Achieving Cyber Essentials Plus: what the assessment actually involves
Cyber Essentials comes in two tiers. The standard certification is a verified self-assessment: you answer the questionnaire, someone reviews it, and you’re certified. Cyber Essentials Plus keeps that questionnaire and adds an independent, hands-on technical audit — an assessor actually tests your systems. It’s the tier insurers and serious financial-services clients increasingly want, because someone external has checked rather than taken your word for it.
If you run a tidy estate, Plus is very achievable. Here’s what the assessment looks like in practice.
A sample of your devices
The assessor doesn’t test everything — they test a representative sample across your device types and operating systems (Windows, macOS, mobile, and any servers in scope). The sample has to reflect your real estate, so an accurate device inventory is the starting point. If you can’t say what devices you have, you can’t pass.
Patch verification
The assessor checks that operating systems and key applications — browsers, email clients, Office, PDF readers — are supported and updated. The rule of thumb: anything “high” or “critical” must be patched within 14 days of a fix being available. Stale machines and end-of-life software are the most common reason firms fail.
Malware protection and configuration
They confirm that malware protection is present and active, and that devices are sensibly configured — no unnecessary accounts, no auto-running of untrusted files, appropriate restrictions in place.
The hands-on tests
This is what separates Plus from the basic tier. The assessor will typically:
- Send test files (benign stand-ins for malware) by email and check they’re caught or blocked.
- Test browser downloads of the same kind of files.
- Verify multi-factor authentication is enforced on cloud services and accounts.
- Run an authenticated vulnerability scan of the sample devices to confirm the patching and configuration claims hold up under inspection.
Where firms trip up
The failures are nearly always the same: an unpatched browser or PDF reader, an end-of-life Windows build, MFA missing on one cloud service, or a device that wasn’t on the inventory and quietly fell behind. None of these is hard to fix; the controls just need to hold consistently, not only in the week of the audit.
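As an added illustration, not code from the original article, here is a small Python readiness check that turns the patch verification rule and the common failures above (high or critical fixes older than 14 days, end-of-life operating systems, devices missing from the inventory, and cloud services without MFA) into a pre-audit report. The dataclasses, field names and the sample estate are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
PATCH_WINDOW = timedelta(days=14)   # high/critical fixes must be applied within 14 days

@dataclass
class Finding:
    product: str        # e.g. browser, PDF reader, Office
    severity: str       # "critical", "high", "medium", "low"
    fix_released: date  # date the vendor made the fix available

@dataclass
class Device:
    name: str
    os: str
    os_supported: bool  # False means an end-of-life build
    on_inventory: bool  # False means the assessor's sample could miss it
    findings: list = field(default_factory=list)

def device_issues(device, today):
    # Audit-relevant problems on one device; an empty list means clean.
    issues = []
    if not device.on_inventory:
        issues.append("not on inventory")
    if not device.os_supported:
        issues.append(f"end-of-life OS: {device.os}")
    for f in device.findings:
        overdue = (today - f.fix_released - PATCH_WINDOW).days
        if f.severity in ("critical", "high") and overdue > 0:
            issues.append(f"{f.product}: {f.severity} fix {overdue} day(s) past the 14-day window")
    return issues

def readiness_report(devices, mfa_by_service, today):
    # Map each failing device or cloud service to its list of issues.
    report = {}
    for d in devices:
        issues = device_issues(d, today)
        if issues:
            report[d.name] = issues
    for service, enforced in mfa_by_service.items():
        if not enforced:
            report[service] = ["MFA not enforced"]
    return report

# Constructed sample estate (not real data): one overdue patch, one patch within the window,
# one end-of-life device missing from the inventory, one cloud service without MFA.
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11", True, True, [Finding("PDF reader", "high", date(2024, 5, 10))]),
    Device("LAPTOP-02", "Windows 11", True, True, [Finding("Browser", "critical", date(2024, 5, 25))]),
    Device("DESKTOP-07", "Windows 8.1", False, False),
]
SAMPLE_MFA = {"Microsoft 365": True, "CRM": False}
```

Running `readiness_report(SAMPLE_DEVICES, SAMPLE_MFA, TODAY)` lists only what would fail the assessment, so an empty report is the goal before the assessor arrives.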
Passing first time, then staying there
The way to pass is not to cram. It’s to run the estate so the controls are simply always in place — patching on a schedule, MFA everywhere, a real inventory, malware protection enforced by policy. Then the assessment is a confirmation, not an exam.
Certification lasts twelve months, so the same discipline carries you to the next one without drama. That’s exactly how we run Cyber Essentials Plus for the estates in our care: get certified, then keep the controls true all year round.
Want technology you can stop thinking about?
A 30-minute call, no obligation. We’ll tell you plainly whether we can help.
Book a call