Assessment Terms & Conditions
Cyber Essentials and Cyber Essentials Plus
Scheme Terms and Conditions
Cyber Essentials and Cyber Essentials Plus (individually and together referred to as the Scheme) are owned by NCSC and managed for NCSC by IASME Consortium Limited who are NCSC’s exclusive Cyber Essentials Partner.
Important: Please read these carefully as they form part of the contract between you and IASME Consortium Limited.
1.1 The following words and expressions shall have the meanings assigned to them below and the following rules of interpretation shall apply to this agreement:-
|“Agreement”||means these Terms and Conditions;|
|“Branding Guidelines”||means the branding guidelines applicable (as the case may be) to use of:
as may be updated by NCSC from time to time;
|“Certificate”||The certificate issued by a Certification Body to an organisation which has successfully been assessed against the Cyber Essentials Technical Standard;|
|“Certification Body“||means a Cyber Essentials Supplier which has been appointed by IASME to provide Certification Services;|
|“Certification Mark”||means the Cyber Essentials Certification Mark and the Cyber Essentials Plus Certification Mark;|
|“Cyber Essentials Certification Mark“||means the Cyber Essentials Certification Mark as set out in Annex C|
|“Cyber Essentials Plus Certification Mark”||means the Cyber Essentials Plus Certification Mark as set out in Annex D|
|“IASME”||means the IASME Consortium Limited;|
|“You”||refers to the applicant company or other organisation seeking certification under the Scheme; Yours and Your shall be interpreted accordingly;|
|“Fee”||means the fee payable for each assessment;|
|“We”||refers to IASME or the CB as applicable. “Us” and “Our” shall be interpreted accordingly.|
|“Scheme Controls”||means the technical controls described in the Cyber Essentials Requirements for IT Infrastructure (https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-infrastructure-2-1.pdf)|
|“Questionnaire”||means the self-assessment questionnaire by which You will describe how you implement the Scheme Controls.|
1.2 Clause and paragraph headings shall not affect the interpretation of this agreement.
1.3 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
1.4 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.5 A reference to a holding company or a subsidiary means a holding company or a subsidiary (as the case may be) as defined in section 1159 of the Companies Act 2006 [and a company shall be treated, for the purposes only of the membership requirement contained in sections 1159(1)(b) and (c), as a member of another company even if its shares in that other company are registered in the name of:
(a) another person (or its nominee) by way of security or in connection with the taking of security; or
(b) its nominee.
For the purposes of determining whether a limited liability partnership is a subsidiary of a company or another limited liability partnership, section 1159 of the Companies Act 2006 shall be construed so that: (a) references in sections 1159(1)(a) and (c) to voting rights are to the members’ rights to vote on all or substantially all matters which are decided by a vote of the members of the limited liability partnership; and (b) the reference in section 1159(1)(b) to the right to appoint or remove a majority of its board of directors is to the right to appoint or remove members holding a majority of the voting rights.
1.7 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.8 Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
1.9 This agreement shall be binding on, and enure to the benefit of, the parties to this agreement and their respective personal representatives, successors and permitted assigns, and references to any party shall include that party’s personal representatives, successors and permitted assigns.
1.10 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.
1.11 A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.
1.12 Unless the context otherwise requires, any reference to European Union law that is directly applicable or directly effective in the UK at any time is a reference to it as it applies in England and Wales from time to time including as retained, amended, extended or re-enacted on or after exit day.
1.13 A reference to writing or written includes email.
1.14 Any obligation on a party not to do something includes an obligation not to allow that thing to be done.
1.15 Any reference to an English legal term for any action, remedy, method of judicial proceeding, legal document, legal status, court, official or any legal concept or thing shall, in respect of any jurisdiction other than England, be deemed to include a reference to that which most nearly approximates to the English legal term in that jurisdiction.
1.16 A reference to this agreement or to any other agreement or document referred to in this agreement is a reference to this agreement or such other agreement or document as varied or novated (in each case, other than in breach of the provisions of this agreement) from time to time.
1.17 Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
2.1 We will upon receipt of the Fees give you access to a Scheme self- assessment Questionnaire and will, subject to You meeting You obligations under this agreement, assess the completed Questionnaire in accordance with the Scheme Controls.
2.2 You must complete and submit the Questionnaire to Us within 6 months of our sending You the Scheme Questionnaire form. Any Questionnaire submitted after that date will not be assessed and no refund of the Fees will be due or payable to You.
2.2 We will notify You of the results of our assessment as soon as reasonably practicable after completing its assessment.
2.3 If You are successful, We will issue You with a Certificate (valid for 12 months from the date of issue);
2.4 We will perform its assessment with reasonable skill and care but the results are not subject to any appeal mechanism and are made entirely at Our sole and absolute discretion;
2.5 If You are unsuccessful in your first assessment attempt We will carry out one further assessment free of any additional charge provided that your resubmission is made within 48 hours of receipt of our notice that Your first assessment attempt has failed. Any further assessment attempts will be charged as a new application.
3 Your Obligations
3.1 You warrant and represent that
3.1.1 Your submitted Questionnaire is complete and accurate in all material respects and has been completed honestly and in good faith;
3.1.4 Your Scheme Questionnaire has been completed and signed by an authorised and suitably competent person of suitable seniority within Your organisation;
3.1.5 You will not do or permit to be done anything that might damage the reputation or standing of the Scheme, Us or NCSC;
3.1.6 You will cooperate with Us and our permitted agents and advisers in the management and auditing of the Scheme and will in particular provide Us with access to Your records, personnel and premises for the purposes of auditing Your compliance with the terms of this agreement.
3.2 You acknowledge that the Scheme is intended to reflect the fact that certified organisations have themselves established the Security Controls set out in the Cyber Essentials Requirements for IT Infrastructure only and that receipt of a Certificate does not indicate or certify or guarantee that Your organisation is free from cyber security vulnerabilities. You acknowledge and accept that We have not warranted or represented the Scheme or certification under the Scheme as conferring any additional benefit to You.
3.3 You will comply with the Scheme Documentation and all reasonable directions made to You by Us or the by relevant Certification Body.
3.4 You will follow the Branding Guidelines in your use of the Certification Essentials Certification Mark and / or the Cyber Essentials Plus Certification Mark
You will pay the Fee in accordance with the Our published fee scale or as advised by the Certification Body
5 Scheme IPR and Use of Certificate
5.1 You will comply with the Scheme documentation and all reasonable directions made to You by Us, NCSC or the relevant CB.
5.2 You acknowledge that any Certificate will be issued to You only upon acceptance of the terms and conditions of use including constraints on the use of the Marks, as set out in Annex C and Annex D.
6.1 We will keep the information You submit during the assessment as confidential and protect it as we would our own confidential information. We will only use the confidential information you submit for the purposes of performing, managing or reviewing the assessment and for the purposes of the effective management, supervision and development of the Scheme. We may disclose Your confidential information to HM Government; and (for the purpose only of performing an assessment or managing or auditing the Scheme) to Our staff and contractors and to a CB. Such disclosure will be on terms of confidentiality. We may also disclose Your information as required by law, by an order of any court or tribunal; or as required by HMRC. In the event that management of the Scheme is to be transferred to a third party we may disclose to them the confidential information You have submitted, for the purpose of ensuring the continuation of the assessment and or the Scheme.
6.2 You also agree to us publishing the name of your company and, if relevant, the scope of the assessment if you are awarded certification.
You also agree to the UK Government publishing the details of your organization and the level of certification held on Our website and on NCSC’s website.
7 Data Protection
7.1 Both Parties will comply with their respective obligations under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
7.2 You shall hold Us harmless from and against any and all claims (including reasonable and properly incurred costs and expenses) made against Us by an individual arising as a result of any loss, unauthorised disclosure of or unauthorised access to any Personal Data by the You or any of Your staff in relation to this Agreement or the Scheme.
7.3 The provisions of this Clause 7 shall apply during the continuance of this Agreement and for twelve months after the expiry or termination of this Agreement.
7A.1 You shall indemnify Us against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other [reasonable] professional costs and expenses) suffered or incurred by Us arising out of or in connection with:
(a) any breach of the warranties or representations contained in clause 3;
(b) Your breach or negligent performance or non-performance of this agreement;
(c) The enforcement of this agreement;
(d) any claim made against Us for actual or alleged infringement of a third party’s intellectual property rights arising out of or in connection with Our use of Your information for the purposes of the Scheme;
7A2 This indemnity shall not cover Us to the extent that a claim under it results from Our negligence or wilful misconduct.
7A3 Nothing in this clause shall restrict or limit Our general obligation at law to mitigate a loss We may suffer or incur as a result of an event that may give rise to a claim under this indemnity.
8 Limitation of Liability
8.1 We do not accept any liability to You resulting from any security breach or vulnerability in Your systems or processes either during the assessment or subsequently.
8.2 Without prejudice to the generality of clauses 8.1 and subject to clause 8.4 We shall not be liable to You whether in contract, tort (including negligence) for breach of statutory duty or otherwise arising under or in connection with this agreement for:-
loss of profits;
- loss of sales or business;
- loss of agreements or contracts;
- loss of anticipated savings;
- loss of or damage to goodwill;
- loss of use or corruption of software, data or information;
- any indirect or consequential loss.
8.3 The terms implied by sections 3 to 5 of the Supply of Goods and Services Act 1982 are, to the fullest extent permitted by law, excluded from this agreement.
8.4 The limitations and exclusions on liability in this section will not apply to any liability for death or personal injury caused by our negligence, for fraud or fraudulent misrepresentation or for any other liability that cannot lawfully be excluded or limited.
8.5 Subject to clause 8.4, the total limit of Our liability to You whether in contract or tort is the sum equivalent to the Fees that you have paid to us in the 12 months preceding the date of Your claim against Us.
8A Inadequacy of Damages
Without prejudice to any other rights or remedies that We may have, You acknowledge and agree that damages alone would not be an adequate remedy for any breach of the terms of this agreement by You. Accordingly, We shall be entitled to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of the terms of this agreement.
9 Cancellation, Termination and Effects of Termination
9.1 We may terminate the certification process at any stage without notice to you in the event that you are in breach of any of your obligations under this agreement.
9.2 We may cancel Your Certificate at any time in the event that You use the Certificate or Marks in breach of the terms of the Scheme or in the event that You are in material breach of any of your other obligations under this agreement.
9.3 In the event that we cancel Your Certificate You will immediately cease to use it or to hold Yourself out as holding a Certificate in any other way whatsoever.
9.4 We will not be obliged to return any Fee or other payment You have made in connection with the assessment that we terminate or Certificate that we cancel under this clause 9.
9.5 Neither Termination of the assessment nor cancellation of the Certificate will prohibit Us from enforcing our other rights under this Agreement.
10 Further Assurance
At its own expense, each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this agreement.
11 No Agency
11.1 Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.
11.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.
No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
13 Third Party Rights
13.1 Unless it expressly states otherwise, this agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement.
13.2 The rights of the parties to rescind or vary this agreement are not subject to the consent of any other person.
14 Entire Agreement
14.1 This agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
14.2 Each party agrees that it shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this agreement. Each party agrees that it shall have no claim for innocent or negligent misrepresentation [or negligent misstatement] based on any statement in this agreement.
15.1 If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.
15.2 If any provision or part-provision of this agreement is deemed deleted under clause 15.1 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
16 Force Majeure
Neither party shall be in breach of this agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the affected party shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for 12 weeks months, the party not affected may terminate this agreement by giving 10 days’ written notice to the affected party.
17 Dispute Resolution
Any dispute regarding this agreement shall first be discussed between us with a view to resolving it promptly. If it cannot be resolved within 28 days then you and we hereby agree that will be referred for alternative dispute resolution by an appropriate mediation practitioner who is a member of and subject to the rules of the Chartered Institute of Arbitrators.
18 Law and Jurisdiction
Each party irrevocably agrees, for the sole benefit of Us that, subject as provided below, the courts of England and Wales shall have exclusive jurisdiction over any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this agreement or its subject matter or formation. Nothing in this clause shall limit Our right to take proceedings against You in any other court of competent jurisdiction, nor shall the taking of proceedings in any one or more jurisdictions preclude the taking of proceedings in any other jurisdictions, whether concurrently or not, to the extent permitted by the law of such other jurisdiction.