Cyber Essentials for Consultancies: Frequently Asked Questions
Cyber Essentials is the most common compliance question Kyanite Blue receives from UK professional services firms. Questions about scope, cost, cloud services, and the difference between Cyber Essentials and Cyber Essentials Plus come up in almost every initial conversation. This FAQ addresses the questions consultancies most frequently ask.
Cyber Essentials is required for all UK government contracts involving personal data or sensitive information.
Frequently Asked Questions
Does Cyber Essentials cover cloud services like M365 and Google Workspace?
Yes. The 2023 Cyber Essentials refresh explicitly includes cloud services in scope. Any cloud service that your organisation uses for work — M365, Google Workspace, Salesforce, Xero, practice management software — must meet the Cyber Essentials controls. This includes MFA being enabled on all cloud accounts and admin accounts being separately managed.
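The two cloud-account controls named above (MFA on every account, and admin rights kept on separately managed accounts rather than on the account someone uses for email) are easy to check from a user export before the self-assessment. The script below is an added illustration written for this FAQ, not Kyanite Blue's tooling or any certifying body's; the CSV layout and column names are assumptions about how you might export users from your identity provider, and the sample rows are constructed.

```python
"""Pre-assessment check for the two Cyber Essentials cloud-account controls:
every account has MFA, and privileged roles sit on dedicated admin accounts
rather than on day-to-day mailbox accounts.

The column names below are an assumption about the export format; adjust
them to match what your identity provider actually produces."""
import csv
import io

# Constructed sample export, for illustration only (not real accounts).
SAMPLE_EXPORT = """\
user_principal_name,display_name,mfa_enabled,roles,has_mailbox
alice@example-consultancy.co.uk,Alice Smith,yes,,yes
bob@example-consultancy.co.uk,Bob Jones,no,,yes
carol@example-consultancy.co.uk,Carol White,yes,Global Administrator,yes
admin-carol@example-consultancy.co.uk,Carol White (admin),yes,Global Administrator,no
svc-backup@example-consultancy.co.uk,Backup Service,no,,no
"""

# Roles treated as privileged for the "separately managed admin" check.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Exchange Administrator",
    "User Administrator",
}


def parse_export(text):
    """Read the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def find_gaps(rows):
    """Return (account, reason) pairs for every account that would fail
    the MFA or admin-separation control. Multiple roles are expected to be
    ';'-separated in the roles column."""
    gaps = []
    for row in rows:
        upn = row["user_principal_name"].strip()
        roles = {r.strip() for r in row["roles"].split(";") if r.strip()}
        mfa_on = row["mfa_enabled"].strip().lower() == "yes"
        has_mailbox = row["has_mailbox"].strip().lower() == "yes"

        # Control 1: MFA on every cloud account, service accounts included.
        if not mfa_on:
            gaps.append((upn, "no MFA"))

        # Control 2: privileged roles belong on a dedicated admin account,
        # not on the account that also receives the person's email.
        if roles & PRIVILEGED_ROLES and has_mailbox:
            gaps.append((upn, "privileged role on a day-to-day account"))
    return gaps


if __name__ == "__main__":
    for account, reason in find_gaps(parse_export(SAMPLE_EXPORT)):
        print(f"{account}: {reason}")
```

On the constructed sample this flags the user without MFA, the service account without MFA, and the Global Administrator role held on a mailbox account, while the dedicated admin-carol account passes. Run it against a real export before submitting the questionnaire and clear every line it prints.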
Do personal devices (BYOD) need to be included in Cyber Essentials?
Yes, if they access corporate email, cloud services, or data. If a personal phone accesses your M365 email, it is in scope for Cyber Essentials. You must either bring those devices into compliance (install MDM, require a PIN or passcode, ensure the OS is up to date) or prevent them from accessing corporate systems. Most professional services firms find it more practical to require a basic MDM profile on personal devices than to exclude them from access.
How often must Cyber Essentials be renewed?
Cyber Essentials certification is valid for twelve months and must be renewed annually. The renewal process is a new self-assessment — it is not automatic. Setting a calendar reminder three months before expiry gives time to review any changes to your environment (new cloud services, new staff, new devices) that need to be addressed before resubmission.
Can we lose Cyber Essentials certification after we have it?
The certificate is not revoked during its twelve-month validity period if your security posture changes — but if you allow controls to lapse (for example, stop enforcing MFA on cloud services) and then fail to renew, you lose certification. More importantly, if a client or procurement body asks you to confirm that your controls meet Cyber Essentials standards, you have an obligation to be accurate. Maintaining the controls year-round, not just at renewal time, is the correct approach.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessed questionnaire reviewed by a certifying body. Cyber Essentials Plus adds independent technical verification — a qualified assessor conducts a vulnerability scan and hands-on testing of a sample of your devices and cloud accounts. Plus is required for some government contracts and is increasingly expected by larger enterprise clients. It costs approximately three to five times more than basic Cyber Essentials.
Get help with Cyber Essentials certification
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.