Exciting news: British Assessment Bureau will rebrand as Amtivo in Autumn 2026! Find out more here >>

Preparing for Cyber Essentials Plus Assessment

Request a Quote

  • Accredited certifications
  • Helpful resources
  • No hidden fees
  • Trusted certification experts
Request a Quote

As anyone who’s ever run a race will know, it’s all about the preparation; as the saying goes, “if you fail to plan, you plan to fail”. The Government’s Cyber Essentials (CE) scheme is no different, especially at the Cyber Essentials PLUS (CE+) level, where more work is involved. 

This article is written for anyone who is considering CE+ for their organisation. You might be the CISO, the Head of IT, Security or Risk. In a smaller organisation, you might be the person tasked with cyber or information security. 

 

Reasons to Consider Cyber Essentials Plus Certification 

The CE scheme helps you to identify and guard against the most common cyber threats and demonstrate your commitment to cyber security. It’s also mandatory for businesses supplying products and services to Government. 

There are two levels of certification: Cyber Essentials (CE) and Cyber Essentials Plus (CE+). Obtaining CE is a prerequisite to obtaining the higher level CE+.  

CE is an independently verified self-assessment. Organisations assess themselves against five basic security controls, and a qualified assessor verifies the information provided. These controls cover: 

  • Firewalls and secure internet connections 
  • Secure configuration 
  • Access controls 
  • Malware protection  
  • Patch management  

For more information on Cyber Essentials, read our guide. 

CE+ is a higher level of assurance. A qualified and independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks. It involves a technical audit of the systems that are in-scope for CE by checking the CE controls have been applied as per the self-assessment. 

Obtaining CE+ is good for your organisation’s cyber security, but it’s also reassuring for your customers and demonstrates a higher level of commitment to security that’s likely to increase their confidence. 

 

The Scope of Cyber Essentials Plus Assessment 

There are a number of tests in CE+ over and above the basic CE assessment. It’s a step up in complexity and effort where failure in any one area will result in an overall failure. 

To achieve CE+, a certification body conducts a range of external and internal technical tests to validate your approach to the additional elements.  If the tests are successful, the certification body awards the CE+ certificate. IASME stipulate that CE+ should be completed within three months of obtaining CE. 

The additional tests for CE+ are: 

  • Authenticated vulnerability scanning of representative user endpoints including internet-facing servers 
  • Vulnerability scanning of external internet-facing infrastructure 
  • Password guessing of exposed authentication services 
  • Email attachment tests 
  • Browser download checks 
  • Review of mobile devices

Tests for CE+ include a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. It is recommended that other devices, such as additional servers and network hardware, are also scanned to provide a complete assessment of the infrastructure. 

Cloud services are considered out of scope where they are provided as Software as a Service (SaaS), such as Office 365. Where cloud services are used as Infrastructure as a Service (IaaS) and the customer is responsible for patching and other services such as installing software, these are considered in scope. Platform as a Service (PAAS) can be a grey area and is considered on a case-by-case basis. 

 

Best Practice Preparation 

The following tips are often considered best practice: 

  • Keep your software up to date, and don’t use unsupported software. 
  • Use suitable firewalls. 
  • Ensure any exposed services are configured with strong and hard-to-guess passwords.  
  • Make sure your patch management processes are as robust as they can be. Although meant to fix security vulnerabilities and other bugs, patching can sometimes introduce new problems or, in worst-case scenarios, server failure. All missing patches for critical or security updates more than 14 days old will result in CE+ failure.  
  • Your devices should also run with the latest version of the operating system, and all applications should be up to date. 

With any process requiring higher standards and more assessment, it follows that the potential for failure can increase with the greater level of scrutiny. However, CE+ doesn’t have to feel like a marathon, especially when you’ve done the preparation beforehand. If your organisation is looking to protect itself at this higher level and make a statement to potential customers, the extra work and investment can pay off. 

 

Get Started on Your Certification Journey Now

Your certification costs will depend on the size of your business, location, and the sector you’re in.