What Cyber Essentials Plus actually requires
The certificate that keeps appearing in your contracts, explained in plain terms. What the five controls mean, how the audit differs from the self-assessment, and what usually fails.
Written by
Priya Nair
Head of Cybersecurity
Cyber Essentials Plus is increasingly written into tenders, panel agreements, and insurance policies, which means a lot of businesses are being asked to hold it before anyone has explained what it is. The good news is that it is not mysterious. It is a defined set of five technical controls, and the Plus tier simply means an independent assessor has verified them rather than taking your word for it.
Here is what each control actually asks of you, where the Plus audit goes beyond the basic self-assessment, and the handful of issues that trip most organisations up.
The five controls, in plain terms
Cyber Essentials is built on five control themes. None of them is exotic. All of them are things a well-run estate should already be doing, which is precisely why the certificate is a reasonable baseline for a client to insist on.
- Firewalls: every device that connects to the internet sits behind a properly configured boundary or software firewall, with default passwords changed and unnecessary rules removed.
- Secure configuration: devices and software are set up to reduce their attack surface. Unused accounts and services are disabled, and default settings are hardened rather than left as shipped.
- Security update management: everything is patched, and patches for high or critical vulnerabilities are applied within fourteen days. Unsupported software is removed.
- User access control: people have only the access they need. Administrative rights are restricted, controlled, and separate from everyday accounts.
- Malware protection: endpoints are protected by anti-malware that is kept current, or by application allow-listing where that is more appropriate.
Where Plus is different
The basic Cyber Essentials tier is a self-assessment questionnaire. You answer honestly, a senior person signs it off, and it is verified at a documentary level. Cyber Essentials Plus keeps all the same controls but adds a hands-on technical audit by an external assessor.
In practice that means the assessor takes a sample of your devices and tests them. They will confirm that patching really is current, that malware protection actually blocks a test file, that multi-factor authentication is genuinely enforced on your cloud services, and that a standard user cannot do things only an administrator should. It is the difference between saying you do these things and demonstrating that you do.
What usually fails
Most first-time failures are not sophisticated. They cluster around a few recurring problems, and every one of them is fixable before the assessor arrives.
- Patching gaps: a few laptops that live in a drawer or belong to remote staff have missed updates and push you outside the fourteen-day window.
- Standing administrator rights: everyday user accounts still have local admin, usually a hangover from an old way of working nobody revisited.
- Multi-factor authentication not fully enforced: it is switched on for some people or some services but not universally, and the exceptions are where risk lives.
- Unsupported software: an old operating system version or an application past its end of life is still in use somewhere on the estate.
How to approach it
Treat certification as the by-product of a tidy estate rather than a project in its own right. Start with a gap assessment against the five controls so you know exactly where you stand, remediate in priority order, and only then book the audit. Organisations that fix the fundamentals first tend to pass at the first attempt and, more importantly, are genuinely more secure afterwards rather than just certified.
If you would like Bebco to run that gap assessment and get you certified without pulling your people off their work, that is exactly the kind of engagement we handle regularly.
Keep reading
More from Bebco Insights
Let's pressure-test your IT
Book a free, no-obligation assessment. We'll review your infrastructure, flag the risks, and show you exactly where Bebco would make a difference.