SERVICE · COMPLIANCE

Certified. Without the spreadsheet nightmare.

Cyber Essentials and Cyber Essentials Plus certification for UK SMBs

End-to-end Cyber Essentials and CE+ prep. We handle the gap analysis, remediation, evidence, paperwork and assessor liaison. You get the badge, the insurance and the unlocked procurement pipeline.

IASME-aligned · Remediation included · Assessor-facing · £25k insurance
01 / WHAT'S INCLUDED

Five controls. Two levels. One outcome.

Both levels cover the same five technical controls — the difference is whether an assessor tests your environment in person (CE+) or trusts your answers (CE).

01

Firewalls & boundaries

Perimeter, host firewalls, Conditional Access, remote access. Configured, documented, evidenced.

02

Secure configuration

Device baselines via Intune/Addigy. Unused accounts disabled, default credentials removed, admin surface reduced.

03

User access control

Least privilege, MFA, separate admin accounts, joiner-mover-leaver process. The boring stuff that always fails audits.

04

Malware protection

EDR, policy enforcement, application control. Auditor-friendly configuration with evidence trail.

05

Patch management

14-day critical SLA. OS + third-party. Aligned to our Patch Management service; pre-built for CE+.

06

Evidence & paperwork

We fill the questionnaire, gather the evidence, brief your signatories, and liaise with the assessor. You sign, we submit.

02 / HOW WE RUN IT

Gap. Fix. Evidence. Submit.

  1. STEP 01

    Gap analysis

    1-day audit against the current IASME scheme. We tell you exactly where you sit, what it'll take to pass, and realistic timelines. Written report, fixed fee.

    • Control-by-control gap
    • Fix list
    • Timeline commitment
  2. STEP 02

    Remediation

    We fix the gaps. Conditional Access, baselines, patch policy, MFA, admin accounts, documentation. Done by our engineers, not delegated back to you.

    • Technical remediation
    • Policy docs
    • Training if needed
  3. STEP 03

    Evidence pack

    Screenshots, config exports, audit logs, policy docs all assembled in one pack. Written to the questionnaire you'll sign. No surprises at assessor review.

    • Full evidence pack
    • Pre-flight review
    • Sign-off checklist
  4. STEP 04

    Submit & certify

    We liaise with the assessor, book the technical audit (CE+), answer clarifications, and walk you through the final sign-off. Certificate issued, badge delivered, insurance activated.

    • Assessor liaison
    • CE+ technical audit
    • Certificate + badge
03 / WHY IT MATTERS

A badge with teeth.

CE/CE+ isn't just a logo for your footer. It unlocks public-sector tenders, reduces insurance premiums, hardens your estate in real ways, and gives clients and prospects a credible, externally-validated answer to "what are you doing about security?". And it genuinely reduces risk — the controls are the five that stop most SMB breaches.

  • Procurement unlocked: Central government, NHS and an increasing number of large private clients require CE or CE+.
  • Real risk reduction: The five controls are the five that matter most. This isn't box-ticking.
  • Free cyber insurance: Up to £25k via IASME for UK SMBs < £20m turnover. Often covers the certification fee many times over.
  • Sales enablement: A credible answer to security questionnaires your prospects send.
04 / FAQ

Questions we hear a lot.

What's the difference between CE and CE+?

CE is a self-assessment questionnaire. CE+ adds a hands-on technical audit by an external assessor — authenticated vulnerability scans, sample device tests, phishing and malware tests. CE+ is what most public-sector contracts and larger clients want.

How long does it take?

CE: typically 3–5 weeks including remediation. CE+: 6–10 weeks. Depends on how far the baseline is from compliant. We run a short gap analysis up front so you know what's involved.

Will my insurance premiums drop?

Often yes, and it unlocks free cyber insurance up to £25k for small businesses via the IASME scheme (UK HQ, under £20m turnover). Most clients pay for the certification and save it back in year one.

Do we need CE+ to win public sector work?

For many central government and NHS contracts, yes. Increasingly also for large private-sector suppliers. If in doubt, ask — we'll tell you which level fits your pipeline.

Is it valid for a year or forever?

12 months. Re-certification annually. Once the first run is in place, renewals are typically much faster — baselines stay, just evidence refreshes.

Can we do CE first and CE+ later?

Yes. Common path: CE in month 1, operate for a quarter, CE+ when ready. We keep the same environment in scope so remediation carries forward.

NEXT STEP

Free 30-minute readiness call.

Tell us your estate, your timeline and your target (CE or CE+). We'll give you a realistic cost, a realistic timeline, and a go/no-go. Honest one either way.

CE: 3–5 wk
CE+: 6–10 wk
COVER: £25k