The definition

What is Cyber Essentials Plus?

Cyber Essentials Plus is the audited level of the UK government's Cyber Essentials scheme. It covers the same five technical controls as the basic level, but instead of taking your word for it, an independent assessor tests a sample of your devices and proves the controls work. Certificates last twelve months.

The audit, demystified

What the assessor does on the day

Most pages explain the scheme. What actually matters when you are preparing is what happens during the assessment itself, and it comes down to four kinds of check.

3D illustration of hands-on device testing

Hands-on device testing

The assessor tests a representative sample of your laptops, desktops and servers, checking that what your self-assessment claimed is true on the machines themselves.

3D illustration of patching and vulnerability checks

Patching and vulnerability checks

Sampled devices are scanned for missing security updates and known vulnerabilities. Unsupported software and unpatched systems are the most common reason assessments fail.

3D illustration of malware and email defence tests

Malware and email defence tests

The assessor sends test files by email and downloads them through the browser to prove your malware protection actually blocks what it should, rather than just being installed.

3D illustration of access control and MFA verification

Access control and MFA verification

Checks that admin accounts are separated from daily-use accounts, screen locks are enforced and multi-factor authentication is switched on for your cloud services.

Every check follows the scheme's published test specification, which is exactly what our pre-audit checklist walks you through in advance.

The five controls

What the scheme covers at both levels

Cyber Essentials, at either level, certifies five technical control areas: firewalls and internet gateways, secure configuration, security update management, user access control and malware protection. The NCSC's scheme overview sets these out in full. They are the basics that block the commodity attacks most UK businesses actually face, which is why government and enterprise buyers use the certificate as a minimum bar.

What the scheme deliberately does not cover, such as monitoring, detection and incident response, is worth knowing before you treat the certificate as an endpoint. We map those gaps for every client as part of the engagement.

A contract or tender requires it

Government frameworks and a growing number of enterprise procurement teams ask for Cyber Essentials, and increasingly the Plus level specifically, before they will award work.

You supply the MOD

Defence supply chain requirements flow Cyber Essentials obligations down to suppliers, with the audited level expected where sensitive MOD identifiable information is handled.

Your insurer or customers ask for evidence

A self-assessment is a claim; Plus is independent evidence. Insurers and security-conscious customers treat the two very differently.

You want the claim tested before an attacker tests it

The audit checks the same basics attackers probe first: unpatched software, weak access control, malware defences that exist on paper. Passing Plus means those were verified, not assumed.

Who runs the scheme

Cyber Essentials is owned by the National Cyber Security Centre and delivered by IASME, which licenses the certification bodies that carry out assessments. Your Plus audit is always performed by an IASME-licensed certification body; our role is getting you ready for it, arranging it and supporting you through it, so the certificate you receive is independently assessed rather than marked by your own adviser.

What Plus is not

Not a penetration test, and not a security strategy

The Plus audit verifies baseline controls against a fixed specification; it does not attempt to break in the way a penetration test does, and it says nothing about how you would detect or respond to an attack in progress. Treat it as the verified floor of your security, then decide what to build on top.

How it compares with ISO 27001

Quick answers

Cyber Essentials Plus questions, answered

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both levels cover the same five control areas. Basic Cyber Essentials is a self-assessment questionnaire your business answers about itself; Cyber Essentials Plus adds an independent technical audit in which an assessor tests a sample of your devices and verifies the controls actually work.

The full comparison

What does the assessor actually check on the day?

The assessment tests sampled devices for missing patches and vulnerabilities, verifies malware protection by sending test files over email and browser downloads, and checks account separation, screen locks and multi-factor authentication on cloud services. It follows the scheme's published test specification, so nothing on the day should be a surprise.

Prepare with the checklist

How long does Cyber Essentials Plus take?

The audit itself typically takes a day or less for a small business. The engagement end to end, from gap analysis through remediation to certificate, usually runs two to six weeks depending on how much needs fixing. The Plus audit must also be completed within three months of your basic Cyber Essentials self-assessment.

See the full timeline

Do I need basic Cyber Essentials before Plus?

Yes. The basic self-assessment is a prerequisite, and the Plus audit must take place within three months of it. Most businesses do both as one engagement, which is how our service is structured.

Basic Cyber Essentials, explained

More questions answered on the full FAQ page.

3D rocket illustration for booking a free certification discovery call

Ready when you are

Find out what the audit would find in your business

A free 45 minute discovery call scopes your certification: your size band, your likely fix list and one clear price. No obligation, no hard sell.