Fig Group certifies Managed Service Providers and supply-chain suppliers selling into enterprise, NHS and central-government buyers across London. Whether you are responding to a framework mini-competition, a Crown Commercial Service DDQ or an NHS trust's DSPT submission, Cyber Essentials is the baseline control-demonstrating artefact on the cover sheet. Certification is delivered on a published flat fee with six-hour turnaround for compliant submissions.
The scoping challenge
MSPs run infrastructure that overlaps with their customers' estates, so the Cyber Essentials scope has to be drawn deliberately - the MSP's own devices and admin controls sit firmly in scope, customer estates do not.
The commercial gate
Cyber Essentials (and increasingly Cyber Essentials Plus) is now the baseline gate for MSPs selling into enterprise, NHS, and central-government accounts - explicit under PPN 014/21 for central-government contracts handling sensitive or personal information.
An MSP's Cyber Essentials scope is genuinely harder to draw than a typical end-customer's. Much of the infrastructure an MSP touches is shared with - or owned by - its customers, so the boundary needs to be set explicitly. Our approach: the MSP's own estate is in scope; customer estates are not.
Engineer laptops, MSP corporate email, the ticketing system, RMM tooling, and the monitoring stack - unambiguously in scope.
Customer infrastructure is excluded from the MSP's own certificate, unless the MSP owns the customer's devices outright.
Privileged access management, MFA on admin accounts, just-in-time access, and tiered engineer access - all sit on the MSP's own devices and accounts.
Cyber Essentials is the quickest line item to clear on a DDQ. Across UK-listed enterprises, NHS trusts, and central-government departments, it is now a near-universal procurement requirement.
Almost universally list Cyber Essentials - and increasingly Cyber Essentials Plus - as an explicit requirement on the cover sheet of the due-diligence questionnaire.
The Data Security and Protection Toolkit maps many of its evidence requirements to Cyber Essentials, even though the toolkit does not formally require it directly.
Makes Cyber Essentials explicit for central-government contracts handling sensitive or personal information.
The commercial implication
An MSP that cannot evidence Cyber Essentials on a DDQ cover sheet is typically disqualified at stage one of the bid - before any technical response is read. Cyber Essentials Plus is the upgrade that wins (not just passes) stage-two competition, because it demonstrates external verification rather than a self-assessment.
Fig Group has certified MSPs of every size - from two-person managed-service shops in north London to multi-site operations. Same published flat fee, regardless of MSP revenue or customer count.
Same price across every MSP, every revenue band, every customer count. No volume-based or revenue-based quoting.
Compliant Cyber Essentials submissions are returned certified within six hours - valuable when you are under tender-deadline pressure on a customer bid.
External vulnerability scan of internet-facing infrastructure plus a sampled endpoint audit on engineer workstations. Plus certificates complete in 1-3 working days.
Partnership arrangements for MSPs wanting to offer Cyber Essentials to their own customers - reach out via the contact form below.
Issued within six hours of a compliant submission.
Published flat fee. Never quoted on revenue.
Authorised certification body for CE and CE Plus.
Included if remediation is needed.
Looking for a Cyber Essentials certification body with a London presence? We compare the options available to London-based organisations.
ComplianceA detailed comparison of Cyber Essentials and Cyber Essentials Plus certification levels. Understand the differences in assessment, cost, credibility, and which level is right for your organisation.
ComplianceThe v3.3 update to Cyber Essentials makes multi-factor authentication mandatory for all user accounts. Here is what changed, who is affected, and how to comply.
Fig Group certifies organisations across every London borough. These boroughs are the main clusters for msps & supply chain:
Fig Group guarantees Cyber Essentials certification within 6 hours of self-assessment submission for orders placed before midday, provided the submission is compliant. If corrections are needed, up to three rounds of structured feedback are included at no extra cost. Cyber Essentials Plus takes 1-3 working days due to the external technical verification requirement.
Cyber Essentials costs from £299.99 + VAT (micro, 1-9 employees) to £549.99 + VAT (large, 250+ employees). Cyber Essentials Plus costs from £1,499 + VAT to £4,499 + VAT. Fig Group pricing is fully inclusive - no hidden fees, no revenue-based quoting, no mandatory add-ons.
Cyber Essentials is required under PPN 014/21 for certain UK central-government contracts handling sensitive or personal data. It is also increasingly required by NHS supplier frameworks, local authorities, regulated financial-services counterparties and private-sector enterprise procurement teams as the baseline evidence of foundational cybersecurity.
Cyber Essentials is a self-assessed questionnaire reviewed by an IASME-licensed assessor. Cyber Essentials Plus adds an external vulnerability scan and a sampled technical audit of end-user devices, independently verifying that the five controls are operating in practice. Both certifications are valid for 12 months and carry the same NCSC badge.
Six-hour guarantee for compliant submissions. Three free review rounds. Published flat fee from £299.99 + VAT.
Tell us about your msps & supply chain organisation and we will come back with a fixed price and a target certification date.