// Verified Certification

CYBER ESSENTIALS
PLUS

The independently verified level of Cyber Essentials - a third-party technical audit confirming your security controls are correctly implemented. Preferred by government supply chains and enterprise clients.

+
Independent Technical Audit
100%
Remote Assessment
1yr
Certificate Validity
IASME Approved Body
Cyber Essentials Plus certification audit by Vincent Cyber Defence
// What Is CE Plus

CYBER ESSENTIALS PLUS EXPLAINED

Cyber Essentials Plus is the higher level of the Cyber Essentials scheme. While standard Cyber Essentials uses a self-assessment questionnaire, Plus requires an independent technical audit carried out by an approved assessor.

Our assessors remotely verify that your five security controls are correctly and effectively implemented - not just ticked on a form.

Who Requires CE Plus?

  • MOD and central government supply chain contracts
  • Organisations handling classified or sensitive data
  • Enterprise clients requiring independent verification
  • Businesses seeking a higher level of cyber assurance
  • Organisations working toward Cyber Essentials Plus as a stepping stone to ISO 27001

CE vs CE Plus

  • Cyber Essentials: self-assessed questionnaire
  • Cyber Essentials Plus: independent technical verification
  • Both: IASME-issued certificate, 12-month validity
  • Plus: higher assurance, preferred for enterprise and government

WHAT THE AUDIT COVERS

Our remote technical audit verifies all five Cyber Essentials controls are correctly implemented across your devices, systems and network.

  • 💻

    DEVICE TESTING

    We test a sample of in-scope devices - typically around 10% - including laptops, desktops and mobile, to verify configuration and patch status.

  • 🌐

    NETWORK SCANNING

    External vulnerability scanning of your internet-facing systems and boundary controls.

  • 📧

    MALWARE SIMULATION

    Safe simulated malware testing to verify your protection is working correctly.

  • 📋

    EVIDENCE REVIEW

    Review of configuration evidence and security policies to support questionnaire responses.

// The Process

HOW CE PLUS WORKS

1

CE FIRST

Complete Cyber Essentials self-assessment as the foundation for Plus. Use our CE readiness checklist to verify your controls before you submit.

2

PREPARE

We provide an audit readiness checklist covering the seven control areas the audit will test. You confirm each is in place before the assessment date.

3

AUDIT

Remote technical assessment by our IASME-approved assessor across your systems.

4

CERTIFIED

CE Plus certificate issued, listed on the IASME public register.

// Step by Step

YOUR CE PLUS JOURNEY

Six clear, manageable steps from booking to certification.

1

BOOKING YOUR AUDIT

Complete our online enquiry form and a member of our team will be in touch to schedule your assessment at a time that suits your business.

2

VULNERABILITY SCANNING & PREPARATION

A core element of the CE Plus audit is the vulnerability assessment. How your systems are scanned depends on your existing tooling:

No PCI-DSS approved scanner: We will grant you access to our secure cloud agent for the duration of your audit.
Existing PCI-DSS approved scanner: Simply inform our audit support team - you may not need to install our cloud agent.
3

DOCUMENTATION YOU MUST PROVIDE

Accurate documentation is vital - your audit sample is selected directly from this information. Before we begin, you will need to submit:

  • An up-to-date asset list (which must be kept current throughout the process)
  • A signed Audit Authorisation Form, including all external IP addresses that require scanning
4

DEVICE SAMPLING

No sooner than three days before your assessment, we will confirm the final sample of devices to be audited - typically around 10% of in-scope devices, with a minimum of one device per operating system type in use.

Important: Devices are selected strictly by the auditor to ensure an accurate, representative sample of your environment. You cannot select your own devices for assessment.

Your responsibilities:

  • Confirm availability - ensure all sampled devices will be online and accessible during the audit appointment
  • Notify us immediately - if a selected device becomes unavailable, let us know straight away so we can choose an alternative
5

WHAT TO EXPECT ON AUDIT DAY

Your audit combines automated scans and live verification checks conducted via screen sharing, across four phases:

Phase 1 - Vulnerability Scanning

  • Internal scans: Credentialed patch audit scan of sampled devices via our cloud agent or your approved PCI-DSS scanner
  • External scans: Vulnerability scan of your publicly facing IP addresses and services

Phase 2 - User Device Security Tests

Real user email addresses must be used - generic or test accounts are not permitted. We will:

  • Test how devices process and handle email attachments
  • Test how devices handle file downloads from controlled, safe test websites

Phase 3 - Endpoint & Mobile Protection

  • Verify installation, configuration, and effectiveness of antivirus software
  • Perform iOS and mobile security checks (if mobile devices are within your audit scope)

Phase 4 - Access Control & Authentication

  • MFA tests across all listed cloud services
  • Confirm MFA is actively enabled for both administrator and standard user accounts
  • Verify strict separation between admin and standard user roles
6

AFTER YOUR AUDIT APPOINTMENT

It is entirely normal to have a few outstanding actions after the live assessment - this does not mean you have failed. Common post-audit tasks include:

  • Remediating any newly discovered vulnerabilities
  • Submitting additional evidence (such as screenshots of specific mobile configurations)

Your dedicated auditor will clearly outline exactly what is required, how to submit your evidence, and the deadline for completion.

// Audit Readiness

CE PLUS READINESS CHECKLIST

The CE Plus audit is a hands-on technical test - not a questionnaire. Seven control areas are assessed live against your systems. Use our interactive checklist to confirm everything is in place before your assessment date.

Use our free interactive checklist - 25 items across all seven audit areas with a live progress score. Tick off each item as you confirm it is in place.

Open Checklist →
Important: If any of these areas are not in place before the audit, issues will be identified during the technical assessment. You have 30 days from the assessment start date to remediate - within the 90-day window from your CE basic certification date. Both windows run simultaneously, so there is very little margin for last-minute fixes.
// Transparent Pricing

HOW MUCH DOES CYBER ESSENTIALS PLUS COST?

All prices are fixed and include the IASME certification fee. No add-ons, no hidden charges.

Organisation SizeEmployeesPrice + VAT
Micro1–9 employees£1,399
Small10–49 employees£1,699
Medium50–249 employees£2,399
Large250+ employees£3,499

🛡️ FREE CYBER LIABILITY INSURANCE - UP TO £25,000

UK organisations with annual turnover under £20m automatically receive free cyber liability insurance up to £25,000 with their Cyber Essentials certificate - which is included within your CE Plus engagement. No extra cost, no separate application.

// FAQ

COMMON QUESTIONS

// Getting Started
Yes - Cyber Essentials Plus builds on top of Cyber Essentials. You must hold a valid Cyber Essentials self-assessment before the Plus technical audit can take place. Once your CE basic certification is confirmed, you have 90 days (3 months) from that certification date to complete and pass CE Plus. If CE Plus is not passed within 90 days, the Plus application closes and you will need to re-certify at CE basic level before restarting - incurring an additional certification cost. In practice, both can be completed as part of the same engagement with us to keep the process as efficient as possible.
Cyber Essentials is self-assessed - you complete a questionnaire that is reviewed by your Certification Body. Cyber Essentials Plus adds an independent technical audit where an approved assessor actively tests your systems to verify the controls are correctly implemented, not just documented. Plus provides a significantly higher level of assurance and is required for some government and enterprise contracts. Learn about standard CE →
CE Plus is typically required for MOD supply chain contracts involving sensitive or classified data, certain NHS and public sector frameworks, and enterprise clients requiring independent technical verification rather than self-assessment. If your contract tender specifies CE Plus or an independent technical audit, standard CE alone will not be sufficient. If you are unsure what your contract requires, our team can advise.
// The Audit
The scope is agreed upfront and typically aligns with IASME requirements - a representative sample of user devices, servers, and relevant systems, typically around 10% of in-scope devices with a minimum of one per operating system type in use. We will help define this clearly with you before the assessment begins.
Yes - remote and hybrid workers are included where they form part of your operational environment. Their devices are treated as in-scope and may be selected as part of the device sample.
Yes - we regularly assess Azure and Microsoft 365 environments as part of Cyber Essentials Plus. Cloud environments are assessed for configuration, access controls, and MFA enforcement across in-scope services. What falls in scope will depend on how your environment is structured, and we will confirm this with you before the audit.
Yes - both internal and external vulnerability scanning are included as part of the CE Plus assessment. Internal scanning covers a sample of in-scope devices; external scanning covers your internet-facing systems and services. Both are conducted remotely by our IASME-approved assessors.
The CE Plus audit is a hands-on technical assessment conducted remotely by our IASME-approved assessors. It includes: external vulnerability scanning of your internet-facing systems, internal vulnerability scanning of a sample of in-scope devices (typically around 10%), checks on email and web browser configuration, and active verification that controls such as patching, malware protection, and access control are correctly implemented - not just documented. The audit typically takes a few hours depending on the size and complexity of your environment.
The technical audit itself typically takes a few hours to a day depending on scope and environment size. Combined with the Cyber Essentials self-assessment that precedes it, the full CE Plus process usually takes one to three weeks. Bear in mind that once CE basic is certified, you have 90 days (3 months) to complete and pass CE Plus - so it is important not to let the process stall once you have started. If the 90-day window expires, you will need to re-certify at CE basic level before restarting. We work to your timeline and can accommodate urgent certification needs.
If the audit identifies controls that are not correctly implemented, you will receive specific, actionable feedback on what needs to change. You have 30 days from the date the CE Plus assessment started to remediate those issues and have the relevant checks revisited. This remediation window sits within the broader 90-day window from your CE basic certification date - so both constraints apply at the same time. If either window expires before you pass CE Plus, your Plus application closes and you will need to re-certify at CE basic level before restarting - which incurs an additional cost. Our team will support you through remediation as efficiently as possible to protect both windows.
Under the Danzell (v3.3) standard, if vulnerabilities are found in your initial device sample, you are given a remediation window to address them across your entire estate. The assessor will then retest the original sample and select a second, new random sample to verify that patches have been applied consistently. If unresolved vulnerabilities are present in the second sample, the CE Plus assessment fails automatically. Importantly, this also triggers revocation of your underlying Cyber Essentials basic certificate - meaning you would need to re-certify at CE basic level before restarting the CE Plus process, incurring additional cost and delay. This is why we work with you before the audit to ensure patching is consistent across your entire estate - not just the devices you expect to be sampled. Our preparation process is specifically designed to avoid this outcome.
Gap analysis - reviewing your controls against CE Plus requirements and identifying any issues before the formal audit begins - can be included in your assessment fee. Simply let us know when you get in touch and we will factor this into your quote. There is no obligation to take it up, but many clients find it useful if they are unsure whether their environment is fully ready for the technical audit.
// Certification & Beyond
Cyber Essentials Plus certificates are valid for 12 months from the date of certification. Annual renewal is required to maintain certified status, which is important for ongoing government contracts and supply chain requirements. We can help manage your renewal cycle to avoid any gaps in certification.
Yes - CE Plus establishes well-documented, independently verified security controls, which provides a strong foundation for an ISO 27001 implementation. ISO 27001 is considerably broader in scope, covering governance, risk management, and organisational policies as well as technical controls - but CE Plus ensures your core technical controls are verified and working before you tackle the full management system requirements.
// Microsoft 365 & Intune
Yes - Microsoft 365 and Intune-managed environments are among the most common we assess, including within larger and multi-site organisations. We are familiar with how these platforms map to Cyber Essentials Plus requirements.
Yes - we are happy to clarify requirements and explain what Cyber Essentials expects from your Microsoft 365 environment as part of the assessment process. Where additional advisory support is needed - for example, reviewing your existing Intune configuration against CE requirements - this can be discussed. We do not implement controls on your behalf, as this would conflict with our independence as your Certification Body.
// Remediation & Reassessment
The assessment includes re-testing of remediated areas within the 30-day remediation window. We take a proactive approach to preparation so that the need for re-testing is minimised - but where issues are identified, we will work with you to resolve and verify the fix within the assessment period.
If issues cannot be remediated within the 30-day window, or if the 90-day window from your CE basic certification date expires, a full reassessment would be required at an additional certification charge. We work with you in advance to minimise this risk, but it is important to be aware of both windows from the outset.
// Client Reviews

WHAT OUR CLIENTS SAY

★★★★★
"The CE Plus audit was thorough, professional and well-coordinated. Our assessor explained every step and we passed first time - great experience."

- IT DIRECTOR / Financial Services, London

★★★★★
"We needed CE Plus for a government contract. VCD managed both the basic and Plus assessments together - efficient, clear and no surprises on the day."

- OPERATIONS DIRECTOR / MOD Supply Chain

★★★★★
"Having the gap review before the technical audit gave us real confidence going in. We knew exactly what to expect and everything went smoothly."

- HEAD OF IT / Professional Services

Client names are withheld in line with confidentiality requirements; character references are available upon request.

READY FOR CYBER ESSENTIALS PLUS?

Get independently verified. Talk to our UK-based team today - no jargon, no hard sell.

// Blog & Guides

LATEST INSIGHTS

View All Articles →
// Get In Touch

GET CERTIFIED TODAY

Fill in the form and we'll be in touch shortly. No jargon, no hard sell.