Cyber Essentials Plus Requirements: A 2026 UK Guide

You’re usually not thinking about Cyber Essentials Plus until a client, insurer, or tender document forces the issue. A care provider in Hampshire gets asked for proof before a contract renewal. An accountancy firm in Dorset wants to bid for work with tighter supplier checks. A manufacturing business in Somerset realises its existing Cyber Essentials certificate isn’t enough because the buyer wants independent verification, not a self-declared questionnaire.

That’s where most SMEs hit the same problem. They don’t just need a certificate. They need to understand the actual Cyber Essentials Plus requirements well enough to pass a technical audit without dragging the project on for months, replacing half their systems, or failing on something avoidable.

For small businesses across Dorset, Somerset, Wiltshire, and Hampshire, the challenge is rarely intent. It’s usually capacity. The director is juggling operations. The office manager owns supplier paperwork. The internal IT person is also supporting users, printers, Microsoft 365, backups, and phones. Cyber Essentials Plus adds structure and assurance, but it also exposes weak spots that day-to-day firefighting tends to hide.

What Is Cyber Essentials Plus and Why Do You Need It

A lot of businesses first encounter Cyber Essentials Plus because somebody external asks for it. That’s often the trigger, but its importance goes deeper than that. Its primary benefit is that it tests whether your security basics are functioning on live systems, not just written down in a policy.


Cyber Essentials Plus is the independently verified version of Cyber Essentials. You first pass the basic assessment, then an assessor tests your environment against the scheme’s controls. In practice, that means your business has to demonstrate that devices, accounts, internet-facing systems, and security settings are operationally compliant, not just documented as such.

The scheme’s importance is clear from adoption. In 2025, the UK Cyber Essentials scheme awarded 13,707 Cyber Essentials Plus certificates out of 55,995 total certificates, according to the UK government Cyber Essentials management information.

Why SMEs get pushed towards Plus

For smaller firms in the South West, the pressure usually comes from one of four places:

  • Client due diligence. A larger customer wants independent assurance before sharing data or awarding work.
  • Tender requirements. Public sector and regulated supply chains often ask for more than the self-assessed level.
  • Insurance conversations. Insurers want evidence that the basics are in place and maintained.
  • Operational reality. Directors know passwords, patching, and remote access have grown messy over time.

Practical rule: If you handle sensitive client data, give users remote access, or rely on cloud platforms for daily operations, Plus is often the standard that proves your controls exist beyond paperwork.

A basic certificate says, “we say we meet the standard.” Plus says, “an assessor checked.”

That difference matters when a client asks awkward questions after a phishing scare, or when your team is spread across offices, homes, and mobile devices. A small accountancy practice with laptops, Microsoft 365, and a line-of-business tax application may look simple on paper. Under audit, it still needs secure configuration, controlled access, malware protection, current patching, and properly managed boundary security.

How Cyber Essentials Plus Differs From The Basic Scheme

A Dorset firm can complete the basic Cyber Essentials questionnaire on Friday and feel confident. On audit day, the assessor finds two laptops missing recent patches, an old admin account still active in Microsoft 365, and a remote access setting that was never tightened after a supplier visit. That is the gap between Basic and Plus.

Cyber Essentials Basic relies on self-assessment. Cyber Essentials Plus starts with that same baseline, then adds independent technical verification. You still need the paperwork right, but paperwork alone does not get you through Plus.

Self-assessment versus technical audit

With the basic scheme, your organisation declares that the required controls are in place. With Plus, you pass the self-assessment first, then complete the audit within three months. The assessor tests a sample of systems and checks whether your live setup matches what you stated.

For small and mid-sized businesses across Somerset, Wiltshire, Hampshire, and Dorset, that difference matters because real environments drift. Staff work from home, old laptops stay in circulation, cloud apps get added without much review, and exceptions made during a busy month become permanent. Plus exposes that drift quickly.

The audit is practical. Assessors check devices, user accounts, patch status, malware protection, and internet-facing exposure. If your answers say MFA is enforced, they will expect to see it enforced. If you say only supported software is used, one forgotten Windows build can become a problem.

If you want a broader view of how external exposure gets examined in security testing, this guide to External Network Penetration Testing is useful background, especially for understanding what internet-facing weaknesses tend to get discovered first.

Cyber Essentials vs Cyber Essentials Plus at a Glance 2026

| Attribute | Cyber Essentials (Basic) | Cyber Essentials Plus |
|---|---|---|
| Verification method | Self-assessment questionnaire | Independent technical audit |
| Entry requirement | Standalone certification route | Requires the basic certification first |
| Level of assurance | Lower, based on declared compliance | Higher, based on tested compliance |
| Device testing | No hands-on testing | Assessor-led sampling and verification |
| External validation | Limited | Includes assessor-led verification |
| Typical fit | Baseline assurance, lower-risk environments, early-stage compliance | Sensitive data handling, client assurance, public sector and supply chain requirements |
| Audit intensity | Administrative and policy-led | Technical, evidence-led, based on what is actually configured |

A common mistake is treating Plus as the same certificate with a bigger invoice. It is closer to an operational check of whether the business can prove day-to-day security discipline. That is why smaller firms often struggle more with tidying the environment than with answering the questionnaire.

In the South West, resource constraints shape the problem. Many SMEs have one internal IT lead, or a local MSP covering everything from printer issues to Microsoft 365. That setup can still pass Plus, but only if scope is clear and remediation starts before the audit is booked. Leaving patching gaps, local admin sprawl, or unmanaged devices until the last week usually ends in delays.

What helps:

  • Clear scope from the start. List the users, laptops, mobiles, servers, firewalls, and cloud services that are in scope.
  • Cleanup before audit booking. Remove stale devices, disable old accounts, update unsupported software, and fix obvious firewall or remote access issues.
  • Evidence, not assumptions. Check settings in the admin console and on the device itself.

What causes trouble:

  • Treating hybrid work as out of scope. Home users and roaming laptops still count if they access company data and services.
  • Relying on verbal confirmation. “We turned that on months ago” is not enough.
  • Underestimating inherited IT. Businesses that have grown by acquisition, office moves, or ad hoc supplier changes often carry hidden exceptions.

A useful plain-English comparison of the two certification levels is this Cyber Essentials vs Cyber Essentials Plus overview. It helps if you are deciding whether client pressure, tender requirements, or insurance scrutiny justify the extra audit work now rather than later.

The Five Core Technical Controls Explained

A Cyber Essentials Plus assessor is not looking for a polished policy pack. They are checking whether the systems your staff use every day are set up safely enough to block common attacks. For SMEs across Dorset, Somerset, Wiltshire, and Hampshire, that usually comes down to five controls that sound simple on paper and get messy fast in real environments with hybrid users, inherited kit, and limited IT time.


Boundary firewalls and internet gateways

This control covers every point where your business connects to the internet. That includes the main office firewall, any backup broadband router, remote access appliance, cloud firewall, and internet-facing admin portal.

Assessors regularly find problems on the equipment nobody has reviewed in years. A second line added during an office move. A guest Wi-Fi router installed by the broadband provider. A NAS box with remote access left enabled because a supplier needed it once. In smaller firms, those exceptions are common because IT changes happen to keep the business running, not to build a tidy audit trail.

The practical test is straightforward. Only necessary services should be exposed, default credentials should be gone, and management access should be restricted.

A Wiltshire business might have a well-configured primary firewall and still fail this area because a separate guest network router allows weak admin access from the internet. The assessor will not ignore it just because it sits in a corner of the office.

Check these first:

  • Internet-facing services that no longer have a clear business use
  • Firewall and router admin access that is open broadly instead of limited to named admins or trusted IPs
  • Secondary connections and supplier-installed devices that were never brought into normal IT management
  • Remote access methods such as exposed RDP or old VPN appliances that should have been retired
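One way to work through that list systematically is to review the gateway's rule export rather than eyeballing the admin console. The script below is an added example written for this article, not code from the Cyber Essentials scheme, IASME or SES Computers. The rule export is constructed inline, and its column names, the service lists and the 365-day review age are assumptions to map onto whatever your firewall, router or NAS actually exports. It flags the three things the text calls out: services exposed to any source with no clear business use, management access that is not restricted to named addresses, and rules nobody has reviewed in a long time.

```python
"""Review of an exported boundary firewall/gateway rule table.

Added example for this article; it is not code from the Cyber Essentials
scheme, IASME or SES Computers. The rule export is constructed inline and its
column names, the service lists and the 365-day review age are assumptions:
map them to whatever your firewall, router or NAS actually exports.
"""
import csv
import io
from datetime import date

# Assumption: services that should never be reachable from any source on the internet.
NEVER_EXPOSE = {"RDP", "SMB", "Telnet", "NAS web"}
# Assumption: management interfaces that must be limited to named admin addresses.
MANAGEMENT = {"Firewall admin", "Router admin", "NAS admin"}
REVIEW_MAX_DAYS = 365        # assumption: a rule unreviewed for a year needs re-justifying

# Constructed sample export: one rule per row. 203.0.113.0/24 is a documentation range.
RULES_CSV = """rule,action,source,dst_port,service,justification,last_reviewed
allow-web-rdp,allow,any,3389,RDP,,2026-01-15
allow-vpn,allow,any,443,SSL VPN,Staff remote access,2026-01-15
mgmt-any,allow,any,8443,Firewall admin,,2026-01-15
mgmt-office,allow,203.0.113.10,8443,Firewall admin,Admin from MSP static IP,2026-02-01
nas-remote,allow,any,5000,NAS web,Supplier access,2023-05-01
block-all,deny,any,any,any,Default deny,2026-02-01
"""


def check_rule(row, today):
    """Return the list of findings for one rule; an empty list means it passes."""
    findings = []
    if row["action"] != "allow":
        return findings                      # deny rules are not exposure
    open_to_all = row["source"].strip().lower() == "any"
    if open_to_all and row["service"] in NEVER_EXPOSE:
        findings.append(f"{row['service']} exposed to the internet on port {row['dst_port']}")
    if open_to_all and row["service"] in MANAGEMENT:
        findings.append("management access open to any source")
    if not row["justification"].strip():
        findings.append("no recorded business need")
    reviewed = row["last_reviewed"].strip()
    if not reviewed or (today - date.fromisoformat(reviewed)).days > REVIEW_MAX_DAYS:
        findings.append(f"not reviewed since {reviewed or 'unknown'}")
    return findings


def review_rules(csv_text=RULES_CSV, today=date(2026, 3, 20)):
    """Map every rule name to its findings."""
    return {row["rule"]: check_rule(row, today)
            for row in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for rule, findings in review_rules().items():
        print(f"{rule:14} {'PASS' if not findings else '; '.join(findings)}")
```

Run it against a fresh export each time the gateway changes; a rule that passed last quarter can still fail today if its review date has lapsed or the service behind it has been retired.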

Secure configuration

Secure configuration means systems start from a sensible baseline and stay there. Devices should not run unnecessary software, keep default settings, or give users more control than they need.

This is one of the biggest friction points for South West SMEs because convenience often wins over consistency. A laptop gets built quickly for a new starter. A director keeps local admin rights to install specialist software. Browser settings vary from machine to machine because nobody had time to standardise them. None of that feels dramatic day to day. It creates avoidable findings in a Plus audit.

Assessors will look for settings that reduce routine risk. Unused accounts should be removed or disabled. Auto-run features and risky defaults should be controlled. Devices should lock when left unattended. Local admin should be limited. Supported operating systems and supported applications matter here too, because secure configuration is hard to defend if the software itself is out of date or no longer supported.

Good secure configuration is usually boring. That is the point.

Access control

Access control is about keeping users inside the boundaries of their role and keeping admin privileges tightly contained. In practice, this is the area that most often slows down first-time audits.

The common problems are familiar. Leavers still appear in Microsoft 365. Shared accounts exist for convenience. Admin rights sit on everyday user accounts. Privileged access is granted permanently because nobody wants to break a workflow. Small businesses often know these issues exist, but they have accepted them as operational shortcuts.

Those shortcuts create audit trouble and real risk. If a Hampshire accountancy firm lets a senior user browse email and the web with admin rights, one compromised login gives an attacker a much easier route into other systems.

Use separate admin accounts where admin access is necessary. Remove access promptly when staff leave or change role. Review who still needs access to finance systems, cloud admin portals, and line-of-business apps. Turn on MFA wherever the platform supports it. If you need a plain-English refresher before tightening sign-in controls, this guide to multi-factor authentication explains the basics clearly.

Malware protection

Malware protection needs to be active, current, and managed. The badge on the software matters less than the result.

For one SME, that may be Microsoft Defender managed properly through Intune or another central platform. For another, it may be a third-party endpoint tool with web filtering, tamper protection, and central alerting. The trade-off is usually cost versus visibility. Free or bundled tools can be enough if they are configured properly and someone is checking them. Expensive tools still fail audits when devices fall out of management or users can switch protection off.

Assessors want to see that common malicious code is blocked and that protective controls are enabled on the sampled devices. They will not accept "we installed antivirus last year" as evidence if signatures are stale, alerts are ignored, or email filtering is weak. Since phishing and malicious attachments are still a common route in, these email security best practices are worth applying alongside endpoint protection.

Patch management

Patch management causes more last-minute audit delays than almost any other control. The requirement itself is long-established in the Cyber Essentials scheme, and the safest reference point is the official NCSC Cyber Essentials requirements for vulnerability fixes and patching. In plain terms, if a high-risk or critical issue is in scope, you need a process that gets it fixed quickly enough to meet the scheme rules, and external scanning needs to come back clean enough for certification.

For SMEs, the problem is rarely Windows Update alone. The misses tend to be third-party applications, browser components, firmware, remote support tools, and devices that have not checked in for weeks because someone is working from home or on the road.

A Dorset care provider can keep core operating system patches current and still hit trouble because a remote access tool on three laptops is behind, or an old firewall firmware version has a known issue. Nobody notices until the scan or device sample brings it to the surface.

A workable patching process usually includes:

  • Automatic operating system updates on endpoints and servers where the business can support them
  • Third-party software patching for browsers, PDF tools, conferencing apps, and remote support utilities
  • Regular checks on network equipment firmware including firewalls, switches, and wireless kit
  • A routine vulnerability review so findings are fixed before the audit date is booked
  • Exception handling for systems that cannot be patched quickly, with a clear plan to replace, isolate, or remove them from scope where appropriate

If patching relies on someone remembering to log in and check a few machines on a Friday afternoon, it is not under control.
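The review step in that list is easier to keep honest if it is scripted against the exports your patch tool or scanner already produces. The block below is an added example written for this article, not code from the scheme, NCSC, IASME or SES Computers. The findings and device check-in exports are constructed inline, and their column names are assumptions. The 7.0 CVSS threshold is the figure the article cites; the 14-day window is the scheme's published fix window for high and critical issues, kept as a parameter so you can change it if your assessor's guidance differs. The script classifies each finding as fixed in time, fixed late, due, overdue or an exception that needs a documented plan, and separately flags devices that have stopped reporting, since a silent laptop cannot be shown compliant whatever its last report said.

```python
"""Pre-audit vulnerability and patch review over an exported findings list.

Added example for this article; it is not code from the Cyber Essentials
scheme, NCSC, IASME or SES Computers. The CSV layout and field names are
assumptions standing in for whatever your patch tool or scanner exports.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

CVSS_THRESHOLD = 7.0   # the article's "CVSSv3 score of 7.0 or higher"
WINDOW_DAYS = 14       # scheme fix window for high/critical; change if your assessor says so
STALE_DAYS = 14        # assumption: a device silent this long is treated as not reporting

# Constructed sample export: one row per finding, as a patch/scan tool might produce.
FINDINGS_CSV = """device,software,cvss,fix_released,fixed_on,exception
LAPTOP-01,Browser,8.1,2026-03-01,2026-03-06,
LAPTOP-02,Browser,8.1,2026-03-01,,
LAPTOP-03,PDF tool,5.3,2026-02-20,,
FW-EDGE,Firewall firmware,9.8,2026-02-10,,"Replacement ordered, isolated to management VLAN"
SRV-FILE,Remote support tool,7.5,2026-03-10,,
"""

# Constructed device check-in export (last time the endpoint reported to management).
DEVICES_CSV = """device,last_checkin
LAPTOP-01,2026-03-18
LAPTOP-02,2026-02-14
LAPTOP-03,2026-03-19
FW-EDGE,2026-03-19
SRV-FILE,2026-03-19
"""


@dataclass
class Result:
    device: str
    software: str
    status: str
    detail: str


def _parse(d):
    return date.fromisoformat(d) if d else None


def classify_finding(row, today):
    """Return (status, detail) for one finding row against the fix window."""
    cvss = float(row["cvss"])
    released = _parse(row["fix_released"])
    fixed = _parse(row["fixed_on"])
    deadline = released + timedelta(days=WINDOW_DAYS)
    if cvss < CVSS_THRESHOLD:
        return "below-threshold", f"CVSS {cvss} < {CVSS_THRESHOLD}; fix in the normal cycle"
    if fixed is not None:
        late = (fixed - deadline).days
        if late <= 0:
            return "fixed-in-window", f"fixed {fixed}, deadline {deadline}"
        return "fixed-late", f"fixed {late} day(s) after deadline {deadline}"
    if row["exception"].strip():
        # An exception is only defensible with a plan: replace, isolate or take out of scope.
        return "exception", f"needs documented plan: {row['exception'].strip()}"
    if today > deadline:
        return "overdue", f"{(today - deadline).days} day(s) past deadline {deadline}"
    return "due", f"{(deadline - today).days} day(s) left until {deadline}"


def review(findings_csv=FINDINGS_CSV, devices_csv=DEVICES_CSV, today=date(2026, 3, 20)):
    """Classify every finding and flag devices that have stopped reporting."""
    results = []
    for row in csv.DictReader(io.StringIO(findings_csv)):
        status, detail = classify_finding(row, today)
        results.append(Result(row["device"], row["software"], status, detail))
    for row in csv.DictReader(io.StringIO(devices_csv)):
        seen = _parse(row["last_checkin"])
        if (today - seen).days > STALE_DAYS:
            results.append(Result(row["device"], "-", "not-reporting",
                                  f"last check-in {seen}, {(today - seen).days} days ago"))
    return results


def status_of(results, device, software):
    """Status string for one (device, software) entry, or None if absent."""
    for r in results:
        if r.device == device and r.software == software:
            return r.status
    return None


def blocking_items(results):
    """The subset an assessor would treat as a failure unless resolved before audit."""
    return [r for r in results if r.status in {"overdue", "not-reporting", "exception"}]


if __name__ == "__main__":
    for r in review():
        print(f"{r.status:16} {r.device:10} {r.software:22} {r.detail}")
```

The useful output is `blocking_items`: anything overdue, not reporting, or sitting on an exception without a plan should be cleared before the audit date is booked, which is the ordering the remediation section later recommends.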

Your Step By Step Cyber Essentials Plus Preparation Checklist

A lot of South West SMEs leave CE+ too late. The pattern is familiar. A Dorset manufacturer wins a contract, a Hampshire firm needs certification for a tender, or a Somerset professional services team is told a client expects proof, then everyone starts hunting for missing device records and overdue fixes under time pressure. CE+ goes better when it is handled as a planned short project with a clear scope, a realistic remediation list, and an audit date booked only after the environment has settled.


The practical constraint is timing. As noted earlier, there is a limited window between passing the basic assessment and completing the Plus audit, so remediation cannot drift. Assessors also test a sample of devices rather than relying on paperwork alone, which is why tidy policies and weak device hygiene do not mix.

1. Define the scope properly

Start with what is in and what is out. If that is vague, everything after it gets harder.

For a small business, a whole-organisation scope is often simpler to explain but harder to clean up. A sub-set scope can reduce effort, but only if boundaries are real and defensible. In practice, SMEs in Wiltshire, Dorset, Somerset, and Hampshire often get caught out: staff work from home, directors use personal mobiles for email, a supplier has remote access to one server, and nobody has written down which cloud services support the users in scope.

Write down:

  • Which users are in scope
  • Which devices are in scope
  • Which servers and cloud services support them
  • Which internet connections and gateways are involved

If you cannot explain the scope clearly in one page, it usually is not ready.

2. Pass the basic Cyber Essentials assessment accurately

CE+ starts with the self-assessment. The answers need to reflect what is true on the ground, not what the business intends to finish next week.

This is a common pressure point for smaller firms with limited internal IT capacity. Someone knows MFA is only on Microsoft 365 admin accounts, not all user accounts. Someone else assumes every laptop is patching because most of them are. Those gaps matter. If the self-assessment overstates the controls, the Plus audit becomes a lot more painful.

3. Run a gap analysis against the five controls

Do a proper internal review before you book the assessor. It does not need polished reporting. It needs to find the things that will fail under inspection.

Check local admin rights, unsupported software, stale firewall rules, devices that have not checked in, weak password settings where the scheme still permits passwords, and cloud accounts with incomplete MFA coverage. For a practical starting point, this cyber security audit checklist helps organise the review without missing the obvious operational basics.

4. Remediate in the right order

Order matters. Fixing low-value housekeeping items first can waste a week you do not have.

A sensible sequence is:

  1. Unsupported systems. Remove, replace, isolate, or take them out of scope if that is legitimate.
  2. Known vulnerabilities likely to trigger failure. Patch operating systems, third-party apps, and network equipment.
  3. Access control issues. Reduce admin rights and finish MFA deployment.
  4. Configuration weaknesses. Remove unneeded services, old software, and risky remote access settings.
  5. Evidence gaps. Make sure reports, screenshots, and system records match the current state.

There is a trade-off here. Some businesses can clear this internally if the estate is small and well managed. Others spend more by trying to do it ad hoc. A managed service can be cheaper than repeated failed preparation, especially where one person is covering IT support, suppliers, and security at the same time. SES Computers provides patching, vulnerability review, and 24/7 cyber-security monitoring for SMEs in the South West, which can help keep systems aligned before the audit is booked.

5. Gather evidence before the assessor asks

Good preparation reduces audit-day friction. Poor preparation turns routine checks into a long chase for screenshots and exports.

Prepare:

  • An accurate asset list
  • User and admin account details
  • Patch and vulnerability reports
  • Firewall and gateway configuration summaries
  • Proof of malware protection and policy settings

Keep the evidence current. A six-week-old device list is not much use if laptops have been replaced or rebuilt since then.

6. Test the environment the way an assessor will

Pick a sample of endpoints and check them properly. Confirm updates are current, MFA is enforced where expected, internet-facing services are limited to what the business needs, and old devices are no longer connecting.

This matters more than many first-time applicants expect.

A clean set of written policies will not rescue a laptop with missing updates, old software, or the wrong local admin settings. CE+ is decided by what can be verified on live systems.

7. Schedule the audit when the environment is stable

Do not book the assessment in the middle of a firewall replacement, Microsoft 365 tenancy tidy-up, office move, or remote access change. Let the environment settle first, then confirm that device management, patching, and account controls are behaving consistently.

For SMEs, especially those spread across small offices and home workers in the South West, the difference between a straightforward pass and a costly retest is usually preparation discipline, not technical complexity.
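Steps 3 and 6 above both come down to the same exercise: take the central exports, pick a sample, and check each device and account against the controls the way an assessor would. The block below is an added example written for this article, not code from the Cyber Essentials scheme, IASME or SES Computers; it also serves the access control and malware protection sections earlier on. The device and account exports are constructed inline, and their column names, the `adm-` prefix for separate admin accounts, the supported OS list and the thresholds are all assumptions to map onto your own Intune, Defender and Microsoft 365 exports and your written policy. Each device or account comes back with a list of findings keyed to the control it fails, so an empty list is a pass.

```python
"""Assessor-style sweep over sampled device and account exports.

Added example for this article, not code from the Cyber Essentials scheme,
IASME or SES Computers. Exports are constructed inline; column names, the
'adm-' admin-account prefix, the supported OS list and the thresholds are
assumptions to adapt to your own management platform and policy.
"""
import csv
import io

SUPPORTED_OS = {"Windows 11 24H2"}   # assumption: builds your policy lists as supported
SIG_MAX_AGE_DAYS = 1                  # assumption: definitions older than this are stale
LOCK_MAX_MINUTES = 15                 # assumption: longest screen-lock timeout allowed
ADMIN_PREFIX = "adm-"                 # assumption: naming convention for admin accounts

# Constructed device export (local_admins is ';'-separated).
DEVICES_CSV = """device,os,av_enabled,av_sig_age_days,tamper_protection,screen_lock_minutes,rdp_enabled,local_admins
LAPTOP-01,Windows 11 24H2,true,0,true,10,false,adm-jsmith
LAPTOP-02,Windows 10 22H2,true,0,true,10,false,adm-jsmith
LAPTOP-03,Windows 11 24H2,false,9,false,0,false,adm-jsmith;pbrown
RECEPTION-PC,Windows 11 24H2,true,0,true,30,true,adm-jsmith;reception
"""

# Constructed account export from the identity platform (example.com is a placeholder domain).
USERS_CSV = """upn,enabled,mfa_enforced,is_admin,left_on
jsmith@example.com,true,true,false,
adm-jsmith@example.com,true,true,true,
pbrown@example.com,true,false,false,
reception@example.com,true,false,false,
tjones@example.com,true,true,false,2026-02-28
"""


def _flag(s):
    return s.strip().lower() == "true"


def check_device(row):
    """Findings for one sampled device, grouped by the control each one fails."""
    findings = []
    if row["os"] not in SUPPORTED_OS:
        findings.append(f"patching: unsupported OS {row['os']}")
    if not _flag(row["av_enabled"]):
        findings.append("malware: protection disabled")
    if int(row["av_sig_age_days"]) > SIG_MAX_AGE_DAYS:
        findings.append(f"malware: definitions {row['av_sig_age_days']} days old")
    if not _flag(row["tamper_protection"]):
        findings.append("malware: tamper protection off")
    lock = int(row["screen_lock_minutes"])
    if lock == 0 or lock > LOCK_MAX_MINUTES:
        findings.append(f"config: screen lock is {lock} min (policy: 1-{LOCK_MAX_MINUTES})")
    if _flag(row["rdp_enabled"]):
        findings.append("config: RDP enabled on an endpoint")
    for member in filter(None, row["local_admins"].split(";")):
        if not member.startswith(ADMIN_PREFIX):
            findings.append(f"access: daily account {member} holds local admin")
    return findings


def check_user(row):
    """Findings for one account: leavers, MFA coverage, admin rights on daily accounts."""
    findings = []
    enabled = _flag(row["enabled"])
    if enabled and row["left_on"].strip():
        findings.append(f"access: leaver (left {row['left_on']}) still enabled")
    if enabled and not _flag(row["mfa_enforced"]):
        findings.append("access: MFA not enforced")
    if _flag(row["is_admin"]) and not row["upn"].startswith(ADMIN_PREFIX):
        findings.append("access: admin role on a daily-use account")
    return findings


def sweep(devices_csv=DEVICES_CSV, users_csv=USERS_CSV):
    """Map every device name and account UPN to its findings (empty list = pass)."""
    report = {}
    for row in csv.DictReader(io.StringIO(devices_csv)):
        report[row["device"]] = check_device(row)
    for row in csv.DictReader(io.StringIO(users_csv)):
        report[row["upn"]] = check_user(row)
    return report


def failing(report):
    """Names of devices and accounts with at least one finding."""
    return [name for name, findings in report.items() if findings]


if __name__ == "__main__":
    for name, findings in sweep().items():
        print(f"{name:24} {'PASS' if not findings else '; '.join(findings)}")
```

The point of keying each finding to a control is that the output doubles as the remediation list for step 4: unsupported systems and known vulnerabilities first, then access, then configuration.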

Common Fail Points and How To Remediate Them

The most expensive Cyber Essentials Plus failures are rarely dramatic. They’re usually ordinary operational problems that nobody had pinned down before the audit. A few old laptops. A cloud app without MFA. A firewall rule left over from a supplier. A user device that missed updates because it had been out of the office too long.


Recent changes have made this harsher. Following the 2025 CE+ updates, which expanded vulnerability scanning to include configuration issues, an estimated 35% more SMEs failed their initial audits due to scoping mismatches and inadequate remediation of vulnerabilities with a CVSSv3 score of 7.0 or higher, according to Predatech’s 2025 CE+ guide.

Scoping mistakes

This is the big one. Businesses often think they’re certifying “the office network” when the full environment includes home users, cloud identities, remote management tools, laptops that travel, and services accessed from personal devices.

A classic example is a small accountancy practice that intends to scope only office machines, but staff also log into email and document systems from personal mobiles. If those access paths affect in-scope services, the scoping assumptions can fall apart quickly.

Remediation tip: Write the scope in plain English first. Then test it against how staff work, not how management thinks they work.

Missed patching on a few devices

Most SMEs don’t fail because every system is unpatched. They fail because a handful are. One laptop missed updates while a staff member was on leave. One server had a maintenance exception that never got revisited. One application needed manual updating and nobody owned it.

That’s enough.

Remediation tip: Use central patch reporting and review exceptions weekly. If a device hasn’t checked in, treat that as a risk, not a minor admin issue.

Unsupported software and forgotten applications

Old versions of browsers, VPN clients, remote support tools, Java components, and accounting add-ons are frequent problems. They often remain because the business software still works, or because nobody is sure whether they’re still needed.

Assessors won’t care that an old utility is “rarely used”. If it’s in scope and vulnerable, it matters.

Remediation tip: Remove software you don’t need before you try to patch what you do need. Less software means fewer audit surprises.

Weak access control

Shared admin credentials, too many privileged users, and poor joiner-leaver processes create immediate credibility problems in a CE+ audit. The issue isn’t just security theory. It’s operational discipline.

A small care organisation might have one generic admin account because several staff need occasional privileged access. That feels practical until you need to prove accountability and least privilege.

Remediation tip: Reduce admin rights to named individuals, keep admin use separate from daily email and browsing, and review permissions before certification rather than after a failure.

Inconsistent malware protection

Some firms assume they’re covered because Windows Defender is present, or because they bought endpoint protection years ago. The audit question is narrower and tougher. Is protection enabled, current, managed, and active on in-scope devices?

If even a few devices are out of line, you’ve got a problem.

Remediation tip: Check policy enforcement from a central console and confirm devices are reporting properly. Don’t rely on local tray icons or user assurances.

Cloud services that slipped under the radar

This is common in professional services. Someone signs up for a file transfer tool, client portal, note-taking app, or practice management add-on outside the main IT process. It becomes part of daily work but never gets reviewed for MFA, access control, or ownership.

The cloud service that causes trouble is often the one finance approved quietly on a company card.

Remediation tip: Ask department heads what tools they use, then compare that list with your approved systems. Hidden subscriptions often reveal hidden compliance gaps.

Understanding The Audit Timeline, Costs and ROI

A Dorset or Hampshire SME usually hits the same point in preparation. The technical fixes are mostly clear, but the key questions are commercial. How long will certification disrupt the business, what will the audit cost, and will it pay back quickly enough to justify the effort?

For most small firms, the schedule is tighter than expected. You must hold the basic Cyber Essentials certificate before the Plus assessment goes ahead, and the audited controls need to match what you declared. That is why the sensible approach is to fix gaps first, submit with confidence, and keep the environment stable until the assessor tests it.

What the audit usually involves

The onsite or remote technical testing is only one part of the job. The longer part is getting a small, busy business into an auditable state.

In practice, the work usually runs like this:

  • Define the scope properly
  • Complete the basic Cyber Essentials submission
  • Fix patching, access, configuration, and endpoint gaps
  • Check sample devices and user accounts
  • Gather evidence and brief staff
  • Complete the technical audit and deal with any follow-up

South West SMEs often feel this most where IT has grown in stages rather than by design. One office in Somerset may have a clean Microsoft 365 setup, while a second site in Wiltshire still depends on an older line-of-business system, shared devices, or a broadband router nobody has reviewed in years. That kind of mixed estate does not always fail the audit, but it does slow preparation and increase the chance of last-minute surprises.

A straightforward environment can be ready quickly. A hybrid estate with roaming laptops, remote users, hosted desktops, and specialist software usually needs more coordination.

What CE Plus costs

Cyber Essentials Plus costs are usually made up of two parts. The certification fee itself, and the internal or outsourced effort needed to get the environment ready.

IASME-accredited assessors set their own pricing, so quotes vary by user count, number of sites, and technical complexity. As a guide, many providers price smaller, straightforward audits from the low thousands, with higher costs for larger user counts, multiple locations, or estates that need extra testing and remediation support. For example, IASME certification body pricing pages such as Blue Cube Security's Cyber Essentials Plus pricing show how fees typically rise with organisation size and network complexity.

For SMEs in Dorset, Somerset, Wiltshire, and Hampshire, the audit fee is rarely the part that causes difficulty. The hidden cost is staff time. Someone has to confirm device lists, remove old accounts, chase patching exceptions, check MFA coverage, and make sure systems stay compliant between submission and assessment. If that work lands on an already stretched office manager or internal IT lead, the project drags.

Where the return comes from

The return is usually practical rather than theoretical.

Many small businesses pursue CE Plus because customers, public sector frameworks, insurers, or larger supply-chain partners expect independent verification rather than a self-assessed position. That is common across care, accountancy, legal services, engineering, and education in the South West. A valid certificate can shorten supplier questionnaires, reduce back-and-forth during procurement, and help directors answer security due diligence questions with evidence.

There is also an operational payoff. Businesses that prepare properly for CE Plus usually come out with tighter admin control, fewer unsupported devices, cleaner endpoint management, and a clearer view of what is in scope. That reduces avoidable risk whether or not a client ever asks for the certificate.

The strongest ROI usually comes from getting it right first time. A failed attempt costs more in retesting, remediation time, and business distraction than a well-scoped preparation project ever does.

Your Local Partner for CE Plus in Dorset and Hampshire

For South West SMEs, Cyber Essentials Plus is usually achievable. The difficulty is turning a busy, imperfect IT estate into something an assessor can verify cleanly, within the time window, and without derailing day-to-day work.

That’s why local support matters. A provider working with businesses across Dorset, Somerset, Wiltshire, and Hampshire already understands the kinds of environments that tend to cause friction. Small office networks with a mix of laptops and hosted desktops. Hybrid Microsoft 365 estates. Remote users relying on cloud file access. VoIP, leased lines, and line-of-business applications that nobody wants disturbed during audit prep.

The right support partner should do four things well:

  • Clarify scope early so you’re not preparing the wrong estate
  • Run a gap analysis against the Cyber Essentials Plus requirements
  • Handle remediation methodically across patching, access, malware protection, configuration, and gateways
  • Support ongoing compliance so the certificate doesn’t become a one-off scramble every year

For many SMEs, the practical benefit is less about “outsourcing security” and more about having someone keep the project moving. Someone has to chase stale devices, check vulnerability output, review cloud services, tighten admin rights, and make sure evidence is ready before the auditor arrives.

Local businesses also tend to need direct communication, not generic platform alerts. If a care provider in Hampshire has to understand whether a shared workstation model creates audit issues, or an accountancy firm in Dorset needs to know whether a remote access setup changes scope, they need clear answers tied to their environment.

A good CE+ preparation process should leave you with more than a pass. It should leave you with a cleaner, more supportable IT estate and fewer recurring security headaches.


If your business in Dorset, Somerset, Wiltshire, or Hampshire needs help preparing for Cyber Essentials Plus, speak to SES Computers. They can help you scope the assessment properly, identify gaps, remediate technical issues, and get your environment ready for audit without turning the process into a disruption for your staff.