CERTIFICATION · CYBER ESSENTIALS / CYBER ESSENTIALS PLUS
Certified Across Both Cyber Essentials Tiers
Shufti holds Cyber Essentials and Cyber Essentials Plus, including independent technical testing against the UK government-backed cybersecurity scheme. This gives procurement and security teams clear assurance when assessing Shufti’s controls.
What Cyber Essentials Is
The UK government's Cyber Essentials scheme defines five technical control categories that protect against the most common cyber attacks. It has two tiers: one self-assessed, one independently tested. For enterprise procurement, the difference between them is the difference between a vendor's own attestation and an external assessor's verification.
Cyber Essentials (Self-Assessed)
Five control categories documented and attested by the organisation: boundary firewalls and internet gateways, secure configuration of devices and software, user access controls, malware protection, and patch management. Confirms the baseline controls are in place and documented. Shufti holds this tier.
Cyber Essentials Plus (Independently Tested)
The same five control categories, tested hands-on by an IASME Consortium-accredited certifying body: external vulnerability scans of public-facing systems, internal network testing, authenticated workstation testing, and email security validation. The assessor verifies, against live production systems, that the controls work as documented. Shufti also holds this tier.
Why It Matters
Cyber Essentials Plus is the government-recognised baseline, and it reduces the scope of your vendor security questionnaire for the five covered control domains. It is mandatory for UK central government contracts involving personal data. If you are procuring Shufti under a UK government framework, or require your supply chain to hold Cyber Essentials Plus, we meet that requirement at the independently tested tier.
Holding both tiers demonstrates continuity
We did not simply acquire Plus without the documented baseline that underpins it. The five control domains are evidenced at both self-assessed and independently tested levels, giving your InfoSec team a complete picture.
NCSC-backed UK government scheme
Mandatory for central government contracts involving personal data. Both tiers held, with Plus independently verified by an accredited assessor.
How Shufti Maintains It
Shufti's Cyber Essentials Plus assessment is conducted annually by an IASME Consortium-accredited certifying body. The assessment tests the live production environment, not a prepared test build. Between cycles, we maintain the same patch management cadence, access control procedures, and firewall configurations that the assessment validated.
Both certificates are available on request and can be included directly in UK procurement submissions. Certificate numbers are verifiable on the IASME certificate checker.
Certification Details
Certifying body
IASME Consortium-accredited certifying body (Plus tier), NCSC-backed scheme.
Tiers held
Cyber Essentials (self-assessed) and Cyber Essentials Plus (independently tested), both current.
Assessment type
Plus tier: hands-on technical testing of live production environment by accredited assessor.
Domains tested
Firewalls, secure configuration, access controls, malware protection, patch management.
What you get
Both certificates available on request; usable in UK procurement submissions; renewed annually.
