Cyber Essentials Plus for UK Accountancy Firms: ICAEW Standards, HMRC Data, and Client Mandate Cyber Reviews

‍‌​​‌‌​‌​‌​‌‌​​​​‌​‌‌​​‌‌​​‌​​‌‌‌​​​‌‌‌‌‌‌​‌‌​​​‌‌‌​‌‌‌​‌‌‌‌​‌​​​‍UK accountancy firms hold HMRC-grade client data on every desktop and across half a dozen SaaS applications the partners adopted directly. Three drivers now bring those firms to Cyber Essentials Plus. The professional-body standards from ICAEW, ICAS, ACCA, AAT, and CIOT expect effective controls. Corporate clients with their own cyber teams run procurement-grade reviews on their auditors, tax advisers, and corporate-finance advisers. PI renewals ask increasingly specific questions about cyber posture.

What follows is what those professional bodies expect on the cyber side of effective systems, what the corporate-client questionnaires want, what the insurers are asking about now, and how a partner-led firm with a small in-house IT function or an outsourced MSP closes the gap.

What the professional body expects

The ICAEW Code of Ethics and the Practice Assurance regime do not name Cyber Essentials. They name the obligations that Cyber Essentials closes.

The Code of Ethics carries confidentiality as a fundamental principle. Members must respect the confidentiality of information acquired as a result of professional and business relationships. Practice Assurance reviews check that firms have effective systems for the matters within scope, which includes the protection of client information. ICAS, ACCA, AAT, and CIOT carry equivalent confidentiality and effective-systems expectations under their own ethical frameworks.

The accountability framing matters. The professional body does not tell the firm which technical controls to put in place. It holds the firm and the responsible individual partner accountable for the outcome. If client tax data, payroll data, or draft accounts end up exposed because the firm did not maintain effective controls, the conversation with the professional body is about the partner, not about the IT vendor.

Cyber Essentials Plus is the cleanest way I have seen an accountancy firm build that evidence. The scheme produces an external, dated, assessor-signed certificate that says the five technical controls were in place on assessment day. That is what the Practice Assurance review and the Code of Ethics framework expect to be able to point at.

The five controls translate into the practical work of accountancy confidentiality without much friction. Firewalls keep traffic that should not reach the firm's network from reaching it. Secure configuration removes default credentials and exposed services from the firm's devices. User access control restricts client folders to the people working on the matter. Malware protection runs on every device that touches client data. The 14-day patching window for high-severity vulnerabilities keeps the operating system and application layer current against known exploits.

A firm holding those controls is meeting the practical work of the professional-body confidentiality and effective-systems expectations. A firm without them is exposed on the day a problem surfaces.

What corporate-client cyber reviews want

Corporate clients running procurement-grade cyber reviews now extend that review to their external auditors, their tax advisers, and the corporate-finance advisers handling deal data. The questionnaire is the deliverable. The questions on it have settled into a recognisable pattern across the engagements we have run.

The certificate question always sits at the top. The questionnaire wants the certificate number, the issuing certification body, and the expiry date. A current CE Plus answers this in one line.

After the certificate comes multi-factor authentication. The questionnaire wants confirmation that MFA is enabled on every account with access to client data, including the partner accounts. Senior accounts are where MFA most often gets rolled back because an integration with the practice-management or audit-working-papers tool broke. CE Plus assessment day samples the identity layer to confirm what is actually enrolled in production.

Patching cadence is next. The questionnaire wants to know whether the firm holds patches inside the 14-day window for high-severity vulnerabilities across the desktop estate, the tax software, the practice-management application, and the document management system. The CE Plus assessment confirms the cadence held in practice across a sample of devices.

The remaining questions move from technical controls into operational governance. The corporate client wants a named incident-response contact, a documented response process with defined notification thresholds, and evidence that the firm assesses its own IT vendors. CE Plus does not directly assess incident response, but the operational discipline it requires usually sits next to a documented response process. CE Plus scope does include the firm's third-party tools, which means the supplier question is partially answered by the certificate.

Where the answers land varies sharply by which certificate the firm holds. With a current CE Plus, the cyber section closes on the certificate alone. With CE Basic, parts of it close. With neither, the firm gets a long-form security audit from the corporate client's cyber team, on a deadline that almost always came from procurement rather than from finance.

The PI insurance angle

Accountancy PI insurance renewals now include a cyber security section. The questions overlap with the corporate-client questionnaire because the insurer is pricing the same risk: the likelihood of a client-data exposure or a fraudulent-instruction loss and the firm's likely response when it happens.

Most PI insurers in the accountancy sector now ask whether the firm holds a Cyber Essentials or Cyber Essentials Plus certificate. Many give favourable consideration to firms holding Plus. The specific premium adjustment varies by insurer and by firm. The broker is the right person to confirm what a CE Plus certificate would mean for a specific renewal.

The honest framing is that CE Plus produces a documented, externally-verified statement of cyber controls that the insurer can evaluate against a known scheme. Insurers like known schemes because they reduce the underwriting friction. The premium effect, if any, sits downstream of that.

The MSP gap

This is where most accountancy CE Plus engagements run into the practical gap.

A typical accountancy firm runs on Microsoft 365 plus a tax software stack (CCH, IRIS, TaxCalc, or similar) plus a practice-management application plus a payroll application plus a document management system plus a cloud-based bank-feed or reconciliation tool. The MSP usually covers desktops and the M365 tenancy. The tax and payroll vendors handle their own application updates. The practice-management vendor handles the practice-management application. The bank-feed tool sits in a SaaS estate the partners adopted directly.

CE Plus checks layers across all of these.

Application-layer patching on the tax software, the practice-management application, the audit working-papers tool, the payroll application, and the document management system. Browser plug-ins and extensions, including the bank-feed connectors and the ones partners installed individually for receipt scanning. Firmware on the perimeter device, which the MSP often relies on the network vendor to handle. Third-party SaaS tools partners adopted without central procurement. Identity-layer hygiene, including MFA coverage on partner accounts that may have been excluded because an integration with the practice-management tool broke.

The first scan in a CE Plus engagement reveals the gap between what the MSP manages and what the assessor will sample.

A pattern that turns up regularly across firms: the tax software is on a vendor release that was superseded six months ago, with a known high-severity vulnerability the firm never applied because the upgrade required scheduling around the self-assessment season and nobody owned the calendar. The MSP applied OS patches and treated the firm as patched. The application-layer gap sat outside the MSP's scope and outside the partners' visibility until the assessor's report landed.

The fix is operational, not confrontational. The MSP retains the desktop and Microsoft 365 work. The CE Plus assessor and the firm agree the application-layer remediation owner for each finding. The managing partner makes the operational call on the tax-software upgrade scheduling around the season calendar. The certificate issues once the gap closes.

How CE Plus and Cyber 365 fit together

A CE Plus certificate is valid for 12 months. The professional-body framework expects continuous effective controls, not annual ones. Those two timeframes do not line up without something running in between.

That something is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next assessment day becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift. (referenced in the interim containment benchmarking report).

For an accountancy firm operating under ICAEW, ICAS, ACCA, AAT, or CIOT confidentiality and effective-systems expectations, the combination is the closer fit. The certificate proves the controls were in place on assessment day. The continuous discipline proves they have stayed in place since.

The Danzell assessment platform that came in April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform, the strict reading was that scanning at renewal could clear the patch-management control. Under Danzell, the scheme requires continuous discipline. The professional-body principle the firm's partners already operated under has now been written into the scheme rules the firm's certificate sits inside.

Where to start

Book a 30-minute scoping call. We need the device count for the firm, the tax software and practice-management application names, the current patching arrangement, whether multi-factor authentication is enabled across all accounts including partner accounts, and the corporate-client questionnaire or PI deadline if you have one. We come back with a written quote covering the CE Plus engagement and, if the firm wants the year-round discipline added, the Cyber 365 programme alongside it.

For firms that already hold a current CE Plus certificate, Cyber 365 sits alongside whatever certification arrangement is in place. For firms starting from neither, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with the year-round discipline into one monthly subscription.

The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified firm and IASME. NetSec does not bundle, broker, or upsell it.

The professional-body framework places the responsibility on the firm's partners for the protection of client confidential information. Cyber Essentials Plus produces the dated, externally-verified evidence those partners need. Cyber 365 produces the continuous discipline the framework expects between assessment days.

netsec-canary-e05a783695da.