 6-hour turnaround applies end-to-end, so the directory entry is live the day you hold the certificate.
- Names Fig Group as the certification body with IASME licence ID `325cdf33-3812-4082-bf8d-7dce7ac02977` - verifiable on IASME's find-a-certification-body list.
- Links to a clean organisation-level entry with legal name, level, issuing body, and dates.
- Comes with the IASME-bundled free cyber liability insurance where eligible, activated on the same day.
For procurement teams, a Fig Group certificate is designed to be verified in under 60 seconds: open the link, see the entry, done.
Bottom line
Verifying a Cyber Essentials certificate is a five-minute job and a standard part of competent procurement. The IASME directory is the scheme's source of truth; a certificate that is not on the directory is not valid. Check the legal entity, the dates, the level, the issuing body, and the scope - and you have a defensible, documented record that the supplier's certificate is genuine.
For suppliers making it easy: publish your certificate's directory link, keep the renewal ahead of expiry, and buy from a fast IASME-licensed body so your certificate can issue and be listed quickly when procurement asks for it.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.