Cyber Essentials · Defence & Government Supply Chain

A contract just asked for Cyber Essentials.

Tenders, primes and the MOD increasingly require it — usually with a deadline attached. We get small businesses certified first time. Fixed price. Remediation included. Support until you pass.

Subject-matter expertsSecurity architecture background in UK defence & government programmes
Fixed pricesNo day-rate meters — remediation and assessor queries included
Hampshire-basedM3/M4 defence corridor on-site · remote UK-wide

Sound familiar?

SITUATION 01

A prime or MOD contract now requires Cyber Essentials (or CE Plus) and the clock is ticking.

SITUATION 02

You started the self-assessment and hit questions you can't confidently answer.

SITUATION 03

You failed first time, or the assessor keeps bouncing your submission back.

SITUATION 04

Your certificate expires soon — and the requirements have changed since last year.

The standard, in plain English

Five controls. Done properly.

Cyber Essentials isn't complicated — it's five technical controls that defeat the vast majority of common attacks. It's just rarely finished. This is the whole register:

CE-01

Firewalls

No default passwords, no unnecessary exposed services, and a reason for every open port — router included.

CE-02

Secure configuration

Every device does only what it needs to. Defaults changed, unused software removed — and an asset list that's actually true.

CE-03

User access control

One person, one account. Separate accounts for admin work. MFA for everyone — no exceptions. Leavers lose access on day one.

CE-04

Malware protection

Anti-malware on every in-scope device, updating itself. The built-in tools pass — configured properly.

CE-05

Security update management

High and critical patches applied within 14 days. Including the devices auto-update forgot.

We implement, evidence and document all five — then support your submission until the certificate is issued.

Fixed prices. No day-rate meters.

Choose your route

SVC-01

CE Readiness & Remediation

from £950 fixed price · typical duration 2–4 weeks
  • Gap assessment against the current question set
  • Plain-English remediation plan, prioritised
  • Hands-on implementation of the five controls
  • Answer review before submission
  • Support through assessor queries until you pass
SVC-03

Renewal & Retainer

from £150 per month · annual renewal handled end to end
  • Question-set changes tracked for you
  • Quarterly drift check — new kit, staff, software
  • Customer security questionnaires answered
  • A security person on call, without the payroll

Why C5ISR

We work on the other side of the fence

Most Cyber Essentials help comes from generalist IT firms working from the question set. We come from the other direction: designing the security requirements that flow down to suppliers in UK defence and government programmes.

That means we know what assessors look for, why submissions get bounced, and — more usefully — what your prime's supplier-assurance team actually wants to see. We speak both languages: yours, and your customer's.

And when the answer is "you're closer than you think — here's a checklist, do it yourself," that's exactly what we'll tell you. The businesses that do need help remember the honesty.

Expertise
Subject-matter experts in cyber security & assurance (CISSP-qualified)
Domain
UK defence & government security architecture
Frameworks
Secure by Design · NIST · JSP-series · MOD supply-chain requirements
Coverage
Hampshire & the M3/M4 corridor on-site · UK-wide remote
Company
C5ISR Consulting Ltd · fully insured

How it works

Deadline to certificate

STEP 01

Scope

A free 20-minute call. Your devices, cloud services, people and deadline. You leave knowing roughly how far you are from certification — whether or not we work together.

STEP 02

Fix

A prioritised remediation sprint. We implement the five controls with you — MFA, patching, configuration, the asset register — and evidence everything as we go.

STEP 03

Pass

We review your answers as an assessor would, support the submission, and handle any queries until the certificate is issued. Then it goes on the public register — where your customers can see it.

Straight answers

Questions we get asked

How long does it take?
Well-prepared businesses certify in 4–6 weeks. The questionnaire itself takes a day — most of the calendar time is the remediation it surfaces. The earlier you start relative to any contract deadline, the cheaper and calmer it is.
Do you guarantee a pass?
We guarantee we work with you through assessor queries until you pass — that's included in the fixed price, not billed by the hour. What we won't do is submit answers we know to be untrue; that protects your certificate and your contracts.
What's the difference between CE and CE Plus?
Cyber Essentials is a verified self-assessment — you answer, a licensed assessor marks it. CE Plus adds an independent technical audit: vulnerability scans, device sampling and malware tests. MOD and government contracts increasingly specify Plus. If your pipeline includes defence work, prepare for Plus from the start.
We're not in defence — can you still help?
Yes. The five controls are the same for any UK business — defence supply chains are simply where we know the pressure best. Insurers, larger customers and frameworks of every kind now ask for the certificate.
Are you the certification body?
No — certificates are issued by IASME-licensed certification bodies under the NCSC scheme, and that independence is the point. We're your side of the table: we prepare your business, implement the controls, and support your submission through certification.
What does the certificate itself cost?
The IASME assessment fee starts around £320+VAT for the smallest organisations and scales with size — that's paid to the scheme, separate from our fixed fee. Organisations under £20m turnover that certify whole-organisation also get cyber liability insurance included at no extra cost.

Free 20-minute scoping call

Find out where you stand — before a deadline does.

20 minutes. Honest answers. You'll leave knowing how far you are from certification, what remediation involves, and whether you even need our help. Sometimes the answer is "do it yourself" — and we'll say so.

Book your scoping call

Prefer email? enquiries@c5isr-ltd.com  ·  Or connect on LinkedIn