Terms and Conditions
Cyber Essentials and Cyber Essentials Plus Scheme Terms and Conditions
Cyber Essentials and Cyber Essentials Plus (individually and together referred to as the Scheme) are owned by NCSC and managed for NCSC by IASME Consortium Limited who are NCSC’s exclusive Cyber Essentials Partner. Important: Please read these carefully as they form part of the contract between you and IASME Consortium Limited.
1 Definitions
1.1 The following words and expressions shall have the meanings assigned to them below and the following rules of interpretation shall apply to this agreement:-
“Agreement” | means these Terms and Conditions; |
“Branding Guidelines” | means the branding guidelines applicable (as the case may be) to use of:
|
“Certificate” | The certificate issued by a Certification Body to an organisation which has successfully been assessed against the Cyber Essentials Technical Standard; |
“Certification Body“ | means a Cyber Essentials Supplier which has been appointed by IASME to provide Certification Services; |
“Certification Mark” | means the Cyber Essentials Certification Mark and the Cyber Essentials Plus Certification Mark; |
“Cyber Essentials Certification Mark“ | means the Mark awarded to organisations that successfully certify to Cyber Essentials |
“Cyber Essentials Plus Certification Mark” | means the Mark awarded to organisations that successfully certify to Cyber Essentials Plus |
“IASME” | means the IASME Consortium Limited; |
“You” | refers to the applicant company or other organisation seeking certification under the Scheme; Yours and Your shall be interpreted accordingly; |
“Fee” | means the fee payable for each assessment; |
“We” | refers to IASME or the CB as applicable. “Us” and “Our” shall be interpreted accordingly. |
“Scheme Controls” | means the technical controls described in the Cyber Essentials Requirements for IT Infrastructure (https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-April-2023.pdf) |
“Questionnaire” | means the self-assessment questionnaire by which You will describe how you implement the Scheme Controls. |
- (a)another person (or its nominee) by way of security or in connection with the taking of security; or (b) its nominee.
2 Assessment
2.1 We will upon receipt of the Fees give you access to a Scheme self-assessment Questionnaire and will, subject to You meeting Your obligations under this agreement, assess the completed Questionnaire in accordance with the Scheme Controls.
2.2 You must complete and submit the Questionnaire to Us within 6 months of our sending You the Scheme Questionnaire form. Any Questionnaire submitted after that date will not be assessed and no refund of the Fees will be due or payable to You.
2.3 We will notify You of the results of our assessment as soon as reasonably practicable after completing its assessment.
2.4 If You are successful, We will issue You with a Certificate (valid for 12 months from the date of issue);
2.5 We will perform its assessment with reasonable skill and care but the results are not subject to any appeal mechanism and are made entirely at Our sole and absolute discretion;
2.6 If You are unsuccessful in your first assessment attempt We will carry out one further assessment free of any additional charge provided that your resubmission is made within 48 hours of receipt of our notice that Your first assessment attempt has failed. Any further assessment attempts will be charged as a new application.
3 Your Obligations
3.1 You warrant and represent that
3.1.1 Your submitted Questionnaire is complete and accurate in all material respects and has been completed honestly and in good faith;
3.1.4 Your Scheme Questionnaire has been completed and signed by an authorised and suitably competent person of suitable seniority within Your organisation;
3.1.5 You will not do or permit to be done anything that might damage the reputation or standing of the Scheme, Us or NCSC;
3.1.6 You will cooperate with Us and our permitted agents and advisers in the management and auditing of the Scheme and will in particular provide Us with access to Your records, personnel and premises for the purposes of auditing Your compliance with the terms of this agreement.
3.2 You acknowledge that the Scheme is intended to reflect the fact that certified organisations have themselves established the Security Controls set out in the Cyber Essentials Requirements for IT Infrastructure only and that receipt of a Certificate does not indicate or certify or guarantee that Your organisation is free from cyber security vulnerabilities. You acknowledge and accept that We have not warranted or represented the Scheme or certification under the Scheme as conferring any additional benefit to You.
3.3 You will comply with the Scheme Documentation and all reasonable directions made to You by Us or by the relevant Certification Body.
3.4 You will follow the Branding Guidelines in your use of the Certification Essentials Certification Mark and / or the Cyber Essentials Plus Certification Mark
4 Fee
4.1 You will pay the Fee in accordance with Our published fee scale or as advised by the Certification Body
4.2 The issuance of the first Cyber Essentials Certificate and first Cyber Essentials Plus Certificate (if applicable) are included in the assessment fee. Any further certificates or changes to that certificate will be charged at the following rates:
4.2.1 Price per company certificate name/address change – £65.00
- This includes up to 5 additional certificates with different Trading As/subsidiary names (if applicable)
- If 6 or more different certificates are required, additional certificates with Trading As/subsidiary names will be charged at £20 each
5 Scheme IPR and Use of Certificate
5.1 You will comply with the Scheme documentation and all reasonable directions made to You by Us, NCSC or the relevant CB.
5.2 You acknowledge that any Certificate will be issued to You only upon acceptance of the terms and conditions of use including constraints on the use of the Marks.
5.3 We reserve the right to rescind (without compensation to You) a Scheme Certificate that has been issued to You in error.
6 Confidentiality
6.1 We will keep the information You submit during the assessment as confidential and protect it as we would our own confidential information. We will only use the confidential information you submit for the purposes of performing, managing or reviewing the assessment and for the purposes of the effective management, supervision and development of the Scheme. We may disclose Your confidential information to HM Government; and (for the purpose only of performing an assessment or managing or auditing the Scheme) to Our staff and contractors and to a CB. Such disclosure will be on terms of confidentiality. We may also disclose Your information as required by law, by an order of any court or tribunal; or as required by HMRC. In the event that management of the Scheme is to be transferred to a third party we may disclose to them the confidential information You have submitted, for the purpose of ensuring the continuation of the assessment and or the Scheme.
6.2 You also agree to us publishing the name of your company and, if relevant, the scope of the assessment if you are awarded certification. You also agree to the UK Government publishing the details of your organization and the level of certification held on Our website and on NCSC’s website.
7 Data Protection
7.1 Both Parties will comply with their respective obligations under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
7.2 You shall hold Us harmless from and against any and all claims (including reasonable and properly incurred costs and expenses) made against Us by an individual arising as a result of any loss, unauthorised disclosure of or unauthorised access to any Personal Data by You or any of Your staff in relation to this Agreement or the Scheme.
7.3 The provisions of this Clause 7 shall apply during the continuance of this Agreement and for twelve months after the expiry or termination of this Agreement.
7A Indemnity
7A.1 You shall indemnify Us against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other [reasonable] professional costs and expenses) suffered or incurred by Us arising out of or in connection with:-
(a) any breach of the warranties or representations contained in clause 3;
(b) Your breach or negligent performance or non-performance of this agreement;
(c) The enforcement of this agreement;
(d) any claim made against Us for actual or alleged infringement of a third party’s intellectual property rights arising out of or in connection with Our use of Your information for the purposes of the Scheme;
8 Limitation of Liability
8.1 We do not accept any liability to You resulting from any security breach or vulnerability in Your systems or processes either during the assessment or subsequently.
8.2 Without prejudice to the generality of clauses 8.1 and subject to clause 8.4 We shall not be liable to You whether in contract, tort (including negligence) for breach of statutory duty or otherwise arising under or in connection with this agreement for:-
- loss of profits;
- loss of sales or business;
- loss of agreements or contracts;
- loss of anticipated savings;
- loss of or damage to goodwill;
- loss of use or corruption of software, data or information;
- any indirect or consequential loss.
8A Inadequacy of Damages
Without prejudice to any other rights or remedies that We may have, You acknowledge and agree that damages alone would not be an adequate remedy for any breach of the terms of this agreement by You. Accordingly, We shall be entitled to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of the terms of this agreement.
9 Cancellation, Termination and Effects of Termination
9.1 We may terminate the certification process at any stage without notice to you in the event that you are in breach of any of your obligations under this agreement.
9.2 We may cancel Your Certificate at any time in the event that You use the Certificate or Marks in breach of the terms of the Scheme or in the event that You are in material breach of any of your other obligations under this agreement.
9.3 In the event that we cancel Your Certificate You will immediately cease to use it or to hold Yourself out as holding a Certificate in any other way whatsoever.
9.4 We will not be obliged to return any Fee or other payment You have made in connection with the assessment that we terminate or Certificate that we cancel under this clause 9.
9.5 Neither Termination of the assessment nor cancellation of the Certificate will prohibit Us from enforcing our other rights under this Agreement.
10 Further Assurance
At its own expense, each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this agreement.
11 No Agency
11.1 Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.
11.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.
12 Waiver
No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
13 Third Party Rights
13.1 Unless it expressly states otherwise, this agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement.
13.2 The rights of the parties to rescind or vary this agreement are not subject to the consent of any other person.
14 Entire Agreement
14.1 This agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
14.2 Each party agrees that it shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this agreement. Each party agrees that it shall have no claim for innocent or negligent misrepresentation [or negligent misstatement] based on any statement in this agreement.
15 Severance
15.1 If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.
15.2 If any provision or part-provision of this agreement is deemed deleted under clause 15.1 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
16 Force Majeure
Neither party shall be in breach of this agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the affected party shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for 12 weeks months, the party not affected may terminate this agreement by giving 10 days’ written notice to the affected party.
17 Dispute Resolution
Any dispute regarding this agreement shall first be discussed between us with a view to resolving it promptly. If it cannot be resolved within 28 days then you and we hereby agree that it will be referred for alternative dispute resolution by an appropriate mediation practitioner who is a member of and subject to the rules of the Chartered Institute of Arbitrators.
18 Law and Jurisdiction
Each party irrevocably agrees, for the sole benefit of Us that, subject as provided below, the courts of England and Wales shall have exclusive jurisdiction over any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this agreement or its subject matter or formation. Nothing in this clause shall limit Our right to take proceedings against You in any other court of competent jurisdiction, nor shall the taking of proceedings in any one or more jurisdictions preclude the taking of proceedings in any other jurisdictions, whether concurrently or not, to the extent permitted by the law of such other jurisdiction.
19 Behaviour
IASME has a zero tolerance in relation to bullying, abusive language, bribery or undue influence. Where this is directed at an assessor, it may result in your assessment being terminated and, if deemed necessary, legal action. In addition to taking legal action we reserve the right to report suspected bribery and other offences to the police.