What Cyber Essentials Plus actually involves, the tests the assessor runs, the gotchas that fail most first-time submissions, and how to pass without a frantic week of pre-audit patching.
What CE+ is and why it matters
Cyber Essentials Plus (CE+) is the audited version of Cyber Essentials. The same five technical controls — firewalls, secure configuration, user access control, malware protection and security update management — but verified by an independent assessor running real technical tests, not just reviewing a questionnaire.
Many UK central government contracts now specify CE+ rather than basic Cyber Essentials, and an increasing number of enterprise procurement teams treat it as the minimum acceptable evidence for a UK supplier.
What the assessor actually tests
External vulnerability scan — internet-facing IPs for unpatched services
Internal authenticated scan — a sample of user devices for missing patches and end-of-life software
Email and web download test — confirms malware protection blocks known-malicious payloads
Account separation — confirms standard users cannot install software or perform admin actions
MFA verification — proves MFA is enforced, not just configured, on cloud services and admin accounts
A four-week path to passing first time
Step 1
Week 1: Inventory and freeze the scope
You can't pass CE+ on devices you don't know exist. Build the in-scope device list, map it to users, and freeze software changes a week before the audit window.
Step 2
Week 2: Patch everything older than 14 days
Run authenticated vulnerability scans yourself. Anything CVSS ≥ 7.0 published more than 14 days ago is a probable fail. Patch, upgrade or remove. Pay special attention to browsers, browser plugins, PDF readers and Office.
Step 3
Week 3: Verify MFA and account separation
Audit your cloud admin accounts (M365, Google Workspace, AWS, Azure) — every single one must enforce MFA. Verify standard user accounts cannot install applications or change system settings.
Step 4
Week 4: Pre-audit dry run
Run the same tests the assessor will run: EICAR sample over email and HTTPS, try to install software as a standard user, try to download a known-bad file. Fix anything that doesn't behave as expected.
Step 5
Audit day: be present, be honest
The assessor will need an admin to drive the device sample. Have credentials, scan windows and a quiet room ready. If something fails, fix it during the audit window rather than disputing the finding.
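The Week 2 patch-age rule, the Week 3 MFA check and the Week 4 EICAR dry run are all things you can script before the assessor arrives. The following is an added example, not code from this article or from ISO-STANDARD.app. It assumes two exports you produce yourself: a vulnerability-scan export with one record per finding (keys host, id, cvss, published) and a cloud admin-account export with one record per account (keys upn, is_admin, mfa_state); those key names, the VULN-x identifiers, the hostnames and the audit date are all constructed for illustration, so map your own scanner and identity-provider column names onto them.

```python
"""Pre-audit self-check for a Cyber Essentials Plus dry run.

Added example, not code from the article or from ISO-STANDARD.app.
It assumes two exports you would produce yourself before the audit:
a vulnerability-scan export (one dict per finding with keys host, id,
cvss, published) and a cloud admin-account export (one dict per
account with keys upn, is_admin, mfa_state). Those key names are an
assumption; map your scanner's and identity provider's column names
onto them. All sample data below is constructed.
"""
from datetime import date, timedelta

# Thresholds taken from the article: a finding scoring CVSS 7.0 or above
# that was published more than 14 days before the audit date is a probable fail.
CVSS_FAIL_THRESHOLD = 7.0
PATCH_WINDOW_DAYS = 14

# MFA states as reported by a typical cloud identity export. "enabled"
# means a method is registered but sign-in does not require it; only
# "enforced" satisfies the assessor's "enforced, not just configured".
MFA_ENFORCED = "enforced"


def probable_patch_fails(findings, audit_date):
    """Return the findings an assessor would most likely fail the sample on,
    highest CVSS first."""
    cutoff = audit_date - timedelta(days=PATCH_WINDOW_DAYS)
    fails = [
        f for f in findings
        if f["cvss"] >= CVSS_FAIL_THRESHOLD
        and date.fromisoformat(f["published"]) < cutoff  # strictly older than 14 days
    ]
    return sorted(fails, key=lambda f: (-f["cvss"], f["host"], f["id"]))


def admins_without_enforced_mfa(accounts):
    """Return the UPNs of admin accounts whose MFA state is anything other
    than enforced, including the 'enabled but not required' case."""
    return sorted(
        a["upn"] for a in accounts
        if a["is_admin"] and a["mfa_state"] != MFA_ENFORCED
    )


# The public EICAR test string, stored in two halves so this source file
# does not itself match an antivirus signature. Joined, it is the standard
# 68-character benign file used for the email and web-download test.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_test_string():
    """Return the EICAR test string; write it to eicar.com on a sample
    device (or attach it to an email) and confirm it is blocked."""
    return "".join(_EICAR_PARTS)


def dry_run_report(findings, accounts, audit_date):
    """Combine the checks into one readiness verdict."""
    patch_fails = probable_patch_fails(findings, audit_date)
    mfa_gaps = admins_without_enforced_mfa(accounts)
    return {
        "patch_fails": [(f["host"], f["id"], f["cvss"]) for f in patch_fails],
        "mfa_gaps": mfa_gaps,
        "ready": not patch_fails and not mfa_gaps,
    }


# Constructed sample exports for an audit dated 1 June 2024.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    {"host": "LAPTOP-01", "id": "VULN-A", "cvss": 9.8, "published": "2024-05-01"},  # 31 days old: fail
    {"host": "LAPTOP-02", "id": "VULN-B", "cvss": 7.5, "published": "2024-05-28"},  # 4 days old: still in window
    {"host": "LAPTOP-03", "id": "VULN-C", "cvss": 5.3, "published": "2024-03-01"},  # medium: not a CE+ fail
    {"host": "LAPTOP-01", "id": "VULN-D", "cvss": 7.0, "published": "2024-05-18"},  # exactly 14 days: still in window
]
SAMPLE_ACCOUNTS = [
    {"upn": "admin1@example.com", "is_admin": True, "mfa_state": "enforced"},
    {"upn": "admin2@example.com", "is_admin": True, "mfa_state": "enabled"},  # registered, not required
    {"upn": "breakglass@example.com", "is_admin": True, "mfa_state": "disabled"},
    {"upn": "user1@example.com", "is_admin": False, "mfa_state": "disabled"},  # standard user: out of scope here
]

if __name__ == "__main__":
    report = dry_run_report(SAMPLE_FINDINGS, SAMPLE_ACCOUNTS, AUDIT_DATE)
    for host, vuln_id, cvss in report["patch_fails"]:
        print(f"PATCH FAIL  {host:<10} {vuln_id} CVSS {cvss}")
    for upn in report["mfa_gaps"]:
        print(f"MFA GAP     {upn}")
    print("READY" if report["ready"] else "NOT READY")
```

Run it against your real exports a few days before the audit window: anything listed under PATCH FAIL needs patching, upgrading or removing, and every UPN under MFA GAP needs MFA moved from merely registered to required at sign-in. The EICAR string is deliberately kept in two halves so the script itself is not quarantined; only the file you write from it on a sample device should be.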
CE+ as a foundation for ISO 27001 and SOC 2
CE+ proves the technical baseline. ISO 27001 and SOC 2 add the management system around it — policies, risk assessment, internal audit, management review. Sequencing CE+ first means the bigger audits inherit a known-good technical baseline.
ISO-STANDARD.app ships a ready-to-adopt Cyber Essentials Plus workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.
Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.
Frequently asked questions
What does Cyber Essentials Plus add over basic Cyber Essentials?
An independent technical audit. The assessor performs external and internal vulnerability scans, tests a sample of user devices for missing patches and effective malware protection, and verifies that account separation and MFA are actually enforced — not just claimed in a questionnaire.
What's a typical sample size?
For most SMBs, the assessor tests a representative sample of end-user devices (typically 3–10) across operating systems and roles, plus a sample of cloud admin accounts. The exact sample is risk-based and defined by the assessor.
What are the most common CE+ fails?
Unsupported operating systems still in the device sample, missing high-severity patches older than 14 days, MFA not enforced on cloud admin accounts, locally installed software with known critical vulnerabilities, and Office macros not restricted.
Do we need basic Cyber Essentials first?
Yes. A Cyber Essentials Plus assessment must be completed within three months of a successful Cyber Essentials assessment. In practice most organisations do them back-to-back with the same certification body.