Cyber Essentials Plus.
Verified, not self-asserted.

Independent hands-on technical audit by a qualified assessor. The level of assurance that satisfies enterprise supply chains and regulated buyers.

What changes from CE to CE+.

Cyber Essentials is a self-assessment reviewed by an assessor. Cyber Essentials Plus is a hands-on audit: the assessor (or their team) physically tests your environment, usually remotely, to verify that each control is actually in place, not just attested.

The tests.

  • Internal vulnerability scan on a sample of devices.
  • External vulnerability scan on internet-facing systems.
  • Anti-malware test: drops a benign payload and verifies it's caught.
  • Patching test: looks for missing OS and app updates.
  • MFA test: verifies enforcement on admin accounts.

Sampling.

The assessor takes a representative sample of devices, typically 5-15% of your fleet, weighted toward different device types and use cases. For BYOD environments, sampling and policy enforcement get extra scrutiny.

Key benefits.

  01. Verified assurance. Independent third-party audit, not self-attestation.
  02. Strengthened reputation. Higher-tier credential that procurement teams recognise.
  03. Enhanced protection. Controls are actually tested, not just attested.
  04. Supply-chain ready. Required by many enterprise procurement and regulated buyers.

Pre-flight. Mock-test. Assess. Maintain.

  1. Pre-flight readiness. Confirm all CE controls are actually in place across a representative sample.
  2. Mock-test on sample. We run the same scans the assessor will run, internally, on your fleet first.
  3. Assessor visit. The IASME-accredited assessor performs the formal audit (usually remote).
  4. Recertify annually. Calendar reminders, retest sample, prep evidence for the next assessor.

  • Pre-flight readiness assessment. Gap analysis tuned to what the assessor will actually look for.
  • Mock vulnerability scan. Internal and external scans on a sample, mirroring assessor methodology.
  • Anti-malware & patching test. Verifies AV is enforcing and patches are deploying as policy.
  • Liaison with the assessor. Booking, scoping, scheduling. Handled.
  • Remediation support. If findings arise, we help you fix them within the 30-day grace period.
  • Annual recertification reminders. Calendar, evidence refresh, assessor booking. Managed.

Backed by the right authorities.

  • NCSC Cyber Essentials Plus
  • IASME-accredited assessors
  • NIST CSF
  • NHS DSPT alignment

Frequently asked.

Who actually performs the audit?

An IASME-accredited Certification Body. There's a list on the IASME website. We project-manage the engagement and ensure they have what they need.

What's a typical reason for failure?

Missing OS or app patches on at least one sampled device, MFA not enforced for admin accounts, or anti-malware not present on every device in scope. All preventable with our mock-test process.

How long is the assessment?

Anywhere from half a day to three days depending on org size, fleet complexity, and whether you have multiple sites. Most SME engagements are 1-2 days.

Does it need annual renewal?

Yes, annually. Some procurement processes need to see the most-recent certificate dated within 12 months.

We have BYOD. Does that work?

Yes. BYOD devices that access organisational data are in scope and get tested. We help establish or refine your BYOD policy so the technical controls are enforceable.

Make compliance feel inevitable.