Skip to content
360 Cyber Compliance

Hands-on, independently audited cyber certification

Cyber Essentials Plus

Cyber Essentials Plus adds an independent technical audit — vulnerability scans and device sampling — on top of the core Cyber Essentials assessment. It is the stronger assurance many NHS and government contracts now expect.

What you get

  • Independently verified technical controls
  • Meets higher-assurance procurement requirements
  • Remediation support before the audit
  • Often delivered remotely or hybrid

Pricing: Request a quote

What Cyber Essentials Plus is

Cyber Essentials Plus is the higher tier of the government-backed Cyber Essentials scheme, delivered by IASME on behalf of the National Cyber Security Centre (NCSC). It covers exactly the same five technical controls — firewalls, secure configuration, user access control, malware protection and security update management — but adds an important difference: your controls are checked by an independent assessor through a hands-on technical audit, rather than being confirmed only by self-assessment.

Where the core scheme asks you to describe how your systems are configured, Cyber Essentials Plus verifies it. That independent verification is what gives the Plus certificate its added weight with commissioners, clients and procurement teams. Like the core scheme, the certificate is valid for 12 months.

How it differs from core Cyber Essentials

The two tiers share the same standard; the difference is how compliance is confirmed.

Cyber EssentialsCyber Essentials Plus
Controls assessedThe same five controlsThe same five controls
MethodVerified self-assessmentSelf-assessment plus independent technical audit
Independent testingNoYes — vulnerability scans and device sampling
Assurance levelGood baselineHigher, externally verified
Certificate validity12 months12 months

A common and sensible route is to achieve core Cyber Essentials first, then move to Plus while your self-assessment is still current. Many certification bodies expect the Plus audit to follow reasonably soon after the self-assessment is passed.

Who should choose Plus

Cyber Essentials Plus makes sense when a higher, independently verified level of assurance is needed. That is often the case if:

  • A contract or tender specifically requires the Plus tier (some public-sector and NHS-linked frameworks do).
  • You handle sensitive personal or health data and want independent confirmation that your controls work in practice.
  • You want to demonstrate a stronger security posture to clients, partners or your board.
  • You are building toward ISO 27001 or IASME Cyber Assurance and want a verified technical foundation.

There is no formal exemption; the scheme is voluntary unless mandated. If your customers only ask for the core certificate, Plus is an optional step up rather than a requirement.

How the audit works

Cyber Essentials Plus adds an independent technical assessment on top of the self-assessment:

  1. Complete the self-assessment. You first meet the core Cyber Essentials standard through the questionnaire.
  2. Agree scope and sampling. The assessor works with you to define the in-scope systems and select a representative sample of devices.
  3. Vulnerability scanning. The assessor runs authenticated and unauthenticated scans to check for known vulnerabilities and missing security updates.
  4. Device sampling and testing. A sample of end-user devices is examined to confirm controls such as malware protection, configuration and account separation are genuinely in place, including tests of how devices handle malicious files and email.
  5. Remediate and confirm. If issues are found, you fix them within the assessment window; once the assessor is satisfied, the certificate is issued.

Preparing for the audit

The audit tends to surface real-world gaps, so preparation pays off. Before the assessor arrives, it helps to:

  • Confirm every in-scope device is running supported software and is fully patched
  • Check anti-malware is installed, active and up to date across the sample
  • Remove or update anything unsupported or end-of-life
  • Verify standard users are not working from administrator accounts
  • Tidy up your device inventory so scoping and sampling go smoothly
  • Confirm mobile devices and cloud services meet the same expectations

Because the audit checks live systems, there is little room for aspirational answers — the controls either work on the day or they do not.

The value of independent verification

The reason a Plus certificate carries more weight than the core scheme comes down to one word: verification. With core Cyber Essentials, a customer is trusting your own account of your controls. With Plus, an independent assessor has actually examined a sample of your live systems and confirmed the controls work in practice. For a commissioner placing vulnerable people’s data with you, or a client running due diligence before signing a contract, that difference is meaningful — it is the gap between “they say they are secure” and “an independent party has checked”. This is why some public-sector frameworks and larger clients specify Plus rather than the core certificate. If your customers are asking for evidence they can rely on rather than a self-declaration, Plus is usually the level that answers the question.

Common mistakes

  • Leaving too long between self-assessment and audit. The self-assessment should still be valid when the audit takes place.
  • Unpatched or unsupported devices in the sample. A single end-of-life machine can hold up the whole certificate.
  • Missing or misconfigured malware protection on some devices but not others.
  • Underestimating cloud and mobile scope. These are tested too, not just office laptops.
  • Not fixing issues within the window. Remediation needs to happen promptly once findings are raised.

Understanding scope and sampling

Two ideas do most of the work in a Cyber Essentials Plus assessment, and getting comfortable with them early makes the whole process smoother.

Scope is the boundary of what is being certified. In most cases the sensible choice is your whole organisation — every device, server, cloud service and user account that connects to the internet and handles your data. It is possible to certify a defined sub-set, for example a single site or business unit, but a narrow scope carries two risks: it can look weak to a customer expecting organisation-wide assurance, and it can create awkward boundaries that are hard to defend technically. If you do scope tightly, the excluded systems must be genuinely separated from the certified ones.

Sampling is how the assessor confirms your controls without examining every single device. For an organisation with, say, fifty laptops running the same build, the assessor selects a representative sample rather than testing all fifty. This keeps the audit proportionate, but it also means consistency matters: if your devices are configured and patched to the same standard, a passing sample gives confidence in the whole estate. If some machines are neglected, the sample is more likely to surface a problem. In practice, the best preparation is to make sure every in-scope device would pass, because you cannot control which ones the assessor picks.

What the technical audit typically checks

While the exact tests are set by the certification standard, the audit generally seeks to confirm, on real systems, that:

  • Devices are running supported, fully patched operating systems and applications
  • Anti-malware is present, active and current, and behaves correctly when it meets a malicious file
  • Email and web browsing do not allow common malicious content to execute unchecked
  • Account separation holds — ordinary users are not running with administrative rights
  • Firewalls and configuration match what was declared in the self-assessment
  • Cloud services and mobile devices meet the same expectations as office machines

Because these tests run against live systems, the audit rewards organisations that keep good everyday habits rather than those that prepare only in the final week.

How it relates to the other standards

Cyber Essentials Plus sits at a useful point in the wider assurance landscape:

  • It builds directly on Cyber Essentials — same controls, stronger verification.
  • It provides strong evidence for the technical assertions in the DSPT.
  • It complements the “appropriate technical measures” expected under UK GDPR.
  • It offers a verified technical baseline beneath ISO 27001 and IASME Cyber Assurance, both of which take a broader, governance-led view of security.

Unfamiliar terms such as vulnerability scan and scope are explained in our glossary.

How 360 Cyber Compliance helps

The Plus audit is where many organisations discover that a device is unpatched, a laptop is missing malware protection, or a scope decision needs revisiting. We help you get ahead of those findings so the audit is a confirmation rather than a scramble, working on a transparent fixed-fee basis with a clear delivery process.

Practically, we help you achieve or refresh core Cyber Essentials, define a sensible scope, run a pre-audit readiness review against the five controls, and address the technical gaps most likely to trip up the assessment. We coordinate closely so the self-assessment and audit line up in time, and we support you through remediation if the assessor raises anything.

We provide practical support throughout the assessment and do not promise a particular outcome — the certificate depends on your controls passing the independent audit — but our aim is to make the process predictable and well-prepared.

For many care providers and SMEs, Plus is the level a serious client or public-sector framework asks for, and it is well worth doing properly. It demonstrates not just that you say your controls are in place, but that an independent assessor has seen them working. That distinction carries real weight in a tender or a due-diligence conversation. If you are weighing up whether to start with the core certificate and add Plus later, or go straight to Plus, we are happy to talk it through so you invest once rather than twice. Get in touch to discuss moving up to the Plus tier.

What you'll receive

  • A pre-audit readiness review
  • Vulnerability findings explained in plain English
  • Remediation support to pass first time
  • Coordination with the certifying assessor
  • A clear record of the controls tested

On your own vs. with 360 Cyber Compliance

On your ownWith us
Prepare for a technical audit blindWe run a readiness review so there are no surprises
Decode vulnerability scan results yourselfWe explain and help fix each finding
Risk failing the auditWe remediate before the assessor tests

A typical timeline

  1. 1

    Weeks 1–2

    Confirm Cyber Essentials, scope and prepare devices

  2. 2

    Weeks 2–4

    Remediate vulnerabilities and misconfigurations

  3. 3

    Weeks 4–6

    Independent technical audit and certification

Indicative only — your timeline depends on your starting point, size and deadline.

Who we help with Cyber Essentials Plus

Why choose us for Cyber Essentials Plus

Care & health specialists

DSPT, CQC expectations and NHS data flows are our day job, not a sideline.

Transparent fixed-fee engagements

A clear scope and price agreed up front — no open-ended day rates.

Remote delivery, UK-wide

Almost everything is done remotely, wherever you are in the country.

Award-winning expertise

Led by a BCS Fellow and NEXT CIO 2025, with 20+ years in IT, cyber security and compliance.

Practical, plain-English support

Clear guidance and templates throughout the assessment — no jargon.

Ongoing support

Annual renewals, surveillance audits and everyday advice after you are certified.

Frequently asked questions

Does Cyber Essentials Plus require a site visit?

Not necessarily — assessors now commonly run the technical testing remotely or hybrid, with occasional on-site work.

Do I need Cyber Essentials first?

Yes, your Cyber Essentials self-assessment must be in place before the Plus audit, usually within three months.

How is it different from Cyber Essentials?

Plus independently tests a sample of your devices with vulnerability scans, rather than relying on a self-assessment alone.

What is tested?

The same five controls, but verified hands-on — patching, malware protection, secure configuration, access control and firewalls, checked on real devices.

Can you help us pass first time?

That's the aim of the readiness review — we find and fix likely failure points before the formal audit.

Get started with Cyber Essentials Plus

Tell us where you are and we’ll come back within one working day with clear, no-obligation next steps.

  • Plain-English, jargon-free advice
  • Fixed-price quotes — no surprises
  • Delivered remotely across the UK

By submitting you agree to our privacy policy. We never share your details.