Cyber Essentials software that wins UK public-sector work

MOD, NHS, Crown Commercial Service and most councils now require Cyber Essentials — sometimes Cyber Essentials Plus — before a contract can be signed. ISO-STANDARD.app is the workspace that maps the five NCSC controls, evidences them and turns your certificate into a bid-winning artifact.

Cyber Essentials is a procurement gate, not a marketing badge

Under the Procurement Policy Note 09/23, most UK central-government contracts that handle sensitive information require Cyber Essentials as a minimum. Losing the certificate — or fudging an answer on the self-assessment — costs the contract. Regaining it takes months.

The five NCSC controls (firewalls, secure configuration, user access control, malware protection, security update management) are simple in theory. In practice they demand evidence across every device, every user and every SaaS in scope. That's a workspace job, not a Word document.

What's in the box

The five NCSC controls, mapped

Every control area broken into evidence-able sub-items with owner, cadence and current status.

Self-assessment workspace

Draft answers to the IASME self-assessment against your live evidence — no last-minute question chase.

Cyber Essentials Plus prep

Track the technical audit scope (patch levels, MFA coverage, malware protection, secure configuration) and close gaps before the assessor arrives.

Asset & user scope register

Define your scope (devices, cloud services, users) once. The scope drives every control, every evidence pull and every question.

Remediation tracking

Findings become CAPA items with owner, due date and effectiveness check — so recertification isn't a repeat of last year's scramble.

Trust Center for buyers

Publish current certification status and next renewal date. Bid teams stop chasing your Security lead for a screenshot of the certificate.

Why UK bid teams choose us

5
NCSC control areas pre-mapped
CE+
Plus-audit prep in the same workspace
1 link
Live certificate status on your Trust Center
PPN 09/23
Aligned to central-government procurement

How buyers verify you — in minutes, not weeks

Bid evaluators don't want your certificate PDF — they want to know it's live, in-scope for their contract, and won't lapse mid-engagement.

  1. Step 1

    Share your Trust Center link

    Evaluator sees current certificate, scope statement, next renewal and any active remediation — before shortlisting.

  2. Step 2

    Attach the certificate to the bid

    Auto-generated evidence pack for the tender response, with scope statement and renewal date on the cover.

  3. Step 3

    Answer the security appendix

    The tender's security appendix is pre-answered from your evidence library — hours, not days.

  4. Step 4

    Prove ongoing hygiene

    Monthly patching, MFA coverage and secure-configuration checks are logged so the annual reassessment is uneventful.

The artifacts buyers actually ask for

Every artifact below is generated inside the workspace, versioned, timestamped and shareable via a signed link — no last-minute PDF assembly, no "wait, which version did I send them?"

Scope statement (devices, cloud services, users)
Patch-management evidence per asset class
MFA enforcement report across in-scope users
Firewall / boundary configuration evidence
Malware protection status by endpoint
Secure configuration baseline evidence
Access review with joiner/mover/leaver log
IASME self-assessment draft (versioned)

Who it's for

SME bidding for UK public-sector work

Pain: The tender asks for Cyber Essentials in scope for the contract — you have a certificate but the scope statement is out of date.

With ISO-STANDARD.app: Live scope register, evidence per asset, Trust Center link on the bid. Evaluators tick the box on the first read.

Consultancy handling client environments

Pain: Every client wants their own CE certificate, each with a slightly different scope and evidence set.

With ISO-STANDARD.app: A workspace per client, the same control mapping, the same audit-ready exports.

Preparing for Cyber Essentials Plus

Pain: You've passed CE, but the technical audit for CE+ is next month and you don't know what will fail.

With ISO-STANDARD.app: Pre-audit gap view against Plus scope — patch levels, MFA, malware and configuration — with a punch-list of remediation.

Deal-close moment
"We were the only shortlisted supplier with a live Trust Center link in the bid response. The evaluator called it out on the debrief."
Bid Director, UK-based managed IT provider

Answers buyers, procurement and auditors want

Does the platform issue the Cyber Essentials certificate?+

No — certification is issued by an IASME-accredited body. The platform gets you ready, hosts your evidence and helps you (or your assessor) complete the self-assessment defensibly.

Can I use it for Cyber Essentials Plus?+

Yes. The same control mapping, evidence and scope register drive both. Plus-specific technical tests (patch, MFA, malware, configuration) are surfaced as their own tracked items.

Does it help me win bids?+

Directly. Your certificate status, scope statement and evidence pack are one link — the same one that lives on your Trust Center. Bid teams stop chasing Security for screenshots.

What if my scope changes mid-year?+

Update the scope register; the platform re-derives which controls, users and assets are in scope. You'll see the delta and any evidence that needs refreshing.

Does this replace an assessor?+

No — but it means the assessor spends time assessing, not chasing you for artifacts.

Related

Read the Cyber Essentials guide or the Cyber Essentials Plus guide. Pair with ISO 27001 for a full ISMS.

Sample Cyber Essentials evidence you can download now

Anonymised samples aligned to the five CE control families and the CE+ technical assessment — download and use as your target.

Samples are anonymised for public preview. Real exports carry your workspace branding, signed timestamps and per-control mappings.

Get Cyber Essentials ready — and stay bid-ready

Load the NCSC control areas, define your scope, publish your Trust Center, and turn the certificate into a bid-winning artifact.

Prefer a conversation? Email hello@iso-standard.app — a practitioner responds within one business day.

MM
Michael McCarroll
Founder · 25+ years
IT governance · Information security · AI
Why this platform exists

Enterprise-grade governance — built for the SMEs and consultants enterprise GRC forgets.

I've spent 25 years in corporate governance — aligning technology, controls and compliance with what the business is actually trying to do. Time and again, the same pattern: the organisations that win new clients aren't the ones with the biggest GRC budget. They're the ones who can demonstrate trust on demand. This platform is the tool I wanted for the SMEs and consultants I've worked with — institutional-grade governance without an institutional price tag, built on the way audits and buyer reviews actually happen.