  • ISO 27001
  • Risk Management
  • 21st Apr 2026
  • 1 min read

Cyber Essentials Plus: What It Really Tests - SureCloud

In short

TL;DR: 4 key takeaways

  • Cyber Essentials Plus tests what actually runs — not what’s written — assessors verify controls in your live environment, not your policies.
  • Inconsistency is the main failure point — partial MFA, missed patch SLAs, and weak scope definitions expose gaps quickly.
  • CE+ is now a governance baseline — it provides externally verified evidence of control effectiveness for regulators and supply chains.
  • The real value is in exposure, not certification — CE+ reveals the gap between documented controls and operational reality.

Cyber Essentials Plus isn’t about adding new controls — it’s about proving the ones you have are consistent, evidenced, and actually working.

Introduction

Most organisations fail Cyber Essentials Plus not because their controls are wrong — but because they've never had to prove them.


If you're preparing for CE+, or you've recently been through it and the results were uncomfortable, you're in the right place.


This post is about what Cyber Essentials Plus actually does. Not what it's supposed to do — what it does in practice, when a qualified assessor starts looking at your environment the way an attacker would.


The short version: CE+ doesn't build your security posture. It exposes whether you have one. And with the UK's regulatory direction tightening on cyber governance, that distinction matters more than ever.


What Is Cyber Essentials Plus?

Cyber Essentials Plus (CE+) is the higher-tier certification in the UK's NCSC-backed Cyber Essentials scheme. It requires an independent, hands-on technical assessment of an organisation's controls across five areas: firewalls, secure configuration, user access controls, malware protection, and patch management.


Unlike the standard Cyber Essentials certification — which is self-assessed — CE+ involves a qualified assessor verifying that the controls you've documented are actually operating in your environment. The assessment is evidence-based, not declaration-based.


Cyber Essentials Plus is widely recognised as the minimum credible baseline for UK organisations handling sensitive data or operating in supply chains that require demonstrated cyber hygiene. It does not replace a broader security strategy, but it does test whether one exists.

What Does Cyber Essentials Plus Actually Test?

CE+ tests consistency, not intent. The assessment doesn't reward documented policies. It rewards environments where controls are applied uniformly, verifiably, and in line with how people actually work.


The five technical control areas haven't changed fundamentally. But how those controls are being interpreted in assessments has shifted. The scope definitions are tighter. The expectations around home working, cloud services, and identity management are more explicit. And the room to argue your way around edge cases has narrowed.


What assessors are increasingly looking for:

  1. Patching — not whether a patching policy exists, but whether patches are being applied within the required timescales across all in-scope devices, including endpoints used remotely
  2. Access control — whether MFA is enforced consistently, or just partially rolled out
  3. Secure configuration — whether default settings have actually been changed, not just documented as a policy intent
  4. Scope — whether the organisation's defined scope is accurate and defensible, or whether assets have been excluded without adequate justification

The pattern that surfaces repeatedly is not dramatic security failure. It's inconsistency — controls that work in some parts of the environment and not others. And when an assessor is looking for evidence, inconsistency is failure.

Why Cyber Essentials Plus Feels Harder Than Expected

Most organisations enter a CE+ assessment confident. Policies exist. Controls are "in place." Things look fine on paper.


The discomfort usually begins when the assessor starts testing whether what's on paper reflects what's running in the environment.


Common gaps that CE+ exposes include MFA being deployed for cloud services but not extended to remote access for internal systems; patching policies that exist on paper but are not consistently met within 14 days for high-severity vulnerabilities; and scope definitions that are too narrow, leaving out devices or services that should be included. It also frequently highlights a lack of evidence for control effectiveness, often because that level of proof has never previously been required.


These issues are not unusual. They tend to emerge from security programmes that have evolved over time without a stage where controls needed to be validated end to end. For many organisations, CE+ represents the first time that level of scrutiny is applied, and the gaps become visible as a result.


From experience working with organisations going through CE+, the difficulty rarely comes from the complexity of the controls themselves. More often, it stems from the process exposing areas that were never fully aligned in the first place.

How the Recent CE+ Updates Have Changed the Assessment

The NCSC has made incremental updates to the Cyber Essentials requirements to reflect how organisations actually operate today. The most significant shifts are in scope interpretation and control expectations around modern working patterns.


What's changed in practice:

  1. Home and remote working — the distinction between "home working" (device used at home) and "remote access" (device connecting to organisational infrastructure) is now more precisely defined, with different control expectations for each
  2. Cloud services — cloud-hosted services are increasingly in scope, and the controls expected around them are more specific
  3. Identity and authentication — the bar for MFA has been raised; partial rollout is no longer a sufficient response
  4. Scope discipline — assessors are scrutinising scope definitions more carefully; organisations can no longer rely on loosely drawn boundaries

The intent is consistent with the direction of UK cyber governance more broadly. Under the UK Cyber Security and Resilience Bill, cyber security is moving from a best-practice recommendation to a legislative expectation for an expanding set of organisations. CE+ is, in effect, a rehearsal for a more demanding environment.

How to Use Cyber Essentials Plus Strategically

The organisations that get the most value from CE+ are the ones that don't treat it as a pass-or-fail event. They use the process itself — defining scope, testing controls, gathering evidence — as a mechanism to understand the real state of their environment.


That reframe changes everything about how you prepare.


Use CE+ preparation to:

  1. Properly define your environment — not as a scoping exercise to minimise what's tested, but to produce an accurate map of what you actually have
  2. Sense-check control consistency — audit whether controls applied in one part of the environment are applied in all of it
  3. Build an evidence baseline — if you can't evidence a control for an assessor, you can't evidence it for a regulator, a board, or an incident response team
  4. Identify what's missing before the assessment does — gap assessments before formal submission give you the opportunity to fix, not just disclose

The organisations that pass CE+ most smoothly aren't the ones with the most sophisticated security programmes. They're the ones whose day-to-day operations match their documented controls. That alignment — between policy, practice, and proof — is what CE+ is really measuring.

Cyber Essentials Plus and Your Broader GRC Programme

CE+ is a baseline, not a strategy. The NCSC has always been clear on that. It protects against the most common attack vectors. It does not constitute a complete approach to cyber risk management.


But in 2025 and beyond, the baseline has a new strategic value: it is an auditable, externally verified point of control effectiveness. That matters in the context of:

  1. UK Corporate Governance Code Provision 29 — which, from financial years beginning January 2026, requires boards to declare whether internal controls operated effectively. CE+ provides verifiable evidence of control operation in one of the most scrutinised risk domains.
  2. Supply chain requirements — many sectors and procurement frameworks now mandate CE+ for suppliers. Evidence of control effectiveness flows up supply chains, not just into regulatory filings.
  3. Incident response and insurance — evidence of implemented controls affects both the handling of security incidents and the terms of cyber insurance. CE+ provides an auditable record.

The organisations treating CE+ as a box-ticking exercise are missing what it actually produces: a verified, dated, external assessment of whether your cyber controls work. That is a usable artefact in your GRC programme — if you build the processes to capture and maintain it.

Conclusion

Cyber Essentials Plus is not a hard certification. The controls it tests are not complex. What it tests is whether your controls are real — consistently applied, evidenced, and reflective of how your environment actually operates.


If the assessment feels harder than expected, that's the point. It's not the standard that's misaligned. It's the gap between what's been documented and what's been done.


The organisations that get the most from CE+ are the ones that use it to close that gap — and to build an evidence baseline that serves them beyond the certification itself. In a regulatory environment where boards are being asked to stand behind their control frameworks, that baseline has real value.


If you're preparing for CE+ or reviewing the gaps it surfaced, SureCloud's GRC platform gives you the control consistency, evidence capture, and assurance reporting you need — not just for the assessment, but for what comes after it.

Turn Cyber Essentials Plus into Continuous Assurance

Don’t treat CE+ as a one-off certification. Build a control and evidence model that stays aligned, audit-ready, and regulator-proof year-round. See how SureCloud helps you maintain control consistency, capture evidence automatically, and prove assurance — before your next assessment does.

FAQs

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessed certification where organisations complete a questionnaire declaring that five sets of technical controls are in place. Cyber Essentials Plus requires an independent hands-on technical assessment by a qualified assessor who verifies those controls are actually operating in the environment. CE+ is more rigorous, more credible, and more frequently required by public sector and enterprise procurement.

How long does Cyber Essentials Plus take to achieve?

Typical timelines range from four to twelve weeks from initial gap assessment to certification, depending on the maturity of existing controls and the complexity of the in-scope environment. Organisations with inconsistencies in their control application — particularly around patching and MFA — will need remediation time before assessment. Attempting CE+ without a pre-assessment gap analysis significantly increases the risk of failure or extended timelines.

What are the most common reasons organisations fail Cyber Essentials Plus?

The most frequent failure points are: incomplete MFA rollout across in-scope systems; patching not being applied within required timescales; scope definitions that don't accurately reflect the environment; and an inability to produce evidence that controls are operating consistently. These issues typically reflect genuine inconsistencies in how controls have been implemented, rather than a fundamental absence of controls.

Is Cyber Essentials Plus a legal requirement?

Cyber Essentials Plus is not a statutory legal requirement in the UK, but it is mandatory for suppliers bidding for certain UK government contracts involving the handling of sensitive information, and it is increasingly required in supply chain and procurement frameworks across financial services, critical infrastructure, and healthcare. The UK Cyber Security and Resilience Bill may extend expectations around baseline cyber governance, increasing the practical relevance of CE+ as an evidenced standard.

How does Cyber Essentials Plus relate to ISO 27001?

Cyber Essentials Plus and ISO 27001 address different questions. CE+ focuses on a defined set of technical controls and provides external verification that they are operating. ISO 27001 is a management system standard covering the breadth of an organisation's approach to information security risk, including governance, processes, and continuous improvement. They are complementary — CE+ addresses specific technical hygiene; ISO 27001 addresses the management framework around it. Many organisations pursue both.

How often do you need to renew Cyber Essentials Plus?

CE+ certification is valid for twelve months. Annual renewal is required to maintain certification status. The renewal process involves a new hands-on assessment against the current scheme requirements, which can vary year on year as the NCSC updates the standard. Organisations should treat renewal as a live control health check, not an administrative event.


“In SureCloud, we’re delighted to have a partner that shares in our values and vision.”

Read more on how Mollie achieved a data-driven approach to risk and compliance with SureCloud.