Procurement-team Cyber Essentials checklist: what to require from suppliers
For buyers, not sellers. A practical Cyber Essentials checklist for UK procurement teams managing supplier cyber-risk - which clauses to put in contracts, what evidence to accept, and how to spot expired certifications.
Most Cyber Essentials content is written for the seller - how to get certified, how to pass the audit, how to renew. This one is written for the buyer.
If you are a UK procurement, commercial, or supplier-management team deciding what cyber evidence to require from your suppliers, this is the practical checklist. It covers contract clauses, evidence formats, register checks, and how to monitor for lapse.
Why this matters in 2026
Three drivers are pushing buyers to require supplier Cyber Essentials in 2026:
PPN 014/21
PPN 014/21 makes CE mandatory for UK central government contracts handling sensitive data. Contracting authorities are now enforcing this at contract award rather than treating it as a warranty.
NIS2 and CS&R
NIS2 and CS&R push supply chain security into statutory scope for essential and important entities. Buyers must demonstrate they have assessed supplier risk - CE is the cheapest and fastest evidence.
Cyber insurance renewals
Underwriters now ask whether critical suppliers are certified. If you cannot answer yes, premiums rise. CE has become a standard line item on renewal questionnaires.
What to require - by supplier tier
Tier 1 - Critical suppliers
Suppliers with access to customer data or production systems.
- Cyber Essentials Plus - third-party verified, not self-assessed
- Annual renewal enforced by contract
- Notification obligation within 48 hours if the certificate lapses or is revoked
- Incident notification clause: supplier must inform you of any security incident affecting your data within 24 hours
Tier 2 - Material suppliers
Suppliers with access to corporate systems but not customer data.
- Cyber Essentials (self-assessed) at the appropriate size tier
- Annual renewal evidenced on renewal
- Scope declaration - the supplier's CE scope must include the systems they use to deliver your service
Tier 3 - Low-risk suppliers
Professional services with no data access.
- No CE requirement, or CE as a "would be nice" rather than a contractual obligation
- Focus procurement risk assessment on other areas (financial, delivery risk)
Contract clause templates
CE requirement clause (Tier 1)
> "The Supplier shall hold, maintain, and continuously renew a valid Cyber Essentials Plus certification issued by an IASME-licensed certification body. The certification scope must include all systems, infrastructure, and personnel used by the Supplier in the performance of the Services. The Supplier shall notify the Customer in writing within two (2) business days of any suspension, lapse, revocation, or scope change affecting the certification, and shall provide evidence of re-certification within thirty (30) days of lapse."
Evidence clause
> "The Supplier shall provide, at contract signature and at each anniversary thereafter, a true and complete copy of the current Cyber Essentials certificate issued by an IASME-licensed certification body. The Supplier consents to the Customer verifying the certificate against the NCSC register maintained by IASME."
Incident notification clause (Tier 1, paired with CE Plus)
> "The Supplier shall notify the Customer of any Security Incident affecting Customer Data or the Services within twenty-four (24) hours of becoming aware of the incident, and shall provide a full root-cause analysis and remediation plan within fourteen (14) days."
What evidence to accept
Accept:
- A current Cyber Essentials or Cyber Essentials Plus certificate PDF issued by an IASME-licensed certification body, showing:
  - The supplier's registered legal entity name matching the contract.
  - Issue date and expiry date, with the current date within the validity window.
  - The certificate ID that can be verified against the NCSC register.
  - The IASME licence number of the issuing certification body.
Do not accept:
- "Cyber Essentials Ready" or "Cyber Essentials Verified" (marketing language - these are not CE certificates).
- Expired certificates, even if "renewal is in progress".
- Certificates issued by bodies not listed on the IASME certification body directory.
- Certificates issued to a different legal entity (e.g., a group parent certificate for a subsidiary contract).
Register checks
The register of certified organisations, operated by IASME on behalf of the NCSC, is at https://registry.blockmarktech.com/certificates/. For every supplier certificate:
1. Search by organisation name.
2. Confirm the certificate ID matches.
3. Confirm the issue date matches the PDF.
4. Confirm the expiry date is in the future.
Do this on onboarding and re-do it at every contract anniversary. For Tier 1 suppliers, run quarterly checks.
Lapse monitoring
Certificates lapse on their anniversary with no grace period. For critical suppliers, put this in your system:
- 90 days before expiry: automated reminder to the supplier manager.
- 30 days before expiry: automated reminder plus a check-in with the supplier.
- Day of expiry: automated register check. If the certificate has lapsed and not been renewed, escalate.
Many procurement tools now support this natively. If yours does not, a shared Google Sheet with a date formula works.
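The acceptance rules from "What evidence to accept" and the 90/30/0-day schedule from "Lapse monitoring" are both mechanical enough to encode. The script below is an added example, not Fig Group's tooling: it checks a certificate against the contract (entity name, level, validity window, issuing body, tier requirement) and maps days-to-expiry onto the reminder schedule. The licence numbers, certificate IDs, company names and the `TODAY` date are constructed placeholders; the live register query against the IASME registry is deliberately left as a manual step, since it cannot run offline.

```python
"""Supplier CE evidence check and lapse monitoring (added example, not Fig Group code)."""
from dataclasses import dataclass
from datetime import date

# Constructed placeholder licence numbers standing in for the IASME certification-body
# directory. A real check must use the published directory, not this set.
LICENSED_BODIES = {"IASME-LICENCE-PLACEHOLDER-A", "IASME-LICENCE-PLACEHOLDER-B"}

# Only these two strings are real certificate levels; "Ready", "Verified" etc. are marketing.
ACCEPTED_LEVELS = {"Cyber Essentials", "Cyber Essentials Plus"}
REQUIRED_LEVEL = {1: "Cyber Essentials Plus", 2: "Cyber Essentials"}  # tier 3: no requirement

TODAY = date(2026, 3, 1)  # constructed "as of" date so the example is reproducible


@dataclass(frozen=True)
class Certificate:
    entity_name: str          # registered legal entity printed on the certificate
    level: str                # level as printed on the certificate
    certificate_id: str       # ID to look up on the register (manual step)
    issuing_body_licence: str
    issued: date
    expires: date


@dataclass(frozen=True)
class Contract:
    entity_name: str          # legal entity named in the contract
    tier: int                 # 1 = critical, 2 = material, 3 = low-risk


def check_evidence(cert, contract, today=TODAY, licensed_bodies=LICENSED_BODIES):
    """Return the reasons to reject the certificate; an empty list means accept."""
    problems = []
    if cert.level not in ACCEPTED_LEVELS:
        problems.append(f"'{cert.level}' is not a CE certificate level")
    # Exact legal-entity match: a group parent certificate does not cover a subsidiary.
    if cert.entity_name.casefold().strip() != contract.entity_name.casefold().strip():
        problems.append("certificate legal entity does not match contracting entity")
    if not (cert.issued <= today <= cert.expires):
        problems.append("today is outside the certificate validity window")
    if cert.issuing_body_licence not in licensed_bodies:
        problems.append("issuing body is not on the certification body directory")
    required = REQUIRED_LEVEL.get(contract.tier)
    if required == "Cyber Essentials Plus" and cert.level != required:
        problems.append("Tier 1 requires Cyber Essentials Plus")
    return problems


def lapse_action(expires, today=TODAY):
    """Map days-to-expiry onto the 90 / 30 / day-of-expiry monitoring schedule."""
    days_left = (expires - today).days
    if days_left < 0:
        return "lapsed: escalate"
    if days_left == 0:
        return "expiry day: automated register check"
    if days_left <= 30:
        return "remind supplier manager and check in with supplier"
    if days_left <= 90:
        return "remind supplier manager"
    return "no action"


# Constructed sample suppliers covering the accept and reject cases in the checklist.
CONTRACT_WIDGETS = Contract("Example Widgets Ltd", 1)
CONTRACT_SERVICES = Contract("Example Services Ltd", 2)

CERT_OK = Certificate("Example Widgets Ltd", "Cyber Essentials Plus", "CERT-PLACEHOLDER-0001",
                      "IASME-LICENCE-PLACEHOLDER-A", date(2025, 12, 1), date(2026, 12, 1))
CERT_PARENT = Certificate("Example Group plc", "Cyber Essentials Plus", "CERT-PLACEHOLDER-0002",
                          "IASME-LICENCE-PLACEHOLDER-A", date(2025, 12, 1), date(2026, 12, 1))
CERT_READY = Certificate("Example Services Ltd", "Cyber Essentials Ready", "CERT-PLACEHOLDER-0003",
                         "IASME-LICENCE-PLACEHOLDER-B", date(2026, 2, 1), date(2027, 2, 1))
CERT_EXPIRED = Certificate("Example Services Ltd", "Cyber Essentials", "CERT-PLACEHOLDER-0004",
                           "IASME-LICENCE-PLACEHOLDER-B", date(2025, 1, 15), date(2026, 1, 15))
CERT_SOON = Certificate("Example Widgets Ltd", "Cyber Essentials Plus", "CERT-PLACEHOLDER-0005",
                        "IASME-LICENCE-PLACEHOLDER-A", date(2025, 3, 20), date(2026, 3, 20))


def review_samples(today=TODAY):
    """Run every sample pair and return {certificate_id: (problems, lapse action)}."""
    pairs = [(CERT_OK, CONTRACT_WIDGETS), (CERT_PARENT, CONTRACT_WIDGETS),
             (CERT_READY, CONTRACT_SERVICES), (CERT_EXPIRED, CONTRACT_SERVICES),
             (CERT_SOON, CONTRACT_WIDGETS)]
    return {c.certificate_id: (check_evidence(c, k, today), lapse_action(c.expires, today))
            for c, k in pairs}


if __name__ == "__main__":
    for cert_id, (problems, action) in review_samples().items():
        verdict = "ACCEPT" if not problems else "REJECT: " + "; ".join(problems)
        print(f"{cert_id}: {verdict} | lapse monitoring: {action}")
```

The entity comparison is deliberately strict: a near-match on a parent company name is exactly the case the checklist says to reject. Swap `TODAY` for `date.today()` and feed the dataclasses from your supplier register to run it for real.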
Tier selection guidance
A common procurement mistake is requiring CE Plus from every supplier regardless of risk. This inflates supplier cost (CE Plus costs 5x more than CE), compresses the market, and creates friction without reducing risk.
Calibrate by data access:
- Supplier has access to customer PII or systems: CE Plus.
- Supplier has access to corporate systems but not customer data: CE.
- Supplier has access to no sensitive systems: CE is a reasonable "nice to have" but not a blocker.
The MSP question
Managed Service Providers and IT consultancies are a common Tier 1 category for UK buyers. They have privileged access to multiple client environments. Specific procurement considerations:
- Require CE Plus, not CE, given the privileged access.
- Require that the MSP's scope covers their operational environment (the tools they use to deliver managed services, not just their corporate laptops).
- Consider requiring ISO 27001 in addition to CE Plus for larger MSPs.
Fig Group writes extensively about the MSP-specific scope question - see the MSP sector guide.
What to do when a supplier says "we are in the process of getting certified"
This is a procurement decision, not a CE decision. Options:
- Block contract award until the certificate is in place.
- Accept a conditional award with a time-boxed milestone (typically 60–90 days).
- Accept an interim evidence pack (the supplier provides evidence of the five CE controls even though they are not yet certified).
For critical suppliers in regulated contexts (PPN 014/21, NIS2, DORA), default to blocking contract award. For non-critical contracts, a conditional award is usually acceptable.
Bottom line
Cyber Essentials is the cheapest, fastest, NCSC-backed evidence that a UK supplier has basic cyber controls. Procurement teams that require the right tier from the right suppliers, monitor lapse, and verify the register do more to manage supply chain cyber risk than most six-figure supplier risk management platforms.
Use the contract clauses above as a starting point. Calibrate by risk. Verify on the register. That is the whole programme.
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.