Why businesses fail Cyber Essentials Plus, and how to pass first time
Most Cyber Essentials Plus failures come down to a short list of fixable problems: missing security updates, everyday accounts with admin rights, unmanaged personal devices on company email, missing multi factor authentication, and unsupported software still in use. The self assessment is easy to pass on paper. The audit checks your live systems, which is where these gaps show. Find them with a gap review and close them before the assessment, and a first time pass is the normal outcome.
The short version
Cyber Essentials Plus is the audited version of Cyber Essentials. Same five controls, but an assessor verifies them on your real devices instead of trusting the questionnaire. That difference is why firms that sailed through the self assessment can still stumble on Plus. The badge on paper and the state of your machines are not always the same thing.
The good news is that failures are predictable. After running these assessments, we see the same causes again and again, and none of them is hard to fix once you know to look. The trick is finding them before the assessor does. Below are the real reasons businesses fail, and how to clear each one ahead of the audit.
- The audit tests live systems, so a clean self assessment does not guarantee a pass.
- A small number of issues cause most failures, and all of them are fixable in advance.
- A gap review and a dry run turn the assessment day from a gamble into a formality.
The real reasons businesses fail
Take these in turn. For each, here is what the assessor sees, why it fails, and how to fix it before the day.
1. Missing security updates
This is the most common failure by some distance. Cyber Essentials requires high and critical security updates to be applied within fourteen days. The Plus audit runs an authenticated vulnerability scan across a sample of your devices, and an unpatched browser, operating system, or application shows up immediately. It is rarely deliberate. A laptop that was switched off during a patch cycle, or a phone nobody manages, is enough.
How to fix it. Confirm automatic updates are on across every device in scope, including phones, and that they are actually completing rather than just scheduled. The fourteen days count from the vendor's release date, not from when a device next comes online, so a laptop left switched off for a fortnight comes back already overdue. Check third party software too, because browsers, document readers, and runtimes such as Java sit outside the operating system's updater and are frequent culprits. Run your own authenticated scan before the audit so you find the gaps first.
2. Everyday accounts with admin rights
Many people, owners included, do their daily work signed in as a local or domain administrator. It feels convenient, and it fails user access control. The risk is real: if malware runs in an admin session, it can do far more damage. The assessor will check whether everyday accounts hold admin rights, and whether admin access is properly separated.
How to fix it. Give everyone a standard account for day to day work. Create separate, named administrator accounts used only for admin tasks, and only when needed, never for email or browsing. This single change resolves one of the most frequent failures and genuinely lowers your risk.
3. Personal and unmanaged devices on company data
A personal phone reading company email, or a home laptop logging in to Microsoft 365, is in scope. If that device has no passcode, no encryption, no up to date protection, and no way for you to manage it, it usually fails. Firms are often caught out because they think of "their devices" as only the company laptops, and forget the phones in everyone's pockets. The line is what the device touches: a phone used only for calls, texts, and MFA prompts is out of scope, but the moment it syncs company mail or files it is in.
How to fix it. Either bring those devices under management, with the basic controls applied and enforced, or stop company data reaching unmanaged devices in the first place. Both are valid. What is not valid is an unmanaged device with full access to company email and no controls at all.
4. Missing or partial multi factor authentication
Cyber Essentials requires multi factor authentication (MFA) on cloud services and on all administrative access. The usual failure is partial coverage: MFA is on for most staff but off for a shared mailbox, a service account, or, worst of all, an administrator account. The assessor checks that it is enforced, not merely available.
How to fix it. Enforce MFA across every cloud service and every account in scope, with no exceptions left as "we will get to it". Pay particular attention to admin and service accounts, because they are the ones an attacker most wants and the ones most often missed. Check too that older sign in methods which bypass MFA, such as legacy authentication in Microsoft 365, are disabled, or the enforcement is only on paper.
5. Unsupported software and operating systems
An operating system or application past its end of life can no longer receive security updates, so it fails security update management outright. An old server quietly running an unsupported version, a legacy line of business application, or a machine still on a retired operating system will all stop a certificate.
How to fix it. Identify anything unsupported well ahead of the audit. Upgrade it, replace it, or remove it from the devices in scope. If a legacy application genuinely cannot move yet, that is a conversation to have early, because it shapes your scope and your timeline.
6. Scope drawn too narrowly, or wrongly
Some failures are not technical at all. They come from defining the scope to leave out something that should be in it, then having the assessor find it. Cyber Essentials covers everything that connects to the internet and touches company data, so cloud services, the firewall, servers, and personal devices used for work all count. Drawing the scope to dodge a problem device does not work, because the audit looks at the real picture.
How to fix it. Map your scope honestly at the start: every device, every cloud service, every person with access. It is far better to find the awkward device in week one than to have it surface on audit day.
The pattern behind the failures
Set the list side by side and a theme appears. None of these are advanced attacks or obscure rules. They are the gap between what a busy business assumes is true and what is actually configured on its machines. The self assessment captures the assumption. The audit captures the reality.
| Failure cause | Why it fails | The fix before the audit |
|---|---|---|
| Missing updates | High and critical patches not applied within fourteen days | Confirm auto updates complete on every device, scan first |
| Admin rights for daily work | Everyday accounts hold administrator privileges | Standard accounts for work, separate named admin accounts |
| Unmanaged personal devices | Company data on devices with no controls | Manage the device, or keep company data off it |
| Partial MFA | Multi factor authentication missing on some accounts | Enforce it everywhere in scope, including admin accounts |
| Unsupported software | End of life systems can no longer be patched | Upgrade, replace, or remove from scope |
| Wrong scope | A device that should be in scope was left out | Map scope honestly at the start |
How to pass first time
Passing first time is mostly about sequence. Do the discovery before the audit, not during it.
- Start with a gap review. Define the scope, list every device and cloud service, and check each against the five controls. This is where the blockers surface, while you still have time to fix them.
- Fix the blockers properly. Patching, admin rights, MFA, device management, and unsupported software. Do the work for real, not just enough to look right on the day, because the audit tests the real thing.
- Run a dry run. Test your own devices the way the assessor will: an authenticated vulnerability scan of a sample of devices, the malware protection checks (a harmless test file delivered by email and by download), and the account and privilege checks. Anything that fails the dry run would have failed the audit.
- Then book the assessment. By the time the assessor arrives, there should be nothing left to find. That is what a first time pass looks like.
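As an added example of the dry run step, here is a PowerShell script that checks one Windows endpoint for the three failures above that can be tested locally: overdue high and critical updates, everyday accounts in the local Administrators group, and an unsupported operating system. It is not the assessor's tooling and not code from this page's author. It assumes a Windows 10 or 11 device with the built in LocalAccounts module, an elevated session, and network access to Windows Update or WSUS; the end of support table inside it is an illustrative list you would maintain yourself. It does not replace the authenticated vulnerability scan or the third party software check.

```powershell
# Added example (not the scheme's or this firm's tooling): pre-audit dry run for one
# Windows endpoint. Run from an elevated PowerShell 5.1+ session on each sampled device.
# Exit code 1 if any blocker is found, 0 otherwise.

$Findings = [System.Collections.Generic.List[string]]::new()

function Test-OverdueUpdates {
    # Windows Update Agent COM API. MsrcSeverity is Microsoft's own rating, where
    # 'Important' is the equivalent of 'high'. The scheme's fourteen days run from
    # the release date, which LastDeploymentChangeTime records. The search can take
    # a few minutes and needs a route to Windows Update or WSUS.
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    } catch {
        $Findings.Add("UPDATE  could not query Windows Update: $($_.Exception.Message)")
        return
    }
    $cutoff = (Get-Date).AddDays(-14)
    foreach ($u in $pending) {
        if ($u.MsrcSeverity -notin @('Critical', 'Important')) { continue }
        $released = $u.LastDeploymentChangeTime
        if ($released -lt $cutoff) {
            $Findings.Add("UPDATE  overdue $($u.MsrcSeverity): $($u.Title) (released $($released.ToString('yyyy-MM-dd')))")
        } else {
            Write-Warning "Pending $($u.MsrcSeverity) update still inside the fourteen day window: $($u.Title)"
        }
    }
}

function Test-AdminRights {
    # The console user is the person who uses this device day to day. If that account,
    # or a broad group such as Domain Users, sits in local Administrators, everyday
    # work is being done with admin rights and user access control fails.
    $consoleUser = (Get-CimInstance Win32_ComputerSystem).UserName
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($consoleUser -and $m.Name -eq $consoleUser) {
            $Findings.Add("ADMIN   everyday user $consoleUser is a local administrator")
        } elseif ($m.ObjectClass -eq 'Group' -and $m.Name -match '\\(Domain|Authenticated) Users$') {
            $Findings.Add("ADMIN   broad group in local Administrators: $($m.Name)")
        } else {
            Write-Output "Administrators member for review: $($m.Name) [$($m.ObjectClass)]"
        }
    }
}

function Test-SupportedOS {
    # Illustrative end-of-support table (an assumption kept by hand here, not a
    # vendor feed): Windows 7, 8.1 and Server 2008/2008 R2 are long out of support;
    # Server 2012/2012 R2 ended 2023-10-10; Windows 10 (non-LTSC, builds below 22000)
    # ended 2025-10-14 unless the device is enrolled in Extended Security Updates.
    $os      = Get-CimInstance Win32_OperatingSystem
    $caption = $os.Caption
    $build   = [int]$os.BuildNumber
    $reason  = $null
    if ($caption -match 'Windows (7|8\.1|Server 2008)') {
        $reason = 'out of extended support'
    } elseif ($caption -match 'Windows Server 2012') {
        $reason = 'out of extended support since 2023-10-10'
    } elseif ($caption -match 'Windows 10' -and $caption -notmatch 'LTSC' -and
              $build -lt 22000 -and (Get-Date) -ge [datetime]'2025-10-14') {
        $reason = 'out of support since 2025-10-14 (check ESU enrolment)'
    }
    if ($reason) { $Findings.Add("OS      $caption build $build is $reason") }
}

Test-OverdueUpdates
Test-AdminRights
Test-SupportedOS

if ($Findings.Count -eq 0) {
    Write-Output "No blockers found on $env:COMPUTERNAME (third party software still needs its own check)."
    exit 0
}
$Findings | ForEach-Object { Write-Output "FAIL  $_" }
exit 1
```

Run it on the same sample the assessor would pick, not just the machines you already trust, and treat any FAIL line as a blocker to clear before booking. The within window warnings are worth reading too: an update that is eleven days old on dry run day is three days from becoming a failure.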
Consider doing base Cyber Essentials first. The self assessment forces the same questions cheaply and surfaces most of the gaps, so the Plus audit becomes a confirmation rather than a discovery.
How we approach it
We are an appointed Cyber Essentials certification body, and our founder is a certified Cyber Essentials Assessor, so we prepare clients knowing exactly what the audit will test. We run the gap review, fix what needs fixing, and check the work against the real assessment before the day, so a failure is caught in week one and not on the day it counts. We are not here to hand you a certificate that does not match your systems. A pass that is true is the only kind worth having, because it is the one that holds up when a contract or an incident tests it.
Common questions
What is the most common reason for failing Cyber Essentials Plus?
Missing security updates, by some distance. Cyber Essentials requires high and critical patches to be applied within fourteen days, and the Plus audit runs a vulnerability scan that finds anything unpatched on your sampled devices. It is rarely deliberate. A laptop switched off during a patch cycle, an unmanaged phone, or out of date third party software such as a browser or document reader is usually enough to cause it.
What happens if you fail Cyber Essentials Plus?
You do not lose your money or have to start from scratch. The assessor records what failed, you fix it, and the relevant tests are repeated, usually within a set window. The certificate is issued once everything passes. The cost of a failure is mainly time and the delay to whatever deadline you were working to, which is exactly why a gap review and a dry run before the audit are worth it.
How do I make sure I pass Cyber Essentials Plus first time?
Do the discovery before the audit, not during it. Start with a gap review that maps your scope and checks every device and cloud service against the five controls. Fix the blockers properly: patching, admin rights, multi factor authentication, device management, and any unsupported software. Then run a dry run that mirrors the assessor's tests. If nothing fails the dry run, nothing should fail the audit.
How long does it take to prepare for Cyber Essentials Plus?
For a typical small business with no major surprises, allow four to six weeks. That covers a gap review, two to three weeks of remediation, a pre assessment check, then the audit. A firm with unsupported systems, admin rights to untangle, or unmanaged personal devices can take longer. The gap review comes first precisely so you know which of those you are dealing with before you book.
How much does Cyber Essentials cost?
Certification fees start at around £320 plus VAT for a micro organisation, set by IASME, the scheme's delivery partner. The figure rises with the size and complexity of your organisation, and Cyber Essentials Plus costs more because it includes an independent technical audit. Your real first year cost also depends on any remediation needed to pass, which a short gap review will tell you.
Can I do Cyber Essentials Plus without the basic Cyber Essentials first?
Not in practice. Cyber Essentials Plus builds on a current Cyber Essentials certificate, and the Plus audit has to be completed within three months of it, so the self assessment is always part of the route. Many firms treat the base certification as a deliberate first step rather than a formality, because the self assessment forces the same questions cheaply and surfaces most of the gaps before the audit. If you plan to move straight on to Plus, treat the gap review as essential. It is the step that stops the audit becoming a discovery exercise.
Worried you might not pass?
Tell us about your setup and your deadline. As an appointed certification body, we will find the blockers in a gap review, fix them, and check the work against the real audit before the day. We reply within one working day, and you will speak to an engineer, not a salesperson.