Cyber Essentials Plus Requirements Explained


As cyber threats grow in sophistication and frequency, UK organisations are increasingly turning to the Cyber Essentials Plus certification for enhanced protection and assurance. While the standard Cyber Essentials certification focuses on self-assessed security practices, Cyber Essentials Plus takes things further with an independently verified technical assessment. If your business is considering this advanced level of certification, it’s essential to understand the Cyber Essentials Plus requirements in full detail. Here’s everything you need to know.

What Is Cyber Essentials Plus?

Cyber Essentials Plus is the more rigorous version of the UK government-backed Cyber Essentials scheme. It includes all the requirements of Cyber Essentials but adds an in-depth, hands-on technical audit carried out by an independent certification body. This assessment ensures that the declared controls are not only in place but are also operating effectively in practice.

The result is a higher level of assurance that your organisation is protected from common cyber threats.

Prerequisite: Cyber Essentials Certification

Before applying for Cyber Essentials Plus, you must have a valid Cyber Essentials certificate. This shows that you have successfully completed the self-assessment stage and met the five basic security control requirements:

  1. Firewalls
  2. Secure Configuration
  3. User Access Control
  4. Malware Protection
  5. Security Update Management

These five areas are also assessed during Cyber Essentials Plus, but with technical verification instead of self-declaration.

Key Requirements of Cyber Essentials Plus

Here are the core components your organisation must comply with for Cyber Essentials Plus certification:

1. Firewall and Boundary Security

All internet-connected devices must be protected by correctly configured firewalls or routers. During assessment, your network perimeter will be tested to identify any open ports, insecure services, or misconfigurations that could allow unauthorised access.

2. Secure Device Configuration

Devices such as laptops, desktops, and mobile devices must follow secure configuration standards. This includes disabling unnecessary user accounts and services, changing default passwords, and applying encryption where required. The assessor will test several devices to ensure settings match the standards required by Cyber Essentials Plus.

3. User Access Controls

Only authorised users should have access to systems and data, and admin rights must be tightly controlled. The assessor will check whether user privileges are appropriately assigned and whether strong authentication measures are in place for access to sensitive systems.

4. Malware and Virus Protection

Devices must be protected against malicious software through antivirus tools or application whitelisting. The assessor may test your endpoint protection software to ensure it is functioning correctly and providing up-to-date threat detection.

5. Patch and Update Management

All software and firmware must be up to date, with security patches applied within 14 days of release. This is a crucial requirement of Cyber Essentials Plus, and the assessor will scan a sample of your devices to ensure there are no known unpatched vulnerabilities.
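The 14-day window above is easy to check mechanically over a device's list of pending updates. The script below is an added illustration, not code from the article or from the Cyber Essentials scheme; the package names, versions and dates in the sample export are constructed, and the CSV layout is an assumed format for whatever your patch tooling exports.

```python
import csv
from datetime import date, datetime, timedelta
from io import StringIO

# Window stated by the Cyber Essentials Plus patching requirement.
PATCH_WINDOW_DAYS = 14

# Constructed sample export of pending updates on one sampled device.
# Columns: package, installed, available, fix_released (ISO date), security (yes/no).
# Package names, versions and dates are invented for illustration.
SAMPLE_EXPORT = """package,installed,available,fix_released,security
libexample,1.2.3,1.2.4,2024-05-01,yes
webclient,7.8.0,7.8.1,2024-05-20,yes
texteditor,8.2.1,8.2.2,2024-03-10,no
kernel-image,6.1.10,6.1.11,2024-05-25,yes
"""


def parse_pending_updates(text):
    """Parse the CSV export into dicts, converting the date and the yes/no flag."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["fix_released"] = datetime.strptime(row["fix_released"], "%Y-%m-%d").date()
        row["security"] = row["security"].strip().lower() == "yes"
        rows.append(row)
    return rows


def overdue_security_updates(rows, as_of, window_days=PATCH_WINDOW_DAYS):
    """Return (package, days_past_deadline) for security fixes older than the window.

    Non-security updates are skipped (the requirement concerns security patches),
    and a fix whose deadline has not yet passed is still compliant on this date.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    overdue = []
    for row in rows:
        if not row["security"]:
            continue
        deadline = row["fix_released"] + timedelta(days=window_days)
        if as_of > deadline:
            overdue.append((row["package"], (as_of - deadline).days))
    # Worst offenders first, which is how an assessor's findings are usually read.
    return sorted(overdue, key=lambda item: -item[1])


if __name__ == "__main__":
    pending = parse_pending_updates(SAMPLE_EXPORT)
    for pkg, days in overdue_security_updates(pending, "2024-06-01"):
        print(f"{pkg}: {days} day(s) past the {PATCH_WINDOW_DAYS}-day window")
```

Run against a real export, any row the function returns is a finding the assessor's vulnerability scan would also surface, so clearing the list before the audit is the practical goal.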

Additional Testing and Verification

Unlike standard Cyber Essentials, the Plus version involves real-world testing conducted by a qualified assessor. The following technical checks are typically included:

  • Internal vulnerability scans to check for missing patches and misconfigurations.
  • External scans of internet-facing IP addresses to detect open ports and vulnerabilities.
  • Simulated phishing or malware delivery tests to verify email filtering and endpoint response.
  • Device build reviews to ensure laptops and desktops meet security baselines.

All testing is conducted on a representative sample of devices rather than your entire estate, but you must still be able to demonstrate consistent security practices across all systems.

Who Should Get Cyber Essentials Plus?

Cyber Essentials Plus is ideal for organisations that:

  • Handle sensitive data or personal information.
  • Work with government contracts or high-value clients.
  • Need to meet higher compliance or supply chain requirements.
  • Want to provide stronger cybersecurity assurance to stakeholders.

Preparing for Cyber Essentials Plus

To prepare for the Cyber Essentials Plus audit, many organisations perform an internal review or hire a consultant to help identify and fix any compliance gaps. A common strategy is to:

  1. Pass the basic Cyber Essentials self-assessment.
  2. Conduct internal vulnerability scans and fix findings.
  3. Review endpoint configurations and update patching schedules.
  4. Test antivirus and firewall systems for effectiveness.

Proper preparation significantly improves the chances of passing the assessment on the first attempt.

In conclusion, Cyber Essentials Plus provides a higher level of cybersecurity assurance through thorough technical assessment. Meeting its requirements means your organisation is not only compliant but also effectively protected against common cyber threats. By investing in Cyber Essentials Plus, you strengthen your cyber resilience, build client trust, and position your business for secure growth in an increasingly digital world.
