Cyber Essentials Plus (CE+) is the enhanced certification in the UK government’s Cyber Essentials scheme. While Cyber Essentials (CE) is a self-assessment, Cyber Essentials Plus requires independent verification by a certified assessor.
🛡️ What Is Cyber Essentials Plus?
Cyber Essentials Plus is a government-backed cybersecurity certification designed to help organisations protect themselves against common cyber threats. It builds upon Cyber Essentials by adding a hands-on technical audit of your systems.
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Self-assessment | ✅ | ✅ (first step) |
| External audit | ❌ | ✅ |
| Internal scan | ❌ | ✅ |
| On-site or remote technical testing | ❌ | ✅ |
| Certification body required | No | Yes |
🔍 What Is Audited in CE+?
An assessor from a certification body performs vulnerability and configuration testing on the following components:
| Component | What They Check |
|---|---|
| User devices | Patching, antivirus, user privileges, MFA |
| Boundary firewalls | Port filtering, inbound rules |
| Email & browsers | Phishing simulation, browser hardening |
| Software | Updates, unsupported apps, secure configuration |
| Accounts | Admin vs standard accounts, password controls |
✅ Requirements at a Glance
| Area | Requirement |
|---|---|
| Firewalls | Default-deny rules, admin interfaces locked down |
| Secure Configuration | No unnecessary apps/services |
| User Access Control | Separate admin accounts, MFA, strong passwords |
| Malware Protection | Real-time AV or application whitelisting |
| Patch Management | High-risk patches applied within 14 days |
🧪 CE+ Example Testing Tasks
- Scan selected devices for missing critical patches
- Verify antivirus is installed and up to date
- Confirm users don’t have unnecessary admin rights
- Attempt to access remote services with weak credentials
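As an added example (not part of the scheme's tooling or this article), the script below runs the device-level checks from the list above against a constructed inventory export: high-risk patches measured against the 14-day window, antivirus status, and standard users holding local admin rights. The CVSS 7.0 high-risk threshold, the 7-day definition-age limit, the `admin-` naming convention for separate admin accounts, and the inventory format are all assumptions.

```python
from datetime import date, timedelta
PATCH_WINDOW_DAYS = 14   # CE requirement: high-risk patches applied within 14 days
HIGH_RISK_CVSS = 7.0     # assumed threshold: CVSS base score >= 7.0 counts as high risk
MAX_SIGNATURE_AGE = 7    # assumed: AV definitions older than a week count as out of date
# Constructed sample inventory (hypothetical export format, not the output of any CE+ tool)
DEVICES = [
    {"host": "LAPTOP-01", "av_installed": True, "av_signature_age_days": 1,
     "local_admins": ["admin-jsmith"],
     "patches": [{"id": "PATCH-A", "cvss": 9.8, "released": date(2024, 5, 1), "applied": date(2024, 5, 9)}]},
    {"host": "LAPTOP-02", "av_installed": True, "av_signature_age_days": 21,
     "local_admins": ["jdoe", "admin-jdoe"],
     "patches": [{"id": "PATCH-B", "cvss": 8.1, "released": date(2024, 5, 1), "applied": None},
                 {"id": "PATCH-C", "cvss": 4.3, "released": date(2024, 4, 1), "applied": None}]},
]

def patch_findings(device, today):
    """Flag high-risk patches that are missing or were applied after the 14-day deadline."""
    findings = []
    for p in device["patches"]:
        if p["cvss"] < HIGH_RISK_CVSS:
            continue  # lower-severity patches fall outside the 14-day rule
        deadline = p["released"] + timedelta(days=PATCH_WINDOW_DAYS)
        if p["applied"] is None and today > deadline:
            findings.append(f"{p['id']}: high-risk patch missing, deadline {deadline} passed")
        elif p["applied"] is not None and p["applied"] > deadline:
            findings.append(f"{p['id']}: applied {(p['applied'] - p['released']).days} days after release (limit {PATCH_WINDOW_DAYS})")
    return findings

def admin_findings(device):
    """Flag standard users in the local admin group (assumes an 'admin-' naming convention)."""
    return [f"{u}: standard user holds local admin rights"
            for u in device["local_admins"] if not u.startswith("admin-")]

def av_findings(device):
    if not device["av_installed"]:
        return ["antivirus not installed"]
    if device["av_signature_age_days"] > MAX_SIGNATURE_AGE:
        return [f"antivirus definitions {device['av_signature_age_days']} days old"]
    return []

def assess(devices, today):
    """Return {host: [findings]}; an empty list means the device passed these checks."""
    return {d["host"]: patch_findings(d, today) + admin_findings(d) + av_findings(d) for d in devices}

def run_sample():
    return assess(DEVICES, date(2024, 5, 20))  # assessment date for the constructed sample

if __name__ == "__main__":
    for host, issues in run_sample().items():
        print(host, "PASS" if not issues else "FAIL", issues)
```

A real export would come from your RMM, MDM or vulnerability scanner; the three checks map directly onto the sampled-device evidence the assessor collects.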
📜 Why Get CE+ Certified?
| Benefit | Description |
|---|---|
| Trust | Demonstrates you take cybersecurity seriously to partners, customers, NHS, MoD, etc. |
| Compliance | Often required for UK government or NHS contracts |
| Risk Reduction | Forces a review of vulnerabilities across your stack |
| Insurance Incentives | Some cyber insurance providers offer reduced rates |
📅 Validity and Renewal
- CE+ is valid for 12 months
- Annual recertification required to stay compliant
- CE must be completed before CE+ (they’re bundled in the Plus package)
💸 Cost (Approximate)
| Org Size | Cost Estimate |
|---|---|
| Small (<10 staff) | £1,500–£2,500 |
| Medium (10–250) | £2,500–£5,000 |
| Large (250+) | Custom pricing |
Prices vary depending on scope and assessment body.
🧭 Tips for a Smooth Audit
- Run a mock internal scan (use tools like Nessus, Qualys, or OpenVAS)
- Clean up unused accounts and software
- Document patching timelines
- Ensure endpoint protection is consistent across devices
- Use standard builds or gold images