Secure 0118 359 2220 Get Started

Press ESC to close or Enter to search

Popular Pages
Managed IT Cyber Security Case Studies Pricing Contact
Home
About Us
Services
Managed IT Services Cyber Security & Compliance Microsoft 365 Cloud & Hosting Backup & Disaster Recovery Connectivity & Telephony Incident Response & 24/7 IT Support Reading
Pricing
Tools
Domain Health Check About You Password Generator
Resources
Case Studies Threat Intelligence Blog & Insights Guides FAQs Customer Portal Remote Support
Contact
Get Started
Live Security Feed
Your IPDetecting...
NCSCUK organisations urged to strengthen cyber defences ALERTPhishing attacks targeting Microsoft 365 users on the rise CISACritical vulnerabilities identified in popular software NEWSRansomware groups increasingly targeting SME businesses NCSCNew guidance released for securing remote workers ALERTBusiness email compromise attacks cost UK firms millions CISAZero-day exploits require immediate patching attention NEWSAI-powered threats becoming more sophisticated in 2025 NCSCUK organisations urged to strengthen cyber defences ALERTPhishing attacks targeting Microsoft 365 users on the rise CISACritical vulnerabilities identified in popular software NEWSRansomware groups increasingly targeting SME businesses NCSCNew guidance released for securing remote workers ALERTBusiness email compromise attacks cost UK firms millions CISAZero-day exploits require immediate patching attention NEWSAI-powered threats becoming more sophisticated in 2025
View Dashboard
Compliance

How Do I Get Cyber Essentials Plus for Defence Contracts?

Quick Answer

Get a gap analysis first, fix any issues, then book the assessment. For defence work, also consider UK data residency, supply chain flow-downs, and maintaining certification annually. Start before you need it—certification takes 4-8 weeks.

Quick answer: Get a gap analysis first, fix any issues, then book the assessment. For defence work, also consider UK data residency, supply chain flow-downs, and maintaining certification annually. Start before you need it—certification takes 4-8 weeks.

The Defence Requirement

DEFCON 658 mandates Cyber Essentials Plus for the defence supply chain. This isn't optional—no CE Plus means no contract.

Who needs it:

  • Direct MOD suppliers
  • Prime contractor suppliers (Tier 1, 2, 3...)
  • Anyone handling defence-related information

Getting Certified: Step by Step

1. Gap analysis (Week 1)

Before committing time and money, understand where you stand:
  • Current controls vs CE Plus requirements
  • Specific gaps to address
  • Realistic timeline and budget
Don't book an assessment until you know you'll pass.

2. Remediation (Weeks 2-4)

Fix what needs fixing:
  • Patching backlogs
  • MFA gaps
  • Firewall configuration
  • Device management
  • Documentation

3. Pre-assessment check (Week 5)

Verify everything before the real assessment:
  • Internal testing against CE Plus criteria
  • Sample device checks
  • External vulnerability scan

4. Certification assessment (Weeks 6-8)

  • Book with IASME-approved assessor
  • Stage 1: Questionnaire review
  • Stage 2: Technical verification
  • Certificate issued if successful

Defence-Specific Considerations

UK data residency

Many defence contracts require UK data storage. Check:
  • Where is your email hosted?
  • Where are backups stored?
  • Where do cloud services process data?
Microsoft 365 can be configured for UK data residency. Verify your configuration.

Additional requirements beyond CE Plus

Some contracts require more:
  • Enhanced cyber controls
  • Specific handling procedures
  • Security clearances
  • ISO 27001
CE Plus is the baseline, not necessarily the ceiling.

Flow-down obligations

If you have subcontractors, you may need to ensure they're also certified. Understand your flow-down requirements.

Annual renewal

CE Plus lasts 12 months. Build renewal into your calendar—lapsed certification = contract problems.

Common Mistakes

Underestimating scope Forgetting devices, home workers, cloud services. If it accesses company data, it's in scope.

Rushing the assessment Booking before you're ready. Failed assessment = wasted fees plus delays.

Ignoring UK data requirements Passing CE Plus but failing defence data residency requirements.

Letting certification lapse Forgetting renewal. Suddenly non-compliant mid-contract.

What We Offer

We specialise in defence supply chain certification:

  • Gap analysis tailored to defence requirements
  • Remediation addressing CE Plus and defence-specific needs
  • UK-hosted solutions meeting data residency requirements
  • Ongoing compliance keeping you certified year-round
Our Compliance-Ready managed service maintains the controls defence contracts require.

---

*Disclaimer: Defence contract requirements vary by programme. Always verify specific requirements with your prime contractor or contracting authority.*

---

- we specialise in this.

---

Related Questions