// Verified Certification

CYBER ESSENTIALS PLUS

The independently verified level of Cyber Essentials — a third-party technical audit confirming your security controls are correctly implemented. Preferred by government supply chains and enterprise clients.

✓ IASME Approved Certification Body

All prices include the IASME certification fee — you certify directly with us, with no middlemen and no hidden costs.

  • Independent Technical Audit
  • 100% Remote Assessment
  • 1yr Certificate Validity
  • IASME Approved Body

// What Is CE Plus

CYBER ESSENTIALS PLUS EXPLAINED

Cyber Essentials Plus is the higher level of the Cyber Essentials scheme. While standard Cyber Essentials uses a self-assessment questionnaire, Plus requires an independent technical audit carried out by an approved assessor.

Our assessors remotely verify that your five security controls are correctly and effectively implemented — not just ticked on a form.

Who Requires CE Plus?

  • MOD and central government supply chain contracts
  • Organisations handling classified or sensitive data
  • Enterprise clients requiring independent verification
  • Businesses seeking a higher level of cyber assurance
  • Organisations using Cyber Essentials Plus as a stepping stone toward ISO 27001

CE vs CE Plus

  • Cyber Essentials: self-assessed questionnaire
  • Cyber Essentials Plus: independent technical verification
  • Both: IASME-issued certificate, 12-month validity
  • Plus: higher assurance, preferred for enterprise and government

WHAT THE AUDIT COVERS

Our remote technical audit verifies all five Cyber Essentials controls are correctly implemented across your devices, systems and network.

  • DEVICE TESTING: We test a sample of in-scope devices — typically around 10% — including laptops, desktops and mobile, to verify configuration and patch status.
  • NETWORK SCANNING: External vulnerability scanning of your internet-facing systems and boundary controls.
  • MALWARE SIMULATION: Safe simulated malware testing to verify your protection is working correctly.
  • EVIDENCE REVIEW: Review of configuration evidence and security policies to support questionnaire responses.

// The Process

HOW CE PLUS WORKS

1. CE FIRST

Complete Cyber Essentials self-assessment as the foundation for Plus. Use our CE readiness checklist to verify your controls before you submit.

2. PREPARE

We provide an audit readiness checklist covering the seven control areas the audit will test. You confirm each is in place before the assessment date.

3. AUDIT

Remote technical assessment by our IASME-approved assessor across your systems.

4. CERTIFIED

CE Plus certificate issued, listed on the NCSC public register.

// Step by Step

YOUR CE PLUS JOURNEY

Six clear, manageable steps from booking to certification.

1. BOOKING YOUR AUDIT

Complete our online enquiry form and a member of our team will be in touch to schedule your assessment at a time that suits your business.

2. VULNERABILITY SCANNING & PREPARATION

A core element of the CE Plus audit is the vulnerability assessment. How your systems are scanned depends on your existing tooling:

  • No PCI-DSS approved scanner: We will grant you access to our secure cloud agent for the duration of your audit.
  • Existing PCI-DSS approved scanner: Simply inform our audit support team — you may not need to install our cloud agent.

3. DOCUMENTATION YOU MUST PROVIDE

Accurate documentation is vital — your audit sample is selected directly from this information. Before we begin, you will need to submit:

  • An up-to-date asset list (which must be kept current throughout the process)
  • A signed Audit Authorisation Form, including all external IP addresses that require scanning

4. DEVICE SAMPLING

No sooner than three days before your assessment, we will confirm the final sample of devices to be audited — typically around 10% of in-scope devices, with a minimum of one device per operating system type in use.

Important: Devices are selected strictly by the auditor to ensure an accurate, representative sample of your environment. You cannot select your own devices for assessment.

Your responsibilities:

  • Confirm availability — ensure all sampled devices will be online and accessible during the audit appointment
  • Notify us immediately — if a selected device becomes unavailable, let us know straight away so we can choose an alternative

5. WHAT TO EXPECT ON AUDIT DAY

Your audit combines automated scans and live verification checks conducted via screen sharing, across four phases:

Phase 1 — Vulnerability Scanning

  • Internal scans: Credentialed patch audit scan of sampled devices via our cloud agent or your approved PCI-DSS scanner
  • External scans: Vulnerability scan of your publicly facing IP addresses and services

Phase 2 — User Device Security Tests

Real user email addresses must be used — generic or test accounts are not permitted. We will:

  • Test how devices process and handle email attachments
  • Test how devices handle file downloads from controlled, safe test websites

Phase 3 — Endpoint & Mobile Protection

  • Verify installation, configuration, and effectiveness of antivirus software
  • Perform iOS and mobile security checks (if mobile devices are within your audit scope)

Phase 4 — Access Control & Authentication

  • MFA tests across all listed cloud services
  • Confirm MFA is actively enabled for both administrator and standard user accounts
  • Verify strict separation between admin and standard user roles

6. AFTER YOUR AUDIT APPOINTMENT

It is entirely normal to have a few outstanding actions after the live assessment — this does not mean you have failed. Common post-audit tasks include:

  • Remediating any newly discovered vulnerabilities
  • Submitting additional evidence (such as screenshots of specific mobile configurations)

Your dedicated auditor will clearly outline exactly what is required, how to submit your evidence, and the deadline for completion.

// Audit Readiness

CE PLUS READINESS CHECKLIST

The CE Plus audit is a hands-on technical test — not a questionnaire. Seven control areas are assessed live against your systems. Use our interactive checklist to confirm everything is in place before your assessment date.

01 Antivirus & Endpoint Protection
02 Account Separation
03 Patch Management (14-day rule)
04 Mobile Devices
05 Malicious Content Blocking
06 External Vulnerabilities
07 MFA (all cloud services, all users)

CONFIRM YOUR READINESS

Use our free interactive checklist — 30 items across all seven audit areas with a live progress score. Tick off each item as you confirm it is in place.

Important: If any of these areas are not in place before the audit, issues will be identified during the technical assessment. You have 30 days from the assessment start date to remediate — within the 90-day window from your CE basic certification date. Both windows run simultaneously, so there is very little margin for last-minute fixes.

// Transparent Pricing

CE PLUS PRICING

Fixed prices based on organisation size. IASME certification fee included. No hidden charges.

Pricing is based on your organisation size and is always transparent — no hidden fees. View our full pricing breakdown including Cyber Essentials, CE Plus, DCC Level 0 and penetration testing.

// FAQ

COMMON QUESTIONS

// Getting Started

Yes — Cyber Essentials Plus builds on top of Cyber Essentials. You must hold a valid Cyber Essentials self-assessment before the Plus technical audit can take place. Once your CE basic certification is confirmed, you have 90 days (3 months) from that certification date to complete and pass CE Plus. If CE Plus is not passed within 90 days, the Plus application closes and you will need to re-certify at CE basic level before restarting — incurring an additional certification cost. In practice, both can be completed as part of the same engagement with us to keep the process as efficient as possible.

Cyber Essentials is self-assessed — you complete a questionnaire that is reviewed by your Certification Body. Cyber Essentials Plus adds an independent technical audit where an approved assessor actively tests your systems to verify the controls are correctly implemented, not just documented. Plus provides a significantly higher level of assurance and is required for some government and enterprise contracts.

CE Plus is typically required for MOD supply chain contracts involving sensitive or classified data, certain NHS and public sector frameworks, and enterprise clients requiring independent technical verification rather than self-assessment. If your contract tender specifies CE Plus or an independent technical audit, standard CE alone will not be sufficient. If you are unsure what your contract requires, our team can advise.

// The Audit

The CE Plus audit is a hands-on technical assessment conducted remotely by our IASME-approved assessors. It includes: external vulnerability scanning of your internet-facing systems, internal vulnerability scanning of a sample of in-scope devices (typically around 10%), checks on email and web browser configuration, and active verification that controls such as patching, malware protection, and access control are correctly implemented — not just documented. The audit typically takes a few hours depending on the size and complexity of your environment.

The technical audit itself typically takes a few hours to a day depending on scope and environment size. Combined with the Cyber Essentials self-assessment that precedes it, the full CE Plus process usually takes one to three weeks. Bear in mind that once CE basic is certified, you have 90 days (3 months) to complete and pass CE Plus — so it is important not to let the process stall once you have started. If the 90-day window expires, you will need to re-certify at CE basic level before restarting. We work to your timeline and can accommodate urgent certification needs.

If the audit identifies controls that are not correctly implemented, you will receive specific, actionable feedback on what needs to change. You have 30 days from the date the CE Plus assessment started to remediate those issues and have the relevant checks revisited. This remediation window sits within the broader 90-day window from your CE basic certification date — so both constraints apply at the same time. If either window expires before you pass CE Plus, your Plus application closes and you will need to re-certify at CE basic level before restarting — which incurs an additional cost. Our team will support you through remediation as efficiently as possible to protect both windows.

Gap analysis — reviewing your controls against CE Plus requirements and identifying any issues before the formal audit begins — can be included in your assessment fee. Simply let us know when you get in touch and we will factor this into your quote. There is no obligation to take it up, but many clients find it useful if they are unsure whether their environment is fully ready for the technical audit.

// Certification & Beyond

Cyber Essentials Plus certificates are valid for 12 months from the date of certification. Annual renewal is required to maintain certified status, which is important for ongoing government contracts and supply chain requirements. We can help manage your renewal cycle to avoid any gaps in certification.

Yes — CE Plus establishes well-documented, independently verified security controls, which provides a strong foundation for an ISO 27001 implementation. ISO 27001 is considerably broader in scope, covering governance, risk management, and organisational policies as well as technical controls — but CE Plus ensures your core technical controls are verified and working before you tackle the full management system requirements.

READY FOR CYBER ESSENTIALS PLUS?

Get independently verified. Talk to our UK-based team today — no jargon, no hard sell.

// Get In Touch

GET CERTIFIED TODAY

Fill in the form and we'll be in touch shortly. No jargon, no hard sell.