Cyber Essentials Plus: How to Operationalise It
  • Cyber
  • 29th Apr 2026
  • 1 min read

In Short

TLDR: 4 Key Takeaways

  • CE+ is not a one-off certification — operationalising it means embedding controls into daily processes, not preparing for audit snapshots.

  • The challenge is proof, not controls — organisations fail because they can’t demonstrate controls are consistently applied over time.

  • Success depends on cross-functional ownership — IT, HR, procurement, and leadership all play roles in maintaining control effectiveness.

  • Scope and behaviour determine outcomes — poorly defined environments and misaligned user behaviours are where most programmes break down.

Cyber Essentials Plus only delivers value when controls are continuous, repeatable, and aligned to how the business actually operates—not just documented for audit.

Introduction

Most organisations that pursue Cyber Essentials Plus do so for the badge. Few build the processes that make it stick. I sat down with Gabriel Few-Wiegratz, Product Marketer and GRC Specialist at SureCloud, to get an honest account of what operationalising CE+ actually means — and where organisations consistently fall down.

Let's start with the term itself. "Operationalise" gets used a lot. What does it actually mean in this context?

Gabriel:

Operationalising means making something a continuous, repeatable reality — not a one-off project. SOC 2 is often called a checklist certification. You do an audit, you get your badge, you walk away. Cyber Essentials is different. It isn't a point-in-time assessment. When you're reassessed, auditors are looking at evidence across a much wider time period. They want to see that controls weren't just in place on audit day — they were baked into what you do every day.

Think of it like cooking. You and I could cook pasta. We might even cook great pasta. But that doesn't mean we could run a restaurant kitchen — with trained staff, consistent processes, and the same standard of output every service. Operationalising is just that: putting structure in place so something isn't a one-off. It becomes what you do by default.

What separates Cyber Essentials from Cyber Essentials Plus at a practical level?

Gabriel:

Both require technical controls. But CE+ is examined — and to pass that extra rigour, you're not just showing a risk register or a pass/fail control list. You need policy documents that prove this isn't being ad-hocked. Auditors want evidence that these practices are embedded. That's what trips people up. The controls aren't new. The proof that they're habitual — that's harder.

Is CE+ still credible as a security standard? Some feel it's showing its age.

Gabriel:

Scepticism around security badges is fair — SOC 2 has taken a lot of the heat there, with a perception that certifications get handed out too easily. CE+ is a UK certification, so it doesn't carry much weight with large global or American businesses. But for UK mid-market organisations, it remains a meaningful signal that security is taken seriously.

What's interesting is the barrier to entry. The commercial cost is low — but the technical requirements are genuinely rigorous. You're not going to pursue CE+ unless you believe you can achieve it. That self-selection gives it some legitimacy.

And the five core control areas — user access, secure configuration, firewalls, malware protection, patch management — are broad enough that they haven't aged out. We talk a lot about humans being the weakest link. That hasn't changed. AI is now enabling phishing and spoofing campaigns to run at marketing scale. Even the most socially engineered attack is dramatically limited in impact if user access controls mean the compromised account can only reach a narrow set of systems.

Walk us through the five controls and how they interact.

Gabriel:

Sure. And I'll be honest — the people responsible for each of these are more varied than most security teams expect:

  1. Secure configuration means you have the right software, services, and accounts — set up so they can't be changed arbitrarily, using unique credentials, without default admin settings. In a practical context: if you're inviting a freelancer into some of your SaaS tools, are you giving them only what they need, nothing more?

  2. User access control overlaps with that, but it's specifically about least privilege — you have access to what your role requires, and no more. HR are a key player here, not just IT. New joiners, leavers, role changes — all of that affects access permissions. If your business has been running for a while with lax controls, there's often a tail of accumulated permissions that nobody's ever reviewed.

  3. Firewalls define your perimeter. With remote workers and SaaS-heavy environments, this is increasingly complicated. Firewall rules — exclusion lists, access restrictions — need to account for where work is actually happening, not just where it used to happen.

  4. Malware protection is active detection and response. That includes allow-listing known safe file types, sandboxing suspicious downloads before they can do any harm. Think of it like quarantine — the item is isolated, examined, and only released if it's clean.

  5. Patch management is arguably where most operational pain lives. Keeping software current and applying security patches quickly. The challenge is shadow IT — how do you patch what you don't know someone has installed? And zero-day vulnerabilities can't be anticipated by definition. You can only have the processes in place to respond fast.

The cross-functional dependency here is the real complexity. IT and security handle most of the technical controls. But HR are critical for access management. Procurement and legal are often the ones who know your third-party risk exposure. The risk is fragmentation — everyone has one piece of the picture, and that consistency breaks down outside of audit season.

How should organisations think about scope?

Gabriel:

Scoping isn't really optional with CE+ — the five controls apply across your defined environment. But how you define that environment matters. Gartner frames this as a continuous cycle: identify the scope (a business unit, a type of risk, a region), identify all the assets and people within it, then map those against the five control areas.

Smaller organisations tend to scope by risk type — internal risks, supply chain risks, external threats. Larger organisations often scope by business unit or region first. The key is repeatability: you need to be able to run this process consistently for whatever scope you've defined, not just pull it together for an audit.

Cloud assets are where this gets genuinely difficult. Cloud tends to get treated as a separate problem — which, to be fair, it largely is. Ninety percent of businesses now run hybrid environments. Visibility has historically been weaker in the cloud because it's more complex and teams aren't always educated in it. The short answer: treat cloud as its own defined scope and build controls for it specifically.

What does embedding look like in practice? How do you build controls into ongoing operations?

Gabriel:

The best example I've seen was someone transitioning from an external security consulting role into an internal one. First thing she did was sit down with each department head and ask: what do your people actually do, day-to-day? How are they measured? What are their habits?

That sounds obvious. But most security implementations skip it. The result is controls that are technically correct but behaviourally incompatible — so people find workarounds. If you design controls that fit how people actually work, two things happen: the controls hold, and security stops being seen as the blocker and starts being seen as a team member.

Red and blue team exercises are underused here too. Run a scenario — a new joiner has been given excess access and is transferring files to an external platform. What do your controls catch? What did they miss? What's in the policy that would have prevented it? That kind of structured testing is how you know controls are actually embedded, not just documented.

How do you measure whether CE+ is genuinely embedded, not just present on paper?

Gabriel:

Beyond the badge itself — which is actually meaningful evidence — I'd look at threats prevented per intrusion attempt. Every time a phishing email is caught, every time a user tries to access a file they shouldn't and gets blocked — that's proof your controls are working. It's hard to measure what you've stopped, but when you can demonstrate it, that's your strongest signal.

What about leadership? Does buy-in at the top actually matter?

Gabriel:

Absolutely. And the irony is that executives are often the worst offenders. It's their business — they feel like the rules don't apply to them. They'll send a password over email. They'll share something externally that absolutely shouldn't leave the building. If leadership behaviour isn't aligned, no one below takes it seriously either. The tone is top-down.

The case for culture change isn't usually abstract — it's examples. Similar-sized businesses that got breached, lost millions, lost customer trust. Some businesses think they'll just absorb the fine if it comes to it. What they don't account for is that non-compliance makes you a much more visible target for retargeting.

Finally — is CE+ enough? And what does AI change?

Gabriel:

CE+ is the essentials. It's a legitimate starting point. But regulation is moving faster than frameworks. DORA, GDPR, NIS2 — and now the UK Cyber Security and Resilience Bill — these carry real legal weight that CE+ doesn't. They have overlapping control requirements, but the stakes are different. Businesses are going to have to mature past CE+ faster than they might expect just to keep pace with mandatory obligations.

On AI — I think it's incremental rather than revolutionary for most organisations. It potentially helps with monitoring: if you want to understand how many employees are running unpatched systems or rejecting automatic updates, AI can surface those insights without requiring a dedicated tool. That kind of passive monitoring can drive proactive decisions.

But AI also introduces new risk. AI governance is going to become part of the control scope. That's a category CE+ wasn't designed for. So if anything, AI accelerates the need to go beyond the framework — not replace it.
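As an added example that is not part of the interview or SureCloud's product, the user-access control Gabriel describes (HR-driven joiners, leavers and accumulated permissions) and the red/blue scenario of a new joiner moving files to an external platform can be turned into one repeatable check. The role baseline, HR roster and directory export below are all constructed sample data.

```python
"""Access review: reconcile an HR roster with directory grants, then evaluate
the 'new joiner sends a file externally' scenario against the role baseline."""

# Hypothetical least-privilege baseline: the entitlements each role needs.
ROLE_BASELINE = {
    "finance-analyst": {"erp-read", "sharepoint-finance"},
    "marketing-exec": {"cms-edit", "crm-read"},
}

# Constructed HR roster: user -> (role, status). HR owns this record, not IT.
HR_ROSTER = {
    "amara": ("finance-analyst", "active"),
    "ben": ("marketing-exec", "active"),       # new joiner
    "chloe": ("finance-analyst", "left"),      # leaver
}

# Constructed directory export: user -> entitlements actually granted.
DIRECTORY = {
    "amara": {"erp-read", "sharepoint-finance"},
    "ben": {"cms-edit", "crm-read", "sharepoint-finance"},  # excess grant
    "chloe": {"erp-read"},                     # never deprovisioned
    "svc-legacy": {"erp-admin"},               # no HR record at all
}

def review_access(roster, directory):
    """Return sorted (user, finding) pairs; an empty list means clean."""
    findings = []
    for user, grants in directory.items():
        if user not in roster:
            findings.append((user, "no-hr-record"))
            continue
        role, status = roster[user]
        if status == "left" and grants:
            findings.append((user, "leaver-still-active"))
        excess = grants - ROLE_BASELINE.get(role, set())
        if excess:
            findings.append((user, "beyond-role:" + ",".join(sorted(excess))))
    return sorted(findings)

def evaluate_transfer(user, resource, destination, roster, directory):
    """Blue-team check for 'user sends resource to destination'.
    Returns the control failures the event should have tripped."""
    reasons = []
    role = roster.get(user, (None, None))[0]
    allowed = ROLE_BASELINE.get(role, set())
    if resource in directory.get(user, set()) and resource not in allowed:
        reasons.append("excess-grant-used")
    if destination == "external":
        reasons.append("external-transfer")
    return reasons
```

Running `review_access` on every directory export, not just before an audit, is what turns the control from a snapshot into a habit.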

Make Cyber Essentials Plus Part of How You Operate

Most organisations achieve Cyber Essentials Plus once. Few make it stick. SureCloud helps you move beyond certification by embedding controls into everyday operations—connecting ownership, automating evidence, and maintaining continuous assurance across your environment. Book a demo to see how SureCloud helps you operationalise CE+—and keep it audit-ready all year round.