Cyber Essentials Plus 2025
Cyber Essentials Plus builds on the Cyber Essentials Verified Self-Assessment with a hands-on audit of your IT systems. To apply for Plus, your organisation must hold a Cyber Essentials Verified Self-Assessment dated within the last 3 months. (Bundle options are available that include the Self-Assessment.)
The Plus assessment is carried out by one of our trained assessors to verify that the controls declared in Cyber Essentials are actually implemented across your environment. On successful completion, you can publicly demonstrate that your organisation meets the baseline security standards set by the scheme.
What the Plus audit includes:
- A sampled review of company devices to confirm they’re configured in line with the scheme requirements.
- Vulnerability scanning of those devices to verify patching and baseline configuration.
- An external port scan of your internet-facing IPs to identify any obvious misconfigurations or vulnerabilities.
- Tests against your default email client and web browser to assess how well they block execution of simulated malicious files.
- Collection of screenshot evidence to demonstrate compliance.
If issues are identified, you’ll have 30 days to remediate under this package. Remediation not completed within this window will result in a fail.
Upon passing, you’ll receive a certificate valid for 12 months from the pass date. You may also opt to be listed as Cyber Essentials certified and promote your organisation’s compliance with the scheme.