Cyber Essentials · Defence & Government Supply Chain
Tenders, primes and the MOD increasingly require it — usually with a deadline attached. We get small businesses certified first time. Fixed price. Remediation included. Support until you pass.
A prime or MOD contract now requires Cyber Essentials (or CE Plus) and the clock is ticking.
You started the self-assessment and hit questions you can't confidently answer.
You failed first time, or the assessor keeps bouncing your submission back.
Your certificate expires soon — and the requirements have changed since last year.
The standard, in plain English
Cyber Essentials isn't complicated — it's five technical controls that defeat the vast majority of common attacks. It's just rarely finished. This is the whole register:
No default passwords, no unnecessary exposed services, and a reason for every open port — router included.
Every device does only what it needs to. Defaults changed, unused software removed — and an asset list that's actually true.
One person, one account. Separate accounts for admin work. MFA for everyone — no exceptions. Leavers lose access on day one.
Anti-malware on every in-scope device, updating itself. The built-in tools pass — configured properly.
High and critical patches applied within 14 days. Including the devices auto-update forgot.
We implement, evidence and document all five — then support your submission until the certificate is issued.
Fixed prices. No day-rate meters.
Why C5ISR
Most Cyber Essentials help comes from generalist IT firms working from the question set. We come from the other direction: designing the security requirements that flow down to suppliers in UK defence and government programmes.
That means we know what assessors look for, why submissions get bounced, and — more usefully — what your prime's supplier-assurance team actually wants to see. We speak both languages: yours, and your customer's.
And when the answer is "you're closer than you think — here's a checklist, do it yourself," that's exactly what we'll tell you. The businesses that do need help remember the honesty.
How it works
A free 20-minute call. Your devices, cloud services, people and deadline. You leave knowing roughly how far you are from certification — whether or not we work together.
A prioritised remediation sprint. We implement the five controls with you — MFA, patching, configuration, the asset register — and evidence everything as we go.
We review your answers as an assessor would, support the submission, and handle any queries until the certificate is issued. Then it goes on the public register — where your customers can see it.
Straight answers
Free 20-minute scoping call
20 minutes. Honest answers. You'll leave knowing how far you are from certification, what remediation involves, and whether you even need our help. Sometimes the answer is "do it yourself" — and we'll say so.
Book your scoping callPrefer email? enquiries@c5isr-ltd.com · Or connect on LinkedIn