Choosing a Cyber Essentials Certified MSP in the UK

If you need an MSP that is itself Cyber Essentials certified (and can help you achieve it), this guide explains what "CE-certified MSP" really means and how to evaluate one.

Author: Jay Hopkins

Edited by Jack Wickham


Section 01

Choosing a Cyber Essentials Certified MSP in the UK

"Cyber Essentials certified MSP" is a phrase that gets thrown around loosely. Some providers mean they hold the certificate themselves. Some mean they are a licensed IASME certification body. Some mean neither - they simply know their way around the question set and will hold your hand through a submission to a third party. All three can be useful, but they are not the same thing, and choosing the wrong kind can cost you weeks of rework at renewal.

If you are a UK business scoping an MSP on the basis of their Cyber Essentials credentials, this guide walks you through what the badge should actually tell you, the questions that separate real certified partners from the marketing noise, and how to verify a claim in under two minutes.

Section 02

The three types of "CE-certified MSP"

The phrase collapses three distinct things that it pays to keep separate.

Type one: the MSP holds Cyber Essentials itself. This means the MSP has been through the assessment process for its own organisation. It has MFA on its admin tooling, patch cadence on its engineers' laptops, hardened remote-access, and a clean self-assessment approved by an IASME-licensed certification body. This is table stakes for any MSP in 2026 - if your provider does not hold its own certificate, it has no credibility lecturing clients on theirs. You can verify the claim in the IASME directory in under a minute.

Type two: the MSP is a licensed certification body. A much smaller group. These firms have passed IASME's assessor training, signed the licensing agreement, and are authorised to issue the certificate directly. Fig Group sits in this category. A licensed body can assess you, run your Plus audit, and issue the certificate without handing off to a third party. That compresses timelines (Fig's typical submission-to-certificate time is six hours) and keeps evidence inside one set of hands.

Type three: the MSP is simply knowledgeable. They will scope the estate, populate the IASME Willow portal, answer the hard questions ("is this laptop in-scope?"), and act as a practical guide. They then pay a licensed body to do the actual assessing. This is fine - it is how most of the market works - but you should know that the MSP has no authority over the outcome and that every billable hour of their time sits on top of the certification body's fee.

None of these is inherently better than the others. The problem is when the middle category quietly masquerades as the first or third.

Section 03

Questions to ask before signing

Five questions will cut through almost all of the marketing language.

"Do you hold Cyber Essentials yourself - and can I see the certificate?" The answer should be yes, and a PDF copy should land in your inbox within the hour. If the MSP hesitates, or sends through an expired certificate, or sends through a certificate in a parent company's name but not the trading entity, treat that as a flag.

"Are you a licensed IASME certification body, or do you sub-contract certification?" Either answer is fine; a vague answer is not. A licensed body will name the IASME licence. A sub-contracting provider will name its certification-body partner. Anyone who dodges the question is hoping you will not ask it.

"What is your turnaround time from submission to certificate?" The scheme allows anything up to 14 working days at the outer edge. A good operator should commit to something inside five working days in writing, ideally with a contractual remedy if they miss it. Fig commits to six hours where evidence arrives clean.

"How many free re-submissions do I get?" IASME allows two re-submissions inside 30 days of the original submission before you pay again. Anyone quoting a single submission with no contingency is pricing their risk onto you.

"Who runs the CE Plus technical audit?" If they sub-contract CE Plus to a third-party testing firm, ask who. If they run it in-house, ask whether the same team runs the base-level assessment and the audit. A single team with a single evidence pack reduces handover errors and usually compresses timelines.

Section 04

The IASME directory - use it

The Information Assurance for Small and Medium Enterprises (IASME) consortium is the NCSC's delivery partner for Cyber Essentials. Every live certificate and every licensed certification body is listed on its public directory. Before engaging any MSP on the basis of their CE credentials, spend 90 seconds there. Search for the MSP's company name, confirm the certificate is current (not expired), confirm the entity holding the certificate is the entity you will be contracting with, and confirm (if they claim to certify) that they appear on the certification body list.

This single check defeats most of the weaker marketing claims in the market.

Section 05

What an MSP with a real CE capability adds

A certified MSP that treats CE seriously will do more than shepherd you through a single submission. The work that actually matters is operational: keeping your estate in a continuous state of assessment-readiness so next year's renewal is a two-hour tick-box, not a six-week panic.

That looks like enforced MFA across every cloud app you use, not just Microsoft 365. It looks like a live asset register that flags out-of-support operating systems automatically. It looks like patch-cadence dashboards that show the oldest critical patch currently unapplied across the estate. It looks like monthly evidence-readiness reports that catch regressions before the auditor does.

Without that operational backbone, a "CE-certified MSP" is just an MSP that paid for its own certificate once. It may not help your renewal at all.

Section 06

Where Fig Group sits

Fig Group holds Cyber Essentials and Cyber Essentials Plus itself. It is a licensed IASME certification body. And it runs an MSP-facing compliance-as-a-service platform that gives partners the operational backbone described above - live asset registers, MFA enforcement monitoring, patch cadence dashboards, and continuous evidence collection that keeps clients assessment-ready twelve months a year.

That combination - holder, certifier, and enabler - is unusual. It exists because the same team that was tired of late-stage remediation scrambles built the platform that prevents them.

Section 07

Next steps

If you are scoping an MSP relationship and Cyber Essentials is part of the requirement, start with the five questions above and the IASME directory check. Then, if you want to see what continuous CE readiness looks like from the MSP side, have a look at the Fig MSP compliance platform or the published pricing for certification if you need the certificate directly.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
