The Cyber Resilience Pledge is really about your suppliers
A procurement questionnaire is about to land in your inbox. One of your larger customers will ask whether you hold Cyber Essentials, and they will want an answer before they renew your contract. If that sounds like scaremongering, look at what happened on Tuesday last week.
On 7 July, at 10 Downing Street, the government launched the Cyber Resilience Pledge. More than 60 firms signed up on day one, including Marks & Spencer, Nationwide, ITV, Microsoft UK, and Cloudflare. It is voluntary. It is aimed at medium and large organisations. On the face of it, it has nothing to do with a small supplier. Read the three commitments, though, and the third one points straight at you.
What the Pledge actually asks
Signatories commit to three things. First, board-level oversight of resilience, treating security as a business risk rather than an IT problem. Second, using National Cyber Security Centre (NCSC) guidance. Third, and this is the one that matters for smaller firms, Cyber Essentials certification across their supply chain.
That third ask is how a voluntary pledge for big firms turns into a hard requirement for small ones. A large signatory cannot make its whole supply chain certified by wishing it. It does so through procurement: new contract clauses, renewal conditions, and the questionnaire that asks whether you hold Cyber Essentials before it asks about anything else. Once a customer has signed a public pledge to certify its supply chain, the certification stops being a nice-to-have and becomes a condition of doing business.
The Pledge sits inside the government's National Cyber Action Plan, and it runs alongside the Cyber Security and Resilience Bill, which we covered separately. That Bill already places supply chain duties on organisations in regulated sectors. The Pledge extends the same pressure into the voluntary, commercial world. The direction of travel is one thing: security expectations flowing downhill, from large customers to their smaller suppliers.
Why the timing is not an accident
The government put some figures behind the launch, and they are worth knowing. Over 5 million crimes were committed against UK firms last year, which works out at roughly one every six seconds. The NCSC handled 204 nationally significant incidents in the year to September, up from 89 the year before. The average cost of a significant attack on a single UK business now sits at almost £195,000. Across all organisations, the annual bill is estimated at £14.7 billion.
Technology Secretary Liz Kendall put it plainly at the launch: "By signing this Pledge, they are showing that cyber resilience is no longer just an IT issue, it is a business-level responsibility." When the largest firms accept that framing, they push it down to everyone they buy from. That is the point of the exercise.
Coverage of the launch was not all glowing. The Record noted that only a handful of top firms had signed, and questioned how deep the blue-chip commitment really ran. Fair enough. But the number of signatories on day one matters less than the mechanism. It only takes one of your customers to sign for the questionnaire to reach you.
A certificate is not the same as security
Here is the part worth saying out loud, because the Pledge will not say it for you. Cyber Essentials is a floor, not a governance framework. It checks five technical controls, once a year, and for the basic version you assess yourself. That is genuinely useful, and for a small firm it is the right place to start. It is not a description of how you manage data risk day to day, and it was never meant to be.
The danger in a scheme that names one certificate is that the certificate becomes the whole answer. A supply chain full of firms passing Cyber Essentials once a year, then filing it away, is not the same as a supply chain that governs its risks. The certificate can quietly turn into a box ticked to win the contract, which is the opposite of what the Pledge is trying to achieve.
It helps to be clear that Cyber Essentials and ISO 27001 are different things, not two rungs of the same ladder. ISO 27001 is an information security management system: a risk-based framework for how an organisation identifies, owns, and reviews its security risks over time, audited by an external body. Plenty of ISO 27001 firms operate well above what Cyber Essentials, or its audited Plus variant, ever checks. If you already run a real management system, you do not need to bolt Cyber Essentials on top to be secure. You may still get asked for it, because it is the name on the questionnaire, and that is the thing to watch: a partial technical certificate being treated as the measure of whether a supplier can be trusted with data.
What to do this quarter
Get Cyber Essentials in place if you do not already govern security properly, and do it before a customer makes it a contract condition. On your own timetable it is cheaper, calmer, and better for the relationship than scrambling in a fortnight because a renewal is blocked on it. It costs around £350 to certify, and most small firms can prepare in a few weeks. We wrote a plain-English walkthrough in what Cyber Essentials actually involves, including what it does and does not prove.
If you already hold Cyber Essentials, check the renewal date so it is still valid when the questionnaire arrives. If you already run ISO 27001 or an equivalent management system, say so plainly when asked, and do not assume you need a lesser certificate as well. Either way, if you supply anyone large enough to have signed the Pledge, assume the question is coming, and treat it as a prompt to look at how you actually manage risk, not just which certificate you can produce.
How Steelwise can help
Working out whether you need a certificate, a proper management system, or both, and where your supply chain actually leaves you exposed, is the kind of practical work we do with smaller firms. Get in touch.