Cyber Essentials Plus Requirements: What You Need to Know

Cyber Essentials Plus is the more advanced level of the UK government-backed Cyber Essentials scheme. While the basic Cyber Essentials certification involves a self-assessment, Cyber Essentials Plus includes an independent, hands-on technical audit of your systems by a qualified external assessor. It offers a higher level of assurance that your organization is properly protected against the most common cyber threats. Understanding the specific requirements of Cyber Essentials Plus is essential for a successful certification process.

What Is Cyber Essentials Plus?

Cyber Essentials Plus builds on the foundation of Cyber Essentials, verifying that your cybersecurity measures are not only in place but are also functioning effectively. The core controls remain the same—firewalls, secure configuration, user access control, malware protection, and patch management—but the assessment process is significantly more rigorous. Cyber Essentials Plus includes internal and external vulnerability scans, configuration testing, and simulations of real-world attack scenarios, providing a more realistic picture of your security posture.

Key Requirements of Cyber Essentials Plus

1. Firewall and Internet Gateway Security

Your organization must demonstrate that all internet-facing devices are protected by properly configured firewalls. This includes routers, software firewalls on individual devices, and cloud service access points. Cyber Essentials Plus auditors will test your boundary defenses to ensure they block unauthorized access effectively.

2. Secure Configuration of Devices

Devices such as laptops, desktops, servers, and mobile devices must be configured securely. This means disabling unnecessary services, removing unused software, and ensuring settings reduce the risk of exploitation. During the Cyber Essentials Plus audit, sample machines are reviewed to confirm secure baseline configurations are in place.

3. User Access Control

Only authorized users should have access to your systems and data, with administrative privileges limited to those who genuinely need them. Cyber Essentials Plus assessors will verify that user accounts are managed properly and that privilege escalation paths are controlled.

4. Malware Protection

Your systems must have effective malware protection mechanisms. This can include antivirus software, allowlisting, or sandboxing. The audit will involve checks to ensure malware defenses are active and up to date. In some cases, auditors may simulate malware delivery to test your system’s response.

5. Patch Management and Software Updates

Software on your systems must be fully patched and supported by the vendor. Cyber Essentials Plus requires that all critical and high-risk vulnerabilities are patched within 14 days of release. Auditors will perform vulnerability scans to detect missing updates and unsupported software.

Additional Testing Elements in Cyber Essentials Plus

  • Simulated Phishing Attacks: Some assessments include controlled phishing tests to evaluate user awareness and the effectiveness of email security filters.
  • In-Scope Device Testing: A sample of in-scope devices—typically laptops and desktops—is tested for compliance with all five controls.
  • External Vulnerability Scan: Your external IP addresses are scanned to detect open ports, misconfigurations, or vulnerabilities.
  • Internal Vulnerability Scan: Auditors perform scans inside your network to ensure your internal systems are properly patched and protected.

Scope and Network Boundary Definition

As with Cyber Essentials, defining the correct scope is critical. All systems used for day-to-day operations, especially those processing sensitive or personal data, must be included. This means remote workers, cloud services, and hybrid environments fall within scope. Your assessor will review your scoping decisions, so be honest and thorough.

Preparing for Cyber Essentials Plus

Before applying for Cyber Essentials Plus, you must first pass the basic Cyber Essentials certification. Then, take the following steps to prepare:

  • Conduct an internal audit of all five security control areas.
  • Remediate vulnerabilities found in earlier scans or assessments.
  • Ensure user devices are secured and fully patched.
  • Work with IT teams or third-party providers to implement required changes.
  • Choose an accredited assessor through IASME and schedule your audit.

Why Choose Cyber Essentials Plus?

While Cyber Essentials provides valuable baseline protection, Cyber Essentials Plus offers greater assurance to clients, partners, and regulators. It can help you win contracts, reduce cyber insurance premiums, and ensure a stronger defense against evolving threats. Most importantly, it verifies that your security measures are not just theoretical—they are proven to work.

In conclusion, Cyber Essentials Plus is a powerful tool for organizations serious about cybersecurity. By meeting its requirements, you go beyond self-assessment and demonstrate that your systems have been independently tested and verified. Whether you’re aiming to strengthen customer trust, meet regulatory standards, or simply reduce risk, Cyber Essentials Plus delivers the credibility and protection your business needs in today’s threat-filled digital world.