Certification

Preparing for Cyber Essentials Plus: what the audit actually checks

What Cyber Essentials Plus adds over the standard certification, the five control areas the hands-on audit tests, the gaps that most often cause a fail, and how to be ready before the assessor arrives.

By the Threat Protect editorial team · 8 min read · Updated 9 June 2026

Cyber Essentials Plus is the same five-control standard as Cyber Essentials, with one important difference: an independent assessor tests your defences hands-on rather than taking your word for it. That is what makes the Plus certificate worth more to clients, insurers and public-sector buyers, and it is also why companies that breeze through the self-assessment sometimes fail the Plus audit. This guide explains what the audit checks and how to be ready before the assessor arrives.

What Plus adds over standard Cyber Essentials

Standard Cyber Essentials is a verified self-assessment: you attest that the five controls are in place and a certification body checks your answers. Cyber Essentials Plus adds a technical audit. An assessor samples your devices, attempts to confirm that malware protection and configuration are working, checks that recent security updates are applied, and tests your email and web defences against benign simulated threats.

The practical effect is that Plus rewards companies whose controls are genuinely operating and exposes companies whose self-assessment was optimistic. The certificate carries more weight precisely because it is harder to obtain.

The five control areas, and what the assessor looks for

  • Firewalls. Boundary and host firewalls correctly configured, with no unnecessary services exposed to the internet.
  • Secure configuration. Default passwords removed, unnecessary software and accounts disabled, and devices hardened rather than left at out-of-the-box settings.
  • User access control. Accounts provisioned on least privilege, administrative rights restricted, and multi-factor authentication on cloud services.
  • Malware protection. Anti-malware present and current, or application allow-listing, across the in-scope devices.
  • Security update management. Supported software only, with high-risk and critical updates applied within the required window.

The gaps that most often cause a fail

Four issues account for most Plus failures, and all four are findable in advance:

Unsupported software still in use. An operating system or application past end-of-life is an automatic problem. Inventory first and retire or isolate anything unsupported.

Inconsistent multi-factor authentication. MFA enabled for some users or some services but not all is a frequent finding, especially on cloud admin accounts.

Missing security updates. Devices that have slipped behind on patching, often laptops that are rarely on the network, fail the update check.

An inaccurate scope. Plus tests a sample of the devices in scope. If your asset list is wrong, the assessor finds devices you did not prepare. Scope honestly and completely.

How to be ready before the assessor arrives

The work is mostly in the weeks before, not on the day. Build an accurate device and software inventory. Retire or isolate anything unsupported. Confirm MFA is on for every cloud service and every user. Run a patch sweep and fix the stragglers. Then run a pre-assessment against the five controls so the only surprises happen on your timetable, not the assessor's.

This is where doing it as part of continuous compliance pays off: the controls are kept current year-round, so renewal is routine rather than an annual scramble, and the evidence is always to hand. Certification itself is delivered through certified assessment partners; our role is to scope it, close the gaps and keep it current.

If you are weighing Cyber Essentials Plus against a broader standard, Cyber Essentials versus ISO 27001 sets out when each is the right call. To scope your own path to Plus, see the Cyber Essentials service, try the Cyber Essentials checker, or book a 30-minute call.


Frequently asked

Questions readers ask before getting in touch.

  • Cyber Essentials is a self-assessment that is independently verified. Cyber Essentials Plus covers the same five control areas but adds a hands-on technical audit by an assessor, who tests a sample of your devices and your email and web defences directly. Plus is stronger assurance because someone independent has checked that the controls actually work, not just that you said they do.
