How to Choose a Cyber Essentials Certification Body
Cyber Essentials is awarded by IASME-licensed certification bodies. Here's how to pick one that fits how much help you actually need.
Short, practical notes for small businesses — on security questionnaires, certification, the EU AI Act, data protection and the everyday basics that actually move the needle. No jargon, no scaremongering.
Start with a topic
A prospect is ready to sign — but they need a completed security questionnaire first. Here is exactly what to do, in order, starting today.
Cyber Essentials is awarded by IASME-licensed certification bodies. Here's how to pick one that fits how much help you actually need.
A plain-English breakdown of what Cyber Essentials Plus costs a UK small business, and what makes one quote higher than another.
Cyber Essentials, UK GDPR and security questionnaires can feel like three separate chores. They are really one programme — and the same underlying work answers all three.
ISO 27001 has a reputation for being expensive, slow and complicated — and honestly, some of that reputation is earned. Here's how to decide whether it's the right move for your business, and what a realistic path looks like.
You've done the compliance work. Your Cyber Essentials certificate is framed, your privacy notice is live, your policies exist. But when a prospective client asks "how secure are you?", where do they look — and what do they find?
A customer wants assurances you do not have on paper — but a missing SOC 2 report is rarely the dealbreaker it feels like. Here is how to respond credibly.
A prospect has just asked you to complete a SIG, a CAIQ or a DDQ — and you've never seen one before. Here is what each one actually is, in plain English.
You don't need a legal department to get GDPR right — you need a handful of documents and habits. Here is the practical starter pack, in plain English.
Someone has asked for a copy of everything you hold about them. Here is exactly how to respond — the time limit, the steps, and what you can and cannot hold back — without the panic.
You've probably heard the EU AI Act mentioned in the same breath as big tech and enterprise compliance budgets. But if your business uses AI tools — even just ChatGPT or an AI-powered hiring platform — you may already have real obligations you're not aware of.
Your team is already using AI tools. A short, clear AI acceptable-use policy turns scattered, ad-hoc habits into something you can stand behind — and it is more achievable than you think.
Most of the worry about the EU AI Act comes from not knowing which tier your tools sit in. Once you understand the four risk levels — and the one insight that decides them — the picture gets a lot calmer.
You've got Cyber Essentials sorted and someone has mentioned ISO 27001. Here's how to tell whether you genuinely need it — or whether you're already where you need to be.
From getting the five controls in place to choosing an assessor and renewing each year — here is the whole path to Cyber Essentials, in the order you'll actually walk it.
The certificate fee is the small part. Here is the honest cost picture of ISO 27001 for a smaller business — audit, effort, and all.
Before you book your assessment, walk through this Cyber Essentials checklist — five control areas, in plain English. You are probably closer than you think.
The headline certification fee is the easy part. Here is the honest, all-in picture of what Cyber Essentials actually costs a UK small business in 2026 — fee, time and all.
Before you certify, you fill in a questionnaire — and one of your directors signs to say every answer is true. Here is what it actually asks, section by section.
You've decided Cyber Essentials is on your to-do list — good. Now comes the question every SME reaches: do you go for the standard certification or step up to Plus? Here's how to decide without second-guessing yourself.
That security questionnaire sitting in your inbox isn't just a form to fill in — it's a deal at risk. Here's why questionnaires stall sales cycles and what a prepared business does differently.
Your team is already using AI tools — probably more than you realise. Here's what that means for your legal responsibilities under UK GDPR and the EU AI Act, and the practical steps you can take this week.
You've probably seen Cyber Essentials mentioned in a contract, an email from a prospect, or a government tender. Here's the version that actually makes sense — no jargon, no fluff.
GDPR can feel like it was written for companies with an entire legal department — not you. Here is the honest picture of what you actually need in place, and what can wait.
Enterprise buyers are quietly screening out suppliers who can't answer security questions. If you have compliance in place but aren't using it commercially, you're leaving contracts on the table.
No notes in this category yet — more on the way.