Cyber Essentials Plus Certification
Cyber Essentials Plus is the advanced level of the UK Government-backed Cyber Essentials scheme, designed to provide independent, technical verification that your organisation’s cyber security controls are correctly implemented and effective in practice.
Unlike the Cyber Essentials self-assessment, Cyber Essentials Plus involves a hands-on technical audit performed by a certified assessor to validate your security controls across your IT environment.
What is Cyber Essentials Plus?
Cyber Essentials Plus builds on the Cyber Essentials certification by adding independent testing and validation. It confirms that your organisation is protected against a wide range of common cyber threats, including phishing attacks, malware, and exploitation of vulnerabilities.
This certification demonstrates to customers, partners, and stakeholders that security controls are not just in place but are actively working.
How the Assessment Works
A certified assessor from an IASME-accredited certification body will conduct a remote technical audit of your systems. The assessment includes the following key stages:
1. External Vulnerability Assessment
Your public-facing IP addresses are scanned to identify vulnerabilities that could be exploited by external attackers.
2. Internal Vulnerability Assessment
A sample of user devices is tested to identify:
- Missing security updates
- Unsupported or vulnerable software
- Misconfigurations
3. Vulnerability Scanning
Your systems are assessed to ensure secure baseline configurations are in place and maintained.
4. Email and Browser Security Testing
We test your organisation’s ability to detect and block malicious:
- Emails
- Attachments
- Web content
This validates that users are protected against phishing and malware-based attacks.
5. Evidence Collection
Screenshots and technical evidence are collected throughout the assessment to demonstrate compliance.
Vulnerability Management and Remediation
Any vulnerabilities identified during the assessment are categorised using CVSS ratings:
- Critical
- High
- Medium
- Low
To achieve certification:
- All critical and high vulnerabilities must be remediated
- Issues must be resolved within 30 days
Failure to remediate within this timeframe will result in a failed assessment.
Certification Outcome
If your organisation successfully passes all assessment stages:
- You will receive a Cyber Essentials Plus certificate
- Certification is valid for 12 months
- Annual reassessment is required to maintain certification
The Five Key Security Controls
Cyber Essentials Plus verifies the effective implementation of five core technical controls:
- Firewalls – Secure boundary between internal systems and the internet
- Secure Configuration – Systems configured to reduce vulnerabilities
- User Access Control – Only authorised users access systems
- Malware Protection – Protection against viruses and malicious software
- Security Update Management – Regular patching and updates
How to Prepare for Cyber Essentials Plus
To improve your chances of passing:
- Remove unused or unsupported software
- Ensure all devices and systems are fully updated
- Verify endpoint protection is active and effective
- Confirm least privilege access is enforced
- Ensure consistent configuration across devices
Organisations do not need to be UK-based to achieve certification.
Why Choose Cyber Essentials Plus?
Achieving Cyber Essentials Plus provides:
- Independent verification of your security controls
- Increased trust from customers and partners
- Competitive advantage in bids and tenders
- Eligibility for contracts requiring Cyber Essentials
- Clear insight into your organisation’s security posture
Frequently Asked Questions
Do we need Cyber Essentials first?
Yes. You must achieve Cyber Essentials certification before progressing to Cyber Essentials Plus.
Is the assessment remote or onsite?
Cyber Essentials Plus assessments are typically conducted remotely, depending on scope and environment.
What happens if we fail?
You will be given up to 30 days to remediate issues and re-submit evidence without full reassessment.
Get Started
If you’re ready to achieve Cyber Essentials Plus or want to assess your readiness, contact our team today to begin your certification journey.
