Cyber Essentials Plus Readiness Checklist

⏱

Important: Time Windows

You have 90 days from your CE basic certification date to pass CE Plus. If issues are found during the audit, you have 30 days from the assessment start date to remediate — but both windows run simultaneously. If either expires before you pass, you must recertify CE basic before reattempting CE Plus, at additional cost. Have everything in this checklist confirmed before your assessment date.

Ready for CE Plus audit

0 / 26

Items confirmed

Tick each item below as you confirm it is in place for your organisation.

Area 1 ANTI-VIRUS & ENDPOINT PROTECTION

The auditor will verify that active malware protection is running on all in-scope devices. This is a live, technical check — not just a policy question. Anti-virus must be installed, active, and up to date on every device within scope on the day of assessment.

Anti-virus or endpoint protection software is installed and actively running on all in-scope devices — desktops, laptops, and serversWindows Defender, Sophos, CrowdStrike, and similar solutions are all acceptable if properly configured and active

AV signatures and definitions are updated automatically and are current at the time of assessmentManually updated definitions are not reliable — automatic updates must be enabled and verified

Real-time / on-access scanning is enabled — the protection is not in passive or monitoring-only mode

Standard users cannot disable or bypass AV protection on their devicesUser-disabled AV is an audit failure — protection must be enforced at a policy level

All device types included in scope (including any BYOD or managed devices used for work) are covered by AV protectionThe auditor will check the full scope — gaps in coverage will be identified

Area 2 ACCOUNT SEPARATION

The audit checks that user and administrator accounts are properly separated, that no shared credentials are in use, and that privileged access is tightly controlled. This is verified against live system configurations.

Every user has a unique, individual account — no shared logins or group accounts are in use for any in-scope systemShared credentials mean audit trails are unverifiable and introduce uncontrolled access risk

Administrator accounts are separate from standard user accounts — admins have a dedicated admin account and a separate standard account for everyday tasksUsing an admin account for day-to-day browsing and email is an audit failure

Standard users have only the permissions required for their role — least privilege is applied and enforcedUnnecessary access rights elevate risk and will be flagged during the audit

Accounts of staff who have left or changed roles have been disabled or removed promptly — no orphaned accounts remain activeActive accounts for former employees are a common audit finding

Area 3 PATCH MANAGEMENT (14-DAY RULE)

The auditor will verify patch currency across operating systems, applications, and firmware. All high-risk and critical patches must be applied within 14 days of release. This is checked live against installed software versions during the audit.

All high-risk and critical OS security updates are installed within 14 days of release across all in-scope devices Auto-Fail RiskThis includes Windows Update, macOS updates, and Linux package updates. Unpatched OS = audit failure

All application patches — browsers, Office suites, plugins, and third-party software — are applied within 14 days Auto-Fail RiskOutdated browsers and applications are a leading audit failure point — check every device in scope

Router and firewall firmware is patched within 14 days of critical updates being releasedAuto-update on broadband routers alone may not cover all firmware — verify manually

No end-of-life or unsupported software is in use within the assessed scopeSoftware the vendor no longer patches must be removed from scope or the network before the audit

Area 4 MOBILE DEVICES

Any mobile device — smartphone or tablet — used for work and within scope must be managed, secured, and running only software from authorised sources. Jailbroken or rooted devices are an automatic audit failure.

No mobile device within scope is jailbroken or rootedJailbroken/rooted devices remove OS security controls and will fail the audit. Remove them from scope or restore them before the assessment

Apps on in-scope mobile devices are installed only from authorised application stores — Apple App Store, Google Play Store, or a managed enterprise app catalogueSideloaded apps bypass security vetting and will be flagged. Only approved stores are permitted

Mobile OS and apps are kept up to date within the 14-day patching windowMobile devices fall under the same patch management requirements as desktops and laptops

Area 5 MALICIOUS CONTENT BLOCKING

The audit includes technical tests to verify that malicious content — such as executable downloads and malware payloads — is blocked before it can reach end-user devices. NCSC test files are used. If your filtering does not block them, the audit will record a failure.

Email filtering blocks or quarantines emails containing malicious attachments and suspicious linksMicrosoft Defender for Office 365, Google Workspace security, or equivalent must be active and configured

Executable file types (.exe, .bat, .vbs, script files) are blocked or sandboxed in email — users cannot receive and run arbitrary executables via email

Test downloads of NCSC verification files (simulated malicious executables) are blocked at the network or endpoint levelThe auditor will attempt to download test files during the assessment — if they succeed, it's a failure

Area 6 EXTERNAL VULNERABILITIES

The auditor runs an authenticated and unauthenticated vulnerability scan against all internet-facing IP addresses within scope. High and critical vulnerabilities on external-facing systems will fail the audit. Run your own pre-assessment scan and address any findings before the assessment date.

An external vulnerability scan has been run against all internet-facing IP addresses and systems within scopeTools such as Nessus, Qualys, or Tenable can be used to identify issues before the audit

No high or critical vulnerabilities are present on any externally accessible system within scopeAny unpatched high/critical CVE reachable from the internet will fail the audit

Remote access solutions — VPN portals, RDP gateways, admin interfaces — are not exposed to the internet without MFAExposed remote access without MFA is a critical audit failure and a significant real-world risk

Unnecessary internet-facing services, open ports, and externally accessible admin panels are closed or access-restrictedAny open service that cannot be justified will be queried. Reduce your external attack surface before the audit

Area 7 MULTI-FACTOR AUTHENTICATION (MFA)

MFA must be enabled on all cloud services for all users — not just administrators. Under Danzell v3.3 this is verified technically. Failure to enforce MFA where it is available is an automatic audit failure.

MFA is enabled for all users on all cloud services in use — Microsoft 365, Google Workspace, Salesforce, and any other SaaS platform within scope Auto-Fail RiskEvery user, not just admins. A single user account without MFA on an in-scope cloud service will fail the audit

MFA is enforced on all remote access connections — VPN, Remote Desktop Gateway, and any other remote access mechanism within scope Auto-Fail RiskRemote access without MFA is one of the most common CE Plus audit failures

Administrative access to cloud platforms and management consoles requires MFA — privileged accounts cannot bypass itGlobal admin, IT admin, and billing admin accounts are high-value targets — MFA is non-negotiable

MFA configuration has been tested and verified — not just enabled in settingsEnable MFA, then log in as a test user from a fresh session to confirm the MFA prompt actually appears

// What Next?

READY FOR YOUR CE PLUS AUDIT?

Our UK-based team will guide you through the audit process and confirm you're ready before booking your assessment date. No hidden charges — view pricing →

Book Audit → Build Your Quote →

Don't yet have Cyber Essentials? CE Plus requires you to hold a valid Cyber Essentials basic certificate first — you have 90 days from CE basic certification to complete CE Plus. Use the CE basic readiness checklist →

This checklist is based on the CE Plus audit requirements under Cyber Essentials v3.3 (Danzell), effective April 2026. It is provided as a self-assessment guide only — formal certification requires an independent technical audit by an IASME Approved Certification Body. For questions about your readiness, contact our team.

CYBER ESSENTIALS PLUSREADINESS CHECKLIST