
Cyber Essentials Plus

Cyber Essentials Plus offers everything in the standard Cyber Essentials certification – but with one key difference: a hands-on technical audit of your systems.

What’s covered in the audit?

To achieve Cyber Essentials Plus, you must already hold a valid Cyber Essentials certificate. You’ll then undergo a technical assessment of the five key control areas. Each control is tested during the audit to confirm it has been implemented correctly.

Firewalls and gateways

Create a secure boundary between your systems and external threats.

Requirements:

  • Change default admin passwords or disable remote admin access
  • Block unauthenticated inbound connections by default
  • Prevent remote admin access from the internet unless protected by MFA or an IP whitelist
  • Document and approve all inbound rules, with business justification
  • Remove permissive rules when no longer needed
  • Use host-based firewalls on devices used on public or untrusted networks

Learn more about firewalls and gateways
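To show how the firewall and gateway requirements above translate into something checkable, here is an added example (not from the original page, and not IT Governance's or the scheme's own tooling) that reviews a constructed firewall rule set. The rule format, the port-to-service table (22, 3389, 5985 and 5986 treated as remote administration) and the sample rules are all assumptions for illustration; the checks themselves follow the list: inbound rules need a documented, approved justification, remote admin reachable from any source needs MFA or an IP allow-list, and rules past their justified lifetime should be removed.

```python
# Added example: reviews a constructed set of firewall rules against the
# boundary requirements listed on the page. Rule format, port table and
# sample rules are assumptions for illustration, not scheme-defined data.
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Ports treated as remote administration services for this illustration.
REMOTE_ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}


@dataclass
class Rule:
    name: str
    direction: str                  # "inbound" or "outbound"
    port: int
    source: str                     # CIDR the rule accepts traffic from
    justification: str = ""         # recorded business justification
    approved: bool = False          # signed off by someone accountable?
    mfa: bool = False               # is the admin service protected by MFA?
    expires: Optional[date] = None  # date after which the rule should be gone


def is_any_source(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. no IP allow-list at all."""
    return ip_network(cidr, strict=False).prefixlen == 0


def review_rules(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule name, problem) pairs for inbound rules that fall short."""
    findings = []
    for r in rules:
        if r.direction != "inbound":
            continue  # the requirements above concern inbound connections
        if not r.justification or not r.approved:
            findings.append((r.name, "inbound rule lacks a documented, approved business justification"))
        if r.port in REMOTE_ADMIN_PORTS and is_any_source(r.source) and not r.mfa:
            findings.append((r.name, f"{REMOTE_ADMIN_PORTS[r.port]} reachable from the internet "
                                     "without MFA or an IP allow-list"))
        if r.expires is not None and r.expires < today:
            findings.append((r.name, "rule has outlived its justification and should be removed"))
    return findings


# Constructed sample rule set (documentation address ranges, not real hosts).
SAMPLE_RULES = [
    Rule("web", "inbound", 443, "0.0.0.0/0", "public website", approved=True),
    Rule("rdp-anywhere", "inbound", 3389, "0.0.0.0/0", "vendor support", approved=True),
    Rule("ssh-office", "inbound", 22, "203.0.113.0/24", "admin from office", approved=True),
    Rule("temp-ftp", "inbound", 21, "198.51.100.5/32", "data migration", approved=True,
         expires=date(2024, 1, 31)),
    Rule("mystery", "inbound", 8080, "0.0.0.0/0"),
    Rule("dns-out", "outbound", 53, "0.0.0.0/0"),
]


def review_sample(today_iso: str) -> List[str]:
    """Names of sample rules flagged when reviewed on the given ISO date."""
    return [name for name, _ in review_rules(SAMPLE_RULES, date.fromisoformat(today_iso))]


if __name__ == "__main__":
    for name, problem in review_rules(SAMPLE_RULES, date(2024, 6, 1)):
        print(f"{name}: {problem}")
```

Reviewed on 1 June 2024 the sample flags three rules: internet-exposed RDP without MFA, an expired migration rule, and an inbound rule nobody has justified or approved. The SSH rule restricted to a single office range passes because the source restriction is the allow-list the requirement asks for.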

Secure configuration

Reduce risk by limiting access and disabling unnecessary features.

Requirements:

  • Remove/disable unnecessary user accounts and software
  • Change default or guessable passwords
  • Disable auto-run features that execute files without permission
  • Authenticate all users before granting access to data or systems
  • Require physically present users to use appropriate device locking controls

Learn more about secure configuration


User access control

Ensure only authorised users can access your systems – with the right level of privilege.

Requirements:

  • Have a clear account creation and approval process
  • Authenticate users with unique credentials
  • Remove accounts that are no longer needed
  • Implement MFA where available (mandatory for Cloud services)
  • Restrict administrative accounts to admin activities only
  • Remove special access privileges when not needed

Learn more about access control


Malware protection

Stop malicious software from executing or compromising your systems.

Acceptable approaches:

  • Anti-malware software
  • Application whitelisting
  • Sandboxing

If using anti-malware software:

  • Keep definitions updated daily
  • Auto-scan files on access (including downloads and network files)
  • Scan web pages in browsers
  • Block malicious websites unless you have documented, approved exceptions

If using application whitelisting:

  • Maintain an approved application list
  • Block installation of unsigned or invalid software

If using sandboxing:

  • Isolate code of unknown origin
  • Restrict access to sensitive resources (e.g. cameras, microphones, data stores, networks) unless explicitly allowed

Learn more about malware protection

Security update management

Keep all systems and software up to date to close known vulnerabilities.

Requirements:

  • Use only licensed and supported software
  • Remove unsupported software
  • Enable automatic updates wherever possible
  • Apply patches within 14 days for:
      ◦ Critical or high-risk vulnerabilities
      ◦ CVSS v3 score of 7.0+
      ◦ Any vulnerability with unknown severity

Learn more about security update management
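The 14-day rule above is concrete enough to check mechanically. The following is an added example (not from the original page, and not IT Governance's or the scheme's tooling) that classifies a constructed list of vulnerability findings: anything scored CVSS v3 7.0 or higher, or with no score at all, falls under the 14-day window counted from the day the fix was released. The field names, advisory ids, dates and the status labels "patched", "late", "open" and "overdue" are assumptions for illustration.

```python
# Added example: classifies constructed vulnerability findings under the 14-day
# patching rule quoted on the page (CVSS v3 >= 7.0 or unknown severity).
# Field names, advisory ids and dates are placeholders, not scheme data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)   # apply the fix within 14 days of release
HIGH_RISK_CVSS = 7.0                # CVSS v3 threshold named on the page


@dataclass
class Finding:
    asset: str
    advisory: str               # placeholder advisory id
    released: date              # date the vendor made the fix available
    cvss: Optional[float]       # None when the vendor publishes no score
    patched: Optional[date] = None


def in_scope(f: Finding) -> bool:
    """The 14-day rule covers CVSS >= 7.0 and anything with unknown severity."""
    return f.cvss is None or f.cvss >= HIGH_RISK_CVSS


def deadline(f: Finding) -> date:
    return f.released + PATCH_WINDOW


def patch_status(findings: List[Finding], today: date) -> Dict[str, str]:
    """Map each in-scope advisory to 'patched', 'late', 'open' or 'overdue'."""
    status = {}
    for f in findings:
        if not in_scope(f):
            continue   # outside this rule (patching it is still good practice)
        due = deadline(f)
        if f.patched is not None:
            # A fix applied after the deadline was still a breach of the window.
            status[f.advisory] = "patched" if f.patched <= due else "late"
        else:
            status[f.advisory] = "open" if today <= due else "overdue"
    return status


SAMPLE_FINDINGS = [  # constructed sample data
    Finding("web-01", "ADV-EXAMPLE-1", date(2024, 5, 1), 9.8, patched=date(2024, 5, 10)),
    Finding("web-01", "ADV-EXAMPLE-2", date(2024, 5, 1), 7.5, patched=date(2024, 5, 20)),
    Finding("db-01", "ADV-EXAMPLE-3", date(2024, 5, 25), None),
    Finding("db-01", "ADV-EXAMPLE-4", date(2024, 5, 10), 8.1),
    Finding("ws-07", "ADV-EXAMPLE-5", date(2024, 4, 1), 4.3),
]


def sample_status(today_iso: str) -> Dict[str, str]:
    """Status of the sample findings as of the given ISO date."""
    return patch_status(SAMPLE_FINDINGS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for advisory, state in sample_status("2024-06-01").items():
        print(f"{advisory}: {state}")
```

As of 1 June 2024 the sample gives one finding patched inside the window, one patched late, one unscored finding still open (its deadline is 8 June), and one high-scoring finding overdue; the medium-scored finding is excluded from the rule altogether. Keeping the unscored finding in scope is the point of the "unknown severity" line: a missing score is not a reason to wait.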

Choose the right level of support for your organisation

Self-certification

Standard Cyber Essentials Plus certification package.

  • Cyber Essentials certificate
  • Cyber Essentials Plus certificate
  • Cyber insurance of up to £25,000
  • Pre-engagement consultation
  • External vulnerability scan
  • Additional retest
  • On-site/remote assessment
  • Remediation support
  • Direct communication with a technical assessor

Get a Lot of Help

Comprehensive support for complex organisations.

  • Cyber Essentials certificate
  • Cyber Essentials Plus certificate
  • Cyber insurance of up to £25,000
  • Pre-engagement consultation
  • External vulnerability scan
  • Additional retest
  • On-site/remote assessment
  • Remediation support
  • 1 day's consultancy included

Cyber Essentials Plus FAQ

Cyber Essentials Plus is a government-backed certification scheme that helps organisations implement a strong baseline of cyber security. It is the advanced version of Cyber Essentials and requires organisations to undergo greater scrutiny of their IT infrastructure.

The advanced version of the scheme contains the same five technical controls that help prevent most common cyber attacks. The main difference is that these controls must be reviewed by an independent auditor to verify that they work as intended.

As such, Cyber Essentials Plus offers even greater reassurance to stakeholders that certified organisations are committed to effective security.

To certify to Cyber Essentials Plus, you must first hold a valid Cyber Essentials certificate. You must then select an accredited certification body, outline the parts of your organisation that are within scope and undergo a technical audit of these systems.

The test must be performed by an independent assessor, who will perform on-site tests, such as vulnerability scans, to ensure that your organisation’s technical controls are robust.

If the auditor spots any significant problems, they will inform your organisation and give you the opportunity to address them. Once they are satisfied that your controls meet the scheme’s standards, you will receive the Cyber Essentials Plus certificate.

Your organisation needs Cyber Essentials Plus if it is required by a partner in your supply chain. For example, many UK government contracts specify that organisations must be certified to win certain contracts – especially those involving sensitive information.

Cyber Essentials Plus certification demonstrates that your organisation has implemented robust defences to prevent common cyber threats. While you can use a self-assessment to certify to Cyber Essentials, the advanced version of the scheme requires you to undergo a third-party audit.

This can be invaluable to stakeholders, as it proves that your report is accurate and that your technical controls work as intended. This can enhance your reputation and give you a competitive advantage when bidding for contracts.

Yes, you are only eligible for Cyber Essentials Plus if you are already certified under the basic level of the scheme.

This is because the controls you implement are the same for Cyber Essentials and Cyber Essentials Plus. The main difference between the two certificates is that Cyber Essentials Plus comes with an extra layer of scrutiny. To certify, an independent expert will test your systems to make sure the information you gave in your Cyber Essentials self-assessment is correct and that controls work as described.

Cyber Essentials Plus. Let’s get to work.

Trust a company that has issued more than 12,000 certificates and has received a ‘World-Class’ NPS (Net Promoter Score) of +100.

IT Governance, a GRC Solutions company, is one of the founding Cyber Essentials certification bodies and remains one of the largest in the UK.

If you’re looking for guidance, practical advice or consultation, we can help.

✅ Fast, practical certification support
✅ Reduce cyber risk with essential controls
✅ Build trust and win more business