Cyber Essentials Accreditation Guide for Professional Services Firms: Step-by-Step
Cyber Essentials certification is a structured, achievable goal for any professional services firm — but a significant proportion of first-time submissions fail due to avoidable preparation mistakes. This guide walks through the preparation, assessment, and certification process for professional services firms, with specific attention to the areas where consultancies, accountancy firms, and advisers most commonly struggle.
An estimated 25% of first Cyber Essentials submissions require remediation before certification is awarded.
Step 1: Scope Definition
Before beginning the questionnaire, define what is in scope. For Cyber Essentials, scope covers all devices and cloud services used for work: corporate laptops, managed phones, cloud services (M365, Google Workspace, CRM, practice management software), and any personal devices that access corporate email or documents. Be honest about scope — including personal devices is required if they access corporate systems, even if inconvenient.
Step 2: Gap Assessment
Work through the Cyber Essentials Requirements for IT Infrastructure document and honestly assess your current state against each control. Common gaps in professional services firms: MFA not enabled on cloud services (now mandatory); devices running unsupported operating systems; admin accounts used for daily work; legacy email protocols (IMAP, POP3) still enabled; BYOD devices not meeting minimum security requirements.
Step 3: Remediation
Address all identified gaps before submitting the questionnaire. Priority actions: enable MFA on all cloud services; update or decommission out-of-date systems; remove unnecessary admin rights; disable legacy authentication protocols; configure firewalls on all devices including laptops. Document the changes you make — the questionnaire asks you to confirm controls are in place, and you need evidence if audited.
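Steps 1 to 3 above amount to a repeatable check: scope the inventory, test each in-scope asset against the controls listed, and turn every failure into a remediation action you can document. The script below is an added example, not code from the original guide or from any certifying body. Every record in it (device names, OS versions, the supported-OS table, the two cloud services) is constructed for illustration; in practice the inventory would be exported from your MDM and cloud admin consoles, and the supported-OS table replaced with the vendors' current support lists.

```python
"""Cyber Essentials gap assessment over a constructed asset inventory.

Added example, not code from the original guide. Every record below is
constructed for illustration; in practice the inventory would be exported
from your MDM and cloud admin consoles."""
from dataclasses import dataclass, field

# Constructed: OS versions the firm treats as vendor-supported at assessment
# time. Replace with the vendors' current support lists when you run this.
SUPPORTED_OS = {
    "windows": {"11"},
    "macos": {"14", "15"},
    "ios": {"17", "18"},
    "android": {"14", "15"},
}


@dataclass
class Device:
    name: str
    os_family: str
    os_version: str
    accesses_corporate_data: bool  # corporate email or documents reachable here
    byod: bool = False
    firewall_enabled: bool = True
    daily_user_is_admin: bool = False


@dataclass
class CloudService:
    name: str
    mfa_enforced_for_all: bool
    legacy_protocols_enabled: set = field(default_factory=set)  # e.g. {"IMAP"}


def in_scope(device: Device) -> bool:
    """Step 1: any device that reaches corporate email or documents is in
    scope, personal (BYOD) devices included."""
    return device.accesses_corporate_data


def assess_device(device: Device) -> list[str]:
    """Step 2 checks for one device, each paired with its Step 3 remediation."""
    gaps = []
    label = f"{device.name}{' (BYOD)' if device.byod else ''}"
    if device.os_version not in SUPPORTED_OS.get(device.os_family, set()):
        gaps.append(f"{label}: unsupported OS {device.os_family} "
                    f"{device.os_version}; update or decommission")
    if not device.firewall_enabled:
        gaps.append(f"{label}: host firewall disabled; enable it")
    if device.daily_user_is_admin:
        gaps.append(f"{label}: daily-use account has admin rights; "
                    "remove them and use a separate admin account")
    return gaps


def assess_service(service: CloudService) -> list[str]:
    """Step 2 checks for one cloud service (MFA and legacy protocols)."""
    gaps = []
    if not service.mfa_enforced_for_all:
        gaps.append(f"{service.name}: MFA not enforced for all users; enable it")
    if service.legacy_protocols_enabled:
        protos = ", ".join(sorted(service.legacy_protocols_enabled))
        gaps.append(f"{service.name}: legacy protocols enabled ({protos}); "
                    "disable legacy authentication")
    return gaps


def gap_report(devices: list[Device], services: list[CloudService]) -> dict:
    """Scope the inventory, then list every gap with its remediation."""
    scoped = [d for d in devices if in_scope(d)]
    gaps = []
    for d in scoped:
        gaps.extend(assess_device(d))
    for s in services:
        gaps.extend(assess_service(s))
    return {
        "in_scope": [d.name for d in scoped],
        "out_of_scope": [d.name for d in devices if not in_scope(d)],
        "gaps": gaps,
    }


def sample_inventory():
    """Constructed inventory for a small firm (illustrative values only)."""
    devices = [
        Device("LT-001", "windows", "11", True),
        Device("LT-002", "windows", "10", True, daily_user_is_admin=True),
        Device("PH-003", "ios", "15", True, byod=True),
        Device("HOME-PC", "windows", "10", False),  # never touches firm data
    ]
    services = [
        CloudService("M365", False, {"IMAP", "POP3"}),
        CloudService("Practice management SaaS", True),
    ]
    return devices, services


if __name__ == "__main__":
    report = gap_report(*sample_inventory())
    print("In scope:", ", ".join(report["in_scope"]))
    for gap in report["gaps"]:
        print(" -", gap)
```

Run it and the report lists each gap with the action that closes it; keep the output from the run you do before submission alongside the change records, since that pairing is the evidence the questionnaire asks you to be able to produce. Note that a personal phone is scoped and checked on exactly the same terms as a corporate laptop, which is the point the scope step makes.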
Step 4: Submission and Certification
Submit the self-assessment questionnaire through an IASME-authorised certifying body. The certifying body will review your submission and either award the certificate or raise clarifying questions. If clarification is needed, respond promptly and specifically. Once certified, your certificate is valid for twelve months — set a calendar reminder for the renewal process three months before expiry.
Frequently Asked Questions
What certifying body should we use for Cyber Essentials?
Any IASME-authorised certification body can award Cyber Essentials. The IASME website maintains a directory of authorised bodies. For Cyber Essentials Plus, choose a body that also conducts the technical verification test — not all do. Cost and turnaround time vary between certifying bodies. For professional services firms, IASME Gold (which adds a GDPR component) is worth considering as it provides additional compliance evidence.
Get help with Cyber Essentials preparation
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.