Cyber Essentials Plus
Cyber Essentials Plus offers everything in the standard Cyber Essentials certification – but with one key difference: a hands-on technical audit of your systems.
This independent verification gives you a much higher level of assurance that your security controls are working as intended.
With IT Governance, certification is simple, remote and fully supported.
Cyber Essentials checklist: What’s covered in the Plus audit?
To achieve Cyber Essentials Plus, you must already hold a valid Cyber Essentials certificate. You’ll then undergo a technical assessment of the five key control areas below.
Each control is tested during the audit to confirm it has been implemented correctly.
Firewalls
Create a secure boundary between your systems and external threats.
Requirements:
- Change default admin passwords or disable remote admin access
- Block unauthenticated inbound connections by default
- Prevent remote admin access from the internet unless protected by MFA or an IP whitelist
- Document and approve all inbound rules, with business justification
- Remove permissive rules when no longer needed
- Use host-based firewalls on devices used on public or untrusted networks
Secure configuration
Reduce risk by limiting access and disabling unnecessary features.
Requirements:
- Remove/disable unnecessary user accounts and software
- Change default or guessable passwords
- Disable auto-run features that execute files without permission
- Authenticate all users before granting access to data or systems
- Use device locking controls for physically present users
Access control
Ensure only authorised users can access your systems – with the right level of privilege.
Requirements:
- Have a clear account creation and approval process
- Authenticate users with unique credentials
- Remove accounts that are no longer needed
- Implement MFA where available (mandatory for Cloud services)
- Restrict administrative accounts to admin activities only
- Remove special access privileges when not needed
Malware protection
Stop malicious software from executing or compromising your systems.
You must use at least one of the following:
- Anti-malware software
- Application whitelisting
- Sandboxing
If using anti-malware software:
- Keep definitions updated daily
- Auto-scan files on access (including downloads and network files)
- Scan web pages in browsers
- Block malicious websites unless you have documented, approved exceptions
If using application whitelisting:
- Maintain an approved application list
- Block installation of unsigned or invalid software
If using sandboxing:
- Isolate code of unknown origin
- Restrict access to sensitive resources (e.g. cameras, microphones, data stores, networks) unless explicitly allowed
Security update management
Keep all systems and software up to date to close known vulnerabilities.
Requirements:
- Use only licensed and supported software
- Remove unsupported software
- Enable automatic updates wherever possible
- Apply patches within 14 days for:
  - Critical or high-risk vulnerabilities
  - CVSS v3 score of 7.0+
  - Any vulnerability with unknown severity
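The 14-day rule above has three triggers (critical/high rating, CVSS v3 of 7.0 or more, or unknown severity). The following is an added example, not IT Governance's or NCSC's own tooling, that applies those triggers to constructed scan findings and lists the ones that have passed their patching deadline; the Finding fields, host names and CVE strings are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW = timedelta(days=14)  # Cyber Essentials: patch within 14 days of release


@dataclass
class Finding:
    host: str
    cve: str                   # placeholder identifiers, constructed for the example
    severity: Optional[str]    # "critical" / "high" / "medium" / "low"; None = unknown
    cvss_v3: Optional[float]   # None when the scanner reports no score
    fix_released: date         # date the vendor made the fix available
    patched: bool


def in_scope(f: Finding) -> bool:
    """True when the finding falls under the 14-day patching requirement."""
    if f.severity is None:                       # unknown severity is always in scope
        return True
    if f.severity.lower() in ("critical", "high"):
        return True
    return f.cvss_v3 is not None and f.cvss_v3 >= 7.0


def deadline(f: Finding) -> date:
    """Last day on which the patch may still be applied in time."""
    return f.fix_released + PATCH_WINDOW


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """In-scope, unpatched findings whose 14-day window has already closed."""
    return [f for f in findings
            if in_scope(f) and not f.patched and today > deadline(f)]


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("ws01",  "CVE-0000-0001", "high",     7.5, date(2024, 5, 10), False),
    Finding("ws02",  "CVE-0000-0002", "medium",   6.9, date(2024, 4, 1),  False),
    Finding("srv01", "CVE-0000-0003", None,       None, date(2024, 5, 20), False),
    Finding("srv02", "CVE-0000-0004", "critical", 9.8, date(2024, 5, 1),  True),
    Finding("ws03",  "CVE-0000-0005", "medium",   7.2, date(2024, 5, 1),  False),
]

if __name__ == "__main__":
    for f in overdue(SAMPLE, date(2024, 6, 1)):
        print(f"{f.host} {f.cve} overdue since {deadline(f)}")
```

srv01 is in scope (unknown severity) but still inside its window on 1 June, so only ws01 and ws03 are reported.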
Choose the right support level
We offer flexible service tiers to match your level of internal resource and cyber maturity:
- Standard Cyber Essentials Plus certification package.
- Full support through the certification process with expert guidance.
- Comprehensive support for complex organisations.
Why choose Cyber Essentials Plus?
Like Cyber Essentials, this certification demonstrates that you’ve implemented five core security controls that:
- Prevent around 80% of common cyber attacks
- Strengthen supply chain security
- Support public sector and MoD contract eligibility
- Reassure customers and stakeholders
But Cyber Essentials Plus goes further – with a verified, technical audit to prove it’s all working.
Cyber Essentials Plus requirements: what’s involved in the audit?
The audit tests your in-scope systems through a series of internal and external checks:
- Internal vulnerability scans – assess patching and configuration
- On-site/remote system tests – covering Internet gateways, public-facing servers and sample user devices
- External vulnerability scan – evaluates your public-facing infrastructure
Your path to certification: step-by-step
- Review the requirements: Download and read the official Cyber Essentials Requirements for IT Infrastructure. You’ll need to confirm you’ve read it during your application.
- Define your scope: Clearly identify which parts of your infrastructure are in scope for certification.
- Complete the Self-Assessment Questionnaire (SAQ): Ensure your systems meet the core requirements.
- Submit for assessment: We’ll review your SAQ. If successful, you’ll receive your Cyber Essentials certificate and have three months to complete the Plus process.
- Undergo the technical audit: We’ll conduct all scans and tests within the three-month window.
- Resolve any nonconformities: If issues are found, we’ll provide feedback. You have one month to resolve them and complete a reassessment.
Ready to get certified?
Get expert guidance, fast turnaround and complete peace of mind with IT Governance – one of the UK’s leading Cyber Essentials certification bodies.