
How Do I Prepare for Cyber Essentials Plus Assessment?

Quick Answer

Get patching current, enable MFA everywhere, lock down firewall rules, document your scope, and test before the assessor does. A gap analysis before booking the assessment saves time and money.


The Preparation Checklist

1. Define your scope clearly

Know exactly what's included:

  • Every device that accesses company data
  • Every user account
  • Every external service (email, cloud apps, website)
  • Every network boundary

Common scope mistakes:

  • Forgetting mobile devices with company email
  • Missing that old PC in the warehouse
  • Ignoring personal devices used for work
  • Overlooking test/dev systems

Write it down. The assessor will test against your stated scope.

2. Patching - get current

The standard requires critical and high-severity patches within 14 days.

Check everything:

  • Windows/Mac updates
  • Third-party applications
  • Browser versions
  • Firmware on firewalls and network kit
  • Mobile device OS versions

The awkward ones:

  • That server no one touches
  • Software that doesn't auto-update
  • Legacy applications
  • Devices that haven't been online recently
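
An added example (not from the original page) of a self-check for this step: it flags critical and high-severity patches outside the 14-day window, treats "downloaded" as not installed, and calls out devices that have not reported in recently. The inventory format, host names, patch ids, the 30-day staleness cut-off, and counting the 14 days from the patch release date are assumptions made for the example.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14   # window stated in the checklist
STALE_AFTER_DAYS = 30    # assumption: cut-off for "hasn't been online recently"
IN_SCOPE = {"critical", "high"}

# Constructed sample inventory; hosts and patch ids are hypothetical.
INVENTORY = [
    {"host": "laptop-01", "last_seen": date(2025, 3, 20), "patches": [
        {"id": "os-update-a", "severity": "critical",
         "released": date(2025, 3, 1), "state": "installed"}]},
    {"host": "warehouse-pc", "last_seen": date(2025, 1, 10), "patches": [
        {"id": "browser-update-b", "severity": "high",
         "released": date(2025, 2, 15), "state": "downloaded"}]},
    {"host": "server-02", "last_seen": date(2025, 3, 21), "patches": [
        {"id": "app-update-c", "severity": "critical",
         "released": date(2025, 3, 12), "state": "missing"},
        {"id": "app-update-d", "severity": "low",
         "released": date(2025, 1, 1), "state": "missing"}]},
]

def audit(inventory, today):
    """Return (host, kind, detail) findings for one inventory snapshot."""
    findings = []
    for device in inventory:
        host = device["host"]
        idle = (today - device["last_seen"]).days
        if idle > STALE_AFTER_DAYS:
            # Reported state may be out of date; re-check the device itself.
            findings.append((host, "stale", f"not seen for {idle} days"))
        for patch in device["patches"]:
            # Only "installed" counts; "downloaded" is still unpatched.
            if patch["severity"] not in IN_SCOPE or patch["state"] == "installed":
                continue
            age = (today - patch["released"]).days
            if age > PATCH_WINDOW_DAYS:
                detail = f"{patch['id']} {patch['state']}, {age - PATCH_WINDOW_DAYS} days past window"
                findings.append((host, "overdue", detail))
            else:
                detail = f"{patch['id']} {patch['state']}, {PATCH_WINDOW_DAYS - age} days left"
                findings.append((host, "pending", detail))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, date(2025, 3, 21)):
        print(*finding, sep=" | ")
```

Feed it an export from your patch management or RMM tool rather than the sample list; anything marked "overdue" or "stale" needs fixing or checking on the device itself before you book.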

3. MFA - everywhere that matters

Multi-factor authentication on:

No exceptions. "We haven't got round to that one" is a fail.

4. Firewall configuration

  • Default deny on inbound traffic
  • Only necessary ports open
  • Admin interface not exposed to internet
  • Documented rules you can explain

Review your rules. Remove anything you can't justify.

5. User access control

  • No shared accounts
  • Admin rights only where necessary
  • Leavers removed promptly
  • Documented process for access changes

6. Malware protection

  • Antivirus/EDR on all devices in scope
  • Signatures current
  • Scanning enabled
  • Not disabled by users

7. Secure configuration

  • Default passwords changed
  • Unnecessary services disabled
  • Auto-run disabled
  • Screen locks enabled

Before You Book the Assessment

Run your own checks:

  • Vulnerability scan your external systems
  • Check MFA is actually enforced (not just enabled)
  • Verify patches are installed, not just downloaded
  • Test a sample of devices against the requirements

Get a gap analysis: We check everything an assessor will check, before the real assessment. Finding problems ourselves is cheaper than failing the official assessment.

On Assessment Day

For the technical testing:

  • Assessor needs access to a sample of devices
  • They'll run vulnerability scans
  • They'll check configurations
  • They may test phishing email handling

Have someone available who can answer technical questions and provide access as needed.

What We Do

Our pre-assessment service mirrors the real assessment. We check:

  • External vulnerability scan
  • Device configuration samples
  • MFA verification
  • Patch status
  • Firewall review

You get a report of exactly what needs fixing. Fix it, then book the real assessment with confidence.
