The definition
What is Cyber Essentials Plus?
Cyber Essentials Plus is the audited level of the UK government's Cyber Essentials scheme. It covers the same five technical controls as the basic level, but instead of taking your word for it, an independent assessor tests a sample of your devices and proves the controls work. Certificates last twelve months.
The audit, demystified
What the assessor does on the day
Most pages explain the scheme. What actually matters when you are preparing is what happens during the assessment itself, and it comes down to four kinds of check.
Hands-on device testing
The assessor tests a representative sample of your laptops, desktops and servers, checking that what your self-assessment claimed is true on the machines themselves.
Patching and vulnerability checks
Sampled devices are scanned for missing security updates and known vulnerabilities. Unsupported software and unpatched systems are the most common reason assessments fail.
Malware and email defence tests
The assessor sends test files by email and downloads them through the browser to prove your malware protection actually blocks what it should, rather than just being installed.
Access control and MFA verification
Checks that admin accounts are separated from daily-use accounts, screen locks are enforced and multi-factor authentication is switched on for your cloud services.
Every check follows the scheme's published test specification, which is exactly what our pre-audit checklist walks you through in advance.
The five controls
What the scheme covers at both levels
Cyber Essentials, at either level, certifies five technical control areas: firewalls and internet gateways, secure configuration, security update management, user access control and malware protection. The NCSC's scheme overview sets these out in full. They are the basics that block the commodity attacks most UK businesses actually face, which is why government and enterprise buyers use the certificate as a minimum bar.
What the scheme deliberately does not cover, such as monitoring, detection and incident response, is worth knowing before you treat the certificate as an endpoint. We map those gaps for every client as part of the engagement.
A contract or tender requires it
Government frameworks and a growing number of enterprise procurement teams ask for Cyber Essentials, and increasingly the Plus level specifically, before they will award work.
You supply the MOD
Defence supply chain requirements flow Cyber Essentials obligations down to suppliers, with the audited level expected where sensitive MOD identifiable information is handled.
Your insurer or customers ask for evidence
A self-assessment is a claim; Plus is independent evidence. Insurers and security-conscious customers treat the two very differently.
You want the claim tested before an attacker tests it
The audit checks the same basics attackers probe first: unpatched software, weak access control, malware defences that exist on paper. Passing Plus means those were verified, not assumed.
Who runs the scheme
Cyber Essentials is owned by the National Cyber Security Centre and delivered by IASME, which licenses the certification bodies that carry out assessments. Your Plus audit is always performed by an IASME-licensed certification body; our role is getting you ready for it, arranging it and supporting you through it, so the certificate you receive is independently assessed rather than marked by your own adviser.
What Plus is not
Not a penetration test, and not a security strategy
The Plus audit verifies baseline controls against a fixed specification; it does not attempt to break in the way a penetration test does, and it says nothing about how you would detect or respond to an attack in progress. Treat it as the verified floor of your security, then decide what to build on top.
How it compares with ISO 27001Quick answers
Cyber Essentials Plus questions, answered
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Both levels cover the same five control areas. Basic Cyber Essentials is a self-assessment questionnaire your business answers about itself; Cyber Essentials Plus adds an independent technical audit in which an assessor tests a sample of your devices and verifies the controls actually work.
What does the assessor actually check on the day?
The assessment tests sampled devices for missing patches and vulnerabilities, verifies malware protection by sending test files over email and browser downloads, and checks account separation, screen locks and multi-factor authentication on cloud services. It follows the scheme's published test specification, so nothing on the day should be a surprise.
How long does Cyber Essentials Plus take?
The audit itself typically takes a day or less for a small business. The engagement end to end, from gap analysis through remediation to certificate, usually runs two to six weeks depending on how much needs fixing. The Plus audit must also be completed within three months of your basic Cyber Essentials self-assessment.
Do I need basic Cyber Essentials before Plus?
Yes. The basic self-assessment is a prerequisite, and the Plus audit must take place within three months of it. Most businesses do both as one engagement, which is how our service is structured.
More questions answered on the full FAQ page.
Ready when you are
Find out what the audit would find in your business
A free 45 minute discovery call scopes your certification: your size band, your likely fix list and one clear price. No obligation, no hard sell.