Short answer
UK Cabinet Office Procurement Policy Note 014/21 - the policy that mandates Cyber Essentials certification for central government contracts handling sensitive data. Suppliers must hold a valid certificate at the point of contract award.
Why this matters
Procurement questions matter because Cyber Essentials is often used as a supplier-risk filter. The buyer needs confidence that the certificate is valid, current, in the correct legal name, and sufficient for the contract requirement.
Public-sector requirements vary by contract. Some require Cyber Essentials, some require Cyber Essentials Plus, and defence suppliers may also need Defence Cyber Certification. Private-sector buyers increasingly use Cyber Essentials as a minimum supplier control, particularly where personal data or managed IT access is involved.
What to check next
- Read the bid wording before buying the wrong level of certification.
- Verify supplier certificates on the NCSC register.
- Keep renewal dates visible so certificates do not lapse during a contract period.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.