Verify a Cyber Essentials certificate — the official UK register
Free supplier-due-diligence tool. Search the IASME / NCSC register to confirm if a UK organisation holds a current Cyber Essentials or Cyber Essentials Plus certificate, and learn exactly what each result field means before you sign a contract.
Quick answer: Use the official IASME Cyber Essentials register to check if a UK company has Cyber Essentials. The IASME certificate search lets you look up by company name or certificate reference number — results show the certification level (CE or CE Plus), issue date, expiry, score and scope. There is no separate “Cyber Essentials checker” tool; the IASME register is the only authoritative UK source.
Search the official IASME register
The authoritative list of valid certificates is maintained by IASME for the NCSC. Click below to open the official search in a new tab — type a company name or certificate reference number to verify.
How to check if a company has Cyber Essentials
The IASME register only shows certificates issued in the last 12 months — certificates expire annually and drop off when the holder doesn’t renew. Follow these four steps to verify any UK organisation.
Open the IASME register
Use the link above. The official URL is iasme.co.uk/cyber-essentials/ncsc-certificate-search — bookmark it for repeat checks.
Search by name or certificate ref
Type the exact registered company name. If you have it, the certificate reference number is more reliable — trading names, parent companies and abbreviations can hide a valid certificate.
Expand the result
Click the + icon to reveal the full certificate detail: level (CE or CE Plus), issue date, expiry date, scope and the assessor body that signed it off.
Check four things
(1) Level matches the requirement; (2) expiry date is in the future; (3) scope covers the part of the business you’re contracting; (4) the certificate reference matches anything they’ve sent you.
What the search results mean
Every entry in the IASME register has the same fields. Here’s how to read them and what to flag during supplier due diligence.
| Field | What it means | What to check |
|---|---|---|
| Company Name | The legal entity the certificate was issued to. | Match it to the entity on the contract or invoice. Trading names won’t appear if certified under a parent company. |
| Certificate Reference | Unique identifier (e.g. CE-2026-1234567). Issued by IASME at the point of certification. | Most reliable way to verify — ask the supplier for it directly and search by reference. |
| Certificate Level | Cyber Essentials (self-assessment, IASME-marked) or Cyber Essentials Plus (independent technical audit). | For UK government, MoD, NHS and most enterprise contracts you specifically need CE Plus. |
| Certification Date | The day the certificate was issued. | Confirms how long they’ve been certified. CE Plus year-on-year is a stronger signal than first-time CE. |
| Certification Expiry | Always 12 months after issue. Certificates do not auto-renew. | If expiry is <30 days away, ask the supplier when they will recertify. If it’s in the past, the certificate is no longer valid. |
| Score | Numerical score from the assessor (CE Plus only). | Higher is better, but pass/fail is the binding outcome. |
| Scope | The part of the business the certificate covers (whole-org, division, specific systems). | Critical: "Whole organisation" is the gold standard. A narrow scope may exclude the team or system you’re contracting. |
What if the search returns nothing?
No result doesn’t always mean “not certified”. Five common reasons:
- The certificate has expired (12-month lifespan, no auto-renewal).
- They’re certified under a different legal name — ask for the entity on the certificate.
- Different spelling, abbreviation or punctuation in the company name.
- Their certificate is more than 12 months old and they haven’t renewed.
- They never held a certificate — or it was withdrawn.
Always ask the supplier for the certificate reference number and search by that — it removes every ambiguity.
Free supplier due-diligence checklist
- Got the supplier’s certificate reference number?
- Verified the entity name matches your contract?
- Confirmed Level (CE or CE Plus) matches your contract requirement?
- Expiry date is > 30 days in the future?
- Scope covers the team / systems you’re contracting?
- If due to expire, asked when they’ll recertify?
- For high-risk suppliers: requested a copy of their certificate PDF?
- Stored screenshot / PDF in your supplier file with the date you verified?
Cyber Essentials verification — FAQs
Common questions from procurement teams, security managers and contract owners verifying suppliers’ Cyber Essentials status.
How do I check if a company has Cyber Essentials?
Is the IASME register the only official source for Cyber Essentials verification?
Can I verify a Cyber Essentials certificate by certificate number alone?
How long is a Cyber Essentials certificate valid?
What’s the difference between Cyber Essentials and Cyber Essentials Plus?
What if a supplier’s scope is “not whole organisation”?
Can I bulk-verify a list of suppliers?
I need to get our own organisation Cyber Essentials certified — what now?
Need to get certified yourself?
If your supplier-due-diligence audit just made you realise your own business needs Cyber Essentials, we can have you fully certified in 4–6 weeks. Fixed-price, fully managed, with the £25k cyber-liability insurance included.
Get my Cyber Essentials quote →