Cyber Essentials Explained: The Roles of Cyber Advisors, Assured Service Providers & Certification Bodies

The number of organisations achieving Cyber Essentials is growing each year. According to the NCSC Annual Review 2024, 33,836 Cyber Essentials certifications were awarded within a 12 month period.  Although, many organisations are still unfamiliar with the roles that Cyber Advisors, Assured Service Providers and Certification Bodies play in the delivery of the scheme.  

By understanding these roles more clearly, you can make sure that you are getting the most out of the certification process and working with the right security partner. In this blog, we will explain exactly what you need to know, clearing up these frequently asked questions.  

Who are the NCSC and IASME? 

The NCSC (National Cyber Security Centre) is a UK government agency that provide a single point of contact for organisations, the government and the general public, aiming to reduce risks and respond to cyber security incidents since their launch in 2016.  

With 7.7 million cyber crimes experienced by businesses in the past year (around half of all UK businesses), the NCSC recommends all organisations adhere to the minimum cyber security standards by achieving Cyber Essentials.  

IASME is the Cyber Essentials Delivery Partner for this government backed scheme. IASME specialises in the delivery of many cyber security certifications including IASME Cyber Assurance, IASME IoT Cyber and NCSC Cyber Incident Response Standard. They work with the NCSC on any revisions to the scheme and oversee security companies delivering the scheme.    

Certification Bodies 

IASME work alongside a network of Certification Bodies, who are cyber security companies or IT companies that have been authorised by IASME to deliver Cyber Essentials assessments to organisations. Certification Bodies employ IASME assessors who are the qualified security professionals that carry out the assessments for both levels of the scheme. Depending on whether you want to get Cyber Essentials or Cyber Essentials Plus, it’s important to check if the Certification Body is certified to work with that level. For example, to be a Certification Body for Cyber Essentials Plus, further training and qualifications must be held by the team within the security company.  

Assured Service Providers 

With how crowded the cyber security market is, it’s often hard to know where to start and who to trust when looking for a cyber security partner.  

The NCSC have defined what is good practice, and through a range of schemes, provide assurance to buyers that they are working with service providers they can trust and have the right expertise.  

Assured Service Provider for the Cyber Essentials scheme, must be able to demonstrate: 

• A strong cyber security posture to ensure the security and confidentiality of client data.  

• Commitment to a quality management system underpins their dedication to providing an excellent and consistent client experience.  

• That the delivery of their scheme is undertaken by qualified employees and contractors. 

Cyber Advisors 

Cyber Advisors are the cyber security professionals that work for an Assured Service Provider. They individually go through rigorous testing to ensure that they have the technical understanding to provide assistance to organisations in preparation for their accreditation.  

Alongside their technical knowledge, they are also assessed on their ability to work specifically with small organisations. This element of the verification process is important with the increasing number of smaller organisations being required to achieve Cyber Essentials from their customers and supply chain.  

Cyber Essentials has been around now for over 10 years as it launched in 2014, and over these years the delivery of the scheme has changed significantly. Cyber Advisors and Assured Service Providers are moderately new concepts, launching in April 2023. They were created to fill the gap in the certification process, with the NCSC stating how they offer “trusted cyber security advice and practical support in implementing the Cyber Essentials controls”.

Who Should I Work With?  

There are many variable factors to this question depending on your organisation, internal resources and knowledge about the scheme. At Data Connect, we believe that the Cyber Essentials certification process is a valuable experience for anyone – it doesn’t matter your industry or size. We’ve been helping organisations achieve the certifications for 5+ years and a common theme we see is that businesses that use the certification as a box ticking exercise, getting no where near as much value as they could. An example of this is when filling out the questionnaire. If the person misunderstands a question or the scope and states that they meet the certification requirement, the Certification Body marking the questionnaire will not know the information is incorrect. Unfortunately, some organisations also purposely deceive the marking Certification Body. Not only are organisations in both these situations not Cyber Essentials compliant, but they ARE NOT SECURE. By obtaining Cyber Essentials, you are 92% less likely to have to claim on cyber insurance. This statistic alone shows how valuable not only the certification scheme is but also the process. 

There has been some changes relating to Cyber Essentials Plus in the most recent Cyber Essentials Plus updates (launched April 2025) where auditors must now gather further evidence from Cyber Essentials Plus audits. This evidence must be able to stand up in court, in the case of a breach and Cyber Essentials is brought into question.   

Another example referring to Cyber Essentials Plus, is when an organisation wants the Cyber Essentials Plus Certification Body to only audit them, whilst doing the preparation themselves. However, when it comes to the day of the audit, it turns out they are not ready at all! This not only causes delay to their certification but also wastes their internal time and resources.

If you believe that assistance and practical support getting to the point of certification would be beneficial or if you want to realise the full value of the process, it’s best to work with an Assured Service Provider and Cyber Advisors.  

Data Connect are Proud to be a Cyber Advisor, Assured Service Provider and a Certification Body for both levels.  

Prior to 2023, it was hard to know if the company you worked with for Cyber Essentials, had the right skills to not only mark/audit your submissions but to also implement the technical controls. This has meant that the implementation of Assured Service Providers and Cyber Advisors has been welcomed amongst cyber security companies like ours, because it now provides external verification to organisations. These organisations now know they are partnering with an NCSC trusted business that have the right skill set to match their exact needs.  

If you would like to read more about the benefits of Cyber Advisors, you can download our Cyber Advisors datasheet.  

Want to find out more about how Data Connect can help you? Head to our vSOC CERT page, our Cyber Essentials Review Toolkit that helps you streamline certification year after year.