- Cyber Essentials
- 10th Jun 2026
Cyber Essentials Accreditation: CE+ Audit Prep Guide
In Short
- Cyber Essentials Plus independently verifies the same five controls as Cyber Essentials. Auditors test controls through vulnerability scanning, configuration reviews, device sampling, and firewall validation.
- Patch management is the biggest cause of failure. Unsupported software, overdue critical patches, and unpatched applications are the most common issues found during audits.
- Scope mistakes create avoidable audit problems. All internet-connected devices, cloud services, and work devices accessing organisational systems must be correctly included in scope.
- Preparation is the difference between passing and failing. Running internal vulnerability scans, reviewing configurations, removing end-of-life software, and validating filtering controls before the audit significantly improves first-time pass rates.
Cyber Essentials Plus is not a paperwork exercise. Auditors verify that controls are operating in practice, not just documented correctly. Organisations that maintain patching, configuration management, and device inventories throughout the year typically find the audit straightforward, while those relying on last-minute remediation often encounter delays, failures, and additional costs.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about Cyber Essentials accreditation
"The most common technical failure points in Cyber Essentials Plus audits — specifically whether patch management gaps or misconfigured devices cause more first-time failures, and what preparation makes the biggest practical difference."
Key Facts
- 3 months: CE+ must be completed within three months of achieving standard Cyber Essentials certification.
- 5 controls: CE+ independently tests the same five control areas as Cyber Essentials: firewalls, secure configuration, access control, malware protection, and patch management.
- 14 days: Critical and high-risk security patches must be applied within 14 days of vendor release.
- 0 tolerance for end-of-life software: Unsupported software on any in-scope device is an automatic audit failure.
- Authenticated vulnerability scanning: Auditors log into sample devices to verify patch levels, software versions, and security configurations.
- Independent verification: Unlike Cyber Essentials, CE+ requires technical testing by an IASME-accredited certification body.
- Cloud services count: Cloud workloads, virtual machines, and remote-working devices must be assessed where they fall within scope.
- Most common failures: Unpatched applications, default credentials, unsupported software, misconfigured cloud instances, and inadequate email/web filtering.
CE+ Accreditation vs Standard Cyber Essentials: What Is Different
Standard Cyber Essentials certification is based on a self-assessment questionnaire: your organisation answers questions about how the five controls are implemented, and an Assured Service Provider (ASP) reviews and certifies your answers. Cyber Essentials Plus uses the same five controls as its scope but requires independent technical verification that those controls are actually working as you have described.
CE+ audits are conducted by IASME-accredited certification bodies — organisations licensed by IASME, which manages the Cyber Essentials scheme on behalf of the NCSC. The auditor is not from NCSC directly. They use the NCSC-published Cyber Essentials Plus test specification to structure their audit activities, and their findings are submitted to IASME for certification.
The three-month window is a critical operational constraint. From the date of your standard Cyber Essentials certificate, you have three months to complete CE+ certification. If that window lapses, you must re-certify at the standard CE level before proceeding to CE+. Plan accordingly: CE+ should be scheduled as part of the same project as standard CE, not treated as an optional follow-up.
What CE+ Auditors Actually Test
The CE+ test specification covers the same five control areas as standard Cyber Essentials, but verifies them through direct technical testing rather than reviewing your answers.
Authenticated Vulnerability Scanning
Auditors conduct authenticated vulnerability scans of in-scope devices. An authenticated scan logs into target devices using credentials, allowing the scanner to enumerate installed software, check patch levels, and identify known vulnerabilities that would not be visible to an external scanner. This is materially different from a perimeter scan: it directly surfaces unpatched applications and operating systems inside your network boundary.
The patch management control under Cyber Essentials requires that high-risk and critical patches are applied within 14 days of release, and that software that is no longer supported by its vendor (and therefore no longer receiving security patches) is removed from in-scope devices. Authenticated scanning directly tests both requirements. A single device running an end-of-life operating system or with a critical patch more than 14 days overdue will cause a finding.
Configuration Review
Auditors review device configurations against the Cyber Essentials secure configuration control. Key checks include:
- Whether default passwords have been changed on in-scope devices, network hardware, and software accounts.
- Whether unnecessary user accounts — including default vendor accounts — have been disabled or removed.
- Whether auto-run and auto-play are disabled on relevant devices.
- Whether device lockout and screen lock settings meet the requirements.
- Whether unnecessary software and services have been removed or disabled.
Cloud services and virtual machines within scope are subject to the same configuration checks. A common error is to apply rigorous configuration standards to physical devices while leaving cloud instances — particularly newly provisioned virtual machines — in a near-default state.
Sample Device Checks
Auditors do not test every device in your estate — they work from a sample. The sample typically includes a representative selection of device types, operating systems, and organisational roles. The selection is made by the auditor, not by the organisation being assessed. Presenting only your best-configured devices as the 'sample' is not viable: auditors select the sample from your declared in-scope device inventory.
This has a practical implication: you cannot have a subset of devices that are CE+-compliant and a wider estate that is not. If your device inventory includes systems that fail the technical tests, they will likely appear in the auditor's sample.
Email and Web Browsing Controls Testing
The malware protection control includes requirements for email filtering and web browsing controls. Auditors test these using a set of standard test cases published in the CE+ test specification, including:
- Malicious file attachment delivery tests (attempting to deliver test files with specific characteristics that should be blocked by a compliant mail filter).
- Web browsing tests against known malicious or inappropriate content categories that a compliant web proxy or DNS filtering service should block.
Organisations that rely on end-user antivirus alone to handle malicious email attachments and web content — rather than gateway-level filtering — frequently fail this section. The control requires active filtering, not just detection after delivery.
Firewall and Network Boundary Testing
The boundary firewalls and internet gateways control is tested by attempting connections from outside the network boundary to in-scope systems. Open ports and services that are accessible from the internet and are not required for business purposes represent a failure against this control. Auditors also check firewall rule sets to identify configurations that do not conform to a default-deny approach.
Scoping Your Devices Correctly
Incorrect scoping is one of the most common preparation errors. The scope for CE+ must be consistent with the scope declared in your standard Cyber Essentials self-assessment. You cannot reduce scope between the two assessments to exclude problematic devices.
The Cyber Essentials scope includes all devices that can access organisational data or services over the internet. This explicitly includes:
- Laptops, desktops and workstations — including personally owned devices used for work if they access organisational systems.
- Servers that are internet-connected, either directly or through a management plane accessible from the internet.
- Cloud services consumed by the organisation, assessed against the applicable control requirements for cloud environments.
- Mobile devices that access email or organisational applications.
Devices that are network-isolated and have no internet connectivity are outside scope. Production OT (operational technology) and IoT devices are handled through separate guidance. When in doubt, include a device in scope rather than attempting to exclude it — exclusions are scrutinised by auditors.
Common Audit Failure Points
Based on the audit requirements, the following are the most common sources of CE+ failure:
| Failure Point | Control Area |
| --- | --- |
| Unpatched applications (especially browsers, Office suites, PDF readers) past the 14-day window | Patch management |
| End-of-life or unsupported software present on in-scope devices | Patch management |
| Default credentials left on network hardware, cloud instances, or software accounts | Secure configuration |
| Unnecessary open ports accessible from the internet | Boundary firewalls |
| Email gateway that does not block test malicious attachment types | Malware protection |
| No web content filtering — reliance on endpoint AV only | Malware protection |
| Personally owned devices in scope without MDM or equivalent controls applied | User access control / Secure configuration |
| Cloud services in scope not assessed against controls (treated as out of scope by error) | All five controls |
Pre-Audit Checklist
Complete this checklist before your CE+ audit date:
Patch Management
- Run authenticated vulnerability scans on all in-scope devices and review output.
- Apply any outstanding critical or high-risk patches. Verify patch status on all in-scope devices.
- Identify and remove or isolate any end-of-life software or operating systems.
- Document your patch management process and evidence that patches were applied within 14 days.
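A triage of authenticated-scan output against the two patch-management rules this guide describes (critical/high patches within 14 days, zero tolerance for end-of-life software), which is what the scan review and evidence steps above amount to in practice. This is an added example, not SureCloud's or the CE+ test specification's tooling; the hostnames, patch ids, dates and the scan record format are constructed.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # CE+ deadline for critical/high patches
AUDIT_DATE = date(2026, 6, 10)      # constructed audit date for the sample

# Constructed sample of what an authenticated scan reports per device.
# support_end: vendor end-of-support date, None while still supported.
# patches: (patch id, severity, vendor release date, install date or None).
SCAN = [
    {"host": "LAPTOP-01", "software": "ExampleOS 11", "support_end": None,
     "patches": [("KB-EXAMPLE-A", "critical", date(2026, 5, 20), date(2026, 5, 28)),
                 ("KB-EXAMPLE-B", "high", date(2026, 5, 1), None)]},
    {"host": "VM-WEB-02", "software": "ExampleOS 9", "support_end": date(2026, 3, 31),
     "patches": []},
    {"host": "DESK-07", "software": "PDF Reader 12.1", "support_end": None,
     "patches": [("PDF-EXAMPLE-C", "low", date(2026, 4, 1), None),
                 ("PDF-EXAMPLE-D", "critical", date(2026, 6, 1), None)]},
]

def assess_patching(scan, audit_date=AUDIT_DATE):
    """Apply the two CE+ patch-management rules to scan output.

    Returns (failures, evidence). Each failure is (host, kind, item, days),
    where kind is "EOL" or "OVERDUE" and days is how far past the deadline
    the device is. Each evidence entry is (host, patch id, days to install)
    for critical/high patches applied inside the 14-day window.
    """
    failures, evidence = [], []
    for dev in scan:
        # Rule 1: end-of-life software on an in-scope device is an automatic failure.
        end = dev["support_end"]
        if end is not None and end < audit_date:
            failures.append((dev["host"], "EOL", dev["software"], (audit_date - end).days))
        for pid, severity, released, installed in dev["patches"]:
            if severity not in ("critical", "high"):
                continue  # the 14-day rule applies to critical/high patches only
            deadline = released + PATCH_WINDOW
            if installed is None:
                # Rule 2: a missing critical/high patch is a finding once the window has passed.
                if audit_date > deadline:
                    failures.append((dev["host"], "OVERDUE", pid, (audit_date - deadline).days))
            elif installed <= deadline:
                # Applied in time: usable as evidence for the patch-process documentation.
                evidence.append((dev["host"], pid, (installed - released).days))
    return failures, evidence

if __name__ == "__main__":
    fails, proof = assess_patching(SCAN)
    for host, kind, item, days in fails:
        print(f"FAIL {host}: {kind} {item} ({days} days past deadline)")
    print(f"{len(proof)} patch(es) applied within the 14-day window")
```

A patch released inside the last 14 days and not yet applied (DESK-07 in the sample) is not a finding yet, which is why the audit date, not today's date, should drive the check.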
Secure Configuration
- Change all default passwords on in-scope devices, network hardware, cloud services, and software accounts.
- Disable or remove unnecessary user accounts and default vendor accounts.
- Review and apply screen lock, auto-run, and lockout settings across all in-scope devices.
- Audit cloud instance configurations — do not leave newly provisioned virtual machines in default states.
Email and Web Filtering
- Confirm your mail gateway is configured to block the CE+ test file types.
- Confirm web browsing controls are active at gateway or DNS level, not endpoint only.
- Test both controls using your own internal verification before the audit.
Firewall and Network Boundary
- Review firewall rule sets and remove or disable rules allowing unnecessary inbound connections.
- Run an external port scan against your internet-facing boundary to identify any unexpectedly open ports.
- Confirm default-deny is your inbound rule base posture.
Scope and Documentation
- Confirm your in-scope device inventory is complete and consistent with your standard CE submission.
- Ensure team members who will need to provide auditor access are available on audit day.
- Prepare read-only administrative access for auditors to scan and review in-scope systems.
- Have your standard Cyber Essentials certificate and submission documentation available.
Who Needs to Be Available on Audit Day
CE+ audits require access to in-scope systems and the ability to answer technical questions in real time. The following roles should be available on the day of the audit:
- IT administrator or systems engineer with read access to device configurations, patch status logs, and firewall rule sets.
- Network engineer or security lead who can speak to firewall configuration and boundary controls.
- Cloud platform administrator if cloud services are in scope.
Auditors typically require a pre-agreed window — usually a half-day to full day depending on scope — and may request remote access tools or on-site presence depending on the certification body's approach. Confirm the logistics with your certification body at least two weeks before the scheduled audit date.
What Happens if You Fail
A failed CE+ audit is not a failed certification — it is a finding that specific controls are not meeting the technical requirements. Your certification body will provide a report identifying the specific failures. You address those failures and schedule a retest.
Retest scope is typically limited to the failed control areas — you do not repeat the entire audit. Retest timing and cost vary by certification body: check whether a retest is included in your original audit fee or charged separately. Most certification bodies allow at least one retest within a defined window.
One important constraint: if your standard Cyber Essentials certificate expires during a CE+ retest process, you will need to renew standard CE before CE+ can be re-attempted. This is another reason to start the CE+ process well within the three-month window rather than at the last moment.
FAQs
Who conducts Cyber Essentials Plus audits?
CE+ audits are conducted by IASME-accredited certification bodies — organisations licensed by the IASME Consortium, which administers Cyber Essentials on behalf of the NCSC. The NCSC does not conduct audits directly. Certification bodies are listed on the IASME website. Not all Assured Service Providers are also certification bodies — check that your chosen provider is licensed to conduct CE+ technical audits if you want to use the same organisation for both standard CE and CE+.
How long does the CE+ audit take?
Audit duration depends on the size and complexity of your in-scope estate. For small organisations with a well-defined scope, a remote audit may be completed in a half-day. Larger organisations with complex network environments or significant cloud footprints should plan for a full day or multiple sessions. Your certification body will give you a time estimate once they have reviewed your scope documentation.
Can I reduce scope to exclude problematic devices?
Scope must be consistent between your standard Cyber Essentials self-assessment and your CE+ audit. You cannot exclude devices from CE+ scope that were included in your standard CE submission. Attempting to do so would mean the CE+ certificate applies to a different scope than the standard CE certificate, which undermines the purpose of the accreditation.
What is the difference between Cyber Essentials accreditation and certification?
In common usage, both terms refer to achieving the Cyber Essentials or Cyber Essentials Plus standard — obtaining the certificate. 'Accreditation' more precisely refers to the formal recognition of the scheme or its assessors by IASME and the NCSC. For practical purposes, if you are searching for how to get Cyber Essentials accredited, the process is: complete the self-assessment for standard CE, then proceed to CE+ audit if required.
Does CE+ cover cloud services?
Yes. Cloud services that are consumed by the organisation and are within scope are assessed against all five Cyber Essentials controls. The NCSC publishes guidance on how the controls apply to cloud environments. Auditors will check cloud instance configurations and, where applicable, verify that cloud service configurations meet the control requirements. Treating cloud services as automatically out of scope is a common error.
© SureCloud 2026. All rights reserved.