Cyber Essentials for logistics operators: what the certification actually covers, and what it doesn’t
An honest field guide to what Cyber Essentials covers, the difference between basic and Plus, and the five things UK logistics operators should be thinking about beyond the certification box.
Cyber Essentials comes up in almost every procurement conversation we have with a UK logistics operator. It usually arrives as a single bullet on a vendor questionnaire — “Cyber Essentials certified, yes or no?” — and almost always without the surrounding context that would tell you what the answer actually means.
This is a short, honest field guide. What Cyber Essentials is, what it isn’t, what the difference between Cyber Essentials and Cyber Essentials Plus actually amounts to, and what a UK logistics operator should be thinking about beyond the certification box itself.
We hold Cyber Essentials (basic). We don’t currently hold Cyber Essentials Plus, and we’ll explain below why we treat that as a watched decision rather than a default upgrade.
What Cyber Essentials covers
Cyber Essentials is a UK government-backed certification scheme run by IASME on behalf of the National Cyber Security Centre. It’s deliberately narrow. The scheme covers five technical control areas:
- Firewalls and internet gateways — that you have boundary firewalls and that they’re configured sensibly.
- Secure configuration — that the systems on your estate aren’t running with default credentials, unnecessary services, or out-of-the-box settings that ship insecure.
- User access control — that administrative privileges are managed, that accounts are removed promptly when people leave, and that you’re not using shared logins for sensitive systems.
- Malware protection — that anti-malware is deployed and current on devices that need it.
- Security update management — that you patch within a defined window, particularly for high and critical CVEs.
That’s it. Five technical control areas, with a defined scope (you choose what’s in scope — whole organisation, a single product, a specific cloud environment) and an annual renewal.
The difference between Cyber Essentials and Cyber Essentials Plus
This is the part where confusion lives.
Cyber Essentials (basic) is a self-assessment scheme. You complete a questionnaire describing your controls against the five areas above. The assessment is reviewed by a certifying body. If it passes, you’re certified for twelve months. The integrity of the certificate depends on you answering the questionnaire honestly.
Cyber Essentials Plus is the same five control areas, but with an independent technical audit on top. An external assessor performs vulnerability scans against your in-scope systems, tests configurations on a sample of devices, and verifies that the answers you gave on the basic assessment are actually true in practice. It’s a meaningfully different level of assurance, and it costs meaningfully more.
For a logistics operator buying software from a vendor, the practical reading is:
- Cyber Essentials says: this supplier has stated they meet a baseline.
- Cyber Essentials Plus says: an independent assessor has verified they do.
Both have legitimate uses. Neither is a substitute for actually thinking about what data you’re handing over and how it’ll be looked after.
What Cyber Essentials does not cover
This is where most procurement questionnaires fall short — they ask “are you certified?” without asking the question that actually matters: what is in scope?
A vendor can hold Cyber Essentials for their corporate IT estate (the laptops their staff use) without the certificate covering the cloud infrastructure that runs the software product you’re buying. A vendor can be certified across the whole organisation but only annually, meaning the certificate says nothing about how they responded to a critical vulnerability disclosed nine months into the cycle.
Cyber Essentials also doesn’t say anything about:
- The security of the software code the vendor writes (that’s a different discipline — secure development practice, code review, SAST/DAST tooling).
- The vendor’s incident response maturity (what happens when something goes wrong).
- The vendor’s data handling practices under GDPR or sector-specific regimes like NHS DSPT, DTAC, or maritime IMO frameworks.
- Any third-party services the vendor uses unless they’re explicitly in scope.
For a logistics operator, those four are usually the questions that should actually be on the questionnaire.
What logistics operators specifically need to think about
Beyond the certificate itself, there are five areas that come up repeatedly when we scope work with shipping, vehicle logistics, and freight forwarding operators:
- Driver app endpoints. If you’ve got a mobile workforce hitting APIs from devices in vehicles or ports, those APIs are exposed to the public internet and need rate limiting, proper authentication (not embedded API keys in the app binary), and observability on traffic patterns.
- ePOD and inspection data integrity. If your defence in a damage claim depends on the ePOD or inspection record, the integrity of that record matters more than any certificate. Tamper-evident timestamps, immutable storage, clear audit trail.
- OEM and carrier integration credentials. EDI credentials, HMRC CDS tokens, carrier API keys — these tend to accumulate in inboxes, shared password managers, and developer laptops. Cyber Essentials touches the periphery of this; serious credential hygiene is its own discipline.
- Customer system access. If your customers grant you access to their systems (TMS, ERP, EDI gateways), you’re carrying their security risk on your estate. The certificate doesn’t reach into that risk; your contracts and your access management practices have to.
- Backup and recovery realism. Covered loosely under secure configuration, but the operational question — “if your production systems are unavailable for forty-eight hours, what’s the cost to your customer’s logistics chain?” — is usually bigger than Cyber Essentials addresses directly.
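The driver-app point above names three properties for a public-facing endpoint: credentials that are not a static key baked into the app binary, per-device rate limiting, and a log line per decision so traffic patterns can be watched. The following is an added example (not Team Bison's code or any product described on this page) showing the three together in a small Python gateway: short-lived HMAC-signed per-device tokens issued server-side, a per-device token bucket, and a structured log entry per request. The key, limits, device and driver identifiers are constructed for the example.

```python
"""Driver-app endpoint checks: short-lived per-device tokens, per-device rate
limiting and a decision log. Added example; key and identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret. It stays on the backend; nothing derived from
# it ships inside the mobile app, which is the point of the design.
TOKEN_KEY = b"example-token-key-replace-in-production"
TOKEN_TTL_SECONDS = 15 * 60   # a stolen token is useful for minutes, not months
RATE_LIMIT_PER_MINUTE = 60    # per device, so one noisy handset cannot starve the rest


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(device_id: str, driver_id: str, now: float) -> str:
    """Issued by the backend after the driver authenticates; bound to one device."""
    claims = {"dev": device_id, "drv": driver_id, "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class TokenBucket:
    """Per-device bucket holding RATE_LIMIT_PER_MINUTE requests, refilled continuously."""

    def __init__(self) -> None:
        self._state: dict = {}  # device_id -> (tokens remaining, last refill time)

    def allow(self, device_id: str, now: float) -> bool:
        tokens, last = self._state.get(device_id, (float(RATE_LIMIT_PER_MINUTE), now))
        tokens = min(RATE_LIMIT_PER_MINUTE, tokens + (now - last) * RATE_LIMIT_PER_MINUTE / 60)
        if tokens < 1:
            self._state[device_id] = (tokens, now)
            return False
        self._state[device_id] = (tokens - 1, now)
        return True


class DriverApi:
    """Minimal request handler returning an HTTP status for a driver endpoint."""

    def __init__(self) -> None:
        self.bucket = TokenBucket()
        self.log: list = []  # stand-in for a structured log sink

    def handle(self, path: str, bearer: str, now: float) -> int:
        claims = verify_token(bearer, now)
        if claims is None:
            self._log(path, "-", 401, now)
            return 401
        if not self.bucket.allow(claims["dev"], now):
            self._log(path, claims["dev"], 429, now)
            return 429
        self._log(path, claims["dev"], 200, now)
        return 200

    def _log(self, path: str, device: str, status: int, now: float) -> None:
        # One entry per decision; a per-device spike of 401s or 429s is what you alert on.
        self.log.append({"ts": now, "path": path, "device": device, "status": status})


if __name__ == "__main__":
    api = DriverApi()
    t0 = time.time()
    tok = issue_token("device-example-42", "driver-example-7", t0)
    print(api.handle("/v1/jobs", tok, t0))                          # 200
    print(api.handle("/v1/jobs", tok + "x", t0))                    # 401, tampered
    print(api.handle("/v1/jobs", tok, t0 + TOKEN_TTL_SECONDS + 1))  # 401, expired
```

The token here is a deliberately small stand-in for whatever the backend already issues (a JWT from an identity provider would serve the same role); what matters is that it is per device, expires quickly and is verified on every call, and that the 401 and 429 decisions are logged per device rather than only counted in aggregate.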
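The ePOD and inspection point above asks for tamper-evident timestamps, immutable storage and a clear audit trail. One way to get tamper evidence at the record level is a keyed hash chain: every record's hash commits to its body, its capture timestamp and the previous record's hash, so an edit, a reordering or a deletion after the fact breaks the chain at a detectable point. The block below is an added example, not code from Team Bison or any product on this page; the signing key, vehicle identifier and event records are constructed, and the storage behind it (an append-only store that keeps the original records) is assumed rather than shown.

```python
"""Tamper-evident ePOD/inspection record chain. Added example; the signing key
and the sample records are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed key. In practice it lives in a secrets store on the backend,
# never in the application repository or on a driver's device.
SIGNING_KEY = b"example-signing-key-replace-in-production"

GENESIS = "0" * 64  # stands in for "no previous record"


def _canonical(record: dict) -> bytes:
    # Stable serialisation so an unchanged record always hashes to the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, body: dict, captured_at: Optional[str] = None) -> dict:
    """Append a record whose hash commits to its body, timestamp and predecessor."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {
        "seq": len(chain),
        "captured_at": captured_at or datetime.now(timezone.utc).isoformat(),
        "body": body,
        "prev_hash": prev_hash,
    }
    record["hash"] = hmac.new(SIGNING_KEY, _canonical(record), hashlib.sha256).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain: list) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every link holds, else (False, seq of the first bad record)."""
    prev_hash = GENESIS
    for expected_seq, record in enumerate(chain):
        unsigned = {k: v for k, v in record.items() if k != "hash"}
        recomputed = hmac.new(SIGNING_KEY, _canonical(unsigned), hashlib.sha256).hexdigest()
        if (
            record["seq"] != expected_seq                           # deletion or reordering
            or record["prev_hash"] != prev_hash                     # broken link
            or not hmac.compare_digest(recomputed, record["hash"])  # edited body or timestamp
        ):
            return False, record.get("seq")
        prev_hash = record["hash"]
    return True, None


def build_sample_chain() -> list:
    """Constructed sample: a pre-unload inspection followed by a signed ePOD."""
    chain: list = []
    append_record(chain,
                  {"event": "inspection", "vehicle": "VIN-EXAMPLE-001", "damage": "none"},
                  captured_at="2024-05-01T08:12:03+00:00")
    append_record(chain,
                  {"event": "epod", "vehicle": "VIN-EXAMPLE-001",
                   "signed_by": "J. Example", "damage_noted": False},
                  captured_at="2024-05-01T08:20:41+00:00")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))        # (True, None)
    # A later attempt to rewrite the inspection to show pre-existing damage.
    chain[0]["body"]["damage"] = "scratch on rear door"
    print("after edit:", verify_chain(chain))    # (False, 0)
```

Verification only tells you that the chain you hold is the chain that was written; it does not stop someone with the key and write access from rewriting the whole chain. That is why the list item pairs tamper evidence with immutable storage: keep the records (or at least the hashes) somewhere that only allows appends, and check the chain against that copy when a claim is disputed.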
What we hold, and our position on CE Plus
We hold Cyber Essentials (basic), self-assessed and current. We’ve made an active decision not to pursue Cyber Essentials Plus on a default cadence. Two reasons.
One, our customer mix doesn’t require it for current contracts. UK government framework work and certain regulated procurement processes do require CE Plus; our Tier 1 customers in shipping and logistics, and our Tier 2 work in legal, medical and NHS, have not made it a contracted minimum to date.
Two, the right time to pursue CE Plus is when a specific named opportunity requires it. We review the decision annually against actual customer demand. If you’re an operator considering procuring software from us and CE Plus would be a contracted requirement, tell us in discovery — that’s exactly the named-opportunity trigger we’d use to move on it.
We don’t think the honest answer (“we hold basic; we’ll move to Plus when an opportunity needs us to”) loses us business compared with the dishonest one. It’s also the answer we’d want from a vendor we were buying from.
What to ask in your next vendor questionnaire
Three questions, in priority order:
- What is in scope of your Cyber Essentials certificate — corporate IT only, the product infrastructure, both?
- What’s your patching and vulnerability response cadence between annual recertifications?
- What’s your incident response process if something happens at 3am on a Saturday and we’re affected?
A vendor that can answer those three well is in a better security position than one with a CE Plus certificate and vague answers to all three.
Team Bison is the software, AI and operations consultancy within the Bison Grid Ltd group. We’ve been delivering secure-by-design builds, managed platforms, and compliance support for shipping, logistics, NHS, legal and medical customers since 2003.