How to Verify a Cyber Essentials Certificate Is Genuine

If a supplier, partner, or contractor shows you a Cyber Essentials (CE) certificate, you should verify it before relying on it for procurement or supply chain decisions. Not because fraud is rampant, but because certificates expire, scopes can be narrow, and the difference between Basic and Plus matters for certain contracts. Verification takes less than two minutes and saves difficult conversations later.
The IASME register
Every genuine CE certificate is listed on the IASME register. IASME is the sole NCSC-licensed delivery partner for Cyber Essentials. They maintain the authoritative database of all current and recently expired certificates.
To verify: search by company name or certificate number at iasme.co.uk. A valid result shows:
- Organisation name - the legal entity that was assessed
- Certification level - Basic or Plus
- Date of issue
- Expiry date - 12 months from issue
- Scope - what parts of the organisation were assessed
If a certificate doesn't appear on the register, it's one of three things: expired and removed, issued under a different entity name, or not genuine.
What to check beyond "is it real"
A certificate being genuine doesn't automatically mean it covers what you need it to cover. Four things matter:
1. Expiry date
Certificates expire 12 months from issue. A certificate dated March 2025 expires March 2026. If you're checking in April 2026, it's no longer current regardless of how it looks on paper.
Some procurement processes accept certificates issued within the last 12 months. Others require a certificate that will remain valid for the duration of the contract. Check what your specific procurement process requires.
2. Certification level
CE Basic and CE Plus are fundamentally different certifications. Basic is a self-assessment reviewed by an assessor. Plus includes verified technical testing on live systems. Some contracts specifically require Plus - particularly NHS contracts, Ministry of Defence supply chains, and larger government procurements.
A Basic certificate doesn't satisfy a Plus requirement.
3. Scope
This is the one most procurement teams miss. A CE certificate covers a defined scope: specific offices, specific IT systems, specific services. A large organisation might certify its head office IT but not its regional offices. A software company might certify its corporate IT but not its product development environment.
If a supplier's certificate scope doesn't include the service they're providing to you, the certificate is genuine but not relevant.
4. Entity name
The certificate is issued to a specific legal entity. "ABC Group Ltd" and "ABC Services Ltd" might be related companies, but a certificate for one doesn't cover the other. Check that the entity on the certificate matches the entity you're contracting with.
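The four checks above can be run as a repeatable supplier-review step. The following is an added example, not part of the original article or any IASME tooling: it assumes the register fields have been transcribed by hand into a record, that Plus also satisfies a Basic requirement, and that the structure and field names are hypothetical. The scope check is a simple text match that flags entries for a human to read, not a decision.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class RegisterEntry:      # fields shown on the register, transcribed by hand
    organisation: str
    level: str            # "Basic" or "Plus"
    expires: date
    scope: str

@dataclass
class Requirement:        # what this contract needs (hypothetical structure)
    contracting_entity: str
    required_level: str
    scope_terms: List[str]                # terms the scope text must mention
    contract_end: Optional[date] = None   # set if the cert must outlast the contract

RANK = {"Basic": 1, "Plus": 2}  # assumption: Plus also meets a Basic requirement

def norm(text: str) -> str:
    # Case/whitespace only: related entities ("Group" vs "Services") must NOT match
    return " ".join(text.casefold().split())

def review(entry: Optional[RegisterEntry], req: Requirement, today: date) -> List[str]:
    """Return findings for a human reviewer; an empty list means all four checks pass."""
    if entry is None:
        return ["not on register: expired and removed, different entity name, or not genuine"]
    findings = []
    if today > entry.expires:
        findings.append(f"expired {entry.expires.isoformat()}")
    elif req.contract_end and entry.expires < req.contract_end:
        findings.append(f"expires {entry.expires.isoformat()}, before contract end")
    if RANK[entry.level] < RANK[req.required_level]:
        findings.append(f"level {entry.level} does not meet required {req.required_level}")
    if norm(entry.organisation) != norm(req.contracting_entity):
        findings.append(f"entity mismatch: certificate is for {entry.organisation!r}")
    missing = [t for t in req.scope_terms if norm(t) not in norm(entry.scope)]
    if missing:
        findings.append(f"scope does not mention: {', '.join(missing)}")
    return findings

if __name__ == "__main__":
    # Constructed sample: not a real register entry
    entry = RegisterEntry("ABC Group Ltd", "Basic", date(2026, 3, 10),
                          "Head office corporate IT")
    req = Requirement("ABC Services Ltd", "Plus", ["product development"])
    for finding in review(entry, req, today=date(2026, 4, 15)):
        print("-", finding)
```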
When verification matters most
Government procurement: PPN 09/14 requires CE for certain contract types. Procurement teams should verify certificates during the evaluation stage, not after contract award.
Supply chain assurance: If you require CE from suppliers as part of your own security programme, checking once at onboarding isn't enough. Certificates expire annually. Build verification into your annual supplier review.
Insurance applications: Cyber insurance providers that offer CE-based discounts may verify your certificate independently. Make sure yours is current before renewal.
Due diligence: If you're acquiring a business or entering a partnership, verifying their CE certificate confirms that their basic technical controls were in place at the time of assessment. It doesn't guarantee they're still in place now. That's what the annual renewal process is for, and it's worth checking the renewal history rather than just the current certificate date.
Red flags
A few things that should prompt closer scrutiny:
- Certificate not on the IASME register - the most obvious red flag
- Certificate number format doesn't match IASME's numbering - genuine certificates follow a consistent format
- Scope is vaguely defined - a legitimate certificate has a clear scope description
- No assessor or certification body named - genuine certificates identify the assessing body
- The business can't explain what was in scope - if they don't know what was assessed, that's a concern regardless of the certificate's validity
Verifying your own certificate
If you hold a CE certificate and want to check it's correctly listed:
- Search the IASME register using your organisation name
- Confirm the scope matches what was assessed
- Note the expiry date and plan renewal accordingly
- If the listing is incorrect or missing, contact your certification body
The register is the authoritative source. If your certificate isn't listed or the details are wrong, resolve it with your assessor before a client or procurement team finds the discrepancy. A missing or incorrect listing raises questions that are easily avoided by checking proactively.