Skip to content
360 Cyber Compliance

Example engagement — illustrative

Meeting a customer's Cyber Essentials Plus requirement

IT services SME (~40 staff) · Cyber Essentials Plus

The challenge

An SME supplier was told by a major customer that its contract renewal depended on holding Cyber Essentials Plus, which adds an independent hands-on audit on top of the self-assessment.

What we did

  • Confirmed the scope and secured the standard Cyber Essentials self-assessment as the foundation
  • Hardened endpoints — patching, malware protection and secure configuration — to survive a technical test
  • Reviewed account privileges and enforced multi-factor authentication on internet-facing services
  • Ran an internal dry run of the sampled vulnerability and malware tests before the assessor attended
  • Coordinated the independent Cyber Essentials Plus audit with an IASME-accredited assessor

The outcome

The supplier passed the independent Cyber Essentials Plus audit and retained the contract that depended on it.

Background

Cyber Essentials comes in two forms. The base level is a verified self-assessment; Cyber Essentials Plus adds an independent, hands-on technical audit in which an assessor tests a sample of your devices rather than taking your word for it. In this illustrative example, an IT services SME of around 40 staff was told by a major customer that renewing the contract now required the Plus level — a common way for larger organisations to manage supply-chain risk.

What we did

Because Cyber Essentials Plus builds on the base certification, we started there: confirming the scope and getting a solid Cyber Essentials self-assessment in place, working from the five controls described in our guide to the five Cyber Essentials controls. The difference with Plus is that these controls have to withstand an assessor’s own testing, so “mostly patched” is not good enough.

We focused on the areas the audit actually probes. Endpoints were brought up to date and kept there with reliable patching, malware protection was confirmed as active, and configurations were tightened to remove easy footholds. We reviewed account privileges so that administrator rights were the exception rather than the norm, and enforced multi-factor authentication on internet-facing services. Before the assessor attended, we ran an internal dry run mirroring the sampled vulnerability and malware tests, which caught a handful of machines that had drifted out of line — far better found by us than on audit day.

Result

The supplier passed the independent Cyber Essentials Plus audit with an IASME-accredited assessor and kept the contract that had prompted the work. Beyond the immediate renewal, it now holds a credential that shortens the security conversation with future customers.

This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.

Facing something similar?

Book a free, no-obligation readiness check and we’ll map out your options.