Cyber Essentials Plus Certification: All You Need to Know
In July of 2023, the UK’s Department of Science, Innovation, and Technology commissioned a private party to evaluate the impact of a certain cyber security initiative.
The results were eye-opening: it was effective against 99% of internet-originating vulnerabilities, and 82% of surveyed users were confident that it kept their organizations and systems safe from the most common threats.
There’s more: 91% (!) of surveyed users agreed that the scheme reduced cyber risks. This initiative was none other than Cyber Essentials.
But what does it mean? Do you even need it? Why even bother? And what’s the thing with Cyber Essentials and Cyber Essentials Plus? Read on to get all your answers.
TL;DR:
- Cyber Essentials Plus is part of the UK government’s Cyber Essentials scheme—a mandatory cyber security initiative that helps organizations avoid common cyber threats.
- This certification has two levels: Cyber Essentials and Cyber Essentials Plus.
- Cyber Essentials is a basic questionnaire-type assessment for smaller organizations, while the Plus version measures your organization's real-life security posture with a technical audit.
- The certification keeps you protected, signals your commitment to security, and helps you save a ton on fines and legal fees.
- Cyber Essentials Plus follows a sequential pattern—you must be certified with the level 1 questionnaire to proceed with Plus.
- The five technical controls—firewalls, secure configuration, user access control, malware protection, and patch management—are at the core of Cyber Essentials.
- These five controls keep around 80% of common cyber attacks at bay.
What is Cyber Essentials Plus?
Cyber Essentials Plus is a certification scheme backed by the UK government. Its goal is to keep your organization and its data safe from cyber-attacks and breaches. The National Cyber Security Centre, or NCSC, oversees this scheme and handles documentation and policy updates.
There are two levels of certification: the regular Cyber Essentials and its bigger brother, Cyber Essentials Plus. Both come with the same requirements. The (only) big difference? The former is a self-assessment and is easier to obtain. The latter (Cyber Essentials Plus) offers greater assurance since it requires external auditors.
According to its government-backed support site, Cyber Essentials represents “the UK Government’s minimum baseline standard for cyber security for organizations of all sizes in the UK.”
Getting Cyber Essentials is worth it, too. A study from Lancaster University found that its five technical controls keep you safe from 99% of internet-originating vulnerabilities.
What do you need for Cyber Essentials Plus?
To proceed with the Plus certification, you need to be certified with the Cyber Essentials Basic.
Obtaining the regular Cyber Essentials is pretty straightforward. You answer questions about the state of security affairs in your organization, focusing on five key areas (controls): user access control, secure configuration, security update management, firewalls and routers, and malware protection.
You can get certified with Cyber Essentials if you meet the control requirements. There's no independent, on-site audit here. A Cyber Essentials assessor verifies your claims and grants the certification.
Image: The five core controls of Cyber Essentials, via NCSC.
Questions you’d answer can look like this:
- Are accounts restricted based on roles?
- Are devices configured to minimize vulnerabilities, for example by turning off unnecessary services or default accounts?
- Are firewalls properly configured to control traffic to and from your network?
- Are anti-malware tools installed and updated on all applicable devices?
You can download sample question sets from the official site to get a better idea of what is asked.
Once you receive the Cyber Essentials certification, you can pursue Cyber Essentials Plus.
Although it relies on the same technical requirements, the Plus certification involves a hands-on technical audit conducted by a highly trained assessor.
The audit moves beyond self-reported compliance (needed for Cyber Essentials) and verifies, through technical testing, that your organization’s defenses are actually strong. The NCSC recommends the cybersec certification company IASME (Information Assurance for Small and Medium Enterprises) for audits.
How are Cyber Essentials and Cyber Essentials Plus different in practice?
The requirement for a third-party audit isn’t the only thing that sets the Plus certification apart from its simpler counterpart. These certifications also differ in costs, complexity, and levels of assurance. Check out these differences in the table below:
Why Do You Need Cyber Essentials Plus?
Around 90% of cyber attacks exploit known vulnerabilities. Cyber Essentials Plus aims to protect your organization against them.
It is not just a certification you slap on your About page; it's a framework that embeds a security-first approach and demonstrates that your organization has implemented solid cyber security measures.
Here are more of its benefits from a business standpoint.
Enhances your security assurance
Cyber Essentials Plus shows your clients, partners, and key stakeholders that you focus on security and do your best to protect your business against cybersecurity threats.
Helps you win client trust and contracts
Most public sector clients and government agencies mandate Cyber Essentials Plus for partnerships. The certification signals that you have a strong security culture, which can be the difference between landing or losing a major contract in a competitive market.
Eliminates security-related financial risks
The average data breach cost companies $4.88 million in 2024. Cyber Essentials Plus minimizes the likelihood of such costly breaches and saves you millions in fines, legal fees, and downtime. The UK’s Information Commissioner’s Office (ICO) considers Cyber Essentials certifications a mitigating factor during GDPR investigations.
Reduces cyber insurance premiums
With Cyber Essentials Plus, you pay lower premiums on cyber insurance policies. Why? Because the certification shows that you have a low-risk profile, which makes you a safer bet. Some UK-based insurance organizations offer discounts of up to 15% for Cyber Essentials Plus-certified organizations.
Helps you with cost savings on security tools
Every $1 spent on proactive cybersecurity measures saves businesses, on average, $6 in breach-related costs. Cyber Essentials Plus reduces the need for reactive security measures, like expensive forensic analysis or breach recovery tools. You save money by investing in prevention rather than the cure.
That brings us to the question…
How To Get Your Organization Cyber Essentials Plus Certified
The steps below break down the Cyber Essentials Plus certification process to get you started. Some of these can be harder than they seem, but your certification partner or cyber advisor will do their best to help you.
Step 1: Get the Level 1 Cyber Essentials certification if you don’t already have it
It’s pretty simple to get the basic Cyber Essentials certification. You complete the mandatory self-assessment questionnaire, which checks how closely your organization adheres to the five key cybersecurity controls.
Once you've completed this, you submit your questionnaire to the accredited body for review. Once it is approved, you’re ready to seek the Cyber Essentials Plus certification for greater security assurance.
Step 2: Define the scope and make sure the prerequisites are satisfied
Next, determine which parts of your IT infrastructure to include in the assessment.
These would typically involve:
- All devices your organization owns, like laptops, desktops, servers, and routers.
- Bring Your Own Device (BYOD) endpoints used to access company data or services (e.g., email and cloud platforms).
- Cloud services (SaaS, PaaS, IaaS, etc.) that host organizational data.
- Third-party devices (like contractor or volunteer devices) if they access company systems or data.
For BYOD, devices must meet the Cyber Essentials controls, such as running supported OSes and having malware protection. You can exclude devices used only for calls or SMS unless they access data such as email or instant messaging.
Pro tip: Some third-party devices, like those used by Managed Service Providers (MSPs) for remote administration, may fall out of scope but must still comply with security controls through agreements or policies. Clarify these exceptions.
Step 3: Carry out a gap analysis
Now, conduct an internal assessment of your IT systems to identify and document gaps in compliance with Cyber Essentials Plus standards. This helps prioritize remediation efforts before the actual evaluation.
Look for outdated software, unpatched vulnerabilities, misconfigured firewalls, lackluster malware protection, and weak access controls.
Step 4: Strengthen your security stance
Make a plan to fix any security flaws or overlooked vulnerabilities found during the gap analysis.
Make sure you also:
- Update all your devices and servers with critical patches within 14 days of release.
- Either get rid of or upgrade all end-of-life software.
- Configure your antivirus solution correctly and verify that it actually blocks malware.
- Review your access controls, such as multi-factor authentication (MFA) for remote access.
Step 5: Choose an accredited certification body
Select a validated assessor licensed by the governing body for Cyber Essentials, IASME.
The assessor will tell you how to prepare for the audit and determine the sample size of devices and servers for testing to fit with IASME-approved methods.
Step 6: Start the technical testing
Here it comes, at last: the technical audit. This audit will involve:
- Vulnerability scans, such as external scans of internet-facing IP addresses and internal scans of sampled devices and servers, to identify potential weaknesses.
- Malware protection tests that verify your antivirus configurations and test how well they block malicious files.
- Configuration checks that verify whether secure settings, like disabling unused ports and services, are applied on all devices.
- Access control verification that evaluates user privileges and authentication mechanisms.
Depending on your infrastructure, the assessor might conduct these tests on-site or remotely.
This is all fine, but the core of Cyber Essentials is its five technical controls. You and the assessor will also have to review each one:
Firewalls:
- Configure boundary firewalls to block unauthorized access.
- Use software firewalls for remote workers or BYOD without corporate firewalls.
Secure configuration:
- Remove unnecessary software and accounts from devices.
- Disable auto-run features and set strong passwords.
User access control:
- Restrict admin privileges to essential personnel only.
- Implement Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC).
Malware protection:
- Use antivirus software with real-time scanning enabled.
- Ensure malware protection extends to all devices in the assessment scope, including BYOD.
Patch management:
- Apply high-risk security updates within 14 days of release.
- Enable automatic updates where possible to reduce human error.
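As an added example (not code from the original post or from Workwize), here is a small Python self-check that runs the Step 4 remediation checklist and the five-control review above against a constructed device inventory: it flags patches outside the 14-day window, end-of-life software, missing firewalls, auto-run left on, non-essential admin accounts, remote access without MFA and missing real-time malware protection, grouped by control for the gap analysis. The device fields, the approved admin list, the assessment date and the patch ids are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # high-risk updates must be applied within 14 days
ESSENTIAL_ADMINS = {"it-admin"}     # assumption: the only approved admin account
TODAY = date(2025, 3, 31)           # constructed assessment date

@dataclass
class Device:
    name: str
    firewall: bool = True            # boundary or host-based firewall active
    autorun_disabled: bool = True
    realtime_av: bool = True         # anti-malware with real-time scanning
    remote_mfa: bool = True          # MFA enforced for remote access
    admins: set = field(default_factory=set)
    eol_software: list = field(default_factory=list)   # unsupported OS or apps
    pending_patches: dict = field(default_factory=dict)  # patch id -> release date

def check_device(dev: Device, today: date = TODAY) -> list:
    """Map one in-scope device's state onto the five Cyber Essentials controls."""
    f = []
    if not dev.firewall:
        f.append(("firewalls", f"{dev.name}: no boundary or software firewall"))
    if not dev.autorun_disabled:
        f.append(("secure configuration", f"{dev.name}: auto-run enabled"))
    for extra in sorted(dev.admins - ESSENTIAL_ADMINS):
        f.append(("user access control", f"{dev.name}: non-essential admin '{extra}'"))
    if not dev.remote_mfa:
        f.append(("user access control", f"{dev.name}: remote access without MFA"))
    if not dev.realtime_av:
        f.append(("malware protection", f"{dev.name}: no real-time scanning"))
    for sw in dev.eol_software:
        f.append(("patch management", f"{dev.name}: end-of-life software {sw}"))
    for pid, released in dev.pending_patches.items():
        overdue = (today - released) - PATCH_WINDOW   # days past the 14-day window
        if overdue > timedelta(0):
            f.append(("patch management", f"{dev.name}: {pid} overdue by {overdue.days} day(s)"))
    return f

def gap_report(devices, today: date = TODAY) -> dict:
    """Group findings by control so remediation can be prioritised per control."""
    report = {}
    for dev in devices:
        for control, msg in check_device(dev, today):
            report.setdefault(control, []).append(msg)
    return report

# Constructed sample inventory, not real data; patch ids are placeholders.
SAMPLE = [
    Device("laptop-01", admins={"it-admin"}, pending_patches={"PATCH-EXAMPLE-1": date(2025, 3, 1)}),
    Device("laptop-02", firewall=False, realtime_av=False, remote_mfa=False),   # BYOD laptop
    Device("server-01", autorun_disabled=False, admins={"it-admin", "jdoe"},
           eol_software=["LegacyApp 2.0"], pending_patches={"PATCH-EXAMPLE-2": date(2025, 3, 20)}),
]
```

Calling `gap_report(SAMPLE)` returns the findings keyed by control; a patch released 11 days ago (PATCH-EXAMPLE-2) is still inside the window and is not reported.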
Step 7: Address any non-compliance issues
Review the audit findings and prepare an action plan to address any security concerns. Look for non-compliance with required security guidelines and communicate the findings to relevant internal stakeholders. Work with them alongside your IT team to fix these vulnerabilities through actionable steps.
Once fixed, schedule a re-test with your assessor. Remediation must be completed within a specified timeframe (typically 30 days).
Step 8: Get the certification
Once you meet all the requirements, the certification body will issue your Cyber Essentials Plus certificate. The certification is valid for 12 months from the date of issuance.
To maintain continued adherence to Cyber Essentials Plus, you will need to undergo annual audits. It is best to prepare early to avoid headaches later!
💡 Simplify Cyber Essentials Plus Certification with Workwize
Achieving Cyber Essentials Plus certification doesn’t have to be a tedious, resource-intensive process. Workwize streamlines IT asset management and security compliance, making meeting the certification’s rigorous standards easier for your organization. Here’s how Workwize can help:
HighLevel, a SaaS company managing IT for 991 employees across the US, India, and the Philippines, saved $1.4 million annually with Workwize. They eliminated shipping delays, standardized equipment, and reduced administrative overhead while delivering MDM-enrolled devices quickly and efficiently. Workwize ensures devices arrive ready for productivity, reduces IT overhead, ensures compliance and simplifies global management. Transform your IT workflows—book a demo today!
Challenges You Might Face In Achieving Cyber Essentials Plus Certification
There’s no getting around the fact that Cyber Essentials Plus certification is a rigorous process, and you are bound to face challenges that complicate the journey to certification.
Familiarize yourself with the most common ones; it is the first step to avoiding them:
- Most organizations struggle to identify and track unmanaged devices like IoT endpoints or personal devices connected to the network. Fortunately, the solution is simple—automated asset management tools. We recommend centralized solutions that consolidate asset monitoring and have real-time discovery features.
- Devices with inconsistent security settings, such as weak passwords or unpatched vulnerabilities, fail to meet Cyber Essentials Plus requirements. The solution is to standardize endpoint configurations using specialized tools like Microsoft Intune or ManageEngine Patch Manager Plus.
- Another big challenge is securing user-owned devices while remaining compliant. There is an obvious risk of security flaws—BYOD policies expose your organization to data leakage if employees lose their devices or fail to keep them secure. To avoid this, enforce BYOD policies with mandatory MFA, encryption, and endpoint protection software. Include MDM solutions to help secure personal devices that access corporate systems.
How Workwize Simplifies Cyber Essentials Plus Compliance
With cyberattacks becoming more common and disastrous every day, we don’t even need to tell you how important something like Cyber Essentials is.
Workwize is a device lifecycle management solution that lets you better control your IT infrastructure. With Workwize, you can maintain complete control over every device in your workplace, from the moment it enters your organization until it’s retired.
Automate asset management and maintain real-time visibility into devices. See who’s using what, how, and when. Check for licenses, deploy automatic patches, and control all devices remotely with your chosen MDM.
Is an employee no longer working, or is a device acting up? Erase it remotely at the click of a button. Workwize makes managing devices easy, and maintaining the strict levels of security that Cyber Essentials Plus mandates is super simple.
With Workwize, you’re ready for simple yet incredibly efficient IT hardware management across all stages of their lifecycle: Procurement, Management, Deployment, Retrieval, and Decommissioning. It’s a single pane of glass to reign over all your devices and be in control like a king.
Avoid costly errors. Check out how Workwize helps administer devices and tighten their security. Book a Workwize Demo now.