Cyber Essentials Plus for St. James's Place Partners: The Complete Guide

3 April 2026 8 min read

If you are a St. James's Place partner, you already know: Cyber Essentials Plus certification is mandatory. SJP became the first major wealth management firm to extend its cyber security requirements across its entire partnership network, covering more than 2,800 businesses.

This is not optional. Without a valid Cyber Essentials Plus certificate, your ability to continue operating as an SJP partner is at risk.

This guide covers what is required, what the assessment involves, the most common areas where SJP partners get tripped up, and how to get certified quickly.

Why SJP Mandated Cyber Essentials Plus

St. James's Place took the decision to mandate Plus across its partner network for three reasons:

Consistency of protection. SJP's partnership model means that thousands of independent businesses carry the SJP brand and handle SJP client data. Each partner firm represents a potential entry point for an attacker. By mandating a single, verifiable standard, SJP ensures a consistent level of protection across the entire network.

Reputational risk. A data breach at any partner firm carries the SJP brand. Client trust in St. James's Place as a whole is damaged by a breach at an individual partner practice, regardless of whether SJP's central systems were involved.

Regulatory pressure. The FCA expects regulated firms to manage cyber risk across their supply chain and distribution network. SJP's mandate is partly a response to this expectation - demonstrating to the FCA that it takes supply chain security seriously.

The results have been significant. IASME reported that achieving Cyber Essentials Plus across the partnership network helped SJP reduce cyber security incidents by approximately 80%. In the first six months of the programme, over 1,600 partner businesses were certified.

Cyber Essentials vs Plus: What SJP Requires

SJP specifically requires Cyber Essentials Plus, not just Cyber Essentials. The difference matters:

Cyber Essentials is the self-assessed questionnaire route. You answer questions about your technical controls and a certification body reviews your responses. There is no hands-on testing of your systems.

Cyber Essentials Plus includes everything in Cyber Essentials, but adds an independent technical audit. A qualified assessor tests your systems, usually remotely, to verify that the controls you claimed in your self-assessment are actually working. This includes an external vulnerability scan of your internet-facing addresses, an authenticated vulnerability scan of a sample of in-scope devices, tests that malicious email attachments and browser downloads are blocked, and verification that MFA is enforced on your cloud services.

For SJP partners, Plus is non-negotiable. Cyber Essentials alone does not satisfy the requirement.

What the Assessment Covers

The Plus audit tests the same five control themes as Cyber Essentials, but verifies them through practical testing:

Firewalls - the assessor checks, via an external vulnerability scan of your public IP addresses, that your internet-facing devices have properly configured firewalls, that unnecessary ports and services are not exposed, and that default credentials have been changed.

Secure configuration - the assessor verifies that your devices and software are configured according to Cyber Essentials requirements. This includes checking for unnecessary software, default accounts, and insecure settings.

Access control - the assessor confirms that user accounts are appropriately configured, that admin privileges are restricted, and that MFA is enforced where required. Under v3.3 (effective 28 April 2026), MFA is mandatory for all cloud services and all admin accounts.

Malware protection - the assessor verifies that anti-malware software is installed, active, and up to date on all in-scope devices.

Patch management - the assessor checks that operating systems, browsers, and other software are running vendor-supported versions with current patches. Any update that fixes a critical or high-severity vulnerability (CVSS v3 score of 7.0 or above) and has been available for more than 14 days will cause a failure, as will any unsupported software still installed.

Common Failure Points for SJP Partners

Based on our experience certifying financial advisory firms, these are the most frequent issues:

MFA not enforced on all cloud services. Many partners have MFA on their main email but not on their CRM, file sharing platform, or back-office tools. Under v3.3, every cloud service must have MFA enabled. Check Salesforce, Microsoft 365, Google Workspace, and any cloud-based financial planning tools.
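
"MFA on" in the Microsoft 365 admin centre can mean Security Defaults, a Conditional Access policy, or a report-only policy that enforces nothing. The script below is an added example, not Fig's or SJP's tooling, and checks a tenant the way an assessor reasons about it: is there an enforced, all-users, all-apps MFA requirement, and who is excluded from it. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account holds the Policy.Read.All permission.

```powershell
# Added example (not Fig's or SJP's tooling): confirm a Microsoft 365 tenant
# enforces MFA for every user, via either of the two routes a small practice
# normally uses - Security Defaults, or a Conditional Access policy.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed; the signed-in
# account can consent to Policy.Read.All.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$Findings = @()

# Route 1: Security Defaults (MFA for all users, no per-user exceptions).
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$securityDefaultsOn = [bool]$sd.IsEnabled

# Route 2: an *enabled* Conditional Access policy that requires MFA (or an
# authentication strength) for all users and all cloud apps.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$mfaForAll = @($caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or
     -not [string]::IsNullOrEmpty($_.GrantControls.AuthenticationStrength.Id)) -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All'
})

if (-not $securityDefaultsOn -and $mfaForAll.Count -eq 0) {
    $Findings += 'MFA: neither Security Defaults nor an enabled all-users/all-apps Conditional Access MFA policy is in place'
}

# Exclusions are where "MFA for everyone" quietly stops being true: list any
# excluded users or groups so each one can be justified to the assessor.
foreach ($p in $mfaForAll) {
    $excluded = @($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups)
    if ($excluded.Count -gt 0) {
        $Findings += "MFA: policy '$($p.DisplayName)' excludes $($excluded.Count) user(s)/group(s): $($excluded -join ', ')"
    }
}

# Report-only policies look like coverage in the portal but enforce nothing.
foreach ($p in ($caPolicies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' })) {
    $Findings += "MFA: policy '$($p.DisplayName)' is report-only, not enforced"
}

if ($Findings.Count -eq 0) { 'PASS: MFA is enforced tenant-wide' } else { $Findings }
Disconnect-MgGraph | Out-Null
```

This only covers Microsoft 365. Salesforce, Google Workspace, your back-office platform and any cloud-based financial planning tool each have their own admin console and need the same question asked of them: is MFA enforced for every account, including the shared mailbox nobody remembers and the consultant who left last year.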

Personal devices without controls. If you or your staff use personal laptops or phones to access SJP systems or client data, those devices are in scope. They must have up-to-date operating systems, anti-malware software, and screen locks enabled.

Overdue software updates. The 14-day patching window catches many partners out. A single device with an overdue Windows update or an unsupported browser version will fail the Plus audit. Check every device before the assessment.

Shared user accounts. Using a single login shared between multiple staff members is a common shortcut in small advisory practices. It is also an automatic failure. Every person must have their own account.

Router and firewall defaults. The broadband router in your office may well still be using the administrator password it shipped with, and its admin interface may be reachable from the internet. Cyber Essentials requires that default passwords are changed and that any remote administration interface is either disabled or protected by MFA or an IP allow list. If you have not checked, the external scan will flag it immediately.
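
The device-level failure points above (overdue updates, unsupported OS, anti-malware state, screen lock, shared or generic admin accounts) can be checked on each Windows endpoint before the assessor does. The script below is an added example, not Fig's readiness tool or anything from SJP. It assumes Windows 10/11 with Microsoft Defender, an elevated Windows PowerShell 5.1 session, and measures the 14-day window from the date Windows Update last published each pending update.

```powershell
# Added example (not Fig's or SJP's tooling): pre-assessment check of one
# Windows endpoint against the device-level failure points above.
# Assumptions: Windows 10/11 with Microsoft Defender, elevated Windows
# PowerShell 5.1. Update age is taken from Windows Update's own
# LastDeploymentChangeTime, which is what "available for 14 days" means here.
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Patch management: anything Windows Update can see but has not installed.
$Searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$Pending  = $Searcher.Search('IsInstalled=0 and IsHidden=0').Updates
foreach ($u in $Pending) {
    $ageDays = ((Get-Date) - $u.LastDeploymentChangeTime).Days
    if ($ageDays -gt 14) {
        $Findings.Add("PATCH: '$($u.Title)' has been available for $ageDays days (limit 14)")
    }
}

# 2. Supported operating system. Windows 10 left support on 14 October 2025,
#    so any build below 22000 (Windows 11) is flagged unless it is covered by
#    Extended Security Updates, which the assessor will want evidence of.
$os = Get-CimInstance Win32_OperatingSystem
if ([int]$os.BuildNumber -lt 22000) {
    $Findings.Add("OS: $($os.Caption) build $($os.BuildNumber) is out of support without ESU")
}

# 3. Malware protection: real-time protection on and signatures current.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $Findings.Add('MALWARE: Defender real-time protection is disabled') }
if ($mp.AntivirusSignatureAge -gt 1)   { $Findings.Add("MALWARE: signatures are $($mp.AntivirusSignatureAge) days old") }

# 4. Screen lock for the current user: screensaver on and password required
#    on resume. Policy-managed devices set the same values under
#    HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop instead.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
    $Findings.Add('LOCK: screen lock is not enabled or does not require a password')
}

# 5. Access control: every local administrator must be a named individual
#    with a separate standard account for day-to-day work. Generic names
#    ("Reception", "Admin") are exactly what the assessor will ask about.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
"Local Administrators: $($admins -join ', ')  (review: each must be a named person)"

if ($Findings.Count -eq 0) { 'PASS: no device-level findings' } else { $Findings }
```

Run it on every in-scope device, including personal laptops used for SJP work. The router check in the last point cannot be done from an endpoint; log in to the router's admin page, confirm the password is not the factory one, and confirm remote administration from the internet is switched off.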

The Certification Process

For SJP partners, we recommend this sequence:

1. Run the readiness check - Use Fig's free readiness tool to identify any gaps before you start the formal process

2. Fix the gaps - Address MFA, patching, and access control issues first. These are the most common failure points and the fastest to fix

3. Certify to Cyber Essentials - Complete the self-assessment questionnaire. This can be done same-day through Fig if you purchase before 12:00 midday

4. Book your Plus audit - Once Cyber Essentials is confirmed, schedule the Plus technical audit. Allow 1-3 working days for the remote assessment

5. Submit your certificate to SJP - Once you receive your Plus certificate, provide it to SJP through their compliance portal

Fig provides structured feedback on your Cyber Essentials submission - if there are gaps in your answers, we will tell you exactly what needs to change and you can resubmit. This is not a gotcha exercise. The goal is to get you certified with genuine controls in place.

Renewal and Ongoing Compliance

Cyber Essentials certificates are valid for 12 months. SJP expects continuous certification - letting your certificate lapse is a compliance breach.

Set a reminder to begin the renewal process at least 4 weeks before expiry. If your IT environment has changed during the year (new devices, new software, office move), review your controls before starting the renewal assessment.

The v3.3 changes taking effect on 28 April 2026 mean that your next renewal assessment will be against the updated requirements. The biggest change is mandatory MFA for all cloud services, so ensure this is in place before your renewal date.

Get Cyber Essentials Plus certified