Cyber Essentials for Professional Services: What Consultancies and Advisers Need to Know

An increasing number of UK public sector contracts and enterprise clients now require Cyber Essentials certification as a baseline procurement condition. For management consultancies, accountancy firms, and HR advisers handling sensitive client data, Cyber Essentials is no longer optional — it is a commercial necessity. The NCSC estimates that 80% of common cyber attacks could be prevented by the five Cyber Essentials controls alone. Here is what professional services firms need to know.

What Cyber Essentials Covers

Cyber Essentials is a UK government-backed certification scheme administered by the NCSC. It tests five technical controls:

  • Firewalls — boundary and device-level firewall configuration
  • Secure configuration — default passwords changed, unnecessary software removed
  • User access control — least privilege, no unnecessary admin accounts
  • Malware protection — anti-malware on all devices
  • Patch management — software and firmware updated within 14 days of critical patches

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials is a self-assessed questionnaire verified by a certifying body. Cyber Essentials Plus adds independent technical verification — a vulnerability scan and hands-on testing of sampled devices. For professional services firms tendering for government contracts above £25,000, Cyber Essentials (basic) is typically required. For MoD supply chain work, financial services clients, and NHS contracts, Cyber Essentials Plus is increasingly expected. The difference in cost is significant: basic certification starts from around £300; Plus starts from £1,500 depending on scope.

What Professional Services Firms Commonly Fail On

Based on IASME certification data, the most common failure points for professional services firms are:

  • Bring-your-own-device — personal laptops and phones are in scope if they access work email or systems
  • Cloud services — M365, Google Workspace, and Salesforce are all in scope and must be configured correctly
  • Legacy software — firms running unsupported Windows versions or out-of-date Office installations fail patching controls
  • Admin accounts — partners and senior staff often retain unnecessary admin rights
  • MFA — the 2023 Cyber Essentials refresh made MFA mandatory for cloud services; many firms are not yet compliant

How Kyanite Blue Prepares Professional Services Firms

Coro provides the endpoint protection, email security, and access control tooling that maps directly to Cyber Essentials controls. Our pre-certification gap assessment identifies the specific configuration changes needed before you submit your questionnaire — avoiding the cost and delay of a failed first attempt. For firms targeting Cyber Essentials Plus, Hadrian's external attack surface scanning identifies exposed systems before the official technical verification.

Frequently Asked Questions

Is Cyber Essentials mandatory for professional services firms?

Cyber Essentials is mandatory for UK government contracts involving personal data or sensitive information, and for MoD supply chain contracts of any value. It is not a legal requirement for private sector work, but an increasing number of large enterprise clients — particularly in financial services and healthcare — include it as a procurement requirement. Without it, you may be excluded from bids.

How long does Cyber Essentials certification take?

For a prepared firm, the self-assessment questionnaire can be completed in a day. The certifying body typically responds within five to ten working days. If your first submission fails, you will need to remediate and resubmit — adding several weeks. For Cyber Essentials Plus, plan for four to six weeks from preparation to certification, allowing time for the technical verification visit.

Do cloud services count for Cyber Essentials?

Yes. Since the 2023 update, cloud services used by your organisation are explicitly in scope. This includes M365, Google Workspace, Xero, Salesforce, and any SaaS tool accessed from devices your organisation controls. MFA must be enabled on all cloud services, and admin accounts must be separately managed with strong authentication.
