Cyber Essentials Terms

Terms of Service for Cyber Essentials and Cyber Essentials Plus Purchases


  • We, us, our, certification body – TheTechForce Limited, with registered office address at Balmoral Hub, Balmoral Park, Wellington Circle, Aberdeen. AB12 3J
  • You, your - the person or organisation named as the client on the client application form.

Terms of Service

1. Completion Timeframe:

Clients are required to finish and submit the Cyber Essentials self-assessment questionnaire (SAQ) via the IASME Consortium (IASME) portal within six months of order placement. Any unfinished applications after this period will be deemed void, archived, and no refund shall be available.

2. Client Responsibilities:

If a specific certification deadline or certificate renewal is desired, clients should initiate the application well in advance. This includes supplying a comprehensive asset inventory that complies with Cyber Essentials standards.

3. Service Delivery:

We adhere to the standards of IASME, the official Cyber Essentials Partner for the National Cyber Security Centre (NCSC). We aren’t accountable for matters beyond these criteria. Price adjustments due to NCSC or IASME updates will be communicated.

4. Certification Attempts:

In case of unsuccessful first submissions, clients will receive feedback. A two-day window is given for re-submission. Failing this or a second unsuccessful attempt requires a fresh package purchase.

5. Cyber Essentials Plus Prerequisites:

Before advancing to this level, clients must confirm existing Cyber Essentials certification obtained via an IASME-accredited body within the past three months.

6. Certification Timelines:

Cyber Essentials Plus should be accomplished within three months of the base-level Cyber Essentials certification. Failing at this level might revoke the primary certification.

7. Testing Deadlines and Requirements:

For Cyber Essentials Plus, all assessments must be finalised and approved by us within the stipulated timeframe. If clients don't adhere to specified timelines, we aren’t obliged to offer services or refunds. Extra work on our part might be billed separately.

8. Testing Authorisations and Limitations:

Before commencing tests, explicit authorisation from the client and relevant stakeholders is mandatory. Any test constraints should be outlined during the request phase. Surcharges for special conditions will be agreed upon beforehand.

9. Retesting Procedures:

Failed Cyber Essentials Plus tests may warrant further assessments. We’ll provide guidance on the retests, which will be separately billed.

10. On-site Engagements:

If we are required to perform on-site consultations or tests, whether within or outside the mainland UK, associated expenses may apply.

11. Public Recognition:

We may, unless objected, display your brand on our site as a testament to certification success.

12. Cancellation Policy:

Cancellations within five business days of the scheduled date might incur full charges, and a 50% fee might apply for cancellations between five and ten days.

13. Cyber Liability Insurance:

UK-based clients with a turnover below £20 million who secure full organisation Cyber Essentials certification are entitled to Cyber Liability Insurance (T&Cs apply). Further details can be found here.

14. Validity:

Both Cyber Essentials and Cyber Essentials Plus certifications remain valid for one year post issuance.

Vulnerability Scanning for Cyber Essentials Plus Certification

1. Scope of Vulnerability Scanning:

  • Vulnerability Identification: The tests will only identify vulnerabilities known as of the testing date and within the capabilities of the tools used.
  • Limitations: The nature of security testing is such that new flaws might be discovered later, or by different tools and methods, that were not evident at the time of the initial test.

2. Liability:

  • Damages: No liability will be accepted for damages from any automated or non-automated attacks on your infrastructure or applications. This holds whether or not the testing identified any vulnerabilities.
  • Future Vulnerabilities: The company cannot be held accountable for vulnerabilities discovered in the future that were not identified during the initial testing.

3. Remediation:

  • Vulnerability Reporting: Identified vulnerabilities will be reported, and where possible, guidance will be provided referencing public sources to rectify them.
  • Responsibility: It's solely your responsibility to recognise and implement solutions to the vulnerabilities identified by the security testing.

Terms of Service for Guided Cyber Essentials Support

1. Guided Cyber Essentials (CEB002) Provision:

  • This service encompasses up to 2 hours of remote assistance to facilitate the completion of your questionnaire.

2. Guided Cyber Essentials Plus (CEP002) Offering:

  • The CEP002 package integrates the entirety of the CEB002 services.
  • Prior to the final audit, preliminary audits will be conducted to pinpoint and highlight areas requiring remediation.
  • The service includes a cumulative remote support duration of 4 hours. This is inclusive of the 2 hours allocated for the CEB002 assistance preceding your final audit.

Additional Support Terms:

  • Should clients necessitate further support beyond the stipulated durations, supplementary assistance can be arranged at an additional fee.