How to prepare for Cyber Essentials Plus

Cyber Essentials Plus is the audited version of Cyber Essentials, where an assessor tests your systems hands on rather than taking your word for it. To pass first time, get the five controls genuinely in place, remove a handful of common blockers, and give yourself four to six weeks before the assessment day. We are an appointed Cyber Essentials certification body, so this is the preparation we run with clients every week.

By Daniel McClure Fisher, Founder. CISSP, Chartered member of the Institute of Information Security (MCIIS). Updated May 2026

The short version

Cyber Essentials Plus is not a harder standard than Cyber Essentials. It is the same five controls, checked properly. The base certification is a self assessment that a certification body reviews. Plus adds an independent technical audit, where an assessor connects to a sample of your devices, runs vulnerability scans, tests your email and web filtering, and confirms that what you said in the self assessment is actually true.

That is where firms come unstuck. The self assessment is easy to pass on paper. The audit is not, because it looks at the real state of your machines. Most failures are not exotic. They are a missing update, an everyday account with admin rights, or a personal phone reading company email with no controls on it. Find and fix those before the assessor arrives, and the day itself is straightforward.

  • Plus tests the same five controls as Cyber Essentials, but verifies them on your live systems.
  • Most failures come from patching, admin rights, unmanaged devices, and missing multi factor authentication.
  • Give yourself four to six weeks. The fixes are simple; finding them all takes a little time.

The five controls, and what each one means in practice

Cyber Essentials covers five technical control areas. For Plus, an assessor checks each one on real devices, so it helps to know what each control means once it leaves the questionnaire.

Control: Firewalls
What it means: A boundary between your devices and the internet, configured to block what should be blocked
What the assessor looks for: Default passwords changed, no unnecessary services exposed, home workers covered by a firewall or properly configured device firewall

Control: Secure configuration
What it means: Devices and software set up to reduce risk, not left on their out of the box defaults
What the assessor looks for: Unused accounts and software removed, default passwords gone, auto run disabled, a sensible lock screen

Control: Security update management
What it means: Keeping operating systems and software patched, and removing anything unsupported
What the assessor looks for: High and critical updates applied within fourteen days, no end of life operating systems or software still in use

Control: User access control
What it means: People have only the access they need, and admin rights are controlled and separate
What the assessor looks for: No daily work in an admin account, accounts tied to real people, multi factor authentication on cloud services

Control: Malware protection
What it means: Protection against malicious software on every device in scope
What the assessor looks for: Anti malware active and updating, or approved application controls, on laptops, desktops, and servers

The scope is wider than people expect

The single most common surprise is what counts as in scope. Cyber Essentials covers all the devices that connect to the internet and access your organisation's data or services. That means company laptops and desktops, but also servers, the firewall itself, your cloud services such as Microsoft 365 or Google Workspace, and any personal phones or laptops people use for work email. If a device touches company data, the assessor can ask about it. Deciding the scope honestly at the start saves a difficult conversation on the day.

What the assessor actually checks on the day

The Plus audit is a sampled, hands on test, usually run remotely now, sometimes on site. An assessor works through a representative sample of your devices and your cloud services. The exact method follows the scheme's current test specification, but in practice it covers a familiar set of checks.

  • Patch and vulnerability scan. An authenticated scan of sampled devices, looking for missing high and critical updates and known vulnerabilities. Anything unpatched beyond the fourteen day window is a likely fail.
  • Malware and email tests. The assessor sends a set of harmless test files and links to a real mailbox, by email and over the web, to confirm your protection catches what it should.
  • Account and privilege checks. Confirmation that everyday accounts do not hold admin rights, that admin access is separated, and that multi factor authentication is enforced on cloud services and admin accounts.
  • Configuration review. A look at how sampled devices are set up: lock screens, account separation, removal of unsupported software, and so on.

None of this is a trap. The assessor is confirming that the controls you described are real on the machines people use. If they are, you pass. If a sampled device is missing an update or a personal phone has no controls, that one device can hold up the whole certificate until it is fixed.

The common blockers, and how to clear them

Across the assessments we run, the same handful of issues account for most of the friction. Clear these early and the rest tends to fall into place.

  • Domain admin rights for daily work. Staff, and sometimes the owner, signing in to their everyday laptop with an administrator account. This fails user access control. Give people standard accounts for daily work and separate, named admin accounts for admin tasks only.
  • Unpatched VPN head ends and firewalls. The device at the edge of your network is in scope, and an unpatched VPN gateway or firewall is both a real risk and a clear fail. Confirm the firmware on every internet facing device is current and supported before the audit.
  • Personal devices on Microsoft 365. A personal phone or home laptop pulling company email, with no passcode, no encryption, and no way to manage it, is in scope and usually fails. Either bring those devices under management, or block company data on unmanaged devices.
  • Missing multi factor authentication. Cyber Essentials requires multi factor authentication (MFA) on cloud services and on administrative access. A surprising number of firms have it switched on for some accounts and not others. It must be enforced across the board, including admin accounts.
  • Unsupported software still in use. An old operating system, an unsupported database, or a line of business application past its end of life will fail security update management. Either upgrade it, replace it, or remove it from the devices in scope.

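As an added illustration of the gap review that the checks above and the blockers in this list describe, here is a small Python checker, written for this article and not the certification body's own tooling or the scheme's test specification. It applies the fourteen day patch window, the admin rights rule, the unmanaged personal device rule, MFA coverage and the unsupported software rule to a device and cloud service inventory. The record format, field names and the sample devices are constructed assumptions; in practice the inputs would come from your MDM, patch tool and identity provider exports.

```python
"""Pre-assessment gap review for the common Cyber Essentials Plus blockers.

Added example, not the certification body's tooling. The inventory format,
field names and the sample devices below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Cyber Essentials requires high and critical updates applied within fourteen days.
PATCH_WINDOW_DAYS = 14


@dataclass
class Device:
    name: str
    os: str
    os_supported: bool                        # vendor still issues security updates
    oldest_pending_critical: Optional[date]   # release date of the oldest unapplied high/critical update
    daily_account_is_admin: bool              # everyday sign-in holds admin rights
    managed: bool                             # enrolled in MDM / company management
    lock_screen: bool
    anti_malware_active: bool
    personal: bool = False                    # personally owned device
    accesses_company_data: bool = True        # the scope test: touches company data or services


@dataclass
class CloudService:
    name: str
    mfa_enforced_all_users: bool
    mfa_enforced_admins: bool


def review_device(d: Device, today: date) -> list:
    """Return (control, finding) pairs for one device; an empty list means no blocker."""
    if not d.accesses_company_data:
        return []  # does not touch company data: out of scope, nothing to check
    findings = []
    if not d.os_supported:
        findings.append(("Security update management", f"{d.os} is end of life"))
    if d.oldest_pending_critical is not None:
        age = (today - d.oldest_pending_critical).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(("Security update management",
                             f"high/critical update pending for {age} days"))
    if d.daily_account_is_admin:
        findings.append(("User access control", "daily account has admin rights"))
    if d.personal and not d.managed:
        findings.append(("Scope", "personal device reading company data is unmanaged"))
    if not d.lock_screen:
        findings.append(("Secure configuration", "no lock screen"))
    if not d.anti_malware_active:
        findings.append(("Malware protection", "anti-malware not active"))
    return findings


def review_service(s: CloudService) -> list:
    """MFA must be enforced for every user and for admin accounts, not left optional."""
    findings = []
    if not s.mfa_enforced_all_users:
        findings.append(("User access control", "MFA not enforced for all users"))
    if not s.mfa_enforced_admins:
        findings.append(("User access control", "MFA not enforced for admin accounts"))
    return findings


def gap_review(devices, services, today: date) -> dict:
    """Map each in-scope asset that has at least one blocker to its findings."""
    report = {}
    for d in devices:
        found = review_device(d, today)
        if found:
            report[d.name] = found
    for s in services:
        found = review_service(s)
        if found:
            report[s.name] = found
    return report


# Constructed sample inventory (not real devices or services).
TODAY = date(2026, 5, 1)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11", True, date(2026, 4, 25), False, True, True, True),
    Device("LAPTOP-02", "Windows 11", True, date(2026, 4, 1), True, True, True, True),
    Device("SRV-FILES", "Windows Server 2012 R2", False, None, False, True, True, True),
    Device("PHONE-OWNER", "iOS", True, None, False, False, False, True, personal=True),
    Device("GUEST-TABLET", "Android", True, None, False, False, False, False,
           personal=True, accesses_company_data=False),
]
SAMPLE_SERVICES = [
    CloudService("Microsoft 365", mfa_enforced_all_users=False, mfa_enforced_admins=True),
]


def sample_report() -> dict:
    return gap_review(SAMPLE_DEVICES, SAMPLE_SERVICES, TODAY)


if __name__ == "__main__":
    for asset, findings in sample_report().items():
        for control, detail in findings:
            print(f"{asset:14} {control:28} {detail}")
```

Run as a script it lists only the assets that would hold up the certificate: the laptop with a thirty day old critical update and an admin daily account, the end of life server, the unmanaged personal phone, and the tenant where MFA is enforced for admins but not everyone. The tablet that never touches company data is reported clean because it is out of scope, which is the same scope decision the text says to make honestly at the start.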
A realistic timeline

Cyber Essentials Plus is achievable quickly, but only if you plan for the fixes rather than discovering them on the day. As a working guide, allow four to six weeks for a typical small business with no major surprises. A firm with unsupported systems or messy access can take longer, and that is worth knowing in advance.

Stage: Gap review
Typical timing: Week one
What happens: Define the scope, list the devices and cloud services, and find the gaps against the five controls

Stage: Remediation
Typical timing: Weeks two to four
What happens: Fix the blockers: patching, admin rights, MFA, device management, and any unsupported software

Stage: Pre assessment check
Typical timing: Week four or five
What happens: A dry run against the audit, so nothing is a surprise on the day

Stage: The Plus audit
Typical timing: Week five or six
What happens: The assessor runs the hands on tests and issues the certificate once any final points are closed

One practical point on sequencing. Many firms certify to base Cyber Essentials first and then take Plus, because the self assessment forces the same questions and surfaces the gaps cheaply. If you are aiming straight for Plus, treat the gap review as non negotiable. It is the step that turns the audit from a gamble into a formality.

How we approach it

We are an appointed Cyber Essentials certification body, and our founder is a certified Cyber Essentials Assessor, so we see both sides of the process. That shapes how we prepare clients. We run the gap review first, fix what needs fixing, then check the work against the real audit before the assessment day, so there are no surprises. We are not interested in getting you a certificate that does not reflect reality, because a badge that does not match your systems helps no one when an incident or a contract puts it to the test. The aim is a pass that is true, and a setup that stays passable next year.

FAQ

Common questions

What is the difference between Cyber Essentials and Cyber Essentials Plus?

They cover the same five technical controls. Cyber Essentials is a self assessment that a certification body reviews. Cyber Essentials Plus adds an independent technical audit, where an assessor connects to a sample of your devices, runs vulnerability scans, and tests your email and malware protection to confirm the controls are genuinely in place. Plus carries more weight because it is verified, not self declared.

How long does Cyber Essentials Plus take to prepare for?

For a typical small business with no major surprises, allow four to six weeks. That covers a gap review to find the issues, two to three weeks of remediation to fix them, a pre assessment check, then the audit itself. A firm with unsupported systems, messy admin rights, or unmanaged personal devices can take longer, which is exactly why the gap review comes first.

Why do businesses fail Cyber Essentials Plus?

Almost always for the same few reasons: missing security updates beyond the fourteen day window, everyday accounts that hold admin rights, personal phones or laptops reading company email with no controls, missing multi factor authentication on cloud services, and unsupported software still in use. The self assessment is easy to pass on paper, but the audit checks the real state of your devices, where these gaps show up.

How much does Cyber Essentials cost?

Certification fees start at around £320 plus VAT for a micro organisation, set by IASME, the scheme's delivery partner. The figure rises with the size and complexity of your organisation, and Cyber Essentials Plus costs more because it includes an independent technical audit. Your real first year cost also depends on any remediation needed to pass, which a short gap review will tell you.

Does multi factor authentication have to be on everything for Cyber Essentials?

Cyber Essentials requires multi factor authentication on your cloud services and on all administrative access. The common mistake is enabling it for some users or some services but not others. For the audit it needs to be enforced consistently, including on admin accounts, not left optional. Switching it on everywhere in scope before the assessment removes one of the most frequent reasons for a hold up.

Are personal devices and home working in scope?

Yes. Any device that accesses your organisation's data or services is in scope, including personal phones or laptops used for work email, and home working setups. Those devices need the same controls as company kit, or company data has to be kept off them. Home workers also need a firewall, whether that is the device's own firewall configured correctly or one provided for them. Deciding this honestly at the start avoids a difficult conversation on audit day.

Want to pass Cyber Essentials Plus first time?

Tell us about your setup and your deadline. As an appointed certification body, we will run the gap review, fix the blockers, and check the work against the real audit before the day. We reply within one working day, and you will speak to an engineer, not a salesperson.

Reading, Berkshire  /  Cyber Essentials certification body  /  reply within one working day