
What a Cyber Essentials Plus Audit Actually Involves

By Richard Ham

Published: April 8, 2026

Cyber Essentials and Cyber Essentials Plus are often mentioned in the same breath, but they’re meaningfully different certifications. Cyber Essentials is self-assessed — you answer a questionnaire about your controls and a certification body reviews your answers. Cyber Essentials Plus involves an auditor actually testing whether your controls work.

If you’re being asked to achieve CE Plus — by a public sector client, a large enterprise in your supply chain, or your cyber insurance provider — it helps to know what you’re walking into.

The Five Technical Controls

Both certifications are built around the same five technical control areas. Cyber Essentials Plus tests all five through active assessment:

1. Firewalls — boundary firewalls and internet gateways are configured to block unauthorised access
2. Secure configuration — devices and software are configured securely, unnecessary services removed
3. User access control — user accounts are managed, access is limited to what’s needed, admin rights are controlled
4. Malware protection — protection against malicious software on devices
5. Patch management — operating systems and software are up to date and vulnerabilities are patched promptly

The assessment tests these controls against your actual devices and environment. It’s not a paper exercise.

What the Assessment Actually Looks Like

The assessment is conducted remotely in the vast majority of cases, using a combination of automated scanning tools and manual verification. The auditor will need access to representative sample devices across your environment — typically a mix of Windows, macOS, and mobile if applicable — as well as access to your network boundary.

External vulnerability scan — the assessor scans your internet-facing infrastructure for open ports, accessible services, and known vulnerabilities. Anything exposed that shouldn’t be is a finding.
Internal device sampling — the assessor will check a sample of user devices. They’re looking at: is the OS up to date, are software patches current, is malware protection active and updated, are there unnecessary admin rights on user accounts, is the device configured securely (screensaver lock, auto-update, no unnecessary services).
User account review — they’ll look at your Active Directory or Entra ID (Azure AD) to check for unused accounts, accounts with unnecessary admin privileges, and whether your admin accounts are separate from day-to-day user accounts.
Browser configuration — browsers are specifically assessed. Extensions, default security settings, and whether browser-based malware protection is active.

The whole process typically takes half a day to a day depending on the size of your environment.

Where Businesses Fail

Having supported a number of UK businesses through CE Plus, the failure points are consistent:

Patching lag on end-user devices. The standard requires that high and critical vulnerabilities are patched within 14 days of a patch being released. Most businesses aren’t meeting this. Laptops that are rarely connected to the corporate network, personal devices used for work, and machines that haven’t been restarted in months are the typical culprits.
Admin rights on standard user accounts. This is extremely common. Users who were given admin rights to install something three years ago and still have them. Sometimes it’s the entire organisation because “it was just easier”. CE Plus will fail on this.
Unsupported software. An application that hasn’t received a security update in over a year, or is running on an end-of-life OS version, is a straight failure. This catches people out when they have legacy line-of-business software that the vendor no longer patches.
Scope creep surprises. Businesses sometimes underestimate what’s in scope. If a personal mobile phone is used to access company email or data, it’s in scope. If a contractor’s laptop connects to your network, it may be in scope. Agreeing the scope boundary clearly before assessment avoids surprises.
External exposure they didn’t know about. Open ports, misconfigured cloud services, old VPN endpoints — the external scan sometimes surfaces things the business genuinely didn’t know were there.
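The 14-day patching rule, the "rarely connected laptop" problem and the unsupported-OS failure above can all be checked ahead of the audit from your own inventory data. The script below is an added example, not code from the original post or from any certification body; it assumes you can export per-device check-in dates and update history (for example from your RMM or Intune) into the fields shown, and the hostnames and update names are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_DAYS = 14  # Cyber Essentials: high/critical fixes applied within 14 days of release

@dataclass
class Update:
    name: str
    severity: str                      # "critical", "high", "medium" or "low"
    released: date
    installed: Optional[date] = None   # None = still pending on this device

@dataclass
class Device:
    hostname: str
    last_seen: date      # last check-in with the management platform
    os_supported: bool   # False = end-of-life OS version
    updates: List[Update] = field(default_factory=list)

def device_findings(dev: Device, today: date) -> List[str]:
    """Return audit-style findings for one device (empty list = nothing to fix)."""
    findings = []
    if not dev.os_supported:
        findings.append("unsupported OS version (straight failure)")
    silent = (today - dev.last_seen).days
    if silent > SLA_DAYS:  # a device nobody has seen for 14+ days cannot be shown to be patched
        findings.append(f"not seen for {silent} days; patch state cannot be verified")
    for u in dev.updates:
        if u.severity not in ("critical", "high"):
            continue  # the 14-day rule applies to high/critical only
        deadline = u.released + timedelta(days=SLA_DAYS)
        if u.installed is None and today > deadline:
            findings.append(f"{u.name} ({u.severity}) pending, {(today - deadline).days} days past SLA")
        elif u.installed is not None and u.installed > deadline:
            findings.append(f"{u.name} ({u.severity}) installed {(u.installed - deadline).days} days late")
    return findings

def patch_report(devices: List[Device], today: date) -> Dict[str, List[str]]:
    return {d.hostname: device_findings(d, today) for d in devices}

# Constructed sample inventory (hypothetical hosts and update names, not real data)
TODAY = date(2026, 4, 8)
SAMPLE = [
    Device("LAPTOP-01", date(2026, 4, 7), True, [Update("KB-A", "critical", date(2026, 3, 10), date(2026, 3, 15))]),
    Device("LAPTOP-02", date(2026, 2, 20), True, [Update("KB-A", "critical", date(2026, 3, 10))]),
    Device("DESKTOP-03", date(2026, 4, 8), False, [Update("KB-B", "low", date(2026, 1, 5))]),
]

if __name__ == "__main__":
    for host, issues in patch_report(SAMPLE, TODAY).items():
        print(host, "PASS" if not issues else "FAIL: " + "; ".join(issues))
```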

How to Prepare

If you’re planning to pursue CE Plus, give yourself at least six to eight weeks of preparation time — more if you know patching or access control is in a poor state.

Start with a self-assessment against the Cyber Essentials requirements document. Work through each of the five controls honestly. Where you can’t answer yes confidently, that’s where you need to focus.
Fix patching first. This is the most common failure point and the one that takes the longest to fix systematically. You need a repeatable process, not a one-off catch-up before the audit.
Audit your admin rights. Pull a full list of accounts with local admin or domain admin privileges. Anything that isn’t explicitly needed and documented should be removed before the assessment.
Check your software inventory. Identify anything running on an unsupported version. Either update it, replace it, or make a decision about scope exclusion (with appropriate compensating controls).
Agree scope in writing before the assessment starts. Be explicit about what’s included: which devices, which network segments, which cloud services.
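Step three above (pull every account with local or domain admin rights and keep only what is documented) and the assessor's account review (unused accounts, admin rights on day-to-day accounts) can be run as one pass over an exported account list. This is an added example, not the author's tooling; it assumes you have exported group membership, last logon and an "is this a daily-use account" flag into the fields shown, the 90-day "unused" threshold is an assumption rather than a Cyber Essentials figure, and the account names are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

ADMIN_GROUPS = {"Administrators", "Domain Admins"}  # local and domain admin groups in scope
UNUSED_AFTER_DAYS = 90  # assumption: an enabled account with no logon for 90 days is "unused"

@dataclass
class Account:
    name: str
    groups: Set[str]
    last_logon: date
    enabled: bool
    daily_use: bool  # True = used for email/browsing, i.e. a day-to-day account

def access_findings(accounts: List[Account], approved_admins: Set[str], today: date) -> Dict[str, List[str]]:
    """approved_admins: names whose admin rights are explicitly needed and documented."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues = []
        admin_via = sorted(a.groups & ADMIN_GROUPS)
        if admin_via and a.name not in approved_admins:
            issues.append(f"admin rights via {admin_via} not documented")
        if admin_via and a.daily_use:  # admin and day-to-day use should be separate accounts
            issues.append("admin account also used for day-to-day work")
        idle = (today - a.last_logon).days
        if a.enabled and idle > UNUSED_AFTER_DAYS:
            issues.append(f"enabled but unused for {idle} days")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample export (hypothetical accounts, not real data)
TODAY = date(2026, 4, 8)
APPROVED = {"adm-jsmith"}
SAMPLE = [
    Account("adm-jsmith", {"Domain Admins"}, date(2026, 4, 1), True, False),
    Account("jsmith", {"Domain Users"}, date(2026, 4, 7), True, True),
    Account("mjones", {"Administrators", "Domain Users"}, date(2026, 4, 6), True, True),
    Account("contractor-old", {"Domain Users"}, date(2025, 10, 1), True, False),
]

if __name__ == "__main__":
    for name, issues in access_findings(SAMPLE, APPROVED, TODAY).items():
        print(name + ": " + "; ".join(issues))
```

Anything listed in the output is either a removal to make before the assessment or an entry to add to the documented admin list.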

Is It Worth It?

Aside from the contractual requirements — and CE Plus is increasingly required for UK government supply chain and some financial services clients — the process is genuinely useful. Going through it forces a structured review of controls that most businesses have never done systematically.

The businesses I’ve seen come through it well are the ones that treated preparation as an IT improvement project, not a box-ticking exercise. The ones that struggle are the ones that try to do the minimum to pass rather than fixing the underlying issues.

If you need support preparing for Cyber Essentials Plus, I offer a structured readiness assessment that works through all five control areas and produces a prioritised remediation list before you engage a certification body.

Get in touch to discuss CE Plus preparation.