Cyber Essentials Plus Preparation Guide

Achieving Verified Cyber Security Certification

A practical guide to preparing for and passing Cyber Essentials Plus assessment

Published: January 2026

Author: Dead Simple Computing Ltd

Version: 1.0

Contents

  • Executive Summary
  • What Is Cyber Essentials Plus?
  • The Five Controls
  • CE vs CE+: What's Different
  • The Assessment Process
  • Preparing Your Environment
  • Control 1: Firewalls
  • Control 2: Secure Configuration
  • Control 3: User Access Control
  • Control 4: Malware Protection
  • Control 5: Patch Management
  • Common Failure Points
  • Pre-Assessment Checklist
  • Assessment Day
  • After Certification
  • How DSC Can Help

1. Executive Summary

Cyber Essentials Plus (CE+) is the verified version of the UK Government's Cyber Essentials scheme. While basic Cyber Essentials is a self-assessment, CE+ involves independent technical testing of your systems.

Why CE+ matters:

  • Required for many defence contracts
  • Increasingly required by aerospace and regulated sector customers
  • Demonstrates verified security controls
  • Government-backed certification
  • Provides higher assurance than self-assessment

The five controls:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

What the assessment involves:

  • External vulnerability scan
  • Internal vulnerability assessment
  • Device configuration checks
  • Policy and evidence review
  • Assessor verification of controls

Key success factors:

  • Prepare thoroughly before assessment
  • Patch everything (especially critical/high vulnerabilities)
  • Remove unsupported software
  • Implement MFA
  • No admin rights for standard users
  • Test your own environment first

2. What Is Cyber Essentials Plus?

Background

Cyber Essentials is a UK Government-backed scheme that helps organisations protect against common cyber attacks. It was launched in 2014 and is managed by the National Cyber Security Centre (NCSC).

The scheme has two levels:

Cyber Essentials (CE):

  • Self-assessment questionnaire
  • Verified by certification body review
  • Lower assurance

Cyber Essentials Plus (CE+):

  • Same controls as CE
  • Independent technical verification
  • Assessor tests your actual systems
  • Higher assurance

Why CE+ Exists

Self-assessment has limitations:

  • Organisations may misunderstand questions
  • Self-reporting can be optimistic
  • No verification of actual implementation
  • Easy to tick boxes without real compliance

CE+ addresses this through hands-on technical assessment.

Who Needs CE+

Defence supply chain:

  • Often mandatory for MOD contracts
  • Required by defence primes for suppliers
  • DEFCON 658 references Cyber Essentials

Aerospace:

  • Major OEMs requiring supplier certification
  • Airport operators assessing supply chain

Government:

  • Many central government contracts require CE+
  • Local government increasingly adopting

Regulated industries:

  • Customers in finance, health, CNI
  • Supply chain requirements flowing down

Anyone wanting higher assurance:

  • CE+ demonstrates verified controls
  • Builds customer confidence
  • Competitive differentiator

Validity

CE+ certificates are valid for 12 months. You must recertify annually to maintain certification.

3. The Five Controls

Cyber Essentials is built around five technical control themes. These same controls apply to both CE and CE+.

Control 1: Firewalls

Purpose: Protect your network boundary from unauthorised access.

Key requirements:

  • Firewall or equivalent boundary protection
  • Default deny for inbound connections
  • Firewall rules documented and reviewed
  • No unnecessary services exposed
  • Home/remote workers' devices protected

Control 2: Secure Configuration

Purpose: Ensure devices are configured securely, reducing attack surface.

Key requirements:

  • Default passwords changed
  • Unnecessary accounts removed/disabled
  • Unnecessary software removed
  • Auto-run disabled
  • Password/screen lock enabled

Control 3: User Access Control

Purpose: Control who can access what, following the principle of least privilege.

Key requirements:

  • Unique user accounts (no shared accounts)
  • Admin accounts only for admin tasks
  • Standard users don't have admin rights
  • Account creation/deletion process
  • MFA for cloud services and remote access

Control 4: Malware Protection

Purpose: Protect against malicious software.

Key requirements:

  • Anti-malware on all in-scope devices
  • Anti-malware regularly updated
  • Real-time scanning enabled
  • Application control (allowlisting) or sandboxing is accepted as an alternative to anti-malware software

Control 5: Patch Management

Purpose: Keep software up to date to fix known vulnerabilities.

Key requirements:

  • All software licensed and supported
  • Critical/high patches within 14 days
  • Automatic updates where possible
  • Unsupported software removed or risk-accepted out of scope

4. CE vs CE+: What's Different

Certification Process

Aspect | Cyber Essentials | Cyber Essentials Plus
--- | --- | ---
Assessment method | Self-assessment questionnaire | Technical testing by assessor
Verification | Review of questionnaire answers | Hands-on testing of systems
Duration | Hours to complete questionnaire | 1-2 days on-site/remote assessment
Evidence | Self-reported | Verified by assessor
Cost | Lower (typically £300-500) | Higher (typically £1,500-3,000+)

What Gets Tested

CE (Self-Assessment):

  • You answer questions about your controls
  • Certification body reviews your answers
  • No technical verification

CE+ (Technical Assessment):

  • External vulnerability scan of your IP addresses
  • Internal vulnerability scan of sample devices
  • Configuration review of sample devices
  • Verification of policy implementation
  • Evidence collection by assessor

Assurance Level

CE: You say you have controls → Certificate issued based on your answers

CE+: Assessor verifies you have controls → Certificate issued based on verified evidence

CE+ provides significantly higher assurance because claims are tested.

Prerequisites

To achieve CE+, you must:

  • First achieve Cyber Essentials (CE)
  • Then undergo CE+ assessment within 3 months of CE

You cannot skip CE and go straight to CE+.

5. The Assessment Process

Step 1: Achieve Cyber Essentials

Before CE+ assessment:

  • Complete CE self-assessment questionnaire
  • Submit to certification body
  • Receive CE certificate
  • CE+ must be completed within 3 months

Step 2: Scope Definition

Work with your assessor to define scope:

In scope (typically):

  • All devices that access organisational data
  • Servers, desktops, laptops, mobiles, tablets
  • Network infrastructure
  • Cloud services
  • Remote workers' devices

Can be excluded:

  • Air-gapped systems (with justification)
  • Devices with no access to organisational data
  • BYOD if strictly controlled

Important: Scope must match your CE scope.

Step 3: External Vulnerability Scan

The assessor (or their scanning partner) scans your external IP addresses:

  • All public-facing IP addresses in scope
  • Looking for vulnerabilities, open ports, services
  • Results categorised by severity

Pass criteria:

  • No critical or high vulnerabilities
  • All services intentionally exposed and necessary
  • Default credentials not in use

Step 4: On-Site/Remote Assessment

The assessor tests a sample of devices:

Sample typically includes:

  • Servers (different types/roles)
  • Desktops/laptops (different users/roles)
  • Mobile devices
  • Network devices
  • One device per "build type"

What they check:

  • Patch levels
  • Configuration settings
  • Anti-malware status
  • Admin rights
  • Password policies
  • Encryption status

Step 5: Evidence Review

The assessor verifies:

  • Policies exist and are implemented
  • Processes are followed
  • Evidence supports CE questionnaire answers
  • Controls are consistently applied

Step 6: Findings and Remediation

If issues are found:

Minor issues:

  • May be remediated during assessment
  • Retest specific items
  • Certificate can still be issued

Major issues:

  • Assessment fails
  • Remediation required
  • Reassessment scheduled
  • Additional cost typically applies

Step 7: Certification

If assessment passes:

  • Assessor submits results
  • Certification body reviews
  • CE+ certificate issued
  • Valid for 12 months

6. Preparing Your Environment

Pre-Assessment Activities

Weeks 4-6 before assessment:

  • Confirm scope with assessor
  • Document all in-scope systems
  • Run your own vulnerability scans
  • Identify and plan remediation

Weeks 2-4 before assessment:

  • Apply all critical and high patches
  • Remove or replace unsupported software
  • Fix configuration issues
  • Address vulnerability scan findings

Week before assessment:

  • Final vulnerability scan
  • Verify all remediations
  • Prepare evidence and documentation
  • Brief relevant staff

Document Your Environment

Create/update:

  • Network diagram showing scope
  • Asset inventory of in-scope devices
  • IP address list for external scanning
  • List of software in use
  • User account list with roles

Identify:

  • All device types and operating systems
  • All cloud services in use
  • Remote access methods
  • Mobile device management approach

Run Your Own Scans

External scan:

  • Use same tools assessor will use (e.g., Qualys, Nessus)
  • Scan all external IP addresses
  • Review results for vulnerabilities
  • Plan remediation

Internal scan:

  • Scan sample devices
  • Check patch levels
  • Identify vulnerable software
  • Verify configuration

Common Pre-Assessment Fixes

Finding | Fix
--- | ---
Missing patches | Apply patches, enable auto-update
Unsupported software | Remove or update
Critical vulnerabilities | Patch or mitigate
Default passwords | Change immediately
Unnecessary services | Disable or remove
Admin rights for users | Remove, create separate admin accounts
Missing anti-malware | Deploy EDR/AV
No MFA on cloud services | Enable MFA

7. Control 1: Firewalls

What Assessors Look For

Boundary protection:

  • Firewall present between internet and internal network
  • Default deny for inbound connections
  • Only necessary services exposed

Configuration:

  • Firewall rules documented
  • Rules reviewed and justified
  • No "any any" rules (or justified)
  • Default passwords changed

Remote/home workers:

  • Software firewall on devices
  • Enabled and configured
  • Protecting devices outside office

Preparing for Assessment

External scan preparation:

  • Know all your external IP addresses
  • Document intentionally exposed services
  • Ensure only necessary ports are open
  • Remove or close unnecessary services
  • Update firmware/software on perimeter devices

Internal review:

  • Document firewall rules
  • Review and remove unnecessary rules
  • Ensure rules are justified
  • Check for default credentials
  • Verify logging is enabled

Remote workers:

  • Verify software firewall enabled on all laptops
  • Check firewall is not disabled by users
  • Confirm settings via MDM or spot-check
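A pre-assessment check for the points above, as an added example that is not part of the original guide: it reads the effective (policy-applied) Windows Firewall profile settings on a device and flags any profile that is disabled, does not block inbound connections by default, or has logging switched off, then lists enabled inbound allow rules that permit any program on any port from any remote address (the "any any" rules the guide asks you to justify). The cmdlets are the standard NetSecurity module ones; the function name and the findings list are this example's own conventions. Run it in an elevated PowerShell session on each sample laptop, or push it out through your MDM/RMM tooling.

```powershell
# Added example (not from the guide): Windows Firewall readiness check for CE+.
# Requires the NetSecurity module (Windows 8 / Server 2012 and later) and an
# elevated session. Returns a list of findings; an empty list means "ready".
function Test-CeFirewallReadiness {
    [CmdletBinding()]
    param()

    $findings = @()

    # ActiveStore reflects the effective settings, including anything applied by
    # Group Policy or MDM, which is what the assessor will see on the device.
    foreach ($profile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $name = $profile.Name
        if ("$($profile.Enabled)" -ne 'True') {
            $findings += "Profile '$name': firewall is DISABLED"
        }
        if ("$($profile.DefaultInboundAction)" -ne 'Block') {
            $findings += "Profile '$name': default inbound action is '$($profile.DefaultInboundAction)', expected 'Block'"
        }
        if ("$($profile.LogBlocked)" -ne 'True') {
            $findings += "Profile '$name': logging of blocked connections is off (log file: $($profile.LogFileName))"
        }
    }

    # Enabled inbound allow rules that apply to any program, any port and any
    # remote address: the "any any" rules that need a documented justification.
    # Each rule needs three filter look-ups, so this loop takes a minute or two
    # on a machine with several hundred rules.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        $anyPort = ("$($port.Protocol)" -eq 'Any') -and ("$($port.LocalPort)" -eq 'Any')
        $anyAddr = ("$($addr.RemoteAddress)" -eq 'Any')
        $anyApp  = ("$($app.Program)" -eq 'Any')
        if ($anyPort -and $anyAddr -and $anyApp) {
            $findings += "Rule '$($rule.DisplayName)' (group '$($rule.DisplayGroup)') allows inbound from any address to any port and program"
        }
    }

    return ,$findings
}

# Usage: print findings, or confirm the device is ready on this control.
$result = Test-CeFirewallReadiness
if ($result.Count -eq 0) { 'Firewall: no findings' } else { $result | ForEach-Object { "FINDING: $_" } }
```

Any rule the loop reports is not automatically a failure, but it is exactly what the assessor will ask about, so either remove it or add it to the rule documentation with its justification before assessment day.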

Common Firewall Failures

Issue | Solution
--- | ---
Unnecessary ports open | Close or document justification
Services with vulnerabilities | Patch or disable service
Default credentials on firewall | Change immediately
No software firewall on laptops | Enable Windows Firewall or equivalent
Rules not documented | Document all rules with justification

8. Control 2: Secure Configuration

What Assessors Look For

Default settings changed:

  • Default/vendor passwords changed
  • Unnecessary default accounts disabled
  • Default services disabled

Attack surface reduced:

  • Unnecessary software removed
  • Auto-run/auto-play disabled
  • Only required accounts present
  • Screen lock enabled

Device security:

  • Boot password or encryption (laptops)
  • BIOS/UEFI password where applicable
  • Secure configuration baseline

Preparing for Assessment

Account cleanup:

  • Remove/disable guest accounts
  • Remove/disable unnecessary accounts
  • Rename or disable default admin accounts
  • Audit local admin accounts

Software cleanup:

  • Remove unused software
  • Remove demo/trial software
  • Update or remove browser plugins
  • Standardise installed software

Configuration hardening:

  • Disable auto-run for removable media
  • Enable screen lock (15 minutes max)
  • Set password complexity requirements
  • Enable boot security (laptops)
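The account cleanup and configuration hardening steps above, checked from the device side, as an added example that is not part of the original guide. It identifies the built-in Guest and Administrator accounts by their RID (501 and 500) so the check still works after a rename, reads the AutoRun and screen lock policy values from their standard registry locations, and reports the BitLocker state of the system drive. The 15-minute screen lock limit is the figure the guide gives; the function name and the 255 (0xFF) AutoRun value are this example's assumptions about how you implement the guide's requirement. Run elevated, in the context of an ordinary user session so the HKCU values are that user's.

```powershell
# Added example (not from the guide): secure-configuration readiness check for
# a Windows 10/11 endpoint. Returns a list of findings; empty means "ready".
function Test-CeSecureConfig {
    [CmdletBinding()]
    param([int] $MaxLockSeconds = 900)   # 15 minutes, the maximum the guide gives

    $findings = @()

    # Built-in accounts are identified by RID (500 = Administrator, 501 = Guest),
    # so the check is unaffected by renaming.
    $users = Get-LocalUser
    $guest = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if ($guest -and $guest.Enabled) {
        $findings += "Guest account '$($guest.Name)' is enabled"
    }
    $admin = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($admin -and $admin.Enabled -and $admin.Name -eq 'Administrator') {
        $findings += "Built-in Administrator account is enabled and still uses its default name"
    }

    # AutoRun: NoDriveTypeAutoRun = 255 (0xFF) disables AutoRun on every drive type.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $autorun -or $autorun -ne 255) {
        $findings += "AutoRun is not fully disabled (NoDriveTypeAutoRun = '$autorun', expected 255)"
    }

    # Screen lock: policy-managed values live under Software\Policies; fall back
    # to the user's own settings if no policy key is present.
    $desktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $desktopUser   = 'HKCU:\Control Panel\Desktop'
    $source = if (Test-Path $desktopPolicy) { $desktopPolicy } else { $desktopUser }
    $d = Get-ItemProperty -Path $source -ErrorAction SilentlyContinue
    if ("$($d.ScreenSaveActive)" -ne '1' -or "$($d.ScreenSaverIsSecure)" -ne '1') {
        $findings += "Screen lock not enforced ($source): ScreenSaveActive='$($d.ScreenSaveActive)', ScreenSaverIsSecure='$($d.ScreenSaverIsSecure)'"
    }
    $timeout = 0
    if (-not [int]::TryParse("$($d.ScreenSaveTimeOut)", [ref]$timeout)) {
        $findings += "No screen lock timeout set ($source)"
    } elseif ($timeout -gt $MaxLockSeconds) {
        $findings += "Screen lock timeout is $timeout s, more than the $MaxLockSeconds s maximum"
    }

    # Disk encryption on the system drive (laptops). The BitLocker cmdlets are
    # absent on Home editions, so report that rather than silently passing.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($null -eq $bl) {
        $findings += "BitLocker status unavailable for $env:SystemDrive (check encryption manually)"
    } elseif ("$($bl.ProtectionStatus)" -ne 'On') {
        $findings += "BitLocker protection is '$($bl.ProtectionStatus)' on $env:SystemDrive (volume status: $($bl.VolumeStatus))"
    }

    return ,$findings
}

# Usage
$result = Test-CeSecureConfig
if ($result.Count -eq 0) { 'Secure configuration: no findings' } else { $result | ForEach-Object { "FINDING: $_" } }
```

If your fleet is managed through Group Policy or MDM, run this on a freshly enrolled device as well as on long-lived ones: a device that was built before the policy existed is the one most likely to differ from the baseline.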

Common Secure Configuration Failures

Issue | Solution
--- | ---
Guest account enabled | Disable guest account
Default admin account active | Rename or disable
Auto-run enabled | Disable via Group Policy
No screen lock | Configure screen lock policy
Unnecessary software installed | Remove unused applications
Browser auto-fill for passwords | Disable or use password manager

9. Control 3: User Access Control

What Assessors Look For

Account management:

  • Unique accounts per user (no shared accounts)
  • Account creation process
  • Leavers' access removed
  • Account list maintained

Privilege management:

  • Standard users don't have admin rights
  • Admin accounts used only for admin tasks
  • Separate admin accounts for IT staff
  • Privileged access justified

Authentication:

  • MFA for cloud services
  • MFA for remote access
  • Strong password policy
  • Account lockout enabled

Preparing for Assessment

Account audit:

  • List all user accounts
  • Identify and remove shared accounts
  • Review admin rights
  • Remove unnecessary admin access

Privilege cleanup:

  • Remove admin rights from standard users
  • Create separate admin accounts for IT
  • Document who has admin rights and why
  • Implement "admin when needed" approach

MFA implementation:

  • Enable MFA on Microsoft 365
  • Enable MFA on cloud services
  • Enable MFA for VPN/remote access
  • Document MFA deployment

Password policy:

  • Minimum 12 characters (or 8 with complexity)
  • Account lockout after failed attempts
  • Password change if compromise suspected
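The account audit, privilege cleanup and password policy checks above, carried out on one Windows device, as an added example that is not part of the original guide. It compares the local Administrators group against a documented allowlist, flags enabled local accounts whose names suggest shared use, and parses the effective password and lockout policy from `net accounts`. The allowlist entries (`CORP\IT-Admins` and the local Administrator) and the list of generic account name fragments are constructed for illustration and must be replaced with your own register of who holds admin rights; English-language `net accounts` output is assumed. MFA on Microsoft 365 and the VPN is checked in those services' admin consoles, not on the endpoint, so it is outside this script.

```powershell
# Added example (not from the guide): user access control readiness check for
# a Windows endpoint. Returns a list of findings; empty means "ready".
function Test-CeUserAccess {
    [CmdletBinding()]
    param(
        # Constructed example values: replace with the accounts your admin-rights register documents.
        [string[]] $ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\IT-Admins'),
        [int] $MinPasswordLength = 12,     # the guide's 12 characters (or 8 with complexity)
        [int] $MaxLockoutThreshold = 10    # the guide's "5-10 failed attempts"
    )
    $findings = @()

    # 1. Who holds local admin rights, and is each one on the documented list?
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($ApprovedAdmins -notcontains $m.Name) {
            $findings += "Undocumented local admin: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
        }
    }

    # 2. Enabled local accounts that look like shared or generic logins
    #    (name fragments are a constructed heuristic; review the hits by hand).
    $genericNames = 'shared', 'generic', 'reception', 'warehouse', 'scanner', 'temp', 'test'
    foreach ($u in Get-LocalUser | Where-Object Enabled) {
        foreach ($g in $genericNames) {
            if ($u.Name -like "*$g*") { $findings += "Possible shared account: $($u.Name)"; break }
        }
    }

    # 3. Effective password and lockout policy. "net accounts" prints the values
    #    actually applied to this machine, whether set locally or by domain policy.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(\S.*)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $len = 0
    [void][int]::TryParse($policy['Minimum password length'], [ref]$len)
    if ($len -lt $MinPasswordLength) {
        $findings += "Minimum password length is $len (guide: $MinPasswordLength, or 8 with complexity enforced)"
    }
    $thr = $policy['Lockout threshold']
    $thrValue = 0
    if ($thr -eq 'Never' -or -not [int]::TryParse($thr, [ref]$thrValue) -or $thrValue -gt $MaxLockoutThreshold) {
        $findings += "Account lockout threshold is '$thr' (guide: lock after 5-10 failed attempts)"
    }

    return ,$findings
}

# Usage
$result = Test-CeUserAccess
if ($result.Count -eq 0) { 'User access control: no findings' } else { $result | ForEach-Object { "FINDING: $_" } }
```

Keep the output from each sample device as evidence: a dated listing of local administrators alongside the justification for each one is precisely what the assessor asks for under "document who has admin rights and why".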

Common User Access Control Failures

Issue | Solution
--- | ---
Shared accounts in use | Create individual accounts
Users with admin rights | Remove admin rights, use separate admin accounts
No MFA on Microsoft 365 | Enable MFA for all users
No MFA on VPN | Enable MFA for remote access
Weak password policy | Enforce 12+ characters or complexity
No account lockout | Enable lockout after 5-10 failed attempts
Leavers still have access | Review and remove immediately

10. Control 4: Malware Protection

What Assessors Look For

Coverage:

  • Anti-malware on all in-scope devices
  • Servers, desktops, laptops covered
  • Mobile devices protected (if in scope)

Configuration:

  • Real-time scanning enabled
  • Regular definition updates
  • On-access scanning enabled
  • Automatic scanning scheduled

Alternative approaches:

  • Application allowlisting (instead of AV)
  • Sandboxing (for specific scenarios)
  • Must be properly implemented

Preparing for Assessment

Deployment check:

  • Verify AV/EDR on all in-scope devices
  • Check for gaps in coverage
  • Deploy to any unprotected devices

Configuration check:

  • Real-time protection enabled
  • Definition updates automatic
  • Scan settings appropriate
  • Not disabled by users

Evidence preparation:

  • Central management console access
  • Deployment reports
  • Definition update status
  • Scan results
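The deployment and configuration checks above, run on a single device, as an added example that is not part of the original guide. It uses the Microsoft Defender cmdlets (Windows 10/11 and Server 2016 onward) to confirm real-time and on-access protection, definition age, recent scanning and tamper protection (which is what prevents a user from switching protection off). When Defender is in passive mode because another product is the active engine, the script lists the products registered with Security Center instead, since those settings must be checked in that product's console. The one-day definition age and seven-day scan age thresholds are this example's assumptions, not figures from the guide.

```powershell
# Added example (not from the guide): anti-malware readiness check using the
# Microsoft Defender cmdlets. Returns a list of findings; empty means "ready".
function Test-CeMalwareProtection {
    [CmdletBinding()]
    param(
        [int] $MaxSignatureAgeDays = 1,   # assumed threshold for "definitions regularly updated"
        [int] $MaxQuickScanAgeDays = 7    # assumed threshold for "automatic scanning scheduled"
    )
    $findings = @()

    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $status) {
        return ,@('Defender status unavailable: verify the installed anti-malware product manually')
    }

    if ("$($status.AMRunningMode)" -ne 'Normal') {
        # Defender is not the active engine; report what Security Center knows about
        # (root/SecurityCenter2 exists on client editions, not on servers).
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
        $names = ($products | ForEach-Object { $_.displayName }) -join ', '
        $findings += "Defender is in '$($status.AMRunningMode)'; registered AV products: $names (check real-time protection and updates in that console)"
        return ,$findings
    }

    if (-not $status.AMServiceEnabled)          { $findings += 'Antimalware service is not running' }
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
    if (-not $status.OnAccessProtectionEnabled) { $findings += 'On-access protection is disabled' }
    if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behaviour monitoring is disabled' }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Definitions are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))"
    }
    if ($status.QuickScanAge -gt $MaxQuickScanAgeDays) {
        $findings += "Last quick scan was $($status.QuickScanAge) days ago"
    }
    # Tamper protection is what stops a local user (or malware running as one)
    # from turning protection off, which is the guide's "not disabled by users".
    if (-not $status.IsTamperProtected) {
        $findings += 'Tamper protection is off: protection could be disabled locally'
    }

    return ,$findings
}

# Usage
$result = Test-CeMalwareProtection
if ($result.Count -eq 0) { 'Malware protection: no findings' } else { $result | ForEach-Object { "FINDING: $_" } }
```

For the evidence pack, the central console's deployment and definition reports cover the fleet; a per-device run like this is useful for the specific sample devices the assessor will put hands on.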

Common Malware Protection Failures

Issue | Solution
--- | ---
Devices without AV | Deploy anti-malware immediately
Outdated definitions | Enable automatic updates
Real-time scanning disabled | Re-enable and prevent user override
Users can disable AV | Enforce via policy/MDM
No protection on servers | Deploy server AV/EDR

11. Control 5: Patch Management

What Assessors Look For

Software support:

  • All software is licensed and supported
  • No end-of-life operating systems
  • No unsupported applications

Patching:

  • Critical/high vulnerabilities patched within 14 days
  • Regular patching cycle
  • Automatic updates where possible

Documentation:

  • Patch management process
  • Evidence of patch status
  • Handling of unsupported software

The 14-Day Rule

Cyber Essentials requires:

> Critical and high-severity patches must be applied within 14 days of release

This is the most common cause of CE+ failure.

What counts:

  • Operating system patches
  • Application patches (Office, browsers, etc.)
  • Firmware updates (if vulnerability disclosed)
  • Third-party software patches

Preparing for Assessment

Patch audit:

  • Scan all devices for patch status
  • Identify missing patches
  • Prioritise critical and high
  • Plan remediation

Unsupported software:

  • Identify any unsupported OS/applications
  • Remove or replace if possible
  • If removal is not possible: document it, accept the risk formally, isolate the system and, where possible, exclude it from scope

Patching process:

  • Implement regular patching cycle
  • Enable automatic updates where possible
  • Monitor for new critical patches
  • Document patch management approach
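The patch audit and unsupported-software steps above, run on one Windows device against the 14-day rule, as an added example that is not part of the original guide. It checks the OS name against the unsupported versions the guide lists, asks the Windows Update Agent for updates that are available but not installed and ages each one from its release, and reports how long ago anything was last installed. The Windows Update Agent COM interface (`Microsoft.Update.Session`) is standard on supported Windows builds; mapping MSRC severity "Critical" and "Important" onto the guide's critical/high is this example's assumption, as is using the update's last deployment change as the start of the 14-day clock. On a WSUS- or Intune-managed device the results reflect what that management source has approved.

```powershell
# Added example (not from the guide): patch-management readiness check for a
# Windows device. Returns a list of findings; empty means "ready". Run elevated.
function Test-CePatchStatus {
    [CmdletBinding()]
    param([int] $MaxPatchAgeDays = 14)   # the guide's 14-day rule
    $findings = @()

    # 1. Operating systems the guide lists as unsupported.
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    foreach ($eol in 'Windows 7', 'Windows 8', 'Server 2008', 'Server 2012') {
        if ($os -like "*$eol*") { $findings += "Unsupported operating system: $os"; break }
    }

    # 2. Updates available but not yet installed. MSRC 'Critical' and 'Important'
    #    are treated as the guide's critical/high (assumption). Anything within the
    #    window is still reported, because it should be applied before assessment.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $pending.Updates) {
        $sev = "$($u.MsrcSeverity)"
        if ($sev -notin 'Critical', 'Important') { continue }
        $ageDays = [int]((Get-Date) - [datetime]$u.LastDeploymentChangeTime).TotalDays
        if ($ageDays -gt $MaxPatchAgeDays) {
            $findings += "OVERDUE ($ageDays days, $sev): $($u.Title)"
        } else {
            $findings += "Pending ($ageDays days, $sev): $($u.Title)"
        }
    }

    # 3. When was anything last installed? A long gap suggests the cycle has stalled.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($last) {
        $gap = [int]((Get-Date) - $last.InstalledOn).TotalDays
        if ($gap -gt $MaxPatchAgeDays) {
            $findings += "Last hotfix $($last.HotFixID) was installed $gap days ago"
        }
    }

    return ,$findings
}

# Usage
$result = Test-CePatchStatus
if ($result.Count -eq 0) { 'Patch management: no findings' } else { $result | ForEach-Object { "FINDING: $_" } }
```

This covers Windows updates only. Third-party applications (the Java, Adobe and browser cases the guide singles out) are not visible through the Windows Update Agent, so pair it with the inventory from your internal vulnerability scan.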

Common Patch Management Failures

Issue | Solution
--- | ---
Missing critical patches | Apply immediately
Unsupported Windows (7, 8, Server 2012) | Upgrade or remove from scope
Outdated Java/Flash/etc. | Remove or update
Third-party apps unpatched | Update or remove
No patch management process | Implement and document
Patches older than 14 days | Apply and improve process

Handling Unsupported Software

If you have software that cannot be updated:

Option 1: Remove from scope

  • Physically or logically isolate
  • No access to organisational data
  • Documented risk acceptance

Option 2: Replace

  • Migrate to supported alternative
  • Decommission unsupported system

Option 3: Risk accept (with controls)

  • Document business justification
  • Implement compensating controls
  • Network segmentation
  • Enhanced monitoring
  • This may still cause issues at assessment

12. Common Failure Points

Top Reasons for CE+ Failure

1. Missing patches (most common)

  • Critical/high patches not applied within 14 days
  • Typically Windows updates or third-party software
  • Java, Adobe, browsers are common culprits

2. Unsupported software

  • Windows 7, Windows 8, Server 2008/2012
  • Legacy applications
  • End-of-life software

3. Users with admin rights

  • Standard users having local admin
  • Assessors will check and fail this

4. No MFA

  • Cloud services without MFA
  • Remote access without MFA
  • Microsoft 365 is critical

5. External vulnerabilities

  • Critical/high findings on external scan
  • Exposed services with known vulnerabilities
  • Default credentials

6. Missing anti-malware

  • Devices without AV/EDR
  • Definitions out of date
  • Real-time scanning disabled

7. Shared accounts

  • Generic accounts used by multiple people
  • No individual accountability

8. Poor preparation

  • Not running pre-assessment scans
  • Issues discovered during assessment
  • Insufficient time to remediate

How to Avoid Failure

  • Run your own scans first: external and internal
  • Fix everything before assessment: don't hope issues won't be found
  • Patch aggressively: apply all patches, not just critical
  • Remove admin rights: this is non-negotiable
  • Implement MFA: essential for cloud and remote access
  • Remove unsupported software: or properly exclude it from scope
  • Prepare evidence: know what you'll be asked
  • Brief your team: the assessor will ask questions

13. Pre-Assessment Checklist

4-6 Weeks Before

Scope:

  • Scope agreed with assessor
  • All in-scope systems documented
  • Network diagram current
  • Asset inventory complete

Scanning:

  • External vulnerability scan completed
  • Critical/high vulnerabilities identified
  • Internal scan of sample devices
  • Remediation plan created

2-4 Weeks Before

Remediation:

  • All critical/high patches applied
  • Unsupported software removed/replaced
  • Admin rights removed from standard users
  • MFA enabled on cloud services
  • MFA enabled on remote access
  • Shared accounts eliminated
  • Anti-malware deployed to all devices

Configuration:

  • Default passwords changed
  • Unnecessary accounts disabled
  • Screen lock enabled
  • Auto-run disabled
  • Firewall rules reviewed

1 Week Before

Final verification:

  • Final external scan completed
  • Final internal scan of sample devices
  • All findings addressed
  • Evidence gathered

Documentation:

  • Policies available for review
  • User account list current
  • Admin account justifications documented
  • Patch status evidence ready

Logistics:

  • Assessment date confirmed
  • Access arranged for assessor
  • Key contacts briefed
  • Sample devices identified and available

Day Before

  • Final patch check
  • All sample devices accessible
  • Evidence pack prepared
  • Assessment contact details confirmed
  • Any last-minute issues addressed

14. Assessment Day

What to Expect

Duration: Typically 1 day (can vary with scope size)

Activities:

  • External scan review (may be done before)
  • Internal scanning and testing
  • Device configuration checks
  • Evidence and policy review
  • Questions and clarifications
  • Findings discussion

Assessor Access

The assessor will need:

  • Network access for internal scanning
  • Access to sample devices (physical or remote)
  • Admin access to check configurations
  • Access to management consoles (AV, patching, etc.)
  • Policy documents

Prepare:

  • Test accounts with appropriate access
  • Remote access if assessment is remote
  • Access to relevant admin consoles
  • Physical access if on-site

During the Assessment

Be available:

  • Designated contact for assessor
  • Technical resource to answer questions
  • Access to systems as needed

Be helpful:

  • Provide information promptly
  • Answer honestly
  • Don't hide issues

Don't:

  • Make changes during assessment (unless fixing minor issues)
  • Argue about findings
  • Provide false information

If Issues Are Found

Minor issues:

  • May be fixable during assessment
  • Assessor may retest
  • Certificate can still be issued

Major issues:

  • Assessment fails
  • Agree remediation approach
  • Schedule reassessment
  • Address root cause

Stay calm:

  • Issues can be fixed
  • Reassessment is possible
  • Learn from findings

15. After Certification

Certificate Validity

CE+ certificates are valid for 12 months.

Maintaining Compliance

Continuous activities:

  • Keep patching within 14 days
  • Maintain MFA
  • Keep anti-malware current
  • No drift on admin rights
  • Monitor for new unsupported software

Regular reviews:

  • Monthly patch status check
  • Quarterly access review
  • Annual policy review

Planning Recertification

3 months before expiry:

  • Schedule recertification assessment
  • Run preparation scans
  • Address any drift

1 month before:

  • Final preparation
  • Address all findings
  • Confirm assessment date

Using Your Certification

Certificate usage:

  • Display badge on website
  • Reference in tenders/bids
  • Share with customers
  • Include in marketing materials

Certificate verification:

  • Customers can verify via IASME portal
  • Provide certificate copy on request

16. How DSC Can Help

Dead Simple Computing helps organisations achieve and maintain Cyber Essentials Plus certification.

CE+ Preparation

Readiness assessment:

  • Gap analysis against CE+ requirements
  • Vulnerability scanning (external and internal)
  • Configuration review
  • Remediation roadmap

Remediation support:

  • Patching support
  • Configuration hardening
  • MFA implementation
  • Policy development

Pre-assessment scan:

  • Final verification before assessment
  • Identify any remaining issues
  • Ensure assessment readiness

Managed Services

Compliance-Ready IT:

  • Managed IT that maintains CE+ compliance
  • Patching managed to 14-day requirement
  • Security configuration maintained
  • Evidence and reporting as standard

Security services:

  • EDR/anti-malware deployment and management
  • Vulnerability management
  • Security monitoring

Certification Support

Assessment coordination:

  • Liaise with certification body
  • Scope definition support
  • Assessment day support

Remediation during assessment:

  • Support fixing issues found
  • Rapid remediation of minor findings

Ongoing Compliance

Compliance maintenance:

  • Monitor for drift
  • Monthly compliance checks
  • Recertification preparation

Resources

Official Sources

NCSC Cyber Essentials:

ncsc.gov.uk/cyberessentials

IASME (Certification Body):

iasme.co.uk

Cyber Essentials Requirements:

Published by NCSC, available on their website

Finding an Assessor

CE+ assessments must be conducted by licensed assessors. IASME maintains a list of certification bodies.

About This Guide

This guide was prepared by Dead Simple Computing Ltd in January 2026 to help organisations prepare for Cyber Essentials Plus certification.

Cyber Essentials requirements are updated periodically. Check NCSC for current requirements.

© 2026 Dead Simple Computing Ltd. All rights reserved.