Cyber Essentials Plus: What You Need to Know
Detailed guide to Cyber Essentials Plus covering the differences from standard Cyber Essentials, the hands-on technical verification process, additional testing requirements, decision criteria for when to pursue CE Plus, and a comprehensive preparation checklist.
1. Cyber Essentials Plus adds independent, hands-on technical verification to the standard self-assessment, providing significantly higher assurance of control effectiveness.
2. The most common CE Plus failure is unpatched critical or high-severity vulnerabilities exceeding the 14-day remediation window — run your own vulnerability scan before the assessment.
3. CE Plus must be completed within three months of your standard Cyber Essentials certification, so plan both assessments as a single programme.
4. For NIS2-regulated organisations, the independently verified evidence from CE Plus carries more weight with supervisory authorities than self-assessed certification alone.
5. Preparation is the primary determinant of success: conduct internal vulnerability scans, configuration audits, and access control reviews before the assessor arrives.
1. Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials and Cyber Essentials Plus share the same five technical controls — firewalls, secure configuration, user access control, malware protection, and security update management — but they differ fundamentally in how compliance is verified. Standard Cyber Essentials is a verified self-assessment: you describe your controls in a questionnaire, and a Certification Body reviews your responses for consistency and completeness. Cyber Essentials Plus adds an independent, hands-on technical verification layer where a qualified assessor directly tests your systems against the five controls.
The assurance level provided by each certification reflects this difference. Cyber Essentials demonstrates that an organisation understands the five controls and has self-declared compliance. Cyber Essentials Plus demonstrates that an independent assessor has confirmed compliance through direct technical testing. This distinction matters for procurement decisions, regulatory evidence, and insurance underwriting — third parties consistently weight independently verified evidence higher than self-declarations. For organisations in supply chains serving critical infrastructure or financial services, the higher assurance of CE Plus is often a contractual requirement rather than a choice.
Importantly, Cyber Essentials Plus requires a valid Cyber Essentials certificate as a prerequisite. You cannot pursue CE Plus directly — the standard assessment must be completed first, and the CE Plus assessment must be conducted within three months of the standard certification date. This sequencing means that organisations must maintain compliance continuously throughout the period between the two assessments: any control regression between the standard certification and the CE Plus technical test will result in failure.
Cyber Essentials Plus must be completed within three months of your standard Cyber Essentials certification. Plan both assessments as a single programme to avoid timing issues.
2. The Hands-On Technical Verification Process
The CE Plus technical verification is conducted by a qualified assessor — typically a CREST or IASME-accredited security consultant — who connects to your environment and performs a structured series of tests. The assessment is not a full penetration test; it is a targeted verification of the five Cyber Essentials controls through direct observation and testing. The assessor typically requires remote access to a representative sample of your in-scope devices and network infrastructure, though on-site assessments are also conducted depending on your environment and the Certification Body's approach.
The verification process covers four primary testing activities. First, the assessor performs an external vulnerability scan of your internet-facing IP addresses and domains to identify unpatched vulnerabilities, misconfigured services, and open ports that violate the firewall control requirements. Second, the assessor selects a representative sample of internal devices — typically including Windows workstations, laptops, servers, and mobile devices — and performs authenticated scans to verify patch levels, configuration hardening, and malware protection status. Third, the assessor tests access control by reviewing user account configurations, verifying that administrative accounts are appropriately restricted, and confirming that multi-factor authentication is operational. Fourth, the assessor tests malware protection by executing benign test payloads (EICAR test files and equivalent) to verify that endpoint protection detects and blocks malicious content.
The entire technical verification typically takes one to three days depending on the size and complexity of your environment. The assessor documents findings in a structured report identifying any non-compliances. If all five controls pass the technical verification, the Certification Body issues the Cyber Essentials Plus certificate. If non-compliances are identified, you receive a remediation report and must address the findings before a re-test. Most Certification Bodies allow one re-test within a defined window (typically 30 days) without a full additional assessment fee, but this varies — confirm re-test terms before engaging your Certification Body.
3. Additional Testing Requirements
Beyond the four primary testing activities, the CE Plus assessment includes specific technical checks that go deeper than the standard self-assessment questionnaire. Vulnerability scanning is perhaps the most impactful: the assessor uses professional-grade scanning tools (Nessus, Qualys, or equivalent) to identify vulnerabilities across your external and internal attack surface. Any critical or high-severity vulnerability with a patch available for more than 14 days will result in a non-compliance finding. This is the single most common failure point in CE Plus assessments — organisations that pass the self-assessment questionnaire with honest answers about their patching process often discover that individual systems have been missed.
Configuration checks verify that devices are hardened beyond the default settings. The assessor will examine firewall rulesets for overly permissive rules, check that unnecessary services are disabled, verify that default passwords have been changed on all devices (including network equipment, printers, and IoT devices within scope), and confirm that auto-run and macro execution settings are appropriately restricted. For cloud environments, the assessor reviews security group configurations, IAM policies, and storage access controls against the same hardening principles. Organisations with hybrid environments should expect the assessor to examine both on-premises and cloud configurations.
Malware protection testing verifies not just that anti-malware software is installed and running, but that it is functionally effective. The assessor will attempt to download EICAR test files via web browser and email to verify that real-time protection intercepts known malware signatures. They will also verify that application whitelisting or sandboxing controls (if used as the primary malware protection mechanism instead of signature-based anti-malware) are correctly configured and prevent unauthorised executables from running. For mobile devices within scope, the assessor verifies that the device management platform enforces appropriate security policies including malware scanning where available.
Unpatched critical vulnerabilities older than 14 days are the most common CE Plus failure. Run your own vulnerability scan before the assessment and remediate all critical and high findings to avoid surprises on assessment day.
4. When to Pursue CE Plus vs Standard CE
The decision between standard Cyber Essentials and CE Plus should be driven by your risk profile, commercial requirements, and regulatory context. Standard CE is appropriate when your primary objective is demonstrating baseline cyber hygiene for general commercial purposes, when your clients accept self-assessed certification, and when your threat profile does not warrant independent technical verification. For many small and medium-sized enterprises in non-critical sectors, standard CE provides sufficient assurance at a proportionate cost.
CE Plus becomes the appropriate choice in several scenarios. First, when your clients or supply chain partners explicitly require it — particularly UK Government contracts involving sensitive personal data, defence supply chain participation, or critical national infrastructure supply relationships. Second, when you want to provide genuine assurance to your own management body that the five controls are not just documented but operationally effective. Self-assessment has an inherent bias: the people completing the questionnaire are often the same people responsible for the controls, creating a natural tendency to overestimate compliance. Independent verification corrects this bias. Third, when you are building toward broader certifications such as ISO 27001 — the discipline of preparing for and passing an independent technical assessment builds the organisational muscle needed for more demanding audit processes.
From an EU regulatory perspective, CE Plus is worth considering for organisations in NIS2 scope that need to demonstrate the effectiveness of their Article 21(2)(g) cyber hygiene measures. While CE Plus is not an EU regulatory requirement, the independent technical verification provides stronger evidence of control effectiveness than a self-declaration. Supervisory authorities assessing NIS2 compliance are more likely to credit an independently verified control than an internally declared one. The incremental cost of CE Plus over standard CE is typically modest — GBP 1,500 to GBP 5,000 depending on scope — and the evidentiary value for NIS2 compliance is disproportionately high relative to that cost.
If you are subject to NIS2, the independently verified evidence from CE Plus carries significantly more weight with supervisory authorities than a self-assessed Cyber Essentials certificate when demonstrating Article 21(2)(g) cyber hygiene compliance.
5. Preparation Checklist
Preparation for CE Plus should begin the moment you achieve your standard Cyber Essentials certification — you have a three-month window, and thorough preparation is the difference between a smooth assessment and an expensive re-test. Start with an internal vulnerability scan using the same class of tools the assessor will employ. Nessus Essentials (free for up to 16 IPs), OpenVAS, or your existing vulnerability management platform can identify the issues the assessor will find. Remediate all critical and high-severity vulnerabilities on every in-scope system. Do not rely on sampling — the assessor will scan your entire external surface and a representative sample of internal systems, and a single missed patch can result in failure.
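The 14-day rule from section 3 and the internal scan in this step are easiest to apply mechanically once the findings are out of the scanner. The script below is an added example, not code from the article, from any Certification Body or from any scanner vendor: it takes findings already exported into a simple record shape (host, title, severity, date the vendor fix was published) and lists those an assessor would record as non-compliant, most overdue first, with a per-host count for the remediation plan. All hosts, titles and dates are constructed, and the treatment of findings with no vendor fix yet is an assumption the article does not specify.

```python
"""Pre-assessment triage of vulnerability scan findings against the
Cyber Essentials Plus 14-day remediation window.

Added example, not code from the article or from any scanner vendor.
It assumes findings have already been exported from your scanner into
the record shape below; the sample findings are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The rule the article describes: a critical/high finding whose fix has
# been available for more than 14 days is recorded as a non-compliance.
REMEDIATION_WINDOW = timedelta(days=14)
FAILING_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str                    # critical / high / medium / low / info
    patch_published: Optional[date]  # None = no vendor fix released yet


def is_non_compliant(finding: Finding, today: date) -> bool:
    """True if the assessor would record this finding as a non-compliance."""
    if finding.severity.lower() not in FAILING_SEVERITIES:
        return False
    if finding.patch_published is None:
        # Assumption: the window counts from fix availability, so a finding
        # with no vendor fix yet is not a patching failure (track it anyway).
        return False
    return today - finding.patch_published > REMEDIATION_WINDOW


def days_overdue(finding: Finding, today: date) -> int:
    """Days beyond the 14-day window (0 if still inside it or no fix exists)."""
    if finding.patch_published is None:
        return 0
    return max(0, (today - finding.patch_published - REMEDIATION_WINDOW).days)


def triage(findings: List[Finding], today: date) -> List[Finding]:
    """Non-compliant findings, most overdue first."""
    failing = [f for f in findings if is_non_compliant(f, today)]
    return sorted(failing, key=lambda f: days_overdue(f, today), reverse=True)


def hosts_at_risk(findings: List[Finding], today: date) -> Dict[str, int]:
    """Count of non-compliant findings per host, for the remediation plan."""
    counts: Dict[str, int] = {}
    for f in triage(findings, today):
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed sample findings; dates are chosen around a fixed assessment
# date so that the boundary cases are visible.
AS_OF = date(2025, 3, 1)
SAMPLE_FINDINGS = [
    Finding("ws-01.corp.example", "Browser remote code execution", "critical", date(2025, 1, 20)),   # 40 days: fail
    Finding("ws-02.corp.example", "OS privilege escalation", "high", date(2025, 2, 20)),              # 9 days: in window
    Finding("ws-03.corp.example", "Office document parser bug", "high", date(2025, 2, 15)),           # exactly 14 days: in window
    Finding("srv-01.corp.example", "Weak TLS cipher suites", "medium", date(2024, 10, 1)),            # medium: not a CE Plus failure
    Finding("srv-01.corp.example", "Kernel flaw, no vendor fix", "critical", None),                    # no fix yet
    Finding("srv-02.corp.example", "Mail server remote code execution", "high", date(2025, 2, 14)),   # 15 days: fail
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, AS_OF):
        print(f"{f.host}: {f.title} ({f.severity}), {days_overdue(f, AS_OF)} day(s) past the window")
    print("Hosts needing remediation:", hosts_at_risk(SAMPLE_FINDINGS, AS_OF))
```

Run it against a real export by building `Finding` records from your scanner's output and passing `date.today()` instead of `AS_OF`; anything returned by `triage` is what the assessor will find if it is still present on assessment day.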
Next, conduct a configuration audit across your in-scope estate. Verify that every firewall (network and host-based) has a documented ruleset with no unnecessary open ports. Check that every device has changed its default administrator password. Confirm that auto-run is disabled on all Windows devices. Verify that macro execution in Microsoft Office is restricted to trusted locations or disabled entirely. For each user account, confirm that MFA is enabled where available and that administrative privileges are restricted to dedicated admin accounts used only for administrative tasks. Document the results of this audit — the evidence will support your assessment responses and help resolve any assessor queries quickly.
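For the firewall part of this audit, the useful comparison is between the documented ruleset and what an external port scan actually observes. The script below is an added example, not the article's or Nmap's own code: it parses Nmap's grepable output format (the `-oG` option mentioned in the FAQ's tool list) and reports every open port that the documented ruleset does not approve, treating a scanned host that is missing from the ruleset as a finding in its own right. The scan output, host names, addresses (from the TEST-NET-3 documentation range) and the ruleset are all constructed.

```python
"""Compare an external port scan against the documented firewall ruleset.

Added example, not code from the article or from the Nmap project. It
parses Nmap grepable output (-oG) and lists open ports the documented
ruleset does not approve. Scan output and ruleset below are constructed.
"""
from typing import Dict, List, Set, Tuple

OpenPort = Tuple[int, str, str]             # (port, protocol, service name)
Ruleset = Dict[str, Set[Tuple[int, str]]]   # host address -> {(port, protocol)}


def parse_grepable(text: str) -> Dict[str, List[OpenPort]]:
    """Return confirmed-open ports per host from Nmap -oG output.

    Host lines are tab-separated fields; the "Ports:" field lists entries
    of the form port/state/protocol/owner/service/rpc-info/version/.
    """
    observed: Dict[str, List[OpenPort]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                           # skip "# Nmap ..." comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]            # "Host: 203.0.113.10 (name)" -> address
        observed.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(", "):
                parts = entry.strip().split("/")
                # Only "open" counts; "closed" and "open|filtered" are not exposures.
                if len(parts) < 5 or parts[1] != "open":
                    continue
                observed[host].append((int(parts[0]), parts[2], parts[4]))
    return observed


def unapproved_open_ports(observed: Dict[str, List[OpenPort]],
                          ruleset: Ruleset) -> Dict[str, List[OpenPort]]:
    """Open ports with no matching (port, protocol) entry in the ruleset.

    A host absent from the ruleset has every open port reported, since an
    undocumented exposed host is itself something the assessor will query.
    """
    findings: Dict[str, List[OpenPort]] = {}
    for host, ports in observed.items():
        approved = ruleset.get(host, set())
        extra = [p for p in ports if (p[0], p[1]) not in approved]
        if extra:
            findings[host] = extra
    return findings


# Constructed scan output in Nmap's grepable format (three hosts, one of
# which is not in the documented ruleset at all).
SAMPLE_SCAN = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 203.0.113.10-12",
    "Host: 203.0.113.10 (www.example.com)\tStatus: Up",
    "Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (996)",
    "Host: 203.0.113.11 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix/, "
    "443/open/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (997)",
    "Host: 203.0.113.12 ()\tPorts: 8443/open/tcp//https-alt///\tIgnored State: filtered (999)",
    "# Nmap done: 3 IP addresses (3 hosts up)",
])

# Constructed "documented ruleset": what the firewall change records say
# should be reachable from the internet.
DOCUMENTED_RULESET: Ruleset = {
    "203.0.113.10": {(80, "tcp"), (443, "tcp")},
    "203.0.113.11": {(25, "tcp"), (443, "tcp")},
}

if __name__ == "__main__":
    for host, ports in unapproved_open_ports(parse_grepable(SAMPLE_SCAN), DOCUMENTED_RULESET).items():
        for port, proto, service in ports:
            print(f"{host}: {port}/{proto} ({service or 'unknown'}) open but not in documented ruleset")
```

In practice, feed it the file written by `nmap -oG` against your in-scope external ranges and keep the ruleset in version control next to the firewall change records; an empty result is the state you want before the assessor runs the same scan.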
Finally, prepare your environment for the assessment day itself. Ensure the assessor has the connectivity and credentials required for authenticated scanning — delays in access provisioning consume assessment time without producing results. Brief your IT team on the assessment scope and process so they can respond to assessor questions without delay. Prepare a scope document listing all in-scope networks, IP ranges, devices, cloud services, and user populations so the assessor can plan their sampling strategy efficiently. Have your standard Cyber Essentials questionnaire responses available for reference — the CE Plus assessor will use your self-assessment as the starting point for their technical verification, and consistency between your declared controls and the observed reality is essential.
How much does Cyber Essentials Plus cost?
The cost of Cyber Essentials Plus varies by organisation size, scope complexity, and Certification Body, but typical fees range from GBP 1,500 for small organisations with simple environments to GBP 5,000 or more for larger organisations with complex, hybrid environments. This is in addition to the standard Cyber Essentials assessment fee. The total cost should also account for any pre-assessment remediation work, internal preparation time, and potential re-test fees if non-compliances are identified during the technical verification.
How long does the CE Plus technical assessment take?
The technical verification typically takes one to three days of assessor time, depending on the scope and complexity of your environment. Small organisations with a single office and limited IT infrastructure may complete the assessment in a single day. Larger organisations with multiple sites, cloud environments, and diverse device estates should expect two to three days. The elapsed time from engagement to certificate issuance is typically two to four weeks, including scheduling, the assessment itself, and the Certification Body's review and issuance process.
What tools does the CE Plus assessor use?
CE Plus assessors use professional-grade vulnerability scanning tools such as Nessus, Qualys, or Tenable for both external and internal scanning. They may use additional tools for specific checks: configuration auditing utilities, port scanners (Nmap), and malware detection test files (EICAR standard anti-malware test file). The specific toolset varies by assessor and Certification Body, but all tools must be capable of identifying vulnerabilities to the level required by the Cyber Essentials technical standard. Assessors do not use exploit frameworks or attempt to breach systems — the assessment verifies control presence and configuration, not penetration resistance.
Can we fail CE Plus but keep our standard Cyber Essentials?
Yes. Standard Cyber Essentials and Cyber Essentials Plus are separate certifications. If you fail the CE Plus technical verification, your standard Cyber Essentials certificate remains valid until its expiry date. However, a CE Plus failure should be treated as a serious signal: it means that your self-assessed controls are not operationally effective, which undermines the value of the standard certificate even though it technically remains current. Use the CE Plus failure report as a remediation roadmap and pursue re-assessment once the identified gaps are closed.