What Exactly is Involved in Cyber Essentials Plus Audit?

What is Cyber Essentials Plus?

We often hear clients say, “we are not sure if we are ready for Cyber Essentials Plus (CE Plus)”. In most cases, it turns out that the client doesn’t know exactly what is involved in a Cyber Essentials Plus audit. What is Cyber Essentials Plus? What is involved in the audit?

CE Plus is the advanced variation of the Cyber Essentials certification. In this certification process, an assessor from the IASME Cyber Certification Body conducts an on-site (now remote due to the pandemic) audit of your systems. What does the audit involve?

First things first. Cyber Essentials Plus requires the company to pass Cyber Essentials first, and then apply for the Plus so that the audit can take place. The audit involves verifying the details on the self-assessment questionnaire. Here is the Cyber Essentials Plus audit process:

  • Internal vulnerability assessment
  • External vulnerability assessment
  • User Access Controls test
  • Browser download test
  • Email test


Internal Vulnerability Assessment

At this stage we perform a vulnerability assessment on selected devices, ideally a portion of all your devices. For example, if you have 100 devices we will check 15 devices. We expect no critical vulnerabilities on the network in order for you to pass the certification. If there is even 1 critical vulnerability, you will not be able to pass the certification unless it’s a false positive. Critical vulnerabilities have patches available, and you will need to apply those patches within 14 days of their release date. Vulnerabilities are categorised by their CVSS score. The categories are Critical, High, Medium and Low.

We will also be looking for any unsupported software in your environment. You will only pass the certification if there is no unsupported software. For example, if you have the Windows 7 operating system on your network, you will only pass if there is a Microsoft extended support agreement in place.

It is worth noting that you will need to keep the number of ‘High’ category vulnerabilities as low as possible.
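
The pass criteria above can be run as a pre-audit check over your own scanner results. The following is an added example, not the assessor's tooling: the Finding record, its field names and the sample data are hypothetical, and the CVSS v3 band boundaries are an assumption, since the article only names the four categories.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # from the article: patch within 14 days of release

@dataclass
class Finding:  # hypothetical record shape, not a real scanner's export format
    host: str
    title: str
    cvss: float = 0.0
    patch_released: Optional[date] = None
    false_positive: bool = False    # agreed to be a false positive
    unsupported: bool = False       # software no longer supported by its vendor
    extended_support: bool = False  # an extended support agreement is in place

def severity(cvss: float) -> str:
    # Assumption: CVSS v3 qualitative bands; the article only names the categories.
    bands = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"))
    return next((name for floor, name in bands if cvss >= floor), "Low")

def readiness(findings, today: date) -> dict:
    blockers, highs = [], 0
    for f in findings:
        if f.false_positive or (f.unsupported and f.extended_support):
            continue  # neither counts against the certification
        if f.unsupported:
            blockers.append(f"{f.host}: unsupported software: {f.title}")
            continue
        band = severity(f.cvss)
        if band == "Critical":
            note = ""
            if f.patch_released:
                overdue = (today - f.patch_released - PATCH_WINDOW).days
                note = f" ({overdue} days overdue)" if overdue > 0 else " (inside 14-day window)"
            blockers.append(f"{f.host}: critical: {f.title}{note}")
        elif band == "High":
            highs += 1  # not a blocker on its own, but keep this number low
    return {"pass": not blockers, "blockers": blockers, "high_count": highs}

SAMPLE = [  # constructed findings for illustration
    Finding("pc-01", "Browser remote code execution", 9.8, date(2024, 1, 2)),
    Finding("pc-02", "Windows 7", unsupported=True, extended_support=True),
    Finding("pc-03", "Weak TLS configuration", 7.5),
    Finding("pc-04", "Misdetected library version", 9.1, false_positive=True),
    Finding("pc-05", "End-of-life office suite", unsupported=True),
]

print(readiness(SAMPLE, today=date(2024, 1, 30)))
```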

External Vulnerability Assessment

Essentially this step involves scanning your public IP addresses for any vulnerabilities, usually unusual ports left open. That’s pretty much it.



User access controls test

At this stage, we are checking to see if the user access controls are configured correctly. We will try to execute a test file and see whether the PC prompts for admin credentials.

Browser download test

Your browser should block any malicious downloads. That’s exactly what we are trying to test at this stage. We download various sample malware files and observe how the browser behaves. Ideally, it should block them all.

Email test

Essentially we are testing your email scanners in this stage. We will send a bunch of emails with malicious attachments and note how many of them get through your email security measures. Ideally, none.

That’s it. That’s exactly what is involved in a Cyber Essentials Plus audit. If you are not sure what controls will be audited, please check out our ‘Cyber Essentials Checklist’ blog post. Also, if you would like to do a pre-audit and gap analysis on your network, get in touch with us. We can organise the pre-audit and produce a gap analysis report. If there are no issues then you can submit your application for the certification.

Hope that helps. If you need any further assistance or if you are looking to get your certification done then please get in touch. We are on 01224 516181. Cheers
