- Cyber
- 7th Jun 2026
- 1 min read
Cyber Essentials Plus: What It Is, What It Costs
In Short
- Cyber Essentials Plus (CE+) is independently verified. Unlike standard Cyber Essentials, CE+ requires technical testing by a qualified assessor to confirm controls are operating effectively.
- CE+ is mandatory for some MOD contracts. Organisations handling certain Ministry of Defence information or personal data may need CE+ rather than standard certification.
- Timing matters. The CE+ assessment must be completed within three months of achieving Cyber Essentials certification, or the process must be restarted.
- Technical weaknesses are the most common cause of failure. Unpatched software, unsupported applications, default credentials, and missing MFA controls are frequent issues identified during testing.
CE+ provides a higher level of assurance than standard Cyber Essentials because controls are independently validated rather than self-certified. While costs are higher and the assessment is more rigorous, many organisations pursue CE+ to meet contractual requirements, strengthen customer confidence, and demonstrate that security controls work in practice—not just on paper.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about CE+ first-attempt failures
"The failures we see most often aren't surprises. Unpatched software, end-of-life applications, and MFA gaps are all visible in an internal scan run before the formal assessment. The three-month window between CE and CE+ doesn't allow much time to discover and fix significant control gaps after the event."
Key Facts
- CE+ requires an IASME-approved assessor to technically verify that the five controls described in the self-assessment actually exist and function as stated.
- Mandatory: CE+ is required for MOD contracts involving personal data or certain classified information, and may be required for other higher-risk government contracts.
- The CE+ assessment must be completed within three months of standard CE certification. If the window lapses, standard CE must be renewed before CE+ can proceed.
- Common CE+ failure points: unpatched software, unsupported software, default credentials, firewall misconfiguration, and MFA not enforced on internet-facing accounts.
- CE+ costs from £1,500 to £5,000 or more depending on scope, device count, and whether remediation retesting adds assessor time.
Why CE+ Exists: The Assurance Gap in Self-Assessment
Cyber Essentials, launched in 2014 and now administered by the IASME Consortium under NCSC oversight, was designed to address a specific problem: most cyber incidents affecting organisations trace back to a small set of well-understood, preventable vulnerabilities. The scheme's five technical controls (firewalls, secure configuration, user access control, malware protection, and patch management) address the attack vectors responsible for the majority of commodity threats.
Standard Cyber Essentials certification works through self-assessment: an organisation answers the Montpellier questionnaire, attesting that its controls meet the scheme requirements. An Assured Service Provider (ASP) reviews the submission for internal consistency and clarity. Certification at this level is based on the organisation's attestation, with no independent technical testing of the actual systems.
CE+ closes that gap. It requires an IASME-approved assessor to technically verify that the controls described in the self-assessment actually exist and function as stated. For organisations in government supply chains, regulated sectors, or those handling particularly sensitive data, that independent verification is the meaningful
What CE+ Adds: Independent Technical Verification
CE and CE+ assess the same five technical controls. The difference is in how: standard CE relies on self-assessment; CE+ requires independent technical verification of the controls declared.
Standard Cyber Essentials: What You Self-Certify
In a standard CE assessment, the organisation completes the Montpellier questionnaire, describing its controls configuration. The ASP reviews the submission for internal consistency. If it's satisfactory, certification is issued. There's no independent technical testing of the actual systems.
Cyber Essentials Plus: What the Assessor Verifies
In a CE+ assessment, an IASME-approved assessor conducts the following technical activities on the organisation's systems within scope:
- External vulnerability scanning: the assessor scans the organisation's internet-facing infrastructure from outside the network to identify vulnerabilities, open ports, and exposed services that the self-assessment should have addressed.
- Internal vulnerability scanning: scanning is conducted from inside the network to verify the patching status of in-scope devices and confirm that internal configurations match what was declared.
- Configuration checks: the assessor verifies device configurations (firewall rules, user account settings, and security software deployment) against CE requirements on a sample of devices.
- Malware protection testing: the assessor tests whether in-scope devices detect and block malware in the way the organisation's controls submission claimed.
- Phishing and browser-based threat testing: sample testing verifies that users cannot inadvertently execute malicious code delivered via simulated phishing emails or browser-delivered payloads.
The assessor produces a technical report. Where no failures are found, CE+ certification is issued. Where failures are found, the organisation must remediate before certification is granted; the process allows for remediation and retest within the three-month window.
When CE+ Is Mandated vs Recommended
Mandatory: MOD and Central Government Supply Chains
CE+ is mandatory for Ministry of Defence (MOD) contracts that involve personal data or where the contract is assessed as requiring a higher level of cyber assurance. The MOD's supplier guidance, governed by Defence and Security Public Contracts Regulations (DSPCR), specifies CE+ as the minimum requirement for these contract types. Organisations bidding for MOD work should verify the specific assurance requirement in the contract notice: requirements vary by contract value, data sensitivity, and systems access.
For central government contracts more broadly, standard CE is the mandatory baseline (required for all contracts involving personal information handling or certain ICT products and services). Individual departments may set CE+ as the requirement for higher-risk or higher-sensitivity contracts; always check the specific contract notice.
Recommended: Regulated Sectors and Supply Chain Pressure
Outside formal mandates, CE+ is increasingly expected in several contexts:
- Financial services supply chains: firms regulated by the FCA and PRA are under pressure to validate the cyber posture of their third-party suppliers. CE+ provides a stronger assurance signal than self-assessed CE when responding to supplier due diligence requests.
- Critical national infrastructure: organisations in sectors covered by the Network and Information Systems (NIS) Regulations 2018 may find CE+ cited as evidence of security baseline compliance.
- Healthcare and public sector: NHS Digital's Data Security and Protection Toolkit references CE+ as an accepted assurance mechanism for some assessment areas.
- Legal sector: law firms handling sensitive client data increasingly face CE+ requirements from clients conducting supply chain assurance.
CE+ Must Be Completed Within Three Months of Standard CE
CE+ certification is only available to organisations that already hold a valid standard Cyber Essentials certificate. The CE+ assessment must be completed within three months of the standard CE certification date. If that window lapses, the existing standard CE certificate can no longer be used as the basis for CE+, and the organisation must re-certify at the standard level before proceeding.
Plan both certifications as a single coordinated process. Controls must be genuinely in place at the time of self-assessment: CE+ will verify the technical reality, and the three-month window doesn't leave room for significant post-assessment remediation.
What the CE+ Audit Involves: Step by Step
A CE+ assessment proceeds in the following sequence:
- Scope agreement: the assessor and organisation agree which systems, devices, and network segments are in scope. CE+ scope must match the scope declared in the standard CE self-assessment.
- Pre-assessment documentation review: the assessor reviews the standard CE submission and any supporting documentation to understand the declared control configuration.
- External vulnerability scan: conducted remotely, scanning the organisation's internet-facing IP addresses and hostnames. The organisation provides the relevant IP ranges.
- On-site or remote internal assessment: configuration checks, internal scanning, and device sampling are conducted. For remote assessments, the organisation provides screen-share access or submits evidence artefacts.
- Findings report: the assessor issues a report documenting any failures against CE+ requirements, with remediation guidance where applicable.
- Remediation and retest: where failures are found, the organisation remediates and the specific failed areas are retested. The retest must occur within the three-month window.
- Certification issued: upon passing, the CE+ certificate is issued via the IASME portal.
How Long Does CE+ Take?
Elapsed time from starting a CE+ assessment to receiving certification depends on scope size and complexity, assessor availability, and how quickly any remediation issues are resolved. For a straightforward SME with a defined and limited scope:
- External vulnerability scan: completed within 1 to 3 working days for most organisations.
- Internal assessment: half a day to a full day for a small organisation; longer for larger scopes.
- Remediation (if required): the largest variable. Simple configuration fixes may be resolved within hours; patching or firewall rule changes may take days to weeks.
- Report and certification: issued within a few days of a clean or remediated assessment.
End-to-end, a well-prepared organisation with controls in place can complete CE+ within 2 to 4 weeks. Organisations that discover significant remediation requirements during the assessment should factor in the three-month window constraint when planning timelines.
Cyber Essentials vs Cyber Essentials Plus: Cost Comparison
CE and CE+ are priced differently, and costs vary by ASP and by the size and complexity of the organisation. See the CE cost guide for a full breakdown of pricing variables across the scheme.
| Certification Type | Typical Cost Range | Key Cost Driver |
|---|---|---|
| Standard Cyber Essentials | £300 to £500 + VAT (small organisation) | ASP review fee; varies by organisation size |
| Cyber Essentials Plus | £1,500 to £5,000 or more + VAT | Assessor day rate; scope size; remediation retesting |
Cost variables for CE+ include: number of in-scope devices, number of internet-facing IP addresses (affecting scan time), whether the assessment is conducted on-site or remotely, and whether remediation retesting adds assessor time. Organisations with complex IT environments, large device counts, or significant cloud-hosted services should request a scoped quote rather than relying on headline figures.
Common CE+ Audit Failure Points
The most common failure areas in CE+ assessments, based on assessor experience across the scheme, are:
- Unpatched software: critical and high-severity patches not applied within 14 days of release. This is consistently the most common failure across organisations of all sizes. The requirement covers all software on in-scope devices, including third-party applications, browser plugins, and operating systems.
- Unsupported software: any software that no longer receives security updates from its vendor fails the CE+ assessment automatically. Unsupported software is a hard disqualifier, with no mitigation option.
- Default credentials: administrative or user accounts using manufacturer or software default passwords. Particularly common on network devices, printers, and IoT-category hardware.
- Firewall misconfiguration: inbound rules that are broader than necessary, particularly rules that allow unrestricted inbound access on ports that should be restricted to specific source IP addresses.
- MFA gaps: the Cyber Essentials requirements make MFA an explicit requirement for all accounts that can authenticate to internet-facing services, including cloud applications. Microsoft 365, Google Workspace, and similar platforms where MFA is not enforced are a consistent failure point.
- Scope inaccuracies: internet-facing services or devices found during the CE+ external scan that fall outside the declared CE scope. These create a mismatch between the self-assessment submission and the technical findings; scope accuracy is the organisation's responsibility.
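The scope and firewall points above, and the external scan described under "What the Assessor Verifies", come down to one reconciliation: does what responds from the internet match what was declared? The script below is an added example, not code from the original article or from SureCloud. It parses an nmap XML result (the document is constructed for the example but follows nmap's real `-oX` layout), checks each live host against the declared CE ranges, and flags open ports that the firewall was not supposed to expose. The declared ranges, the per-host expected services and the RFC 5737 documentation addresses are all assumptions for illustration.

```python
"""Reconcile an external scan against the declared CE scope.

Added example, not SureCloud's code. The nmap XML below is constructed
(real nmap -oX layout) and uses RFC 5737 documentation addresses, so it
points at no live host.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of what an external `nmap -sS -oX scan.xml` run might return.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="198.51.100.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical declared scope: the ranges listed in the CE self-assessment and,
# per host, the inbound services the firewall rules are meant to expose.
DECLARED_RANGES = [ipaddress.ip_network("203.0.113.0/28")]
EXPECTED_OPEN = {
    "203.0.113.10": {("tcp", 443)},
    "203.0.113.11": set(),  # declared, but nothing should be reachable inbound
}


def parse_open_ports(nmap_xml):
    """Return {ip: {(proto, port), ...}} for hosts that are up; open ports only."""
    root = ET.fromstring(nmap_xml)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        hosts[addr.get("addr")] = open_ports
    return hosts


def reconcile(scan, declared_ranges, expected_open):
    """Split scan results into scope findings and firewall findings.

    undeclared: live hosts outside every declared range (scope inaccuracy).
    unexpected: open ports on in-scope hosts beyond the expected services
                (inbound rules broader than necessary).
    """
    undeclared = []
    unexpected = {}
    for ip, ports in scan.items():
        in_scope = any(ipaddress.ip_address(ip) in net for net in declared_ranges)
        if not in_scope:
            undeclared.append(ip)
            continue
        extra = ports - expected_open.get(ip, set())
        if extra:
            unexpected[ip] = sorted(extra)
    return {"undeclared": sorted(undeclared), "unexpected": unexpected}


if __name__ == "__main__":
    result = reconcile(parse_open_ports(SAMPLE_NMAP_XML), DECLARED_RANGES, EXPECTED_OPEN)
    for ip in result["undeclared"]:
        print(f"SCOPE: {ip} answered the external scan but is outside the declared ranges")
    for ip, ports in result["unexpected"].items():
        for proto, port in ports:
            print(f"FIREWALL: {ip} exposes {proto}/{port}, which is not an expected service")
```

Run against the sample, the script reports one host outside the declared ranges (a scope mismatch the assessor would raise) and two exposed services that the expected-service list does not justify, SSH on the web host and RDP on a host that should accept nothing inbound. Replace the constructed XML with your own pre-assessment scan output and the declared ranges with those in your self-assessment; anything the script prints is a finding you can close before the assessor finds it.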
Do I Need CE or CE+? A Decision Guide
Use the following questions to determine which certification is appropriate:
| Question | If yes, you likely need... |
|---|---|
| Do you hold or bid for MOD contracts involving personal data or classified information? | CE+ (mandatory) |
| Do you handle personal data on behalf of central government? | CE at minimum; check the contract for a CE+ requirement |
| Do your enterprise clients require CE+ in supplier questionnaires? | CE+ (commercial requirement) |
| Are you pursuing CE for internal security baseline assurance only? | Standard CE may be sufficient; CE+ provides stronger assurance |
| Do you handle highly sensitive client or patient data and want verified assurance? | CE+ recommended regardless of mandate |
Is CE+ Worth It for Non-Mandated Organisations?
For organisations where CE+ is not contractually required, the question is whether the additional cost and preparation is justified. Three factors drive the answer:
- Supply chain position: if your customers are large enterprises, financial institutions, or regulated-sector organisations, they are increasingly conducting cyber supply chain risk assessments that prefer or require independently verified assurance. CE+ provides that credibility through independent verification.
- Data sensitivity: organisations handling health data, financial data, legal privilege, or personal data at scale benefit from independent verification, both for their own assurance and as evidence in the event of a regulatory investigation.
- Incident response credibility: in the event of a breach, CE+ provides documented evidence that controls were independently verified at a point in time. Self-assessed CE records the organisation's declaration, not an assessor's finding.
For most small organisations with limited supply chain exposure, standard CE is the pragmatic starting point. For mid-sized organisations with enterprise clients, regulated-sector supply chain involvement, or ambitions to bid for public sector contracts, CE+ is increasingly the practical baseline rather than an optional upgrade.
How to Prepare for a CE+ Audit
Detailed CE+ audit preparation is covered in the CE+ audit preparation guide. The key principles are:
- Ensure controls are genuinely in place before the standard CE self-assessment. CE+ will verify the technical reality, and the three-month window gives limited time for significant remediation after the fact.
- Conduct internal vulnerability scanning before the assessment to identify and close issues that would otherwise be found by the assessor.
- Audit your software inventory: identify any unsupported or unpatched software on in-scope devices and remediate before the assessment date.
- Verify MFA is enforced on all internet-facing accounts, including cloud applications, email, VPN, and remote access services.
- Define and document your scope accurately, including all internet-facing services, cloud environments, and BYOD assets that fall within the CE scope definition.
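The inventory audit and MFA checks above, and the failure points listed under "Common CE+ Audit Failure Points", can be run as a single pre-assessment gap check against exported inventory data. The script below is an added example, not code from the original article or from SureCloud, and not an assessor's tooling. It applies the 14-day patch window, flags vendor-unsupported software, checks internet-facing accounts for MFA enforcement, and tests device accounts against a short list of vendor default credentials. The inventory records, account records, device names, the fixed "today" date and the default-credential list are all constructed for the example; in practice the records would come from an RMM/MDM export and the identity provider.

```python
"""Pre-assessment gap check against the most common CE+ failure points.

Added example, not SureCloud's code. All records below are constructed;
the date is fixed so the result is reproducible.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# CE requirement: fixes for critical/high vulnerabilities applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)

# Illustrative subset of vendor defaults an assessor would try first (assumption).
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


@dataclass
class Software:
    device: str
    name: str
    version: str
    fix_released: Optional[date]   # release date of the newest critical/high fix, or None if none
    fix_installed: bool
    support_ends: Optional[date]   # None = vendor has not announced an end of support


@dataclass
class Account:
    name: str
    service: str
    internet_facing: bool          # can this account authenticate from the internet?
    mfa_enforced: bool
    password: Optional[str]        # only set for device/local accounts we test against defaults


Finding = Tuple[str, str, str]     # (where, category, detail)

TODAY = date(2026, 6, 7)           # fixed reference date for the example

INVENTORY = [
    Software("LAPTOP-01", "Example Browser", "124.0", date(2026, 5, 1), False, None),  # 37 days old fix
    Software("LAPTOP-01", "Example Office", "2024.3", date(2026, 6, 1), False, None),  # 6 days: in window
    Software("LAPTOP-02", "Legacy PDF Tool", "9.5", None, True, date(2025, 12, 31)),   # end of life
    Software("LAPTOP-02", "Example OS", "12.4", date(2026, 5, 20), True, None),        # patched
]
ACCOUNTS = [
    Account("alice@example.com", "Microsoft 365", True, True, None),
    Account("bob@example.com", "Microsoft 365", True, False, None),        # MFA gap
    Account("admin", "Office printer", False, False, "admin"),             # vendor default
    Account("svc-backup", "Internal NAS", False, False, "R4nd0m-Str0ng"),  # internal only
]


def check_software(items: List[Software], today: date) -> List[Finding]:
    """Unsupported software and patches outside the 14-day window."""
    findings = []
    for s in items:
        if s.support_ends is not None and s.support_ends < today:
            findings.append((s.device, "unsupported",
                             f"{s.name} {s.version}: vendor support ended {s.support_ends}"))
        if s.fix_released is not None and not s.fix_installed:
            overdue = today - s.fix_released - PATCH_WINDOW
            if overdue > timedelta(0):
                findings.append((s.device, "unpatched",
                                 f"{s.name}: fix released {s.fix_released}, "
                                 f"{overdue.days} days past the 14-day window"))
    return findings


def check_accounts(accounts: List[Account]) -> List[Finding]:
    """MFA on internet-facing accounts and default credentials on device accounts."""
    findings = []
    for a in accounts:
        if a.internet_facing and not a.mfa_enforced:
            findings.append((a.service, "mfa",
                             f"{a.name} can authenticate from the internet without MFA"))
        if a.password is not None and (a.name, a.password) in KNOWN_DEFAULTS:
            findings.append((a.service, "default-credential",
                             f"{a.name} still uses a vendor default password"))
    return findings


def assessment_ready(items, accounts, today) -> bool:
    """True only when no finding would be raised by these checks."""
    return not check_software(items, today) and not check_accounts(accounts)


if __name__ == "__main__":
    for where, category, detail in check_software(INVENTORY, TODAY) + check_accounts(ACCOUNTS):
        print(f"[{category}] {where}: {detail}")
    print("ready for CE+:", assessment_ready(INVENTORY, ACCOUNTS, TODAY))
```

On the constructed data the script raises four findings: one patch 23 days past the window, one end-of-life application, one cloud account without MFA, and one printer on its default password; the internal-only service account raises nothing, which is the intended distinction, since the MFA requirement applies to accounts reachable from the internet. Note that a fix released six days ago and not yet applied is within the window today but becomes a failure eight days from now, so the check is worth re-running on the day before the assessor's internal scan.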
FAQs
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Standard CE is achieved through self-assessment: the organisation attests that its controls meet the scheme requirements, and an ASP reviews the submission. CE+ requires an IASME-approved assessor to independently verify those controls through technical testing, including vulnerability scanning, configuration checks, and device sampling. CE+ provides a higher level of assurance and is required for certain government and MOD contracts.
How much does Cyber Essentials Plus cost?
CE+ costs from £1,500 to £5,000 or more, depending on the organisation's size, scope complexity, and the assessor's day rate. Small organisations with limited device counts and few internet-facing services sit at the lower end; larger or more complex environments cost more. This is in addition to the standard CE fee, which runs £300 to £500 for small organisations. Remediation work and any retest requirements add to the overall cost.
Do I have to get standard Cyber Essentials before CE+?
Yes. CE+ is only available to organisations that already hold a valid standard Cyber Essentials certificate, and the CE+ assessment must be completed within three months of that standard CE certification date. If the three-month window passes, the standard CE must be renewed before CE+ can proceed.
Is Cyber Essentials Plus mandatory for government contracts?
Standard CE is mandatory for all UK government contracts that involve handling personal information or providing certain ICT products and services. CE+ is specifically required for MOD contracts involving personal data or certain classified information. Individual departments may set CE+ as a requirement for higher-risk contract types. Always check the specific contract notice for the assurance level required.
What are the most common reasons organisations fail a CE+ audit?
The most common failure points are: unpatched software (critical patches not applied within 14 days), unsupported software that no longer receives security updates, default or weak credentials on administrative accounts, firewall rules that are broader than required, and MFA not enforced on internet-facing accounts. Scope inaccuracies (where the CE+ scan finds internet-facing assets not declared in the standard CE submission) also cause assessment complications.
© SureCloud 2026. All rights reserved.