Cyber Essentials, the defence baseline
Certified directly by us as an IASME Certification Body. The minimum the Cyber Security Model expects, renewed every 12 months.
If your contract carries DEFCON 658, the Cyber Security Model applies to you, and it flows down to every supplier beneath you. We get defence suppliers ready: Cyber Essentials, Cyber Essentials Plus and the technical evidence the MOD expects. From an IASME Certification Body that has certified UK organisations since the scheme launched in 2014.
Prefer email? hello@layer7.uk
A defence contract carrying DEFCON 658 triggers the MOD's Cyber Security Model. The MOD runs a Risk Assessment that assigns your contract a Cyber Risk Profile. You then have to meet the controls in Def Stan 05-138 for that level, and evidence it through a Supplier Assurance Questionnaire on the Supplier Cyber Protection Service.
The requirement does not stop at the prime. DEFCON 658 flows down through every tier of the supply chain. If you sit beneath a prime on a defence programme, it reaches you.
The model moved to CSMv4 for new contracts from December 2025, with Def Stan 05-138 Issue 4. Cyber Essentials is the baseline at the lower levels. Cyber Essentials Plus is required at the higher risk levels.
A new Defence Cyber Certification scheme adds independent, evidence-based certification on top of the self-assessed questionnaire. It is built on Cyber Essentials at every level.
Certified directly by us as an IASME Certification Body. The minimum the Cyber Security Model expects, renewed every 12 months.
The hands-on, independently audited tier required at higher Cyber Risk Profiles. We test your live systems, not just your answers.
We help you read your Risk Assessment, scope the controls in Def Stan 05-138, and complete the Supplier Assurance Questionnaire with evidence behind it.
CREST and Cyber Scheme qualified testing to prove the technical controls a defence buyer will scrutinise.
Flow the same bar down to your own subcontractors, the way DEFCON 658 expects.
The new independent, evidence-based scheme is built on Cyber Essentials at every level. We get the baseline solid and ready you for certification beyond the questionnaire.
We have certified UK organisations to Cyber Essentials since the scheme launched in 2014, one of the longest-standing certification bodies in the country. We deliver to public sector and defence-grade clients, with in-house CREST and Cyber Scheme qualified testers, so the controls are tested, not just claimed. We cut through the acronyms, DEFCON 658, CSMv4, Def Stan 05-138, SAQ, so you know exactly what your contract requires and what it does not.
The North East has a real defence base, from manufacturing on Tyneside to engineering across the region, and a growing cluster of SMEs winning defence work. We help suppliers across the region get and stay compliant. Local when you want us on site, remote when that is faster.
DEFCON 658 is the contract condition that applies the MOD's Cyber Security Model to a defence contract. It sets the cyber-security terms and flows down through every tier of the supply chain, so it can reach you even as a subcontractor.
It depends on the Cyber Risk Profile the MOD assigns to your contract. Cyber Essentials is the baseline at the lower levels. Cyber Essentials Plus, the independently audited tier, is required at the higher levels. We help you work out which applies and get you there.
The Cyber Security Model is how the MOD protects information across its supply chain. The MOD assesses each contract's risk, assigns a profile, and expects suppliers to meet the matching controls in Def Stan 05-138. The model moved to CSMv4, with Def Stan 05-138 Issue 4, for new contracts from December 2025.
The Supplier Assurance Questionnaire is how you evidence your compliance against the controls for your assigned risk profile. It is completed and submitted through the MOD's Supplier Cyber Protection Service. We help you complete it with real evidence behind every answer.
Defence Cyber Certification is a newer scheme that adds independent, evidence-based certification against the Cyber Security Model, rather than self-assessment. It is built on Cyber Essentials at every level.
Yes. We are North East based and certify organisations across the region and the wider UK, on site or fully remotely.
Prefer email? hello@layer7.uk