Cyber Essentials software that wins UK public-sector work
MOD, NHS, Crown Commercial Service and most councils now require Cyber Essentials — sometimes Cyber Essentials Plus — before a contract can be signed. ISO-STANDARD.app is the workspace that maps the five NCSC controls, evidences them and turns your certificate into a bid-winning artifact.
Cyber Essentials is a procurement gate, not a marketing badge
Under the Procurement Policy Note 09/23, most UK central-government contracts that handle sensitive information require Cyber Essentials as a minimum. Losing the certificate — or fudging an answer on the self-assessment — costs the contract. Regaining it takes months.
The five NCSC controls (firewalls, secure configuration, user access control, malware protection, security update management) are simple in theory. In practice they demand evidence across every device, every user and every SaaS in scope. That's a workspace job, not a Word document.
What's in the box
The five NCSC controls, mapped
Self-assessment workspace
Cyber Essentials Plus prep
Asset & user scope register
Remediation tracking
Trust Center for buyers
Why UK bid teams choose us
How buyers verify you — in minutes, not weeks
Bid evaluators don't want your certificate PDF — they want to know it's live, in-scope for their contract, and won't lapse mid-engagement.
- Step 1
Share your Trust Center link
Evaluator sees current certificate, scope statement, next renewal and any active remediation — before shortlisting.
- Step 2
Attach the certificate to the bid
Auto-generated evidence pack for the tender response, with scope statement and renewal date on the cover.
- Step 3
Answer the security appendix
The tender's security appendix is pre-answered from your evidence library — hours, not days.
- Step 4
Prove ongoing hygiene
Monthly patching, MFA coverage and secure-configuration checks are logged so the annual reassessment is uneventful.
The artifacts buyers actually ask for
Every artifact below is generated inside the workspace, versioned, timestamped and shareable via a signed link — no last-minute PDF assembly, no "wait, which version did I send them?"
Who it's for
Pain: The tender asks for Cyber Essentials in scope for the contract — you have a certificate but the scope statement is out of date.
With ISO-STANDARD.app: Live scope register, evidence per asset, Trust Center link on the bid. Evaluators tick the box on the first read.
Pain: Every client wants their own CE certificate, each with a slightly different scope and evidence set.
With ISO-STANDARD.app: A workspace per client, the same control mapping, the same audit-ready exports.
Pain: You've passed CE, but the technical audit for CE+ is next month and you don't know what will fail.
With ISO-STANDARD.app: Pre-audit gap view against Plus scope — patch levels, MFA, malware and configuration — with a punch-list of remediation.
"We were the only shortlisted supplier with a live Trust Center link in the bid response. The evaluator called it out on the debrief."
Answers buyers, procurement and auditors want
Does the platform issue the Cyber Essentials certificate?+
No — certification is issued by an IASME-accredited body. The platform gets you ready, hosts your evidence and helps you (or your assessor) complete the self-assessment defensibly.
Can I use it for Cyber Essentials Plus?+
Yes. The same control mapping, evidence and scope register drive both. Plus-specific technical tests (patch, MFA, malware, configuration) are surfaced as their own tracked items.
Does it help me win bids?+
Directly. Your certificate status, scope statement and evidence pack are one link — the same one that lives on your Trust Center. Bid teams stop chasing Security for screenshots.
What if my scope changes mid-year?+
Update the scope register; the platform re-derives which controls, users and assets are in scope. You'll see the delta and any evidence that needs refreshing.
Does this replace an assessor?+
No — but it means the assessor spends time assessing, not chasing you for artifacts.
Related
Read the Cyber Essentials guide or the Cyber Essentials Plus guide. Pair with ISO 27001 for a full ISMS.
Sample Cyber Essentials evidence you can download now
Anonymised samples aligned to the five CE control families and the CE+ technical assessment — download and use as your target.
100% MFA coverage across the IdP and all federated SaaS, phishing-resistant factor distribution and exception log.
PDF · ISO 27001 A.5.17/A.8.5 · SOC 2 CC6.1 · PCI Req 8.4
Monthly authenticated ASV scan of the production perimeter with SLA-tracked remediation and risk acceptance log.
PDF · ISO 27001 A.8.8 · SOC 2 CC7.1 · PCI Req 11.3 · CE+
Reviewer sign-off across AWS, GitHub, Okta, RDS, Datadog, PagerDuty — with findings, remediation and attestation.
PDF · ISO 27001 A.5.15–18 · SOC 2 CC6.2/6.3 · Cyber Essentials
100% completion register with quiz scores and simulated-phishing outcomes for the annual awareness programme.
PDF · ISO 27001 A.6.3 · SOC 2 CC1.4 · GDPR · Cyber Essentials
Samples are anonymised for public preview. Real exports carry your workspace branding, signed timestamps and per-control mappings.
Get Cyber Essentials ready — and stay bid-ready
Load the NCSC control areas, define your scope, publish your Trust Center, and turn the certificate into a bid-winning artifact.
Prefer a conversation? Email hello@iso-standard.app — a practitioner responds within one business day.