Introduction
As cyber threats continue to grow in complexity, organizations are turning to certification schemes like Cyber Essentials to prove their commitment to security. While the basic Cyber Essentials certification is a great first step, many businesses aim higher with Cyber Essentials Plus. Unlike the self-assessment of the basic level, Cyber Essentials Plus involves a hands-on technical audit conducted by a certified assessor. Preparing for your Cyber Essentials Plus audit is essential for a smooth process and a successful outcome. This guide will walk you through the key steps you need to take to get ready for your Cyber Essentials Plus assessment.
Understanding Cyber Essentials Plus
Cyber Essentials Plus builds upon the five core controls of the basic Cyber Essentials framework: firewalls, secure configuration, user access control, malware protection, and patch management. The key difference is that Cyber Essentials Plus requires independent verification of these controls. The audit includes vulnerability scans, configuration checks, and user access reviews to ensure your organization’s systems meet the Cyber Essentials standard in practice—not just on paper.
Step 1: Start with Cyber Essentials
Before applying for Cyber Essentials Plus, you must first achieve the basic Cyber Essentials certification. This is a prerequisite and ensures that you already understand and apply the core security principles. Make sure your existing Cyber Essentials certification is valid and up to date before moving forward with the Plus audit.
Step 2: Conduct an Internal Gap Analysis
To prepare for the Cyber Essentials Plus audit, carry out an internal review of your current systems. Identify any weaknesses that could cause you to fail the assessment. Pay close attention to how well your devices meet Cyber Essentials requirements. Check firewall rules, antivirus configurations, access controls, and patching procedures. This proactive analysis is one of the most important parts of preparing for Cyber Essentials Plus.
Step 3: Patch All Systems
One of the most common reasons for failing Cyber Essentials Plus is outdated software. Ensure all operating systems, applications, and firmware are patched with the latest updates. Cyber Essentials requires critical updates to be applied within 14 days of release. Your audit will involve scans that detect unpatched software, so prioritize this step.
Step 4: Prepare Endpoints and Test Devices
Your assessor will need access to sample devices (typically desktops, laptops, or servers) for testing. These devices must reflect the actual security posture of your organization. Configure them according to Cyber Essentials best practices—especially regarding antivirus, user access, and local admin rights. Clean and consistent configuration across all test devices is key to passing Cyber Essentials Plus.
Step 5: Secure Remote Working Setups
If your staff works remotely, ensure their devices also meet Cyber Essentials standards. This includes secure VPN connections, updated antivirus, and limited user privileges. Remote setups are not exempt from the Cyber Essentials Plus audit, and failure to secure them could jeopardize your certification.
Step 6: Engage a Trusted Certification Body
Work with a licensed Cyber Essentials certification body experienced in conducting Plus audits. They will explain the audit process, share testing requirements, and help schedule the assessment. Good communication with your assessor ensures there are no surprises during the Cyber Essentials Plus audit.
Step 7: Run a Mock Audit (Optional but Helpful)
If time and budget allow, consider performing a mock Cyber Essentials Plus audit internally or with your IT provider. This can help identify overlooked issues and boost your chances of passing the real assessment. It’s a valuable rehearsal for understanding what to expect from the official Cyber Essentials testing process.
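One way to run such an internal pre-check across sample devices, as an added example that is not part of this article and not a certification body's tooling: it scores a constructed device inventory against the controls the steps above describe (host firewall, local admin rights, antivirus, the 14-day patch window from Step 3, and VPN for remote devices from Step 5) and lists the findings an assessor would be likely to raise. The device record layout, the 7-day antivirus definition age limit and the placeholder update identifiers are assumptions made for the example; the 14-day window is the figure the article gives.

```python
"""Internal mock-audit checker (added example, not from the article or any
certification body).  Evaluates a constructed device inventory against the
Cyber Essentials controls and returns failing findings per device."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

PATCH_WINDOW_DAYS = 14     # from the article: critical updates within 14 days
MAX_AV_DEFINITION_AGE = 7  # assumption for this example, not a scheme figure


@dataclass
class Device:
    """One sample endpoint as the assessor would see it (constructed record)."""
    name: str
    remote_worker: bool
    firewall_enabled: bool
    inbound_default_deny: bool
    av_enabled: bool
    av_definition_age_days: int
    local_admins: list[str]          # accounts holding local admin rights
    daily_user_is_admin: bool        # does the day-to-day account run as admin?
    vpn_enforced: bool
    missing_critical_updates: dict[str, date] = field(default_factory=dict)


def check_device(dev: Device, today: date) -> list[str]:
    """Return the failing findings for one device (empty list means pass)."""
    findings: list[str] = []

    # Control: firewalls
    if not dev.firewall_enabled:
        findings.append("firewall: host firewall is disabled")
    elif not dev.inbound_default_deny:
        findings.append("firewall: inbound traffic is not denied by default")

    # Control: user access control (local admin rights, Step 4)
    if dev.daily_user_is_admin:
        findings.append("access control: day-to-day user account holds admin rights")
    if len(dev.local_admins) > 1:
        findings.append("access control: %d local admin accounts (%s)"
                        % (len(dev.local_admins), ", ".join(sorted(dev.local_admins))))

    # Control: malware protection
    if not dev.av_enabled:
        findings.append("malware protection: antivirus is not running")
    elif dev.av_definition_age_days > MAX_AV_DEFINITION_AGE:
        findings.append("malware protection: definitions are %d days old"
                        % dev.av_definition_age_days)

    # Control: patch management (14-day window, Step 3)
    for update_id, released in sorted(dev.missing_critical_updates.items()):
        days_overdue = (today - released).days - PATCH_WINDOW_DAYS
        if days_overdue > 0:
            findings.append("patching: %s released %s is %d days past the %d-day window"
                            % (update_id, released.isoformat(), days_overdue,
                               PATCH_WINDOW_DAYS))

    # Remote working (Step 5): the same standard applies off the office network
    if dev.remote_worker and not dev.vpn_enforced:
        findings.append("remote working: VPN is not enforced for this remote device")

    return findings


def run_mock_audit(devices: list[Device], today: date) -> dict[str, list[str]]:
    """Map each device name to its list of failing findings."""
    return {d.name: check_device(d, today) for d in devices}


# Constructed sample inventory, not real hosts or real update identifiers.
SAMPLE_DEVICES = [
    Device(name="LAPTOP-01", remote_worker=True, firewall_enabled=True,
           inbound_default_deny=True, av_enabled=True, av_definition_age_days=1,
           local_admins=["localadmin"], daily_user_is_admin=False, vpn_enforced=True),
    Device(name="LAPTOP-02", remote_worker=True, firewall_enabled=True,
           inbound_default_deny=False, av_enabled=True, av_definition_age_days=12,
           local_admins=["localadmin", "jsmith"], daily_user_is_admin=True,
           vpn_enforced=False,
           missing_critical_updates={
               "UPDATE-A (placeholder id)": date(2024, 5, 1),   # 31 days old: overdue
               "UPDATE-B (placeholder id)": date(2024, 5, 25),  # 7 days old: in window
           }),
]

AUDIT_DATE = date(2024, 6, 1)  # constructed audit date for the sample

if __name__ == "__main__":
    for name, findings in run_mock_audit(SAMPLE_DEVICES, AUDIT_DATE).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

A device passes only with an empty findings list; an update still inside the 14-day window is deliberately not reported as a failure, which mirrors how the patching requirement is worded rather than flagging every pending update. In practice the `Device` records would be populated from your endpoint management or inventory tooling rather than typed in by hand.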
Conclusion
Preparing for your Cyber Essentials Plus audit doesn’t have to be overwhelming. By focusing on the core security controls, patching systems regularly, and performing internal checks, your organization can approach the audit with confidence. Remember that Cyber Essentials Plus is not just about passing a test—it’s about implementing robust, practical security measures that protect your business. Achieving this higher level of Cyber Essentials certification proves that your security practices hold up under scrutiny, giving customers, partners, and stakeholders greater confidence in your ability to defend against cyber threats.