- Cyber
- 29th Apr 2026
Cyber Essentials Plus: How to Operationalise It
In Short...
- CE+ is not a one-off certification — operationalising it means embedding controls into daily processes, not preparing for single audits.
- The challenge is proof, not controls — organisations fail because they can't demonstrate controls are consistently applied over time.
- Success depends on cross-functional ownership — IT, HR, procurement, and leadership all play roles in maintaining control effectiveness.
- Scope and behaviour determine outcomes — poorly defined environments and misaligned user behaviours are where most programmes break down.
Cyber Essentials Plus only delivers value when controls are continuous, repeatable, and aligned to how the business actually operates, not just documented for audit.
Introduction
Most organisations that pursue Cyber Essentials Plus do so for the badge. Few build the processes that make it stick. I sat down with Gabriel Few-Wiegratz, Product Marketer at SureCloud, who works closely with our customers and the market, to get an honest account of what operationalising CE+ actually means and where organisations consistently fall down.
Let's start with the term itself. "Operationalise" gets used a lot. What does it actually mean in this context?
Gabriel:
To me, operationalising means making something a continuous, repeatable reality, not a one-off project. SOC 2 is often called a checklist certification. You do an audit, you get your badge, you walk away. Cyber Essentials is different. It's an annual assessment, but auditors want to see that controls weren't just in place on audit day, that they were baked into what you do every day.
Think of it like cooking. You and I could cook pasta. We might even cook great pasta. But that doesn't mean we could run a restaurant kitchen, train staff, have consistent processes, and the same standard of output every sitting.
Operationalising is just that: putting structure in place so something isn't a one-off. It's about something you are doing by default.
What separates Cyber Essentials from Cyber Essentials Plus at a practical level?
Gabriel:
Both require technical controls. But CE+ has a technical audit by a standalone auditor. And to pass that extra rigour, you're not just showing a risk register or a pass/fail control list. You need continued evidence and policies that prove this isn't being ad-hocked. Auditors want evidence that these practices are embedded. That's what trips people up. The controls aren't new. The proof that they're habit is harder.
Is CE+ still credible as a security standard? Some feel it's showing its age.
Gabriel:
Scepticism around security badges is fair. SOC 2 has taken a lot of recent heat there, with a perception that certifications get handed out too easily.
CE+ is a UK certification, so it doesn't carry as much weight with large global or American businesses. But for UK mid-market organisations, it remains a meaningful signal that security is taken seriously.
What's interesting is the barrier to entry. The commercial cost is low but the technical requirements are genuinely rigorous. I think as a business you're not going to pursue CE+ unless you believe you can achieve it. That self-selection gives it some legitimacy.
And finally, there are five core control areas: user access, secure config, firewalls, malware protection and patch management.
The key is this is a small enough group to be manageable but one that's not aged out at all.
Let's think about it in the context of a modern threat. Phishing is one of the most common attack vectors, and today some businesses are seeing AI run these campaigns at a larger scale and with more targeted messages. Yet all 5 of our control principles remain relevant.
1. If social engineering becomes more effective, then you need user access controls to stop the compromise from turning into privilege escalation.
2. Payloads from any phishing still need somewhere to land and something to abuse, so removing default creds or unnecessary services helps to confine that, i.e. secure config.
3. The ability for adversaries to laterally move still relies on exploits. Those that are known are quickly solved with software patches.
4. Rules and signatures don't quite work anymore so good behavioural detection is even more important to stop masquerading payloads so you can assess the legitimacy.
5. The firewall might not be wholly relevant for this threat but even having geographic restrictions so outbound traffic doesn't go back to certain territories you know you don't participate in could help to stop C2 or exfil.
All in all, CE+ is still focused and reputable.
Walk us through the five controls and how they interact.
Gabriel:
- Secure configuration means you have the right software, services, and accounts set up so they can't be changed arbitrarily, using unique credentials, without default admin settings. In a practical context: if you're inviting a freelancer into some of your SaaS tools, are you giving them only what they need, nothing more?
- User access control overlaps with that, but it's specifically about least privilege — you have access to what your role requires, and no more. HR are a key player here, not just IT. New joiners, leavers, role changes — all of that affects access permissions. If your business has been running for a while with lax controls, there's often a tail of accumulated permissions that nobody's ever reviewed.
- Firewalls define your perimeter. With remote workers and SaaS-heavy environments, this is increasingly complicated. Firewall rules, like exclusion lists and ASN restrictions, all need to account for where work is actually happening, not just where it used to happen.
- Malware protection is active detection and response. That includes allow-listing known safe file types and sandboxing suspicious downloads before they can do any harm. Basically, controls to make sure the item is isolated, examined, and only released if it's clean.
- Patch management is arguably where most operational pain lives: keeping software current and applying security patches quickly. The challenge is shadow IT: how do you patch what you don't know someone has installed? And zero-day vulnerabilities can't be anticipated by definition. You can only have the processes in place to respond fast.
The cross-functional dependency here is the real complexity. IT and security handle most of the technical controls. But HR are critical for access management. Procurement and legal are often the ones who know your third-party risk exposure.
The risk is fragmentation: everyone has one piece of the picture, and that consistency breaks down outside of audit season.
How should organisations think about scope?
Gabriel:
Scoping isn't really optional with CE+. You have the five control themes and they apply across your whole defined environment.
But how you start still matters. It's more sustainable to start with smaller scopes (a business unit, a type of risk, a region), identify all the assets and people within it, then map those against the five control areas. This also helps segment the responsibility.
There's also a difference by company size. Smaller organisations tend to scope by risk type, e.g. internal risks, supply chain risks, external threats, as they're often building a register at the same time.
Larger organisations often scope by business unit or region first. The key is repeatability: whatever scope you choose, you need to be able to run this process consistently, not just pull it together for an audit. Oh, and once you've done that, you need to perform it again until your whole business is represented.
Cloud vs on-prem also poses a challenge. Cloud tends to get treated as a separate scope which, to be fair, it largely is. I think ITDesk said about 85 percent of businesses now run hybrid environments. Visibility has historically been weaker in the cloud because it's more complex, data is always changing, there's not always diagnostic tools and teams aren't always educated in it.
The short answer: across your 5 control categories, treating cloud as its own defined scope lets you make sure you build controls for it specifically.
What does embedding look like in practice? How do you build controls into ongoing operations?
Gabriel:
The best example I've seen was someone transitioning from a security consulting role into an internal security team. First thing they did was sit down with each department head and ask: what do your people actually do, day-to-day? How are they measured? What are their habits?
That sounds obvious. But most security implementations skip it. The result is controls that are technically correct but incompatible with people, so those people get annoyed or find workarounds.
If you design controls that fit how people actually work, two things happen: the controls hold, and security stops being seen as the blocker and starts being seen as a team member.
Red and blue team exercises are underused here too. Run a scenario, like a new joiner who has been given excess access and is transferring files to an external platform. What do your controls catch? What did they miss? What's in the policy that would have prevented it? That kind of structured testing is how you know controls are actually embedded, not just documented.
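The two points above that most often turn into a spreadsheet exercise are the "tail of accumulated permissions" in the user access control section and the new-joiner exfil scenario Gabriel describes here. The script below is an added example, not SureCloud's code or anything Gabriel referenced: it reconciles a constructed HR roster against a constructed IAM group export (active leavers, orphan accounts, groups beyond an assumed per-role baseline) and then replays the scenario against a constructed file-transfer log. The group names, the 30-day joiner window, the destination allow-list and the review date are all assumptions.

```python
"""Access reconciliation and a replay of the 'new joiner sends files out' scenario.

Added example (not SureCloud's code). All data below is constructed; the role
baselines, joiner window, destination allow-list and review date are assumptions.
"""
from datetime import date

# Assumed review date (the article's publication day).
REVIEW_DATE = date(2026, 4, 29)

# Constructed HR roster: one record per person, end=None means still employed.
HR_ROSTER = [
    {"user": "asha", "role": "finance",  "start": date(2025, 11, 3), "end": None},
    {"user": "ben",  "role": "engineer", "start": date(2024, 2, 12), "end": date(2026, 3, 31)},
    {"user": "cara", "role": "engineer", "start": date(2026, 4, 20), "end": None},
    {"user": "dev",  "role": "sales",    "start": date(2023, 6, 1),  "end": None},
]

# Constructed IAM group export as it stands on review day.
IAM_EXPORT = {
    "asha": {"finance-ro", "finance-approver", "eng-deploy"},  # moved teams, kept eng-deploy
    "ben": {"eng-read", "eng-deploy"},                         # left in March, never disabled
    "cara": {"eng-read", "eng-deploy", "sharepoint-admin"},    # new joiner given admin "to get started"
    "dev": {"crm-rw"},
    "svc-legacy": {"eng-deploy"},                              # no HR record owns this account
}

# Assumed least-privilege baseline per role (hypothetical group names).
ROLE_BASELINE = {
    "finance": {"finance-ro", "finance-approver"},
    "engineer": {"eng-read", "eng-deploy"},
    "sales": {"crm-rw"},
}

# Assumed policy parameters.
NEW_JOINER_DAYS = 30
SANCTIONED_DESTINATIONS = {"mail.corp.example", "crm.example"}

# Constructed file-transfer audit log (assumed fields: day, user, destination, size in MB).
TRANSFER_LOG = [
    {"day": date(2026, 4, 28), "user": "cara", "dest": "dropbox.example", "mb": 850},
    {"day": date(2026, 4, 28), "user": "asha", "dest": "mail.corp.example", "mb": 4},
    {"day": date(2026, 4, 29), "user": "ben", "dest": "drive.example", "mb": 120},
    {"day": date(2026, 4, 29), "user": "dev", "dest": "crm.example", "mb": 2},
]


def reconcile_access(roster, iam, role_baseline, today):
    """Joiners/movers/leavers review: active leavers, orphan accounts, and
    groups held beyond the role baseline (the 'accumulated permissions' tail)."""
    people = {r["user"]: r for r in roster}
    findings = {"leavers_active": [], "orphans": [], "excess": {}}
    for user, groups in sorted(iam.items()):
        rec = people.get(user)
        if rec is None:
            findings["orphans"].append(user)
            continue
        if rec["end"] is not None and rec["end"] < today:
            findings["leavers_active"].append(user)  # disable outright; no point grading its groups
            continue
        extra = groups - role_baseline.get(rec["role"], set())
        if extra:
            findings["excess"][user] = sorted(extra)
    return findings


def scenario_findings(log, roster, iam, role_baseline, today, joiner_days=NEW_JOINER_DAYS):
    """Replay the red/blue scenario: which external transfers would the access
    controls have caught, and for what reasons?"""
    review = reconcile_access(roster, iam, role_baseline, today)
    people = {r["user"]: r for r in roster}
    hits = []
    for ev in log:
        if ev["dest"] in SANCTIONED_DESTINATIONS:
            continue
        user = ev["user"]
        why = ["destination not on the allow-list"]
        if user in review["leavers_active"]:
            why.append("leaver account still active")
        if user in review["orphans"]:
            why.append("account has no HR owner")
        rec = people.get(user)
        is_new = rec is not None and rec["end"] is None and (today - rec["start"]).days <= joiner_days
        if is_new and user in review["excess"]:
            why.append("new joiner holding excess groups: " + ", ".join(review["excess"][user]))
        hits.append({"user": user, "dest": ev["dest"], "mb": ev["mb"], "why": why})
    return hits


if __name__ == "__main__":
    for k, v in reconcile_access(HR_ROSTER, IAM_EXPORT, ROLE_BASELINE, REVIEW_DATE).items():
        print(f"{k}: {v}")
    for hit in scenario_findings(TRANSFER_LOG, HR_ROSTER, IAM_EXPORT, ROLE_BASELINE, REVIEW_DATE):
        print(f"{hit['user']} -> {hit['dest']} ({hit['mb']} MB): " + "; ".join(hit["why"]))
```

The point of keeping the HR roster as the source of truth is the one Gabriel makes: IT can only grade accounts against a role baseline if HR feeds joiner, mover and leaver events into the review, and running this on a schedule rather than before the assessor arrives is what turns the check into evidence that the control is a habit.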
How do you measure whether CE+ is genuinely embedded, not just present on paper?
Gabriel:
Beyond the badge itself which is obvious evidence, I'd maybe look at threats prevented per intrusion attempt. Every time a phishing email is reported, every time a user tries to access a file they shouldn't and IT gets notified. All of that's proof your controls are working. It's hard to measure what you've stopped, but when you can demonstrate it, that's your strongest sign.
What about leadership? Does buy-in at the top actually matter?
Gabriel:
Absolutely. And the irony is that executives are often the worst offenders. It's their business, so they feel like the rules don't apply to them. They'll send a password over email. They'll share something externally that absolutely shouldn't leave the building. If leadership behaviour doesn't match, then no one below takes it seriously either. You have to be top-down.
The case for culture change is pretty concrete. You can look at similar-sized businesses that got breached, lost millions or lost customer trust. CE+ doesn't account for cultural change but those that are really operationalising it will be communicating the cost of inaction to their board.
Finally, is CE+ enough? And what does AI change?
Gabriel:
CE+ is the essentials. It's a legitimate starting point. But regulation is moving faster than frameworks. DORA, UK GDPR, NIS2 and now the UK Cyber Security and Resilience Bill all carry real legal weight that CE+ doesn't. CE+ covers a lot of bases but they will need to figure out where there are overlapping control requirements to keep pace with mandatory obligations.
On AI. I think it's incremental rather than revolutionary for most organisations. It potentially helps with analysis but AI also introduces new risk. AI governance is going to become part of the control scope. That's a category CE+ wasn't designed for. So if anything, AI accelerates the need to go beyond the framework not replace it.
Make Cyber Essentials Plus Part of How You Operate
“In SureCloud, we’re delighted to have a partner that shares in our values and vision.”
Read more on how Mollie achieved a data-driven approach to risk and compliance with SureCloud.