Cyber Essentials Plus requirements are the controls you must demonstrate to pass the hands-on checks an IASME Certification assessor performs to verify the National Cyber Security Centre's CE+ controls (NCSC, Cyber Essentials Requirements v3).
The audit confirms firewalls, secure configuration, access control, malware protection and patching on sampled devices, using methods such as authenticated scans and malware simulation where specified (NCSC, Cyber Essentials overview; NCSC, Cyber Essentials resources). Cyber Essentials Plus requirements play a prominent role in this broader context.
Certificates are issued by IASME Certification for a 12-month period under the UK government-backed scheme (NCSC, Cyber Essentials overview). Cyber Essentials is widely referenced in UK procurement and programme guidance, with scheme management information published by the UK government (GOV.UK, Cyber Essentials management information).
- What is tested: Live checks prove firewalls, secure configuration, access control, malware protection and patching are implemented and working on real devices (NCSC Requirements v3).
- Who runs it: IASME Certification appoints assessors to test against National Cyber Security Centre requirements and issue 12-month certificates (NCSC overview).
- How it differs: Unlike self-assessed Cyber Essentials, Plus uses authenticated scanning, malware detection checks and device sampling to verify operation (NCSC resources).
- Scope matters: Only in-scope devices, users, accounts and internet gateways are tested, so define boundaries and exceptions before booking.
- Why buyers ask: Public sector and primes often require Cyber Essentials Plus requirements to be met for supplier assurance in UK contracts (GOV.UK management information).
🛡 What is Cyber Essentials Plus?
Cyber Essentials Plus is the audited, hands-on level of the UK Cyber Essentials scheme, run by IASME Certification in partnership with the National Cyber Security Centre. It verifies the five Cyber Essentials controls through live testing and is valid for 12 months.
Scheme definition and oversight
Cyber Essentials Plus certifies that an organisation’s firewalls, secure configuration, access control, malware protection and patch management are implemented and working in practice.
IASME Certification appoints approved assessors who perform on-site or remote checks against the official requirements published by the National Cyber Security Centre. The National Cyber Security Centre describes the scheme and its aims on the programme overview page (NCSC), and the testable requirements are set out in the current “Requirements for IT Infrastructure” document (NCSC).
How Plus differs from self-assessed Cyber Essentials
Cyber Essentials is a self-assessment against the five controls, verified by an assessor’s desktop review. Cyber Essentials Plus adds independent, practical tests on user devices and the network. Typical activities include authenticated vulnerability scanning, malware protection checks, tests of boundary controls and sampling of build and patch status on selected endpoints. This means Cyber Essentials Plus provides assurance that controls are both designed and operating, not just documented. Organisations often reference Cyber Essentials Plus requirements when they need buyer assurance beyond policy.
Validity and procurement context
Cyber Essentials Plus certificates are issued by IASME Certification and typically last 12 months, after which reassessment is required to stay current. UK public sector buyers and primes sometimes require Cyber Essentials or Cyber Essentials Plus for contracts handling government information; the National Cyber Security Centre explains how the scheme supports supplier assurance (NCSC). Management information on uptake and programme delivery is maintained on GOV.UK for transparency (GOV.UK).
At CyPro, we guide organisations through scoping, readiness and audit so the assessment runs smoothly and adds value beyond the badge. See how we support end-to-end certification on our Cyber Essentials Plus service.
🗺️ Who does Cyber Essentials Plus apply to in the UK?

Cyber Essentials Plus applies to any UK organisation that chooses to certify, but it most often affects companies supplying government, regulated firms, and businesses handling personal data where buyers make it a contractual requirement.
Procurement and assurance drivers
Public sector buyers, prime contractors and larger enterprises frequently specify Cyber Essentials or Plus in tender packs to verify baseline controls. The National Cyber Security Centre’s resources explain scheme scope and how certification evidence is used in supplier assurance (NCSC resources). UK government programmes have also promoted uptake, with the Funded Cyber Essentials Programme highlighted in the NCSC Annual Review 2025. When your customers demand a pass certificate, Plus becomes de facto mandatory for doing business.
Typical size and sector fit
Small and mid-market suppliers into central and local government, health, and education commonly pursue Plus to keep bidding. Regulated sectors such as financial services and legal also request Plus to evidence baseline hygiene alongside ISO 27001 or NIST CSF. Many boards prioritise Plus because an audited pass is a simple, recognisable badge that procurement teams understand. Where procurement risk is high, buyers often treat Cyber Essentials Plus requirements as a minimum bar for endpoint, identity, patching, and boundary security.
Edge cases and when to prioritise
Managed service providers and cloud-hosting firms are frequently asked for Plus to reassure customers about device and admin control hygiene. Operational Technology environments can be in scope where IT systems interface with OT, but you should confirm scoping early using the official guidance. High-profile UK enforcement keeps pressure on boards: The Information Commissioner’s Office publicised a £14 million data breach penalty in 2025, reminding buyers to check baseline controls in their supply chain (ICO press release). At CyPro, we help decide when to pursue Plus now versus tackling broader governance or risk work first. If tenders are blocked or renewals depend on it, do Plus. If you lack basic asset, patch or MFA coverage, fix gaps rapidly, then certify.
For organisations weighing scope, our Cyber Security Audit identifies what is in and out, prioritises quick wins, and sets a clear route to a pass without slowing operations.

🗓 When does Cyber Essentials Plus come into force and how long does certification last?
Cyber Essentials Plus takes effect on the date your IASME-accredited certification body issues the certificate, and the assurance lasts 12 months from that date. Buyers that mandate Plus usually expect it to be valid on contract award and throughout the term.
- Certification timing and validity – Cyber Essentials Plus is only awarded after a successful hands-on audit and a current Cyber Essentials basic certificate. The basic certificate must be obtained within 90 days prior to the Plus test, otherwise the Plus assessment must be repeated. The Plus certificate then remains valid for one year. UK organisations should align expiry with renewal cycles so there is no gap that delays bids or renewals.
- Audit scheduling and renewal planning – Audit slots are finite, and demand spikes around public-sector tender deadlines. Booking 6 to 8 weeks ahead is common, and remediation time for findings can extend the process. We advise starting your renewal 8 to 12 weeks before expiry so you can fix non-conformities and keep cover continuous. Rising exploitation of known vulnerabilities in EMEA underlines why letting assurance lapse is risky, with Verizon’s 2025 DBIR highlighting increased system intrusion and vulnerability-related breaches. High incident volumes reported by ENISA in 2025 also support maintaining annual assurance without gaps.
- Scheme updates to watch – The National Cyber Security Centre and IASME adjust test scopes and clarifications periodically, and the requirements have continued to evolve through 2025 into 2026. Control wording changes can affect evidence, sampling and scoping. Review the latest Cyber Essentials Plus requirements before booking, and confirm device builds, external services and malware protection align with the current version. At CyPro, we coordinate timing, scope and remediation so your certificate activates on schedule and stays valid for the full year, while avoiding rework.
For sustained compliance against Cyber Essentials Plus requirements and smoother renewals, our Cyber Security Consultants can manage the audit calendar, pre-test checks and evidence pack.
Where risk discovery is needed ahead of audit, our Cyber Risk Assessment identifies gaps early so you pass first time.
🧪 What are the core Cyber Essentials Plus requirements the audit actually tests?

Cyber Essentials Plus requirements have five control areas: Boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management. Auditors verify these controls on sampled devices and cloud services to confirm they work in practice.
At CyPro, we prepare evidence and run pre-tests so you pass first time, then keep controls tight between audits. We align preparations to the current scheme version and your actual IT environment.
How auditors test each control
- Boundary firewalls and internet gateways: Auditors run external scans against in-scope IPs, confirm inbound ports are minimised and ruled by “deny by default”, and verify admin interfaces are not exposed to the internet.
- Secure configuration: Devices are checked for default or weak settings, unnecessary services, insecure local accounts and unsupported operating systems. Build standards and configuration baselines are reviewed against the sample.
- Access control: Assessors verify Multi-Factor Authentication (MFA) on email and core cloud apps, separate admin accounts, least-privilege groups and timely joiner-mover-leaver processes. Password policy and lockout behaviour are sampled live.
- Malware protection: Anti-malware or Endpoint Detection and Response (EDR) is confirmed on endpoints. Test files are executed to check real-time detection, quarantine and update currency.
- Patch management: Authenticated vulnerability scans are run on a device sample to evidence prompt patching for high-risk CVEs, with checks that updates meet defined timeframes and that unsupported software is removed.
Why this matters: In EMEA, vulnerability-driven system intrusions have increased, underscoring why patching and configuration are scrutinised at Plus level (Verizon DBIR 2025 EMEA).
Pass and fail examples
- Firewall: Pass if only required ports are open and remote admin is restricted to VPN. Fail if RDP is exposed publicly.
- Configuration: Pass if default accounts are disabled and services hardened. Fail if SMBv1 or guest accounts are active.
- Access control: Pass if MFA is enforced for all users on email. Fail if admins share credentials or have no MFA.
- Malware protection: Pass if EDR blocks the test file. Fail if signatures are out of date or protection is missing on sample devices.
- Patch management: Pass if high-severity vulnerabilities are absent or remediated within the policy window. Fail if multiple unpatched high-severity CVEs are detected on sampled hosts.
Evidence and artefacts you will be asked to present
| Control area | Practical test | Evidence or artefact | Cyber Essentials Plus Requirements |
|---|---|---|---|
| Boundary firewalls | External scan and rule review | Firewall ruleset export, change logs, network diagram | CE Requirements v3.2 |
| Secure configuration | Build checks on sampled devices | Build standard, CIS or vendor baseline, hardening checklist | CE Requirements v3.2 |
| Access control | MFA and privilege validation | MFA policy export, admin account list, JML records | CE Requirements v3.2 |
| Malware protection | Live anti-malware test | EDR policy, console screenshots, update logs | CE Requirements v3.2 |
| Patch management | Authenticated vuln scan | Scan reports, patch deployment reports, asset list | CE Requirements v3.2 |
The UK government’s sector analysis of Cyber Essentials Plus requirements offers useful context for adoption drivers across industries and supply chains (GOV.UK Cyber Security Sectoral Analysis 2025).
To tighten exposure ahead of audit, consider an external view of internet-facing assets with our Cyber Attack Surface Assessment and shore up policy-to-control alignment with our Cyber Strategy and Roadmap.
Cyber Essentials Plus is a practical exam of five controls. Prepare device samples, policy exports and recent scan reports so auditors can verify that controls are both deployed and effective.
⚠️ What are the penalties of failing to meet Cyber Essentials Plus requirements?

There are no statutory fines for failing Cyber Essentials Plus requirements, but failure risks losing tenders that require certification, delaying supplier onboarding, triggering insurer scrutiny and increasing premiums. You will not receive a certificate, and you may need a remedial audit before retesting.
Public procurement and tenders
UK public sector buyers often mandate Cyber Essentials or Cyber Essentials Plus requirements in contracts.
If you fail, you usually cannot bid or will be marked non-compliant until you pass, which can remove you from competitions and frameworks. The Information Commissioner’s Office enforces UK GDPR penalties for breaches, not scheme failures, but high-profile enforcement shows the cost of weak security, which buyers increasingly factor into supplier due diligence. See enforcement examples on the ICO Actions We’ve Taken page.
Cyber insurance implications
Insurers commonly ask for Cyber Essentials controls at proposal or renewal. A failed assessment can lead to exclusions, higher deductibles, premium uplifts or binding remediation conditions. Underwriting trends reflect how attackers operate, including mass exploitation and ransomware, as described in Mandiant’s Trending Evil, so gaps against the Cyber Essentials Plus requirements are flagged quickly. Expect follow-up questions, evidence requests and time-bound fixes before cover is confirmed.

Audit outcomes and remediation
Failure usually results in a clear remedial action plan from the assessor.
Common next steps include urgent patching, enabling MFA, tightening EDR policies and reconfiguring exposed services. You can book a retest once evidence shows the controls work across sampled devices and cloud apps. At CyPro, we prioritise fast wins that unblock certification, then build a sustainable plan so you maintain compliance at renewal. If you need executive ownership and supplier assurance support during remediation, our Virtual CISO service can manage policies, insurer queries and buyer questionnaires.
Bottom line: The commercial and insurance consequences usually outweigh the lack of direct legal penalties. Treat a failed audit as a short, focused improvement project so you recover certification, protect pipeline and strengthen day‑to‑day security.
🧭 How does Cyber Essentials Plus compare to Cyber Essentials and ISO 27001?
Meeting the Cyber Essentials Plus requirements is a hands-on technical audit, Cyber Essentials is a self-assessed questionnaire, and ISO 27001 is a certifiable management system for security governance and continuous improvement. Pick based on assurance depth, buyer demands and your risk appetite.
Scope and assurance depth
Cyber Essentials Plus tests whether controls actually work on sampled devices and services. The National Cyber Security Centre (NCSC) describes Cyber Essentials as five controls with an audited variant that validates them in practice (see the NCSC overview). Those five areas map to common failure points that show up in real incidents, which is why buyers trust the Plus audit more than self-assessment.
ISO 27001 certifies an Information Security Management System (ISMS). This covers policies, risk assessment, internal audits, supplier due diligence and continuous improvement across the organisation. Unlike Cyber Essentials, ISO 27001 is broader and assessed over a three-year cycle with annual surveillance audits by an accredited body. For many tenders, ISO 27001 demonstrates organisational governance where Cyber Essentials proves technical hygiene.
Cyber Essentials focuses on technical baselines aligned to the current scheme requirements. The NCSC publishes the detailed control set and test conditions, including scope definition, vulnerability scanning and malware protection checks, in the Cyber Essentials Requirements for IT Infrastructure. These are the Cyber Essentials Plus requirements your auditor will test against on the day.
When to choose each certification
Choose Cyber Essentials Plus when a buyer requires audited assurance, when you want external validation of your device and cloud configuration, or as a checkpoint before ISO 27001. Choose Cyber Essentials self-assessment when speed and entry-level assurance will satisfy procurement.
Choose ISO 27001 when you need organisation-wide governance, risk management and third-party assurance across processes and suppliers. ISO 27001 often unlocks larger FS and public sector opportunities that mandate an ISMS. Cyber Essentials Plus can complement ISO 27001 by proving control effectiveness in production.
At CyPro, we advise sequencing: Use Cyber Essentials to set baselines, pass Cyber Essentials Plus to validate the build, then implement ISO 27001 for governance and supplier assurance. Our Cyber Resilience service aligns these efforts so audits reinforce day-to-day defence, not just certificates.
🧭 How do UK organisations prepare for and pass the Cyber Essentials Plus audit?

Passing Cyber Essentials Plus requires tight scoping, remediating the five control areas, capturing evidence and proving controls work during an assessor-led test. A pre-audit internal check reduces surprises. Most failures trace to patching gaps, weak authentication or mis-scoped assets.
Step-by-step preparation checklist
- Define scope: Include all internet-connected devices, servers, cloud services and remote users within the assessment boundary. The National Cyber Security Centre (NCSC) clarifies scope in its overview (NCSC).
- Harden per the five controls: Firewalls, secure configuration, user access control, malware protection and patch management, aligned to the current requirements pack (NCSC).
- Baseline build: Use secure images, disable insecure services, enforce encryption and remove default accounts.
- Authentication: Enable MFA for cloud admin and remote access, enforce strong passwords, review privileged groups.
- Patching: Apply high severity updates within policy windows and verify with vulnerability scans.
- Evidence pack: Screenshots, config exports, AV and EDR console status, patch reports, and device inventories.
- Pre-audit test: Test authentication controls, run phishing-simulation checks and a vulnerability scan mirroring assessor tools.
Treat the Cyber Essentials Plus requirements like a dry run of live controls: Scope carefully, fix fast, collect proof and rehearse with an internal pre-check to avoid day‑of surprises.
Common fail items and practical fixes
- Unsupported devices in scope: Retire or isolate, then prove compensating controls. Document exceptions clearly.
- Out-of-date patches: Prioritise OS and browser updates, then evidence via before-and-after scans. Most audit-day failures are patch compliance, weak MFA or insecure configs.
- Local admin sprawl: Remove standing admin rights, adopt privileged elevation tools and document RBAC reviews.
- AV or EDR not reporting: Standardise on one platform, fix update policies and show healthy coverage in the console.
- Open ports and weak TLS: Restrict inbound services, enforce HTTPS with current TLS and update cipher suites.
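As an added worked example (not CyPro's tooling, and not the assessor's test suite), the following PowerShell self-check runs the device-level checks behind the fail items listed here and in the pass-and-fail examples earlier on one Windows endpoint. The cmdlets are standard Windows ones; the signature-age, patch-age and local-admin thresholds are assumptions to tune to your own policy.

```powershell
# Added example: a pre-audit self-check for one Windows endpoint, covering the listed fail items.
# This is not CyPro, IASME or NCSC tooling; run it elevated on a sampled in-scope device and
# treat every FAIL as something to fix or explain before the assessor's own tests.
param(
    [int]$MaxSignatureAgeDays = 1,   # assumed: anti-malware definitions no older than one day
    [int]$MaxPatchAgeDays     = 14,  # assumed policy window for applying updates
    [int]$MaxLocalAdmins      = 2    # assumed: built-in Administrator plus one managed admin account
)

function New-CheckResult {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{
        Control = $Control; Check = $Check
        Result  = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail
    }
}

function Invoke-CePlusPreCheck {
    $r = @()

    # Secure configuration: SMBv1 off and the built-in Guest account disabled.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $r += New-CheckResult 'Secure configuration' 'SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    $r += New-CheckResult 'Secure configuration' 'Guest account disabled' `
        (($null -eq $guest) -or (-not $guest.Enabled)) "Enabled=$($guest.Enabled)"

    # Secure configuration: Windows 7/8/8.1 report kernel version 6.x and are out of support.
    $os = Get-CimInstance Win32_OperatingSystem
    $r += New-CheckResult 'Secure configuration' 'OS family in support' `
        ([version]$os.Version -ge [version]'10.0') "$($os.Caption) $($os.Version)"

    # Boundary firewall: each profile enabled with inbound traffic blocked by default.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -ne 'False') -and ($p.DefaultInboundAction -ne 'Allow')
        $r += New-CheckResult 'Boundary firewall' "$($p.Name) profile deny-by-default" $ok `
            "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
    }
    # RDP enabled on the host is not a fail by itself; it flags the exposure review the audit performs.
    $rdp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
    $r += New-CheckResult 'Boundary firewall' 'RDP disabled on host (else confirm not internet-facing)' `
        ($rdp -eq 1) "fDenyTSConnections=$rdp"

    # Access control: local Administrators membership within the assumed limit.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    $r += New-CheckResult 'Access control' 'Local admin group minimal' `
        ($admins.Count -le $MaxLocalAdmins) ($admins.Name -join ', ')

    # Malware protection: Defender status; with third-party EDR this fails and the console is the evidence.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $r += New-CheckResult 'Malware protection' 'Real-time protection on' `
            ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) "RTP=$($mp.RealTimeProtectionEnabled)"
        $r += New-CheckResult 'Malware protection' 'Signatures current' `
            ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) "SignatureAge=$($mp.AntivirusSignatureAge) days"
    } catch {
        $r += New-CheckResult 'Malware protection' 'Defender status readable' $false 'Get-MpComputerStatus failed; evidence EDR from its console'
    }

    # Patch management: newest installed update is only a rough proxy; the authenticated scan is still required.
    $last = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
    $r += New-CheckResult 'Patch management' "Update installed within $MaxPatchAgeDays days" `
        ($age -le $MaxPatchAgeDays) "Last: $($last.HotFixID) on $($last.InstalledOn)"

    return $r
}

Invoke-CePlusPreCheck | Format-Table -AutoSize -Wrap
```

Keep the table output for each sampled device as part of the pre-check record; it is a readiness aid and does not replace the assessor's authenticated scan or malware test file.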
Suggested timeline and pre-audit checks
Four to six weeks works for most SMEs: Week 1 scope and gap check, weeks 2-3 remediation, week 4 evidence, week 5 internal pre-check, week 6 audit. The GOV.UK management data shows programme uptake and expectations across UK organisations (GOV.UK), and the formal requirement pack defines what assessors test (NCSC). Build your plan around those sources and keep changes small and verifiable.
A UK legal firm with ~200 staff needed Cyber Essentials Plus for a public sector panel. A quick gap scan showed patch slippage on laptops, inconsistent MFA and a few exposed services in a satellite office.
At CyPro, we ran a focused pre-check, tightened admin groups, enforced MFA and closed unused ports. We aligned configs to the five controls and prepared an evidence pack, then briefed the team on audit-day steps. We supported retests and clarifications through our Cyber Essentials Plus service.
Within three weeks the firm passed first time. Patch compliance moved from 72% to 98%, and EDR coverage reached 100% of in-scope endpoints. Procurement onboarding completed on schedule and without further queries.
Practical tips from our team
At CyPro, we recommend assigning a single owner for scope control, keeping a live asset list and freezing high-risk changes one week before audit. Map each of the Cyber Essentials Plus requirements to one screenshot or export. Rehearsal reduces the retest cycle and accelerates certification.
❓ Frequently asked questions
Do I need Cyber Essentials Plus if I already have ISO 27001?
ISO 27001 does not automatically equal Cyber Essentials Plus. ISO 27001 sets a management system, while Cyber Essentials Plus validates that baseline technical controls work through hands‑on testing. Many UK public sector and supplier frameworks still ask for Cyber Essentials Plus. If you bid for UK government contracts, plan for both: Maintain ISO 27001 and pass the Cyber Essentials Plus audit.
How long does a Cyber Essentials Plus audit take?
Typical on‑site and technical testing takes a few hours to a full day, depending on scope and the number of devices sampled. The end‑to‑end timeline usually runs 2 to 6 weeks to allow scoping, evidence collection and any remedial fixes. Schedule early if you have contract deadlines, especially where third parties must support changes or provide access.
What evidence do auditors expect for patch management?
Auditors expect patch reports, a current endpoint inventory and dates of applied updates for a representative sample. Provide automated patching logs from tools such as MDM or SCCM, vulnerability scan results showing closed findings and an exception register for deferred patches with justification and timelines. Keep consistent, audit‑ready records, not ad‑hoc screenshots created just for the assessment.
Can a managed service provider (MSP) scope their clients into one CE Plus audit?
Each organisation must hold its own certificate. An MSP cannot group different legal entities under one Cyber Essentials Plus audit. Where an MSP operates controls, those services can be assessed within the client’s scope, with documented responsibilities, evidence access and assurance letters. Clarify contractual boundaries, ownership of endpoints and who patches, configures and monitors before booking the audit.
What are the common reasons organisations fail Cyber Essentials Plus?
Common failures include open RDP, out‑of‑support software, missing anti‑malware, weak firewall rules and unmanaged admin privileges. Remediate by disabling or restricting RDP, removing unsupported apps, enforcing centrally managed anti‑malware, default‑deny firewalls with needed allow rules and strict privilege management. Run an internal check across the five control areas and fix gaps before the assessor visits.