
Cyber Essentials Plus
Cyber Essentials Plus offers everything in the standard Cyber Essentials certification – but with one key difference: a hands-on technical audit of your systems.
What’s covered in the audit?
To achieve Cyber Essentials Plus, you must already hold a valid Cyber Essentials certificate. You’ll then undergo a technical assessment of the five key control areas. Each control is tested during the audit to confirm it has been implemented correctly.
Firewalls
Create a secure boundary between your systems and external threats.
Requirements:
- Change default admin passwords or disable remote admin access
- Block unauthenticated inbound connections by default
- Prevent remote admin access from the internet unless protected by MFA or an IP whitelist
- Document and approve all inbound rules, with business justification
- Remove permissive rules when no longer needed
- Use host-based firewalls on devices used on public or untrusted networks
Secure configuration
Reduce risk by limiting access and disabling unnecessary features.
Requirements:
- Remove/disable unnecessary user accounts and software
- Change default or guessable passwords
- Disable auto-run features that execute files without permission
- Authenticate all users before granting access to data or systems
- Use appropriate device locking controls for physically present users
User access control
Ensure only authorised users can access your systems – with the right level of privilege.
Requirements:
- Have a clear account creation and approval process
- Authenticate users with unique credentials
- Remove accounts that are no longer needed
- Implement MFA where available (mandatory for cloud services)
- Restrict administrative accounts to admin activities only
- Remove special access privileges when not needed
Malware protection
Stop malicious software from executing or compromising your systems.
Requirements (implement at least one of the following mechanisms):
- Anti-malware software
- Application whitelisting
- Sandboxing
If using anti-malware software:
- Keep definitions updated daily
- Auto-scan files on access (including downloads and network files)
- Scan web pages in browsers
- Block malicious websites unless you have documented, approved exceptions
If using application whitelisting:
- Maintain an approved application list
- Block installation of unsigned or invalid software
If using sandboxing:
- Isolate code of unknown origin
- Restrict access to sensitive resources (e.g. cameras, microphones, data stores, networks) unless explicitly allowed
Security update management
Keep all systems and software up to date to close known vulnerabilities.
Requirements:
- Use only licensed and supported software
- Remove unsupported software
- Enable automatic updates wherever possible
- Apply patches within 14 days for:
  - Critical or high-risk vulnerabilities
  - Vulnerabilities with a CVSS v3 score of 7.0 or higher
  - Any vulnerability with unknown severity
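As an added illustration (not part of this page or of IT Governance's scheme material), the following Python check applies the three patching criteria above to a list of scanner findings and reports those still unpatched after the 14-day window. The hosts, CVE identifiers, scores and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials patching window: qualifying fixes must be applied
# within 14 days of the patch being released.
PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0  # CVSS v3 base score at or above this qualifies


@dataclass
class Finding:
    host: str
    cve: str
    severity: Optional[str]    # vendor rating ("critical", "high", "medium"...); None if unknown
    cvss_v3: Optional[float]   # CVSS v3 base score; None if none published
    patch_released: date       # date the vendor fix became available
    patched: bool


def in_scope(f: Finding) -> bool:
    """True if the finding falls under the 14-day rule: critical/high rating,
    CVSS v3 score of 7.0+, or no severity information at all."""
    if f.severity is not None and f.severity.lower() in ("critical", "high"):
        return True
    if f.cvss_v3 is not None and f.cvss_v3 >= CVSS_THRESHOLD:
        return True
    # Unknown severity: no vendor rating and no CVSS score
    return f.severity is None and f.cvss_v3 is None


def overdue(findings, today: date):
    """Return (host, cve) pairs that are in scope, unpatched and past the window."""
    return [(f.host, f.cve) for f in findings
            if in_scope(f) and not f.patched
            and today - f.patch_released > PATCH_WINDOW]


# Constructed sample findings (placeholder hosts, CVE ids and dates, not real data)
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", "critical", 9.8, date(2024, 3, 1), False),   # 24 days: overdue
    Finding("web-01", "CVE-0000-0002", "medium", 5.3, date(2024, 3, 1), False),     # out of scope
    Finding("db-01", "CVE-0000-0003", None, 7.2, date(2024, 3, 10), False),         # score 7.0+, 15 days: overdue
    Finding("db-01", "CVE-0000-0004", None, None, date(2024, 3, 20), False),        # unknown severity, 5 days: still inside window
    Finding("fs-01", "CVE-0000-0005", "high", 8.1, date(2024, 3, 1), True),         # already patched
]
AUDIT_DATE = date(2024, 3, 25)  # constructed audit date

if __name__ == "__main__":
    for host, cve in overdue(SAMPLE, AUDIT_DATE):
        print(f"OVERDUE: {host} {cve}")
```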
Choose the right level of support for your organisation
Cyber Essentials Plus. Let’s get to work.
Trust a company that has issued more than 12,000 certificates and has received a ‘World-Class’ NPS (Net Promoter Score) of +100.
IT Governance, a GRC Solutions company, is one of the founding Cyber Essentials certification bodies and remains one of the largest in the UK.
If you’re looking for guidance, practical advice or consultation, we can help.
✅ Fast, practical certification support
✅ Reduce cyber risk with essential controls
✅ Build trust and win more business