Definitions and Interpretation

Where a Client orders Cyber Essentials, the provisions of these Cyber Essentials Terms and Conditions shall apply.

By agreeing to these terms and conditions for the provision of Cyber Essentials the Client is entering into an Agreement comprising these terms and conditions and the Company’s general terms of business located at: (the “General Terms”),

Defined terms used in these Cyber Essentials Terms and Conditions shall, unless the context otherwise requires, have the same meaning as terms defined in the General Terms.

The Cyber Essentials Scheme is owned by HM Government (the Authority) and IASME Consortium Limited is the Accreditation Body (AB).

HMG and IASME own respectively all the intellectual property rights in the Cyber Essentials mark (as appears on the website) and the IASME Governance Standard mark (as appears on the website).

This agreement is intended to govern the relationship between the Company (a Certification Body appointed by the AB) and the Client under which the Client wishes to apply for certification under the scheme. The assessment for certification will be carried out only on the basis that the Client has paid the fees and that the Client accepts the terms and conditions of this agreement in full.

If the Client is accepting on behalf of a corporate body, the Client represent to the Company that the Client is doing so as an authorised representative of that corporate body. If the Client is not so authorised nor deemed by law to have such authority then the Client assumes sole personal liability for the obligations set out in this agreement.

If the Client does not accept all of the terms of this agreement the Client must not download, copy or use the marks or claim to be certified under the scheme. The Client must also destroy any unlicensed copies of the marks or other materials under the scheme which might be in the Client’s possession.

A “pass” under the GDPR assessment does not mean that the Client is assessed as being legally compliant. It indicates only that the Client is starting on the pathway to compliance and is committed to ensuring ‘privacy by design’.

The Client should ensure that they obtain specialist legal advice on the GDPR as on any other data protection issue. This GDPR assessment is not legal advice and must not be relied upon as such and the Company accepts no liability for loss or damage suffered as a result of reliance on views expressed here.

The assessment addresses what are considered to be key elements and to help organisations demonstrate progress towards meeting the policy objectives that underpins the GDPR.

1 The Company’s Obligations

1.1 The Company will, upon receipt of the Fees, allow the Client to complete a Scheme Self Assessment Questionnaire and will, subject to the Client meeting its obligations under this Agreement, assess the Client’s completed Questionnaire against the Scheme’s criteria.

1.2 The Company will perform the assessment using reasonable skill and care.

1.3 In the event that the Client’s Questionnaire meets the Scheme criteria (which the Company shall assess at its sole and absolute discretion) the Company will notify the Client in writing and, subject to the Client meeting their obligations under clause 2, will arrange for the issue of a Scheme Certificate to the Client.

1.4 If the Client is unsuccessful in their first assessment attempt, the Company will consider and re assess against the Scheme profile any changes to the Client’s profile that the Client notifies to the Company or which otherwise come to the Company’s attention over the following two (2) working days. The Company will not conduct this reassessment more than one time within the price quoted.

1.5 Prior to issuing a Scheme Certificate the Company will send the Client an agreement for the Client to sign, setting out the conditions of use and constraints on the Client’s use of the Marks. On receipt of the signed agreement from the Client (unamended) the certificate will be issued.

2 The Client’s Obligations

2.1 The Client will complete the Self Assessment Questionnaire accurately, fully and honestly within 6 months of application. After these 6 months the Client’s account may be closed and no refund will be due.

2.2 The Client will not use the Marks or claim to be certified unless the Client is in receipt of a current, valid Scheme Certificate duly issued by the Company.

2.3 The Client acknowledges that any Scheme Certificate will be issued to the Client only upon acceptance of a signed agreement governing the terms and conditions of use including constraints on the use of the Marks.

2.4 The Client will not make any derogatory statements about the Scheme or behave in any manner that would damage the reputation of the Scheme.

2.5 The Client acknowledges that the Scheme is intended to reflect that certificated organisations have themselves established the cyber security profile set out in the Scheme documents only and that receipt of a Scheme Certificate does not indicate or certify that the certificate holder is free from cyber security vulnerabilities. The Client acknowledges that the Company has not warranted or represented the Scheme or certification under the Scheme as conferring any additional benefit to the Client.

2.6 The Client will comply with the Scheme documentation and all reasonable directions made to the Client by the Authority, the AB or the Company.


The Client must pay the Fees before the certification process can begin. The Fees are non -returnable.


The Client must pay the Renewal Fee and be reassessed at each anniversary of the issue of the Client’s original certificate. Non-payment of the Renewal Fee or non-compliance at the reassessment will result in the certificate becoming invalid.


The Scheme Profile details and methodology are confidential and the Client agrees to keep them confidential, save where disclosure is required by an order of the courts or tribunal or as required by HMRC and only in accordance with the terms of that order or requirement.


6.1 The Client warrants that the Scheme Questionnaire has been completed by an authorised and suitably competent person.

6.2 The Client warrants that they will maintain the Security Profile indicated in their completed Questionnaire.

6.3 The Client warrants that the Scheme Questionnaire the Client submits is complete and accurate in all material respects.


7.1 The Company does not accept any liability to the Client resulting from any security breach or vulnerability in the Client’s systems or processes.

7.2 The Company does not accept any liability to the Client resulting from any security breach or vulnerability in the systems or processes that have been applied.

7.3 Without prejudice to the generality of clause 7.1 and subject to clause 7.5 the Company shall not be liable to the Client whether in contract, tort (including negligence) for breach of statutory duty or otherwise arising under or in connection with this agreement for:-

(a) loss of profits;

(b) loss of sales or business;

(c) loss of agreements or contracts;

(d) loss of anticipated savings;

(e) loss of or damage to goodwill;

(f) loss of use or corruption of software, data or information;

(g) any indirect or consequential loss.

7.4 The terms implied by sections 3 to 5 of the Supply of Goods and Services Act 1982 are, to the fullest extent permitted by law, excluded from this agreement.

7.5 The limitations and exclusions on liability in this section will not apply to any liability for death or personal injury caused by our negligence, for fraud or fraudulent misrepresentation or for any other liability that cannot lawfully be excluded or limited.

7.6 Subject to clause 7.5, the total limit of the Company’s liability to the Client whether in contract or tort is the sum equivalent to the Fees that the Client has paid to the Company in the 12 months preceding the date of the Client’s claim against the Company.


8.1 The Company may terminate the certification process at any stage without notice to the Client in the event that the Client is in breach of any of its obligations under this agreement.

8.2 Any request to cancel must be made 1 month prior to the end of the annual renewal otherwise the Company will automatically invoice and/or collect payment at each anniversary period.


Any dispute regarding this agreement shall first be discussed between the parties with a view to resolving it promptly. If it cannot be resolved within 28 days then the parties hereby agree that the dispute will be referred for alternative dispute resolution by an appropriate mediation practitioner who is a member of and subject to the rules of the Chartered Institute of Arbitrators.


The relationship between the parties will be governed by English law and will be subject to the exclusive jurisdiction of the English courts. However, the Company may bring legal proceedings in any other jurisdiction, including the jurisdiction where the Client is domiciled or based, to recover fees or other sums payable to the Company.

The Client also agrees to the publication of the name of the Client’s company and, if relevant, the scope of the assessment if the Client is awarded certification.

The Client also agrees to the UK Government publishing the following details on their website:

-Company name

-Location (town)

-Market sector

-Date of certification

-Certification level

-Certification scope

-Certificate number