The independently verified level of Cyber Essentials - a third-party technical audit confirming your security controls are correctly implemented. Preferred by government supply chains and enterprise clients.

Cyber Essentials Plus is the higher level of the Cyber Essentials scheme. While standard Cyber Essentials uses a self-assessment questionnaire, Plus requires an independent technical audit carried out by an approved assessor.
Our assessors remotely verify that your five security controls are correctly and effectively implemented - not just ticked on a form.
Our remote technical audit verifies all five Cyber Essentials controls are correctly implemented across your devices, systems and network.
We test a sample of in-scope devices - typically around 10% - including laptops, desktops and mobile, to verify configuration and patch status.
External vulnerability scanning of your internet-facing systems and boundary controls.
Safe simulated malware testing to verify your protection is working correctly.
Review of configuration evidence and security policies to support questionnaire responses.
Complete Cyber Essentials self-assessment as the foundation for Plus. Use our CE readiness checklist to verify your controls before you submit.
We provide an audit readiness checklist covering the seven control areas the audit will test. You confirm each is in place before the assessment date.
Remote technical assessment by our IASME-approved assessor across your systems.
CE Plus certificate issued, listed on the IASME public register.
Six clear, manageable steps from booking to certification.
Complete our online enquiry form and a member of our team will be in touch to schedule your assessment at a time that suits your business.
A core element of the CE Plus audit is the vulnerability assessment. How your systems are scanned depends on your existing tooling:
Accurate documentation is vital - your audit sample is selected directly from this information. Before we begin, you will need to submit:
No sooner than three days before your assessment, we will confirm the final sample of devices to be audited - typically around 10% of in-scope devices, with a minimum of one device per operating system type in use.
Your responsibilities:
Your audit combines automated scans and live verification checks conducted via screen sharing, across four phases:
Phase 1 - Vulnerability Scanning
Phase 2 - User Device Security Tests
Real user email addresses must be used - generic or test accounts are not permitted. We will:
Phase 3 - Endpoint & Mobile Protection
Phase 4 - Access Control & Authentication
It is entirely normal to have a few outstanding actions after the live assessment - this does not mean you have failed. Common post-audit tasks include:
Your dedicated auditor will clearly outline exactly what is required, how to submit your evidence, and the deadline for completion.
The CE Plus audit is a hands-on technical test - not a questionnaire. Seven control areas are assessed live against your systems. Use our interactive checklist to confirm everything is in place before your assessment date.
Use our free interactive checklist - 25 items across all seven audit areas with a live progress score. Tick off each item as you confirm it is in place.
Open Checklist →All prices are fixed and include the IASME certification fee. No add-ons, no hidden charges.
UK organisations with annual turnover under £20m automatically receive free cyber liability insurance up to £25,000 with their Cyber Essentials certificate - which is included within your CE Plus engagement. No extra cost, no separate application.
"The CE Plus audit was thorough, professional and well-coordinated. Our assessor explained every step and we passed first time - great experience."
- IT DIRECTOR / Financial Services, London
"We needed CE Plus for a government contract. VCD managed both the basic and Plus assessments together - efficient, clear and no surprises on the day."
- OPERATIONS DIRECTOR / MOD Supply Chain
"Having the gap review before the technical audit gave us real confidence going in. We knew exactly what to expect and everything went smoothly."
- HEAD OF IT / Professional Services
Client names are withheld in line with confidentiality requirements; character references are available upon request.
Get independently verified. Talk to our UK-based team today - no jargon, no hard sell.