THE AUDITED TIER

Cyber Essentials Plus: the audited tier, and how to pass it.

Cyber Essentials Plus is the independently audited level of the NCSC's Cyber Essentials scheme. Where base Cyber Essentials is a self-assessment, Plus puts your controls in front of a qualified assessor who scans and tests them for real. This page explains exactly what the Plus audit involves, what it costs, how long it takes — and how Matproof keeps your evidence audit-ready so you pass first time.

Aligned to the IASME Cyber Essentials requirements and the Cyber Essentials Plus illustrative test specification (2025).

The short answer

What is Cyber Essentials Plus?

Cyber Essentials Plus is the higher of the two certification levels in the UK government's Cyber Essentials scheme, owned by the National Cyber Security Centre (NCSC) and delivered by IASME. It certifies exactly the same five technical controls as base Cyber Essentials — firewalls, secure configuration, user access control, malware protection and security update management — but adds an independent, hands-on technical audit performed by an accredited assessor.

In other words: base Cyber Essentials asks you to declare that your controls are in place. Cyber Essentials Plus proves they actually are. An assessor runs internal and external vulnerability scans, tests a sample of your devices against real malware delivery routes, and confirms that account separation, MFA and patching are genuinely enforced rather than merely documented.

That independent verification is why Cyber Essentials Plus carries so much more weight with buyers, government frameworks and cyber-insurers. If you have read our Cyber Essentials guide and know the base level, this page focuses on the audited Plus tier specifically.

The difference

Cyber Essentials vs Cyber Essentials Plus.

Criterion | Cyber Essentials | Cyber Essentials Plus
Assessment method | Verified self-assessment questionnaire | Self-assessment plus independent technical audit
Testing | Your own attested answers | Internal & external vulnerability scans, sampled device tests
Who verifies it | A qualified assessor marks the questionnaire | An assessor scans and tests your live environment
Typical timeline | Days, once controls are in place | 2–4 weeks (must follow within 3 months of CE)
Indicative cost | From ~£320 + VAT (by org size) | Typically £1,400–£3,000+ depending on estate size
Assurance level | Self-declared | Independently verified
Validity | 12 months | 12 months
Inside the audit

What the Cyber Essentials Plus audit involves.

The Plus assessment is a defined sequence of tests against a representative sample of your in-scope devices and your internet-facing services. Here is what to expect.

01. Hold a valid Cyber Essentials certificate

Cyber Essentials Plus builds directly on the base level. You must already hold a valid Cyber Essentials (self-assessment) certificate, and the Plus technical audit must be completed within three months of it. The scope of your Plus assessment must match the scope you declared at base level.

02. Internal vulnerability scan

An accredited assessor runs authenticated vulnerability scans against a representative sample of your in-scope devices — workstations, laptops and servers. The scan checks that high-risk and critical patches are genuinely applied, that unsupported software has been removed, and that no exploitable vulnerabilities are exposed.

03. External vulnerability scan

The assessor scans your internet-facing IP addresses and services to confirm there are no unnecessary open ports, exposed services or unpatched vulnerabilities that an attacker could reach from outside. This mirrors the firewall and secure-configuration controls from the questionnaire — but proves them from the outside in.

04. Sampled device and configuration test

On a sample of devices the assessor verifies that malware protection is active, that anti-malware definitions are current, and that the system blocks common malware delivery routes (test files via email and web download). They also confirm that account separation, MFA and least privilege are working in practice, not just on paper.

05. Assessor decision and certificate

If every sampled control passes, the Certification Body issues your Cyber Essentials Plus certificate, valid for 12 months. If anything fails, you remediate and the relevant tests are re-run. The certificate is the externally verifiable proof many buyers, frameworks and cyber-insurers now demand.

Cost & timeline

What does Cyber Essentials Plus cost — and how long does it take?

Cost

Unlike base Cyber Essentials, Plus is not a fixed-price certificate. Your Certification Body quotes the technical audit based on the size and complexity of your estate — the number of in-scope devices, operating systems, locations and cloud services that need sampling. For a typical small-to-mid organisation the Plus audit usually runs between £1,400 and £3,000 plus VAT, on top of your base Cyber Essentials fee. The larger and more heterogeneous your estate, the higher the quote.

Timeline

The audit itself is typically completed in two to four weeks from booking, and the hands-on testing often takes a day or less for a small estate. The critical constraint is the three-month window: your Plus audit must take place within three months of your base Cyber Essentials certificate. The real timeline driver is remediation — closing patching gaps, removing unsupported software and enforcing MFA before the assessor arrives.

The certification fees are only part of the picture. The larger investment — and the most common reason audits slip or fail — is the internal effort to get the five controls genuinely in place across a moving estate and to keep evidence current. That is exactly the problem Matproof solves.

Why it matters

Why organisations choose Cyber Essentials Plus.

Bigger contracts demand it

A growing number of UK central-government frameworks, MoD supply chains and enterprise procurement processes specify Cyber Essentials Plus rather than the base level. Self-assessment gets you on the shortlist; Plus gets you through the door on the contracts that matter.

Independently verified assurance

Base Cyber Essentials is self-declared. Plus is tested by a qualified third party. For buyers, insurers and your own board, that independent verification is the difference between a claim and proof — and it carries materially more weight in due diligence.

Catches the gap between policy and reality

Most organisations that fail Plus don't fail on intent — they fail because a patch SLA slipped, an unsupported OS lingered, or MFA wasn't actually enforced on one system. The audit surfaces exactly those drift points, which is precisely why it's worth more.

How Matproof helps

Pass the Plus audit first time — and stay audit-ready.

Cyber Essentials Plus fails on drift: a missed critical patch, an unsupported OS, a stray local-admin account, MFA that wasn't actually enforced. Matproof gives you continuous, evidenced visibility of every one of the five controls across your estate, so the assessor finds nothing you didn't already know about.

  • A control library mapped directly to the five Cyber Essentials control areas and the Plus test specification.
  • Live evidence from 100+ tools — endpoints, identity providers, firewalls and cloud accounts — so patch status, MFA coverage and unsupported software are pulled automatically, not screenshotted before the audit.
  • Continuous monitoring that flags an out-of-SLA critical patch, an end-of-life OS or an over-privileged account weeks before the assessor would — giving you time to remediate.
  • Audit-ready evidence packs you can hand straight to your IASME Certification Body for both the base certificate and the Plus technical audit.
  • One platform that also covers ISO 27001, GDPR and DORA — so Cyber Essentials Plus sits inside a wider GRC programme rather than being a standalone annual scramble.
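The drift points named above (an out-of-SLA critical patch, an end-of-life OS, a stray local-admin account, MFA not enforced) are all things you can check yourself before booking the audit. The following is an added example written for this page, not Matproof's code or the IASME test tooling: it evaluates a constructed inventory snapshot (the kind of data an endpoint agent or identity provider exports) against the five control areas and groups findings by control. The 14-day patch window is the Cyber Essentials requirement for updates fixing high and critical vulnerabilities; the definition-age threshold, the end-of-life OS list and the approved-admin set are assumptions for the example and should be replaced with your own policy and vendor lifecycle data.

```python
"""Pre-audit drift check across the five Cyber Essentials control areas.

Added example, not Matproof's code: it evaluates a constructed inventory
snapshot and reports anything an assessor's scans or sampled device tests
would be likely to find.
"""
from dataclasses import dataclass, field
from datetime import date

# Cyber Essentials requires updates that fix high/critical vulnerabilities to be
# installed within 14 days of release. The other thresholds are assumed local policy.
PATCH_SLA_DAYS = 14
MAX_DEFINITION_AGE_DAYS = 7
# Illustrative end-of-life list, constructed for the example; use vendor lifecycle data.
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2012 R2", "Ubuntu 18.04"}

CONTROLS = ("firewalls", "secure-configuration", "user-access-control",
            "malware-protection", "security-update-management")


@dataclass
class Device:
    hostname: str
    os_name: str
    firewall_enabled: bool
    av_enabled: bool
    av_definitions_age_days: int
    local_admins: list = field(default_factory=list)
    # (patch id, vendor release date) for high/critical updates not yet installed
    pending_critical_patches: list = field(default_factory=list)


@dataclass
class Account:
    username: str
    is_admin: bool
    mfa_enforced: bool


def check_device(dev, approved_admins, today):
    """Return (control, message) findings for one device."""
    findings = []
    if not dev.firewall_enabled:
        findings.append(("firewalls", f"{dev.hostname}: host firewall disabled"))
    if dev.os_name in UNSUPPORTED_OS:
        findings.append(("secure-configuration", f"{dev.hostname}: unsupported OS {dev.os_name}"))
    for admin in dev.local_admins:
        if admin not in approved_admins:
            findings.append(("user-access-control", f"{dev.hostname}: unapproved local admin '{admin}'"))
    if not dev.av_enabled:
        findings.append(("malware-protection", f"{dev.hostname}: malware protection not running"))
    elif dev.av_definitions_age_days > MAX_DEFINITION_AGE_DAYS:
        findings.append(("malware-protection",
                         f"{dev.hostname}: definitions {dev.av_definitions_age_days} days old"))
    for patch_id, released in dev.pending_critical_patches:
        age = (today - released).days
        if age > PATCH_SLA_DAYS:
            findings.append(("security-update-management",
                             f"{dev.hostname}: {patch_id} outstanding {age} days (SLA {PATCH_SLA_DAYS})"))
    return findings


def check_account(acct):
    """Every account must have MFA enforced; the message records whether it is an admin."""
    if acct.mfa_enforced:
        return []
    role = "admin" if acct.is_admin else "user"
    return [("user-access-control", f"{acct.username}: MFA not enforced ({role})")]


def drift_report(devices, accounts, approved_admins, today):
    """Group findings by control area; every control appears even when clean."""
    report = {control: [] for control in CONTROLS}
    for dev in devices:
        for control, msg in check_device(dev, approved_admins, today):
            report[control].append(msg)
    for acct in accounts:
        for control, msg in check_account(acct):
            report[control].append(msg)
    return report


def is_audit_ready(report):
    return all(not msgs for msgs in report.values())


# Constructed sample inventory, pinned to a fixed date so the result is reproducible.
TODAY = date(2025, 6, 30)
APPROVED_ADMINS = {"it-admin"}
DEVICES = [
    Device("LT-001", "Windows 11", True, True, 1, ["it-admin", "svc-legacy"],
           [("KB-EXAMPLE-1", date(2025, 6, 1))]),           # patch 29 days outstanding
    Device("SRV-02", "Windows Server 2012 R2", False, True, 2, ["it-admin"]),
    Device("LT-003", "macOS 14", True, False, 0, ["it-admin"],
           [("patch-example-2", date(2025, 6, 25))]),       # 5 days, inside the SLA
]
ACCOUNTS = [Account("alice", True, True), Account("bob", True, False),
            Account("carol", False, False)]

if __name__ == "__main__":
    rep = drift_report(DEVICES, ACCOUNTS, APPROVED_ADMINS, TODAY)
    for control, msgs in rep.items():
        print(f"{control}: {'OK' if not msgs else ''}")
        for m in msgs:
            print(f"  - {m}")
    print("audit-ready" if is_audit_ready(rep) else "remediate before booking the audit")
```

Run it as a script to see the per-control report; in practice you would feed `drift_report` from your real endpoint and identity exports on a schedule, so the same check runs continuously rather than once before the assessor arrives. Keeping every control in the report even when it is clean matters: an empty list is positive evidence that the control was checked, which is what an evidence pack needs to show.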

Frequently asked questions about Cyber Essentials Plus.

What is Cyber Essentials Plus?

Cyber Essentials Plus is the audited tier of the UK government's Cyber Essentials scheme, owned by the NCSC and delivered by IASME. It certifies the same five technical controls as base Cyber Essentials — firewalls, secure configuration, user access control, malware protection and security update management — but adds an independent technical audit. An accredited assessor runs internal and external vulnerability scans and tests a sample of your devices to confirm the controls genuinely work, rather than relying on your self-declaration.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both certify the same five controls. Cyber Essentials is a verified self-assessment — you complete the IASME questionnaire and a qualified assessor marks it. Cyber Essentials Plus adds a hands-on technical audit: the assessor runs internal and external vulnerability scans and tests a sample of your devices against real malware delivery routes. You must hold a valid Cyber Essentials certificate first, and the Plus audit must be completed within three months of it. Plus is independently verified; base level is self-declared.

What does the Cyber Essentials Plus audit involve?

The Plus audit is a defined sequence of tests against a representative sample of your in-scope devices and your internet-facing services: an authenticated internal vulnerability scan to confirm patching and removal of unsupported software, an external vulnerability scan of your internet-facing IPs and services, and sampled device tests that verify malware protection blocks common email and web delivery routes and that account separation, MFA and least privilege are enforced in practice. If everything passes, the Certification Body issues your certificate.

How much does Cyber Essentials Plus cost?

Unlike base Cyber Essentials, Plus is not a fixed-price certificate — your Certification Body quotes it based on the size and complexity of your IT estate (number of devices, operating systems, locations and cloud services to sample). For a typical small-to-mid organisation the Plus audit usually runs between £1,400 and £3,000 plus VAT, on top of your base Cyber Essentials fee. Larger, more heterogeneous estates cost more. The bigger investment is the internal effort to get the five controls genuinely in place and keep evidence current.

How long does Cyber Essentials Plus take?

The audit itself is typically completed within two to four weeks of booking, and the hands-on testing often takes a day or less for a small estate. The hard constraint is that the Plus audit must take place within three months of your base Cyber Essentials certificate. In practice the timeline is driven by remediation — closing patching gaps, removing unsupported software and enforcing MFA before the assessor arrives. Keeping live evidence year-round, rather than scrambling before each audit, removes most of that delay.

Do I need base Cyber Essentials before Cyber Essentials Plus?

Yes. Cyber Essentials Plus builds directly on the base level. You must hold a valid Cyber Essentials (self-assessment) certificate before you can be assessed for Plus, and the Plus technical audit must be completed within three months of that base certificate. The scope of your Plus assessment must also match the scope you declared at base level. If you are new to the scheme, start with our Cyber Essentials guide and the free readiness self-assessment.

How does Matproof help with Cyber Essentials Plus?

Cyber Essentials Plus fails on drift — a missed critical patch, an unsupported OS, a stray local-admin account, or MFA that wasn't actually enforced. Matproof maps a control library to the five Cyber Essentials control areas and the Plus test specification, pulls live evidence from 100+ tools (endpoints, identity providers, firewalls, cloud accounts), and continuously flags out-of-SLA patches, end-of-life systems and over-privileged accounts before an assessor would — so you remediate in time and walk into the audit with audit-ready evidence packs.

Get audit-ready

Walk into your Plus audit with nothing to fix.

Book a demo to see how Matproof keeps your five controls continuously evidenced — so the Cyber Essentials Plus audit confirms what you already know, instead of surprising you.