Cyber Essentials Plus Certification
Cyber Essentials Plus is required for UK government contracts over £5 million and increasingly demanded by enterprise supply chains. We are an IASME-accredited Certification Body. Transparent pricing based on your device count. Pre-assessment gap analysis included. Free re-test if initial gaps are found.
Cyber Essentials vs Cyber Essentials Plus
The scheme has two levels. Which one you need depends on your contract type and the assurance level your clients require.
Cyber Essentials
Verified by IASME Assessor
Cyber Essentials Plus
Hands-On Testing by IASME Assessor
Side-by-Side Comparison
| Capability | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment method | Self-reported questionnaire | Independent technical audit |
| Who verifies it | IASME assessor reviews answers | IASME assessor physically tests systems |
| Vulnerability scanning | No | Yes, external and internal |
| Government contracts | Up to £5M contracts | Required above £5M |
| Assurance level | Baseline | Enhanced |
| Time to certify | 1-2 weeks | 2-4 weeks |
| Typical cost | From £300 | From £3,000 |
| Best for | SMEs entering government supply chain | High-value contracts, MOD, NHS |
Choosing the wrong level means going through the process twice.
Common Situations We Handle Every Week
CE Plus is rarely straightforward. Here are the situations we see most often, and how we handle them.
The Government Contract Deadline
You have 90 days from contract award to provide Cyber Essentials Plus certification. We run an expedited process: scoping call within 48 hours, pre-assessment gap analysis in week one, formal audit in week two or three. Most clients with a clean infrastructure receive their certificate within three weeks of engagement.
Upgrading from Basic CE
You already hold Cyber Essentials basic and need to upgrade to Plus. The CE Plus audit must be completed within three months of your basic CE assessment. We can begin the technical audit immediately and issue your CE Plus certificate before your basic certificate expires.
Failed CE Plus Previously
If you have been through a CE Plus audit that did not go smoothly, including mis-scoped environments, unexpected failures, or delayed certificates, we can review your previous audit scope before we start. Our assessors will define boundaries explicitly before any testing begins.
Complex or Cloud Infrastructure
Your environment includes remote workers, Azure or AWS services, managed devices, and BYOD. We scope cloud services against NCSC guidance, determine what is in and out of boundary, and test accordingly. We have never mis-scoped a complex environment.
What We Test and How We Test It
CE Plus requires independent technical verification, not a questionnaire review. Here is exactly what our assessors examine under each of the five controls.
Five Technical Controls Audit
Independent hands-on verification of all five NCSC-mandated controls. Unlike the Cyber Essentials self-assessment, CE Plus requires an accredited assessor to physically test your systems: scanning for vulnerabilities, reviewing configurations, and validating that controls are actually in place rather than self-reported. If a control fails, you receive a remediation report and a free re-test.
Vulnerability Scanning and Configuration Review
Comprehensive external and internal vulnerability scanning identifying missing patches, insecure configurations, and exposed services. We validate firewall rulesets, assess secure baseline configurations against industry standard benchmarks, and verify security hardening across Windows, macOS, Linux, and mobile devices.
Access Control and Privilege Management
Assessment of user access controls, administrative privilege separation, MFA implementation, password policies, and account management procedures. We verify least privilege principles, RBAC, and administrative account protection against privilege escalation attacks.
Malware Protection and Endpoint Security
Verification that anti-malware protection is deployed across all devices, updated regularly, and configured to scan files and emails. We assess EDR capabilities, application whitelisting implementation, and malware incident response procedures.
Patch Management and Security Updates
Audit of patch management processes covering operating systems, applications, firmware, and third-party software. We verify compliance with the 14-day critical patch window for high and critical CVEs as required by the NCSC. We also check patch status across third-party applications, firmware, and browser extensions: common failure points in CE Plus audits.
CE Plus Requirements: The Five Controls
Every CE Plus audit independently verifies these five controls. This is what our assessors test: not a self-reported checklist, but hands-on verification against each requirement.
Boundary Firewalls and Internet Gateways
- All internet-facing services protected by a correctly configured firewall
- Inbound connections restricted to those that are necessary
- Default firewall rules reviewed and unnecessary access removed
- External-facing ports validated against approved list
Secure Configuration
- All software configured securely against industry standard security benchmarks
- Unnecessary user accounts removed from all systems
- Default passwords changed on all devices
- Unnecessary software and services disabled or removed
Access Control and User Privilege Management
- User accounts issued only to authorised individuals
- Administrative accounts separate from standard accounts
- Multi-factor authentication applied to all cloud services
- Admin account usage limited to administrative tasks only
Malware Protection
- Anti-malware installed on all in-scope devices
- Signatures updated automatically
- Regular scan schedules configured and active
- Application-based controls verified where AV is not used
Security Update Management (Patch Management)
- All software licensed and currently supported
- Critical security patches applied within 14 days of release
- Unsupported software removed from scope or isolated
- Third-party applications, firmware, and browser extensions checked
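The five control checklists above are the kind of requirements a pre-assessment gap analysis walks through before the formal audit. As an added illustration (not the certification body's tooling and not part of the IASME test specification), the script below runs those checks over a constructed device and account inventory: it applies the 14-day critical/high patch window, flags unsupported software, checks anti-malware deployment and automatic signature updates, confirms admin accounts are separate from standard accounts and that cloud accounts have MFA, and compares inbound firewall rules to an approved port list. Every host name, user, patch id, date and port in the sample data is made up, and the record layout is an assumption for the example.

```python
"""Pre-assessment gap check modelled on the five Cyber Essentials controls.

Added example: the inventory layout and all sample values are constructed;
a real gap analysis would read this data from an asset register or MDM export.
"""
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14  # critical/high security patches must be applied within 14 days
AS_OF = date(2024, 5, 20)  # fixed "today" so the checks are repeatable

# Constructed in-scope device inventory (made-up hosts, patches and dates).
DEVICES = [
    {"host": "LAPTOP-01", "supported": True, "anti_malware": True, "auto_signatures": True,
     "default_password_changed": True,
     "patches": [{"id": "PATCH-A", "severity": "critical", "released": "2024-05-01", "applied": "2024-05-10"}]},
    {"host": "LAPTOP-02", "supported": True, "anti_malware": True, "auto_signatures": False,
     "default_password_changed": True,
     "patches": [{"id": "PATCH-B", "severity": "critical", "released": "2024-05-01", "applied": None}]},
    {"host": "SRV-LEGACY", "supported": False, "anti_malware": False, "auto_signatures": False,
     "default_password_changed": False, "patches": []},
]
# Constructed user list: each standard user should map to a distinct admin account.
USERS = [
    {"user": "alice", "admin_account": "alice-adm"},  # separate admin account
    {"user": "bob", "admin_account": "bob"},          # same account used for admin work
]
CLOUD_ACCOUNTS = [
    {"user": "alice", "service": "mail", "mfa": True},
    {"user": "bob", "service": "mail", "mfa": False},
]
APPROVED_INBOUND_PORTS = {443}  # the organisation's approved list (assumed)
FIREWALL_RULES = [
    {"port": 443, "action": "allow"},
    {"port": 3389, "action": "allow"},  # inbound remote desktop, not on the approved list
]


def _day(text):
    return date.fromisoformat(text)


def check_patching(devices, as_of=AS_OF):
    """Security update management: supported software, 14-day window for critical/high."""
    findings = []
    for dev in devices:
        if not dev["supported"]:
            findings.append(f"{dev['host']}: unsupported software; remove from scope or isolate")
        for p in dev["patches"]:
            if p["severity"] not in ("critical", "high"):
                continue
            deadline = _day(p["released"]) + timedelta(days=PATCH_WINDOW_DAYS)
            applied = _day(p["applied"]) if p["applied"] else None
            if applied is None and as_of > deadline:
                overdue = (as_of - deadline).days
                findings.append(f"{dev['host']}: {p['id']} not applied, {overdue} days past window")
            elif applied is not None and applied > deadline:
                findings.append(f"{dev['host']}: {p['id']} applied after the 14-day window")
    return findings


def check_malware(devices):
    """Malware protection: product installed and signatures updating automatically."""
    findings = []
    for dev in devices:
        if not dev["anti_malware"]:
            findings.append(f"{dev['host']}: no anti-malware installed")
        elif not dev["auto_signatures"]:
            findings.append(f"{dev['host']}: signature updates not automatic")
    return findings


def check_access(users, cloud_accounts):
    """Access control: separate admin accounts and MFA on cloud services."""
    findings = [f"{u['user']}: admin tasks performed from the standard account"
                for u in users if u["admin_account"] == u["user"]]
    findings += [f"{a['user']}@{a['service']}: MFA not enabled"
                 for a in cloud_accounts if not a["mfa"]]
    return findings


def check_firewall(rules, approved_ports=APPROVED_INBOUND_PORTS):
    """Boundary firewall: inbound allow rules limited to the approved port list."""
    return [f"inbound port {r['port']} allowed but not on approved list"
            for r in rules if r["action"] == "allow" and r["port"] not in approved_ports]


def check_secure_config(devices):
    """Secure configuration: default credentials changed on every device."""
    return [f"{dev['host']}: default password still in use"
            for dev in devices if not dev["default_password_changed"]]


def run_gap_analysis(devices=DEVICES, users=USERS, cloud=CLOUD_ACCOUNTS, rules=FIREWALL_RULES):
    """Return findings grouped by control; an empty dict of lists means no gaps found."""
    return {
        "firewall": check_firewall(rules),
        "secure_configuration": check_secure_config(devices),
        "access_control": check_access(users, cloud),
        "malware_protection": check_malware(devices),
        "patch_management": check_patching(devices),
    }


if __name__ == "__main__":
    for control, findings in run_gap_analysis().items():
        print(f"{control}: {'PASS' if not findings else 'GAPS'}")
        for f in findings:
            print(f"  - {f}")
```

Each control returns plain finding strings so the output reads like the remediation report described later on the page: one line per deficiency naming the device or account and the fix required. Swap the constructed lists for an asset register export and the same checks apply to a real estate.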
What CE Plus Adds Over Basic CE
- External vulnerability scanning of all internet-facing IPs
- Internal configuration audit on a representative sample of devices
- Hands-on verification by an IASME-accredited assessor
- Free re-test if initial failures require remediation
Engagement Workflow
Structured to minimise operational friction and maximise the value of the testing window.
Scoping Call and Gap Analysis
A scoping call within 48 hours of engagement. We review your infrastructure, define the boundary explicitly including cloud services and remote devices, and identify gaps before formal submission. Most clients with a clean infrastructure receive their certificate within three weeks of this call.
External Technical Audit
Our IASME-accredited assessors perform external vulnerability scanning, internal configuration audits, and hands-on verification of all five security controls. The audit covers firewall rule validation, privilege separation testing, anti-malware verification, patch compliance checking, and secure configuration review across all in-scope systems.
Remediation and Free Re-Test
If vulnerabilities or control deficiencies are identified, we provide a detailed remediation report with specific configuration changes, missing patches, and policy updates required. Once remediation is complete, we perform targeted re-testing at no additional cost to validate fixes before final certification approval.
Certificate and Annual Compliance
Upon successful audit completion, receive your Cyber Essentials Plus certificate valid for 12 months and inclusion in the official government certification register. We provide annual recertification preparation and advisory services for infrastructure changes impacting your certification scope.
Cyber Essentials Plus Cost
Fixed pricing based on device count and infrastructure complexity. No hidden assessor fees. We provide a written quote following a brief scoping call.
Small Organisation
Up to 50 devices, single site
From £3,000
Mid-Sized Organisation
50-250 devices, 2-3 sites
From £4,500
Complex Infrastructure
250+ devices, multi-site + cloud
From £5,000
Annual recertification is typically 20-30% less than initial certification.
CE Plus Confirms Your Baseline. Not Your Ceiling.
CE Plus confirms your baseline security controls meet the NCSC standard. For organisations that need to go further, or whose contracts require more than Cyber Essentials, our CREST-accredited penetration testing and ISO 27001 consultancy services provide the next level of assurance.
Cyber Essentials (Basic)
Self-assessment certification for standard government contracts. From £1,500.
ISO 27001 Consultancy
For organisations requiring a rigorous ISMS framework beyond CE Plus.
Penetration Testing
CREST-accredited testing across networks, applications, and cloud.
External Network Test
Deeper assurance of your external attack surface beyond CE Plus scans.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Every uncertified bid is a contract you cannot win.
Book a free scoping call. We confirm which level applies to your contract, scope your infrastructure, and provide a fixed-price quote within 48 hours. No obligation. No day-rate surprises.
Cyber Essentials Plus: Common Questions
Pricing, certification levels, timelines, preparation, and what happens if you fail the audit.
Cyber Essentials Plus cost starts from £3,000 for organisations with up to 50 devices and a single site. The Cyber Essentials Plus certification cost scales with infrastructure complexity: mid-sized organisations (50-250 devices, 2-3 sites) typically pay £2,500-£3,500, and large or complex environments (250+ devices, multiple sites, cloud infrastructure) range from £3,500-£5,000+. Pricing factors include the number of IP addresses scanned, total device count, geographical distribution, and whether pre-assessment gap analysis is required. Annual recertification is typically 20-30% less than initial certification. We provide fixed-price quotes following a brief scoping call, with no hidden assessor fees.
Cyber Essentials (basic or Plus) is mandatory for all UK central government contracts involving the handling of sensitive information or ICT services. Cyber Essentials Plus, which adds an independent technical audit, is specifically required for contracts above £5 million. Many local authorities, NHS trusts, and Ministry of Defence contractors specify Cyber Essentials Plus regardless of contract value. If you are unsure which level your contract requires, the safest approach is to contact the procuring body directly or assume Plus is required: the additional assurance is recognised across the full government supply chain.
Yes. Cyber Essentials Plus must be completed within three months of your Cyber Essentials assessment. You cannot complete CE Plus on a certificate that is more than three months old. If your basic Cyber Essentials certificate is current, we can move directly to the technical audit phase. If it has lapsed, you will need to complete a new Cyber Essentials self-assessment before proceeding to CE Plus. We can run both assessments consecutively to minimise the time between certifications.
The Cyber Essentials Plus audit is an independent technical assessment performed by an IASME-accredited assessor. It covers five areas: external vulnerability scanning of internet-facing systems, internal configuration review of devices and operating systems, verification of access controls and administrative privilege separation, confirmation that anti-malware protection is deployed and updated, and patch compliance checking against the 14-day critical vulnerability window. The audit is performed on a representative sample of devices, not every device in the organisation, following the NCSC-approved test specification.
The most effective preparation for a Cyber Essentials Plus audit is a pre-assessment gap analysis, where an assessor reviews your current controls against the five NCSC requirements and identifies deficiencies before the formal audit begins. Key preparation steps include: ensuring all critical patches are applied within 14 days of release, reviewing firewall rules to remove unnecessary inbound access, implementing multi-factor authentication for cloud services, separating administrative accounts from standard user accounts, and confirming that anti-malware is deployed on all in-scope devices. We include pre-assessment gap analysis in our standard CE Plus service to maximise first-time pass rates.
Cyber Essentials is a self-assessment certification where you complete a questionnaire about your security controls, verified by an assessor reviewing your answers. Cyber Essentials Plus includes everything in Cyber Essentials plus an independent external technical audit: our assessors perform hands-on vulnerability scanning, internal configuration reviews, and physical verification of security controls. Cyber Essentials Plus provides stronger assurance and is required for UK government contracts over £5 million.
The technical audit typically takes 1-2 days depending on your infrastructure scope. The full certification process from initial scoping call to certificate issuance takes 2-4 weeks. Most organisations with a clean infrastructure receive their certificate within three weeks of engagement. We offer expedited certification for urgent government contract deadlines.
Cyber Essentials Plus certificates are valid for 12 months from the issue date. You must recertify annually to maintain your certification status and remain eligible for government contracts. The certification scope must be reassessed if you make significant infrastructure changes (new offices, cloud migrations, major IT system changes) as these may introduce new vulnerabilities or expand your attack surface.
The five controls are: (1) Boundary firewalls and internet gateways: protecting network perimeter from internet threats. (2) Secure configuration: hardening operating systems and removing unnecessary functionality. (3) Access control: user authentication, password policies, and administrative privilege management. (4) Malware protection: anti-virus/anti-malware on all devices with regular updates. (5) Patch management: keeping all systems and software up-to-date with security patches applied within 14 days for critical vulnerabilities.
If critical vulnerabilities or control deficiencies are identified, certification is withheld pending remediation. We provide a detailed remediation report listing all identified issues, their severity, and specific fix actions. Common failure reasons include: missing critical patches, weak password policies, inadequate firewall rules, missing anti-malware, or excessive administrative privileges. Once you remediate the issues, we perform targeted re-testing at no additional cost within 90 days to validate fixes before issuing the certificate.