Cyber Essentials and Cyber Essentials Plus Terms and Conditions
These Terms and Conditions are also subject to the Fortis Master Terms and Conditions.
1 DEFINITIONS
1.1 The following words and expressions shall have the meanings assigned to them below and the following rules of
interpretation shall apply to this agreement:-
“Agreement” means these Terms and Conditions;
“Certificate” The certificate issued by a Certification Body to an organisation which has successfully been assessed against the Cyber Essentials Technical Standard;
“Certification Body“ means a Cyber Essentials Supplier which has been appointed by IASME to provide Certification Services, including Fortis Cyber Security Limited;
“Certification Mark“ means the Cyber Essentials Certification Mark and the Cyber Essentials Plus Certification Mark;
“IASME“ means the IASME Consortium Ltd;
“You” refers to the applicant company or other organisation seeking certification under the Scheme; Yours and Your shall be interpreted accordingly;
“Fee” means the fee payable for each assessment;
“We” refers to Fortis Cyber Security Ltd. “Us” and “Our” shall be interpreted accordingly.
“Scheme Controls” means the technical controls described in the Cyber Essentials Requirements for IT Infrastructure (https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf)
“Questionnaire” means the self-assessment questionnaire by which You will describe how you implement the Scheme Controls.
1.2 Clause and paragraph headings shall not affect the interpretation of this agreement.
1.3 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
1.4 A reference to a company shall include any company, corporation, or other body corporate, wherever and however incorporated or established.
1.5 A reference to a holding company or a subsidiary means a holding company or a subsidiary (as the case may be) as defined in section 1159 of the Companies Act 2006 [and a company shall be treated, for the purposes only of the
membership requirement contained in sections 1159(1)(b) and (c), as a member of another company even if its shares in that other company are registered in the name of:
(a) another person (or its nominee) by way of security or in connection with the taking of security; or
(b) its nominee.
For the purposes of determining whether a limited liability partnership is a subsidiary of a company or another limited liability partnership, section 1159 of the Companies Act 2006 shall be construed so that: (a) references in sections 1159(1)(a) and (c) to voting rights are to the members’ rights to vote on all or substantially all matters which are decided by a vote of the members of the limited liability partnership; and (b) the reference in section 1159(1)(b) to the right to appoint or remove a majority of its board of directors is to the right to appoint or remove members holding a majority of the voting rights.
1.7 Unless the context otherwise requires, words in the singular shall include the plural and, in the plural, shall include the singular.
1.8 Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
1.9 This agreement shall be binding on, and ensure to the benefit of, the parties to this agreement and their respective personal representatives, successors and permitted assigns, and references to any party shall include that party’s personal representatives, successors and permitted assigns.
1.10 A reference to a statute or statutory provision is a reference to it as amended, extended, or re-enacted from time to time.
1.11 A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.
1.12 Unless the context otherwise requires, any reference to European Union law that is directly applicable or directly effective in the UK at any time is a reference to it as it applies in England and Wales from time to time including as retained, amended, extended, or re-enacted on or after exit day.
1.13 A reference to writing or written includes email.
1.14 Any obligation on a party not to do something includes an obligation not to allow that thing to be done.
1.15 Any reference to an English legal term for any action, remedy, method of judicial proceeding, legal document, legal status, court, official or any legal concept or thing shall, in respect of any jurisdiction other than England, be deemed to include a reference to that which most nearly approximates to the English legal term in that jurisdiction.
1.16 A reference to this agreement or to any other agreement or document referred to in this agreement is a reference to this agreement or such other agreement or document as varied or novated (in each case, other than in breach of the provisions of this agreement) from time to time.
1.17 Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
2 ASSESSMENT
2.1 We will give You access to a Scheme self-assessment Questionnaire and will, subject to You meeting Your obligations under this agreement, assess the completed Questionnaire in accordance with the Scheme Controls.
2.2 You must complete and submit the Questionnaire within 6 months of receiving the Scheme Questionnaire. Any Questionnaire submitted after that date will not be assessed and no refund of the Fees will be due or payable to You.
2.3 You have 3 months from CE certification to achieve CE+ certification, otherwise You must complete and pay for CE assessment again and You will be charged as a new application.
2.4 You will be notified of the results of the assessment as soon as reasonably practicable after completing its assessment.
2.5 If You are successful, You will be issued with a Certificate (valid for 12 months from the date of issue);
2.6 Assessments are performed with reasonable skill and care but the results are not subject to any appeal mechanism and are made entirely at the sole and absolute discretion of IASME or the relevant Certification Body;
2.7 If You are unsuccessful in Your first assessment attempt one further assessment will be carried out free of any additional charge provided that Your resubmission is made within 48 hours of receipt of the notice that Your first assessment attempt has failed. Any further assessment attempts will be charged as a new application.
3 YOUR OBLIGATIONS
3.1 You warrant and represent that:
3.1.1 Your submitted Questionnaire is complete and accurate in all material respects and has been completed honestly and in good faith;
3.1.2 Your Scheme Questionnaire has been completed and signed by an authorised and suitably competent person of suitable seniority within Your organisation;
3.1.3 You will cooperate with Us and our permitted agents and advisers in the management and auditing of the Scheme and will in particular provide Us with access to Your records, personnel and premises for the purposes of auditing Your compliance with the terms of this agreement.
3.2 You acknowledge that the Scheme is intended to reflect the fact that certified organisations have themselves established the Security Controls set out in the Cyber Essentials Requirements for IT Infrastructure only and that receipt of a Certificate does not indicate or certify or guarantee that Your organisation is free from cyber security vulnerabilities. You acknowledge and accept that We have not warranted or represented the Scheme or certification under the Scheme as conferring any additional benefit to You.
3.3 You will comply with the Scheme Documentation and all reasonable directions made to You by Us or the by relevant Certification Body.
4 FEE
4.1 You will pay the Fee in accordance with the published fee scale and as per the quote issued to You by Fortis Cyber Security Ltd.
4.2 The issuance of the first Cyber Essentials Certificate and first Cyber Essentials Plus Certificate (if applicable) are included in the assessment fee. Any further certificates or changes to that certificate will be charged at the following rates:
-
Price per company certificate name/address change – £65.00
-
This includes up to 5 additional certificates with different Trading As/subsidiary names (if applicable)
-
If 6 or more different certificates are required, additional certificates with Trading As/subsidiary names will be charged at £20 each
-
Price per correction of a simple error on a certificate – £30.00
4.3 Unless otherwise specified, all invoices are issued by Fortis Cyber Security Ltd on the commencement of work and are due for payment by the Customer within 30 days of the of the date of the invoice.
5 SCHEME IPR AND USE OF CERTIFICATE
5.1 You will comply with the Scheme documentation and all reasonable directions made to You by Us, IASME, NCSC or the relevant Certification Body.
5.2 IASME reserves the right to rescind (without compensation to You) a Scheme Certificate that has been issued to You in error.
6 CONFIDENTIALITY
6.1 We will keep the information You submit during the assessment as confidential and protect it as we would our own confidential information. We will only use the confidential information you submit for the purposes of performing, managing, or reviewing the assessment and for the purposes of the effective management, supervision, and development of the Scheme. We may disclose Your confidential information to HM Government; and (for the purpose only of performing an assessment or managing or auditing the Scheme) to Our staff and contractors and to a Certification Body. Such disclosure will be on terms of confidentiality. We may also disclose Your information as required by law, by an order of any court or tribunal; or as required by HMRC. In the event that management of the Scheme is to be transferred to a third party we may disclose to them the confidential information You have submitted, for the purpose of ensuring the continuation of the assessment and or the Scheme.
6.2 You also agree to us publishing the name of your company and, if relevant, the scope of the assessment if you are awarded certification. You also agree to the UK Government publishing the details of your organisation and the level of certification held on IASME’s website and on NCSC’s website.
7 DATA PROTECTION
7.1 Both Parties will comply with their respective obligations under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
7.2 You shall hold Us harmless from and against any and all claims (including reasonable and properly incurred costs and expenses) made against Us by an individual arising as a result of any loss, unauthorised disclosure of or unauthorised access to any Personal Data by the You or any of Your staff in relation to this Agreement or the Scheme.
7.3 The provisions of this Clause 7 shall apply during the continuance of this Agreement and for twelve months after the expiry or termination of this Agreement.
8 INDEMNITY
8.1 You shall indemnify Us against all liabilities, costs, expenses, damages, and losses (including but not limited to any direct, indirect, or consequential losses, loss of profit, loss of reputation and all interest, penalties, and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by Us arising out of or in connection with:
(a) any breach of the warranties or representations contained in clause 3;
(b) Your breach or negligent performance or non-performance of this agreement;
(c) The enforcement of this agreement;
(d) any claim made against Us for actual or alleged infringement of a third party’s intellectual property rights arising out of or in connection with Our use of Your information for the purposes of the Scheme;
8.2 This indemnity shall not cover Us to the extent that a claim under it results from Our negligence or wilful misconduct.
8.3 Nothing in this clause shall restrict or limit Our general obligation at law to mitigate a loss We may suffer or incur as a result of an event that may give rise to a claim under this indemnity.
9 LIMITATION OF LIABILITY
9.1 We do not accept any liability to You resulting from any security breach or vulnerability in Your systems or processes either during the assessment or subsequently.
9.2 Without prejudice to the generality of clauses 9.1 and subject to clause 9.4 We shall not be liable to You whether in contract, tort (including negligence) for breach of statutory duty or otherwise arising under or in connection with this agreement for:-
-
loss of profits;
-
loss of sales or business;
-
loss of agreements or contracts;
-
loss of anticipated savings;
-
loss of or damage to goodwill;
-
loss of use or corruption of software, data or information;
-
any indirect or consequential loss.
9.3 The terms implied by sections 3 to 5 of the Supply of Goods and Services Act 1982 are, to the fullest extent permitted by law, excluded from this agreement.
9.4 The limitations and exclusions on liability in this section will not apply to any liability for death or personal injury caused by our negligence, for fraud or fraudulent misrepresentation or for any other liability that cannot lawfully be excluded or limited.
9.5 Subject to clause 9.4, the total limit of Our liability to You whether in contract or tort is the sum equivalent to the Fees that you have paid to us in the 12 months preceding the date of Your claim against Us.
10 INADEQUACY OF DAMAGES
10.1 Without prejudice to any other rights or remedies that We may have, You acknowledge and agree that damages alone would not be an adequate remedy for any breach of the terms of this agreement by You. Accordingly, We shall be entitled to the remedies of injunction, specific performance, or other equitable relief for any threatened or actual breach of the terms of this agreement.
11 CANCELLATION, TERMINATION AND EFFECTS OF TERMINATION
11.1 We may terminate the certification process at any stage without notice to you in the event that you are in breach of any of your obligations under this agreement.
11.2 IASME may cancel Your Certificate at any time in the event that You use the Certificate or Marks in breach of the terms of the Scheme or in the event that You are in material breach of any of your other obligations under this agreement.
11.3 In the event that IASME cancels Your Certificate You will immediately cease to use it or to hold Yourself out as holding a Certificate in any other way whatsoever.
11.4 We will not be obliged to return any Fee or other payment You have made in connection with the assessment that IASME terminates or Certificate that IASME cancels under this clause 11.
11.5 Neither Termination of the assessment nor cancellation of the Certificate will prohibit Us from enforcing our other rights under this Agreement.
12 FURTHER ASSURANCE
12.1 At its own expense, each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this agreement.
13 NO AGENCY
13.1 Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.
13.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.
14 WAIVER
14.1 No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
15 THIRD PARTY RIGHTS
15.1 Unless it expressly states otherwise, this agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement.
15.2 The rights of the parties to rescind or vary this agreement are not subject to the consent of any other person.
16 ENTIRE AGREEMENT
16.1 This agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations, and understandings between them, whether written or oral, relating to its subject matter.
16.2 Each party agrees that it shall have no remedies in respect of any statement, representation, assurance, or warranty (whether made innocently or negligently) that is not set out in this agreement. Each party agrees that it shall have no claim for innocent or negligent misrepresentation [or negligent misstatement] based on any statement in this agreement.
17 SEVERANCE
17.1 If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement. 17.2 If any provision or part-provision of this agreement is deemed deleted under clause 17.1 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
18 FORCE MAJEURE
18.1 Neither party shall be in breach of this agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the affected party shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for 12 weeks, the party not affected may terminate this agreement by giving ten days’ written notice to the affected party.
19 DISPUTE RESOLUTION
19.1 Any dispute regarding this agreement shall first be discussed between us with a view to resolving it promptly. If it cannot be resolved within 28 days then You and We hereby agree that it will be referred for alternative dispute resolution by an appropriate mediation practitioner who is a member of and subject to the rules of the Chartered Institute of Arbitrators.
20 LAW AND JURISDICTION
20.1 Each party irrevocably agrees, for the sole benefit of Us that, subject as provided below, the courts of England and Wales shall have exclusive jurisdiction over any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this agreement or its subject matter or formation. Nothing in this clause shall limit Our right to take proceedings against You in any other court of competent jurisdiction, nor shall the taking of proceedings in any one or more jurisdictions preclude the taking of proceedings in any other jurisdictions, whether concurrently or not, to the extent permitted by the law of such other jurisdiction.
21 ORDER OF PRECEDENCE
Unless expressly specified otherwise in these Terms and Conditions, if there is any inconsistency between these Terms and Conditions and the Fortis Master Terms and Conditions, these Terms and Conditions will take precedence.