Back to Blog
testimonial-strategy
cyber-essentials-plus
uk-ncsc
iasme
uk-public-sector
cyber-certification
ncsc-assured

Testimonials from Customers Who Have Completed a Cyber Essentials Plus Certification — Calibrating Quote Specificity Around the UK NCSC Scheme Boundary, IASME Delivery, and the Public-Sector-Procurement Disclosure Norms

ProofShow Team··10 min read

A customer's completion of a Cyber Essentials Plus certification is a high-trust testimonial moment in the UK-government, UK-defence-supply-chain, and broader UK-public-sector vertical because Cyber Essentials Plus — operated by IASME Consortium under the authority of the UK National Cyber Security Centre (NCSC) — produces a cyber-security-certification artifact that follows UK-government disclosure norms diverging from the self-assessed Cyber Essentials (Basic), ISO/IEC 27001, SOC 2, and the cloud-attestation programs covered elsewhere in this series. Most testimonial programs treat Cyber Essentials Plus as interchangeable with Cyber Essentials (Basic) because both are NCSC schemes under the same brand, but the operational reality is that Cyber Essentials Plus certifications are produced under an independently-conducted technical audit (whereas Cyber Essentials Basic is a self-assessment validated by IASME without on-site or remote technical verification), are published through the IASME directory, and are referenced by consuming UK public-sector buyers — Ministry of Defence (MoD) DEFCON 658 supply-chain assurance, Crown Commercial Service framework procurement, and Cabinet Office Public Sector Procurement Policy Note (PPN) 09/23 — through procurement-eligibility rules that govern downstream testimonial use.

This guide separates the Cyber Essentials Plus certification cycle into four phases, explains the testimonial-wall risks in each phase, and provides per-phase playbooks calibrated to the UK-public-sector procurement mechanics that most Cyber-Essentials-Plus-completing customers operate under. For broader context on compliance-anchored testimonials, see the playbooks on testimonials when a customer completes a SOC 2 audit, testimonials when a customer completes an ISO 27001 certification, and testimonials when a customer completes a NIST CSF implementation.

The four Cyber Essentials Plus certification-cycle phases

A typical Cyber Essentials Plus certification path runs through scope-and-boundary definition, self-assessment completion against the five Cyber Essentials control areas (firewalls, secure configuration, security update management, user access control, and malware protection), independent technical audit by an IASME-certified assessor, and IASME-issued certification publication against the consuming public-sector framework requirements (which in the UK context routinely reference Cyber Essentials Plus as a procurement prerequisite). The cycle commonly spans three to six months for first-time certification and one to three months for an annual re-certification on a previously-certified scope. Customers move through four distinct phases relative to the certification.

Phase 1: Scope-and-boundary definition and self-assessment completion (the period before the technical audit has been scheduled). The customer is defining the certification scope (whole-organization or sub-scope), identifying in-scope devices (workstations, servers, BYOD endpoints, mobile devices), completing the Cyber Essentials self-assessment questionnaire against the five control areas, and remediating any gaps surfaced during self-assessment. The customer is highly engaged with the vendor's control-implementation evidence and configuration-hardening posture but cannot yet claim a Cyber Essentials Plus certification. Testimonials produced during scope-definition have a control-implementation-and-configuration-hardening character — the customer can speak to the vendor's NCSC-control-mapping clarity, secure-configuration-documentation completeness, and pre-audit-support responsiveness.

Phase 2: Independent technical audit (the period between scope definition and the assessor's verification activities). An IASME-certified assessor has been engaged and is conducting the technical audit, which under the Cyber Essentials Plus scheme involves remote vulnerability scanning of internet-facing services, sampled-endpoint configuration verification, malware-protection effectiveness testing, and patch-management posture verification across the in-scope estate. The customer is highly engaged operationally and is producing the evidence and access required for the assessor to verify the control implementation. Testimonials produced during the technical audit have an audit-collaboration-and-control-evidence character — the customer can speak to vendor responsiveness during the audit window, control-evidence presentation discipline, and the clarity of the vendor's Cyber Essentials Plus control-implementation documentation, but should not claim a completed Cyber Essentials Plus certification before the assessor has completed verification and IASME has issued the certification.

Phase 3: IASME certification issuance and directory publication (the period after audit completion and through certification issuance, typically two to four weeks after the audit window closes). The assessor has completed verification, has submitted the audit findings to IASME, and IASME has issued the Cyber Essentials Plus certification under the certified scope with a one-year validity period. The certification is published in the IASME-maintained certified-organizations directory under the certified scope and the certification expiry date, which is the verification path that consuming UK public-sector buyers use to validate the customer's claim. Testimonials produced during the certification-issuance phase have a certification-progression character — the customer can speak to the vendor's collaboration through the audit and certification window and can reference the achieved Cyber Essentials Plus certification once IASME has issued the certification.

Phase 4: Steady-state operation and annual-recertification cycle. The Cyber Essentials Plus certification is active for twelve months from the issuance date, and the customer operates against the certified scope while preparing for the next annual re-certification. The annual cycle requires the customer to maintain the certified control posture and to repeat the technical audit on the rolling annual cadence, with the certification remaining in the IASME directory subject to ongoing compliance. Testimonials produced in steady-state operation have an operational-stability-and-uk-public-sector-procurement-eligibility character — the customer can speak to how the vendor's control posture supports the customer's continued Cyber Essentials Plus certified status, UK-public-sector procurement cycles (including MoD DEFCON 658 supply-chain expectations and Crown Commercial Service framework eligibility) that depend on the certification, and the cadence of annual re-certification audits. These are the highest-trust testimonials in the cycle because they are produced with the benefit of the full operational record between certification and testimonial date and because the customer has experienced the actual procurement-eligibility benefits of the certification.

The seven quote-request timing risks

The Cyber Essentials Plus certification cycle creates seven distinct timing risks that depress otherwise well-crafted testimonials. Each risk corresponds to a specific moment in the cycle where the customer's claim must be calibrated against what the customer has actually achieved and what the NCSC-and-IASME disclosure framework permits.

Timing risk 1: Basic-vs-Plus conflation. A customer who has achieved Cyber Essentials (Basic, self-assessed) may speak as if the certification is Cyber Essentials Plus. Quotes produced in this window often blur the distinction between the self-assessed Basic certification and the independently-audited Plus certification. The fix is to require the certification tier in the quote ("we achieved Cyber Essentials Plus, the independently-audited tier of the NCSC scheme") because the tier is what consuming UK public-sector buyers distinguish during their procurement review and because Cyber Essentials Plus carries materially stronger assurance than Cyber Essentials Basic.

Timing risk 2: Pre-audit enthusiasm. A customer who has decided to pursue Cyber Essentials Plus but has not yet scheduled the technical audit may speak as if the certification is imminent. Quotes produced in this window often use language like "we are achieving Cyber Essentials Plus" or "we will have Cyber Essentials Plus shortly" that overstates the customer's actual position. The fix is to bound the quote with explicit pre-audit framing — "we are preparing our Cyber Essentials Plus audit with our IASME-certified assessor" — that signals the candidate's actual stage and that does not invite the reader to infer a certification that does not yet exist.

Timing risk 3: Audit-completion overclaim. A customer who has completed the technical audit but has not yet received the IASME-issued certification may speak as if the audit completion is the certification. Quotes produced in this window often conflate the audit artifact with the certification itself. The fix is to use explicit audit-completion language ("we completed our Cyber Essentials Plus audit in [month/year] and have been issued the certification by IASME") that distinguishes the audit artifact from the IASME-issued certification.

Timing risk 4: Scope misrepresentation. A customer who has achieved Cyber Essentials Plus on a sub-scope may speak as if the certification covers the whole organization. Quotes produced in this window blur the distinction between whole-organization scope and sub-scope (which is permitted under the scheme but must be disclosed). The fix is to require scope language in the quote ("we achieved Cyber Essentials Plus for our [whole-organization / specific business unit] scope") because the scope is what consuming buyers factor into procurement decisions, particularly under MoD DEFCON 658 supply-chain assurance.

Timing risk 5: IASME directory reference precision. A customer may quote the Cyber Essentials Plus certification without referencing the IASME directory listing. UK public-sector buyers validate certifications through the IASME-maintained directory rather than through customer claims; quotes that do not reference the directory listing invite buyer follow-up to verify the customer's claim. The fix is to encourage the quote to reference the IASME directory listing where appropriate ("our Cyber Essentials Plus certification is listed in the IASME directory under [organization name]"), which both lends operational specificity to the quote and aligns it with the procurement-verification path.

Timing risk 6: Expiry posture omission. A customer who has been certified for nine months or more may speak about the certification without referencing the annual re-certification cadence. Quotes produced in this window can give consuming buyers the impression that the certification is a point-in-time artifact rather than an ongoing operational discipline. The fix is to encourage the quote to reference the annual re-certification cadence where the testimonial is being used to signal operational stability rather than point-in-time achievement.

Timing risk 7: NCSC-assured-service implication. A customer may quote the Cyber Essentials Plus certification with language that implies an NCSC-assured-service designation, which is a distinct NCSC scheme separate from Cyber Essentials Plus. Quotes produced in this window can overclaim the scheme's assurance level. The fix is to bound the quote to the Cyber Essentials Plus scheme as such and not to imply NCSC-assured-service status when none has been issued.

Per-phase playbook for the testimonial wall

The Cyber Essentials Plus testimonial wall should be organized by certification phase, not by industry, because the consuming UK-public-sector buyer reads the testimonial against the certification phase first and the industry second. A scope-definition-phase testimonial speaks to control-implementation-and-configuration-hardening discipline; an audit-phase testimonial speaks to audit-collaboration-and-control-evidence discipline; a certification-issuance-phase testimonial speaks to certification-progression discipline; a steady-state-operation testimonial speaks to operational-stability-and-uk-public-sector-procurement-eligibility. Mixing the phases in a single wall section dilutes the signal that the testimonial wall is trying to send to the buyer.

For each phase, the per-phase playbook is: collect a minimum of three quotes within the phase window, validate each quote against the timing-risk matrix above, encourage the quote to reference the specific IASME-disclosed identifiers (certified scope, certification date, expiry date, directory listing) where the disclosure framework permits, and rotate the wall section quarterly to ensure the steady-state-operation section is dominated by quotes produced at least six months into the certification window.

For adjacent compliance-anchored testimonial strategies, see the testimonials when a customer completes a TX-RAMP certification guide and the testimonials when a customer completes a NIS2 compliance program guide. For UK-specific procurement context, the testimonial wall benefits from cross-linking to procurement-framework-anchored testimonials (Crown Commercial Service frameworks, G-Cloud, and DOS) where the buyer is operating under those frameworks.

Cyber Essentials Plus testimonials reward phase-aware sequencing because the UK-public-sector buyer reads the certification artifact through the disclosure framework that IASME and NCSC have established. A phase-aware wall earns the buyer's trust by demonstrating that the vendor and the customer both understand the framework and respect the boundary between what the certification asserts and what it does not.

Ready to get started?

Start collecting and showcasing testimonials in under 5 minutes.

Start Free