How to get Cyber Essentials Plus: a practical 2026 guide.

Cyber Essentials Plus is a UK government-backed certification that proves — through a hands-on technical audit — that your organisation has the five basic controls in place to stop the most common cyber attacks. This is what it tests, what it costs, and what trips small businesses up first time.

By Rob Smith · Published 27 May 2026 · Reviewed Jun 2026 · 8 min read
KEY TAKEAWAYS
  • Plus is the same five controls as basic Cyber Essentials, but independently tested instead of self-declared.
  • You must hold or pass basic Cyber Essentials within the three months before the Plus audit.
  • The three things that fail SMBs: inconsistent MFA, unpatched devices, and unnecessary local admin rights.
  • Well-managed environment: 2–4 weeks. Starting from scratch: 6–8 weeks of remediation first.

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials is a self-assessment questionnaire, verified by a certification body. Cyber Essentials Plus covers the identical five controls, but adds an independent technical audit: a qualified assessor tests a sample of your real devices, your email filtering and your web filtering, to confirm the controls actually work, not just that you said they do. Plus is increasingly what enterprise clients, insurers and government contracts ask for.

The five controls

Both certifications assess the same five technical controls. Get these right and you’ve blocked the overwhelming majority of opportunistic attacks.

  1. Firewalls. A boundary firewall, plus the host firewall on every device, blocking inbound connections by default. Default passwords changed, no admin interface exposed to the internet, and every open port documented and justified.
  2. Secure configuration. Remove or disable what you don’t use. No default credentials, no unnecessary accounts or software, no auto-run of untrusted content.
  3. Security update management. Supported software only, with fixes for high or critical vulnerabilities (CVSS 7 or above, or rated high/critical by the vendor) applied within 14 days of release, ideally by automatic update. This is the single most-tested control in the Plus audit.
  4. User access control. Least privilege. Standard users don’t have local admin; admin accounts are separate, used only for admin tasks, and protected with MFA on cloud services.
  5. Malware protection. Anti-malware on every device with signatures kept current, or application allow-listing, configured and active.

Notice what underpins all five: knowing what you have and keeping it current. That’s an asset-management and patching problem more than a security-product problem.

And the requirement that cuts across the controls: MFA

Multi-factor authentication on cloud services (your Microsoft 365 or Google tenant especially) formally sits under User access control, but in practice it is tested wherever your users sign in. It has to be on for every user and every administrator, on every cloud service you declare in scope. Inconsistent MFA, enabled for some users and some apps but not all, is the most common reason a confident SMB fails.
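
To see whether MFA is actually consistent across a Microsoft 365 tenant, here is an added example that is not from the original article: a short read-only PowerShell check using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed and that you sign in with an account holding the listed read scopes (assumed sufficient; a reader-level role is enough). It deliberately separates two questions: who has registered an MFA method at all (the registration report), and whether anything forces them to use it (Conditional Access policies with an MFA grant control, or Security Defaults). A user who has registered but is excluded from every policy is exactly the gap the audit finds.

```powershell
# Added example: tenant-side MFA coverage for Microsoft 365 / Entra ID. Read-only.
# Requires the Microsoft.Graph SDK (Reports and Identity.SignIns modules) and a sign-in
# with the scopes below (assumption: these are enough for a read-only run).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Policy.Read.All'

# 1. Registration: which users have any MFA method registered at all.
$details     = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa       = @($details | Where-Object { -not $_.IsMfaRegistered })
$adminsNoMfa = @($noMfa   | Where-Object { $_.IsAdmin })

"Users: $($details.Count)   without MFA registered: $($noMfa.Count)   of which admins: $($adminsNoMfa.Count)"
$noMfa |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin,
        @{ n = 'MethodsRegistered'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

# 2. Enforcement: registration proves nothing unless a policy requires MFA at sign-in.
#    Either Security Defaults is on, or Conditional Access policies with an 'mfa' grant
#    control exist in state 'enabled' (report-only does not enforce), include all users,
#    and carry no quiet user or group exclusions.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($secDefaults.IsEnabled)"

Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' } |
    Select-Object DisplayName, State,
        @{ n = 'IncludeUsers';   e = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ n = 'ExcludedUsers';  e = { @($_.Conditions.Users.ExcludeUsers).Count } },
        @{ n = 'ExcludedGroups'; e = { @($_.Conditions.Users.ExcludeGroups).Count } } |
    Format-Table -AutoSize
```

Read the two halves together. A tenant where every user shows IsMfaRegistered but the only MFA policy is in state enabledForReportingButNotEnforced, or excludes a "service accounts" group that contains real people, is the "enabled for some, not all" situation the audit fails. Fix the exclusions and the policy state before the assessor asks a sampled user to sign in.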

What the Plus audit actually involves

An assessor will, on a representative sample of your devices:

  • Run an authenticated vulnerability scan on each sampled device and confirm no missing high or critical fix is more than 14 days past its release.
  • Send a set of test files in common malware-delivery formats by email to confirm your filtering blocks or quarantines them.
  • Attempt to download the same kinds of test files through your web filtering.
  • Verify account separation and MFA, and that a standard user can neither install software they shouldn’t nor simply run a test file that got through.
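
The same checks, run from the inside before the assessor does, as an added example that is not part of the original article or of the scheme's own test specification. It is a read-only PowerShell script for one Windows endpoint, covering the five controls above and the audit steps just listed, to be run elevated in Windows PowerShell 5.1 on every in-scope device rather than a sample, because you do not know which devices the assessor will pick. Assumptions it makes: Microsoft's MSRC severity of Critical or Important stands in for the scheme's CVSS-based high/critical threshold, a 7-day signature age is used as the "kept current" line for Defender, and the user logged on at the console is taken to be the everyday user who must not be a local administrator.

```powershell
# Added example: read-only pre-audit gap check for one Windows endpoint against the five
# Cyber Essentials controls. Not the scheme's test specification. Run elevated, in
# Windows PowerShell 5.1, on every in-scope device.
$MaxPatchAgeDays = 14   # the scheme's window for high/critical fixes
$MaxSigAgeDays   = 7    # assumption: "signatures kept current" line used here for Defender

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Control, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
}

# 1. Firewalls: all three host-firewall profiles must be on.
Get-NetFirewallProfile | ForEach-Object {
    $status = if ($_.Enabled) { 'OK' } else { 'FAIL' }
    Add-Finding 'Firewalls' $status "Profile $($_.Name): Enabled=$($_.Enabled)"
}

# 2. Secure configuration: Guest disabled, no enabled account without a password,
#    and the OS version recorded so support status can be confirmed against the vendor.
foreach ($acct in (Get-LocalUser | Where-Object { $_.Enabled })) {
    if ($acct.Name -eq 'Guest') {
        Add-Finding 'Secure configuration' 'FAIL' 'Guest account is enabled'
    }
    if (-not $acct.PasswordRequired) {
        Add-Finding 'Secure configuration' 'FAIL' "Account $($acct.Name) does not require a password"
    }
}
$os = Get-CimInstance Win32_OperatingSystem
Add-Finding 'Secure configuration' 'INFO' "$($os.Caption) build $($os.BuildNumber): confirm still vendor-supported"

# 3. Security update management: pending Critical/Important updates released more than
#    14 days ago. MSRC severity is a proxy for the scheme's CVSS 7+ threshold (assumption).
#    Uses the Windows Update Agent COM API; the search can take a minute.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
$overdue  = 0
foreach ($u in $pending) {
    $ageDays = ((Get-Date) - $u.LastDeploymentChangeTime).Days
    if (($u.MsrcSeverity -in 'Critical', 'Important') -and $ageDays -gt $MaxPatchAgeDays) {
        $overdue++
        Add-Finding 'Security update management' 'FAIL' "$($u.Title) [$($u.MsrcSeverity)] released $ageDays days ago"
    }
}
if ($overdue -eq 0) {
    Add-Finding 'Security update management' 'OK' "No Critical/Important update pending beyond $MaxPatchAgeDays days ($($pending.Count) pending in total)"
}

# 4. User access control: who is in local Administrators? The interactive console user
#    (assumed to be the everyday user) must not be; every other member needs a human decision.
$consoleUser = (Get-CimInstance Win32_ComputerSystem).UserName
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $status = if ($consoleUser -and $m.Name -ieq $consoleUser) { 'FAIL' } else { 'REVIEW' }
    Add-Finding 'User access control' $status "Administrators member: $($m.Name) ($($m.PrincipalSource))"
}

# 5. Malware protection: Defender status, or whatever product has registered with
#    Security Center if Defender is in passive mode or absent.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if ($mp.AMRunningMode -like 'Passive*') { throw 'Defender passive; a third-party product is in charge' }
    $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le $MaxSigAgeDays)
    $status = if ($ok) { 'OK' } else { 'FAIL' }
    Add-Finding 'Malware protection' $status "Defender AV=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) SignatureAge=$($mp.AntivirusSignatureAge)d"
} catch {
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | ForEach-Object {
        Add-Finding 'Malware protection' 'REVIEW' "Registered product: $($_.displayName) (confirm it is active and updating)"
    }
}

$findings | Sort-Object Control, Status | Format-Table -AutoSize
```

Anything marked FAIL is something the assessor would find on that device. REVIEW lines need a human decision: a member of Administrators called something like IT-Admin is expected, the account the user logs in with every morning is not. Collect the output from every device into one place; the value of the exercise is spotting the one laptop that is different, which is the failure mode the audit is built to catch.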

It’s practical, not paperwork. If the controls are genuinely in place, it’s a calm half-day. If they’re not, you’ll find out precisely where.

Cyber Essentials Plus rarely fails businesses on knowledge. It fails them on consistency — the one laptop that missed a patch, the one shared account without MFA.

A realistic timeline

  1. Week 0 — Gap assessment. Audit devices, identities and patching against the five controls. Get the honest list.
  2. Weeks 1–4 — Remediate. Enforce MFA everywhere, fix patching, remove local admin, standardise device config. This is the real work.
  3. Basic Cyber Essentials. Pass the self-assessment (required within three months before Plus).
  4. Plus audit. The hands-on test. Pass, and you’re certified for 12 months.

What it costs

The assessment fees themselves are modest for a small business — the basic certification plus a Plus audit fee that scales with device count. The larger cost, if you’re not already well-managed, is the remediation: rolling out MFA, fixing patching, and getting device management in place. The upside is that this work isn’t certification theatre — it’s the same hardening that genuinely reduces your risk, and most of it is reusable every year.

If patching and MFA sound like a project in themselves, that’s exactly the gap our Cyber Essentials and patch management services exist to close.

FAQ

Questions we get asked.

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment questionnaire verified by a certification body. Plus covers the same five controls but adds a hands-on technical audit where an assessor independently tests a sample of your devices and your email and web filtering. Same standard, independently proven.

How much does Cyber Essentials Plus cost in the UK?

For a small business, the Plus audit fee is typically a few hundred to low four figures depending on device count and assessor, on top of basic Cyber Essentials. The bigger real cost is any remediation needed to meet the controls.

How long does it take to achieve?

Two to four weeks if you’re already well managed; six to eight weeks if you’re starting from scratch. You must also hold or pass basic Cyber Essentials within the three months before the Plus audit.

What causes most businesses to fail?

Inconsistent MFA on cloud accounts, devices running unpatched software past the 14-day window, and users with unnecessary local admin rights. All three are fixable before the audit if you check in advance.

GOING FOR CERTIFICATION?

Pass it first time.

Book a 30-minute call. We’ll run a quick gap check against the five controls and tell you honestly how far you are from a clean Plus audit.
