Cyber Essentials Plus – What Is it and Why Do I Need it?

Written by: David Henderson on Jul 21, 2023

An everything-you-need-to-know guide on Cyber Essentials Plus and the journey to becoming certified.

Cyber Essentials Plus is a National Cyber Security Centre certification scheme that helps organisations assess and improve their cyber security posture. It builds on the self-assessment Cyber Essentials certification and involves a more comprehensive evaluation of an organisation's security controls and systems through independent testing and verification by approved certification bodies such as Vertical Structure.

By obtaining Cyber Essentials Plus certification, organisations can demonstrate their commitment to maintaining strong cyber security measures, protecting themselves, staff and customers against the most common online threats.

What’s The Difference Between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment certification that is evaluated by a certification body such as Vertical Structure.

Cyber Essentials Plus builds on the Cyber Essentials standard. It is an advanced certification whose main difference is independent testing and verification of an organisation's systems, including an authenticated vulnerability scan of internal devices and a vulnerability scan of the external network.

In summary, while Cyber Essentials is based on self-assessment, Cyber Essentials Plus involves independent testing and verification. Cyber Essentials Plus provides a higher level of assurance and validation of an organisation's cybersecurity measures, making it a more rigorous certification level than Cyber Essentials.

What Are The Benefits of Becoming Certified to Cyber Essentials Plus?

Certification to Cyber Essentials Plus provides the following benefits for organisations:

  1. Strengthened cybersecurity defences: Certification ensures the implementation of effective security controls, improving overall cyber security posture.
  2. Independent validation: External certifying body conducts on-site assessments and vulnerability scans, providing an unbiased verification of cybersecurity measures.
  3. Demonstrated commitment: Certification showcases a proactive approach to cybersecurity, instilling trust and confidence among clients, partners, and stakeholders.
  4. Competitive advantage: Sets you apart from competitors, demonstrating your organisation's commitment to robust cybersecurity practices.
  5. Compliance requirements: Helps meet contractual and regulatory obligations related to cybersecurity, especially when handling sensitive data.
  6. Improved reputation: Certification signifies a serious approach to cybersecurity, enhancing your organisation's reputation among customers, suppliers, and the business community.

What Is the Process of Becoming Certified to Cyber Essentials Plus?

Step 1 | Project Kick-off

Your project consultant will organise a call with you to discuss the process and formally start your certification journey. This includes briefing you on what we will need to access and provide you with several downloads that will allow us to scan your network and devices for vulnerabilities remotely.

Step 2 | Self-Assessment Questionnaire

If you haven’t completed the self-assessment questionnaire for the basic Cyber Essentials certification within the last 90 days, then you will need to complete this. This questionnaire maps out your existing cyber security. The responses given are assessed by one of our Cyber Advisors and must pass before you can proceed to the next stage.

Upon successful assessment of the SAQ (self-assessment questionnaire), we will book your Cyber Essentials Plus assessment.

Step 3 | Audits

Now it’s time to complete the audit steps. Firstly, we will select at random a sample of devices to be audited, assist with installing the required software agents on these devices and run the required vulnerability tests.

If any issues are found at this stage, these will be reported back in an easy-to-digest report. To pass Cyber Essentials Plus, any issues flagged as high or critical in this report must be fixed. The findings are rated using the Common Vulnerability Scoring System (CVSS).

In addition to scanning devices as outlined above, we will also conduct a set of 7 tests that include:

  1. Checking for multi-factor authentication on cloud accounts
  2. Checking for local admin users on the device
  3. Checking that suitable anti-virus applications are installed
  4. Checking that antivirus definitions are up to date
  5. Testing your email firewall for malware protection
  6. Testing email malware protection on sample devices
  7. Checking for privilege escalation on sample devices
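Two of the device tests above (local admin users, and anti-virus installed with current definitions) can be pre-checked on a Windows device before the assessor's sample is taken. The script below is an added example, not code from the original article or from Vertical Structure, and it does not replicate the assessor's tooling. It assumes a Windows 10/11 device with PowerShell 5.1 or later and Microsoft Defender; the 14-day signature-age threshold and the expected-admins list are illustrative assumptions, not scheme rules.

```powershell
# Added example: read-only pre-check for the local-admin and anti-virus device tests.
# Assumptions: Windows 10/11, PowerShell 5.1+, Microsoft Defender as the AV product.
# The 14-day threshold and the expected-admins list are constructed placeholders.

param(
    [int]$MaxSignatureAgeDays = 14,
    [string[]]$ExpectedAdmins = @('Administrator')   # accounts you intend to be local admins
)

$findings = @()

# Local admin users on the device: report any user account in Administrators
# that is not on the expected list (group objects are listed but not flagged).
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
foreach ($member in $admins) {
    $shortName = ($member.Name -split '\\')[-1]
    if ($member.ObjectClass -eq 'User' -and $ExpectedAdmins -notcontains $shortName) {
        $findings += "Unexpected local admin: $($member.Name) (source: $($member.PrincipalSource))"
    }
}

# Anti-virus installed and definitions up to date, via the Defender status cmdlet.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled) {
        $findings += 'Defender anti-virus is disabled'
    }
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is off'
    }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))"
    }
} catch {
    $findings += 'Defender status unavailable; confirm the installed AV product is enabled and current'
}

# Summarise in the same spirit as the audit report: anything listed needs attention.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: no local-admin or anti-virus findings on this device'
} else {
    Write-Output 'REVIEW: the following items would likely be raised during the device tests'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it in an elevated PowerShell session on a few representative devices. If a third-party anti-virus product is in use, Defender reports itself as disabled, so the second check must be adapted to that product's own status command rather than read as a failure.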

Again, an easy-to-digest report will be provided to you at this stage outlining all issues that have been identified. Any issues that will prevent you from obtaining certification will be flagged as high or critical.

Step 4 | Patch & Retest

If any of the tests performed in Step 3 above flag issues, you will be given adequate time to resolve these. Be aware that patches and fixes will need to be in place and retested within 90 days of completing the Cyber Essentials Self-Assessment Questionnaire.

Step 5 | Final Assessment Marking

The last stage! Here, we will complete our final assessment of your certification where a pass or fail will be awarded.

Should for any reason you fail to certify, you have 30 days to amend any issues and resubmit. If completed within the 30-day window, you do not need to pay again. However, if you fail to achieve certification within the 30-day window, IASME will require you to complete the entire process over again.

Frequently Asked Questions

How long does the process take?

Certification can be achieved in as little as a few working days. However, on average, our clients usually certify within 2-3 weeks.

Certification can take no longer than 90 days from the initial project kickoff. Should you fail to complete it within this time period, you will be required to start the process from the beginning again.

If you’re in a hurry to achieve Cyber Essentials Plus and would like to pass the first time, we offer a pre-assessment service that aims to ready your organisation for certification before the process begins. For more information, please get in touch.

What is the cost of becoming certified?

Certification starts from as little as £1,500 for micro organisations. This cost increases the larger your organisation is.

Do I need any technical expertise?

You will need to download and install software that allows us to scan your network and machines for vulnerabilities and answer the self-assessment questionnaire. If you have an IT provider, you may need them to assist in some of these tasks.

Do I need to re-certify every year?

Yes, certificates last for 12 months. However, when it comes to recertification, the second and subsequent years are typically much more straightforward than the initial certification.

Vertical Structure

As an NCSC assured service provider for Cyber Essentials and Cyber Essentials Plus, we can help your organisation achieve certification to both standards quickly and easily.

Additionally, our certification body status and in-house team of cyber advisors make Vertical Structure a fantastic choice to help you through the process.

To discuss and start your certification journey, please drop us a message, we’d love to chat.
