Cyber Essentials Plus for UK Managed Service Providers: Why MSPs Hold the Certificate Their Customers Are About to Ask For

UK Managed Service Providers occupy a structural position in the cyber supply chain that almost no other sector occupies. The MSP holds privileged access into every customer environment it manages. An MSP compromise propagates to every customer through that privileged access. NCSC guidance on supply chain security and MSP-specific advisories both expect MSPs to maintain a cyber posture commensurate with the access they hold.
Customer questionnaires are catching up. Large customers, regulated customers, public-sector customers, and increasingly mid-market customers now ask their MSP to evidence its own cyber posture before trusting the MSP with theirs. Cyber Essentials Plus is the artefact most often named.
What follows is what customer questionnaires actually ask the MSP, what CE Plus scope looks like for an MSP estate, the awkward conversation about why MSPs that implement CE Plus for customers often do not hold it themselves, and how an MSP whose own house is in some disorder gets in shape.
Why customers are now asking the MSP
The MSP supply-chain attack pattern has become well-understood across the cyber sector and increasingly across customer procurement teams. An attacker compromising an MSP gains a multiplier: the MSP's privileged access into customer environments lets the attacker pivot from the MSP into every customer the MSP manages.
NCSC's supply chain security guidance and the MSP-specific advisories from NCSC and CISA both call this out. Customers procuring managed IT services are now expected to do supplier-side cyber due diligence on their MSP. Many of those customers are themselves regulated (financial services, healthcare, defence supply chain, central government supplier base) and the regulatory framework on the customer side requires the customer to evidence the cyber posture of its own supply chain.
The cyber-side conversation across the customer base is consistent: the MSP that cannot evidence its own cyber posture is the MSP that the customer is going to switch away from at the next renewal cycle. The customers may not all act today. The pattern across the next 12 to 24 months is clear.
Cyber Essentials Plus is the named artefact in most of those customer questionnaires. The reasons are similar to other regulated sectors. CE Plus produces an external, dated, assessor-signed certificate. The certificate is a known scheme that the customer's procurement and cyber teams understand. The cost is low relative to the customer-retention value. The timeline is short relative to the customer's procurement cycle.
What customer questionnaires ask the MSP
The customer's questionnaire on the MSP runs a recognisable pattern across the engagements we have seen.
The certificate question always sits at the top. The questionnaire wants the MSP's own certificate number, the issuing certification body, and the expiry date. A current CE Plus on the MSP itself answers this in one line.
After the certificate comes multi-factor authentication on privileged accounts. The questionnaire wants confirmation that MFA is enabled on every account the MSP uses to access customer environments, including the RMM administrator accounts, the PSA accounts with customer-data access, and any direct-administrator accounts on customer infrastructure. The customer's interest in this is intense, because these are the accounts whose compromise would propagate into the customer's environment.
Patching cadence on the MSP's own tools is next. The questionnaire wants to know whether the MSP holds patches inside the 14-day window across the RMM, the PSA, the security tools the MSP relies on, and the MSP's own desktop estate. The CE Plus assessment confirms the cadence held in practice.
The remaining questions move from technical controls into operational governance specific to the MSP role. The customer wants the MSP's own incident-response process if the MSP itself experiences a compromise, including the customer-notification thresholds and the timeline for notification. The customer wants the MSP's approach to onboarding and offboarding technicians, particularly around the privileged-access lifecycle. The customer wants the MSP's approach to its own third-party tools, including the RMM and PSA vendors. CE Plus does not directly assess incident response, but the operational discipline it requires usually sits next to a documented response process. CE Plus scope does include the MSP's third-party tools.
Where the answers land varies sharply by which certificate the MSP holds. With a current CE Plus on the MSP itself, the cyber section of customer due diligence closes on the certificate. With CE Basic on the MSP, parts of it close. With neither, the customer notes the gap and weighs the renewal decision against it.
CE Plus scope for an MSP estate
An MSP runs a recognisable application stack that differs from most other sectors in the privileged access the stack carries.
Microsoft 365 sits in the centre, often as the MSP's own tenant alongside the customer tenants the MSP administers. The remote monitoring and management tool (RMM, often N-able, ConnectWise Automate, Datto RMM, NinjaOne, or similar) sits alongside it, with privileged access into every customer endpoint. The professional services automation tool (PSA, often ConnectWise PSA, Autotask, HaloPSA, or similar) holds customer data, contract data, and ticket history. The security tools (EDR platform, vulnerability scanner, MFA management, password vault) sit alongside, often with their own privileged access into customer environments. The MSP's own desktops, laptops, and the technician accounts that drive the whole operation tie everything together.
CE Plus scope covers all of these, with particular attention to the privileged-account hygiene around the RMM and the PSA.
Scope includes application-layer patching on the RMM, the PSA, the EDR platform, the vulnerability scanner, and the password vault; the patching cadence here matters because each of these tools is a high-value target whose compromise would propagate into customer environments. Scope also covers browser plug-ins and extensions used by the technicians, firmware on the perimeter device, identity-layer hygiene on the technician accounts (with intense focus on the privileged accounts that have customer-environment access), and BYOD arrangements where technicians use personal devices for any work-related task.
The first scan in a CE Plus engagement reveals the gap between what the MSP enforces at customer sites and what the MSP enforces internally.
A pattern that turns up regularly across MSP engagements: the RMM is on a vendor release that was superseded several months ago, with a known high-severity vulnerability the MSP never applied because the upgrade required scheduling around a maintenance window the MSP did not own (the RMM vendor sets the upgrade timing, the MSP's customers expect uninterrupted service). The MSP's own desktops were patched on the MSP's normal cadence. The RMM and PSA patching was the gap that sat outside the MSP's normal internal IT discipline until the assessor's report landed.
The fix is operational. The MSP's own internal IT function (or designated technical lead) takes ownership of the RMM and PSA patching cadence. The maintenance windows are scheduled around customer impact. The MFA position on technician privileged accounts is brought up to scheme expectation. The certificate issues once the gap closes.
The awkward conversation
This article exists because most MSPs implementing Cyber Essentials Plus for customers do not hold the certificate themselves. The pattern is recognisable.
The MSP's customers ask for cyber controls. The MSP responds by partnering with an IASME Certification Body to offer Cyber Essentials and Cyber Essentials Plus to those customers. The MSP becomes proficient at scoping and remediation work for customers. The MSP's own internal cyber discipline lags, because the MSP's own estate has no external customer driving the renewal cycle.
When the customer eventually asks the MSP for the MSP's own CE Plus certificate, the MSP scrambles. The scramble takes longer than it should because the MSP's own estate has not been kept under the same discipline the MSP enforces for customers.
The fix is straightforward in principle. The MSP scopes an internal CE Plus engagement on the same cycle as the MSP's largest customer engagements. The MSP runs the internal engagement with an external IASME Certification Body, not the MSP itself, to maintain assessment independence (and to satisfy the customer's expectation that the assessment is independent).
The fix is harder in practice because the MSP's own estate often carries technical debt the MSP would not tolerate at a customer site. The first internal scan reveals that debt. The remediation work is real. The conversation with the MSP's own technicians about the patching cadence on their own laptops is sometimes uncomfortable.
The honest framing is that an MSP holding CE Plus on its own estate has resolved this conversation. An MSP that has not is in the position of asking customers to hold a standard the MSP itself has not met.
How CE Plus and Cyber 365 fit together for MSPs
A CE Plus certificate is valid for 12 months. The MSP's customer base expects a continuous posture from the MSP, not an assessment-day posture. The privileged access the MSP holds into customer environments runs continuously. Those timeframes do not line up with annual certification.
That continuous posture is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next assessment day becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift.
For an MSP, the combination fits the customer expectation more closely than the certificate alone. The certificate proves the controls were in place on assessment day. The continuous discipline proves they have stayed in place since, which matters for the MSP's customer-facing cyber posture story (following the interim posture assessment protocol).
The Danzell assessment platform that came in April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform, the strict reading was that scanning at renewal could clear the patch-management control. Under Danzell, the scheme requires continuous discipline. The continuous-posture expectation that the MSP's customers already implied has now been written into the scheme rules the MSP's own certificate sits inside.
Where to start
Book a 30-minute scoping call. We need the MSP's size, the RMM and PSA names, the security-tools stack, the technician headcount, the current patching arrangement on the MSP's own internal tools, whether multi-factor authentication is enabled across all technician accounts including privileged accounts, and any customer due-diligence deadline if you have one. We come back with a written quote covering the CE Plus engagement and, if the MSP wants the year-round discipline added, the Cyber 365 programme alongside it.
The CE Plus assessment for the MSP itself is run by NetSec as the IASME Certification Body. If the MSP is currently a partner of NetSec offering Cyber Essentials to customers through us, we maintain assessment independence by running the MSP's own assessment under the same scheme rules but with documented independence on the assessor side.
For MSPs wanting both the certificate and the year-round discipline wrapped together, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with Cyber 365 into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified MSP and IASME. NetSec does not bundle, broker, or upsell it.
The MSP supply-chain position places responsibility on the MSP for the cyber posture protecting every customer the MSP manages. Cyber Essentials Plus produces the dated, externally-verified evidence that posture was in place on assessment day. Cyber 365 produces the continuous discipline the customer base expects between assessment days.