A typical process and challenges in achieving Cyber Essentials plus certification

We were asked this question a few times now:

What's the process for Cyber Essentials Plus?

What's involved and what are the usual challenges in achieving the Cyber Essentials Plus certification?

If you have the same question please read on.

If you are reading this you probably already know what the Cyber Essentials scheme is. If not please read our blog Everything you need to know about Cyber Essentials Scheme. There are two levels of certification in the scheme and today we are focusing on the advanced level which is Cyber Essentials Plus. The process is as follows

  • Customer engages the Certification Body (TechForce).
  • TechForce issues the paperwork (authorization forms, cyber essentials questionnaire, etc...).
  • The customer returns the completed paperwork.
  • TechForce assessor will assess the completed questionnaire within 24 hours.
  • If it's a pass the assessor will go ahead and schedule the systems audit/assessment for Cyber Essentials Plus (CE Plus).
  • If it's a fail then the customer has 2 days to fix issues and resubmit.
  • The systems audit involves internal & external vulnerability scans, email tests, web browser tests and malware tests. You can read more about the audit in our blog What exactly is involved in the Cyber Essentials Plus audit?
  • If the audit is pass then the customer will receive the CE plus certification.
  • If the audit is a fail then the customer has 30 days to fix the issues and resubmit the application. You might need to pay for another assessment.
  • If it fails again then the process needs to be started again from the beginning. It's probably a good idea to consider our Guided Cyber Essentials Plus package to save time and money. As part of the package, we will perform a mock assessment and highlight any gaps that need to be fixed prior to the final assessment.

That is the usual process. You can find more info on our Cyber Essentials and FAQ blog post. However, the challenges we see are listed below.

  • The biggest challenge we come across often is 3rd part patching. Companies usually have something in place for Windows patching but often struggle with the 3rd party patching. The likes of Java, Adobe, Chrome, VLC, and other applications they use in business.
  • In small businesses, sometimes we use the issue of local admin rights. The users have been using an account with the local admin permissions for their everyday usage. This is a big no. You will need to use admin accounts for administrative purposes only.
  • Out of support Operating systems would be another challenge we come across often. If you think you have them on your network you either need to purchase extended support from the vendor or isolate these systems from directly accessing the internet. You can read more about patch management on our blog post Cyber Essentials Scheme Patching Requirements.


Get certified today

Step 1: Organisation Size

Step 2: Pick Cyber Essentials Package

  • Cyber Essentials Basic - CEB001

    £300 + VAT


    2 Days for Remediation

    1 Day Turnaround

    £25k Cyber Insurance*

    The package explained

    *Insurance details are on IASME website

  • Guided Cyber Essentials - CEB002

    £500 + VAT

    Everything in CEB001 plus


    Online/Phone Support

    *Insurance details are on IASME website

  • Cyber Essentials Plus - CEP001

    £1500 + VAT

    Everything in CEB002 Plus

    30 Day Remediation

    Systems Audit (remote)

    *Insurance details are on IASME website

  • Guided CE Plus - CEP002

    £2500 + VAT

    Everything in CEP001 plus

    Pre- systems Audit

    Gap Analysis report



    *Insurance details are on IASME website

Check out our ‘Cyber Essentials plus certification checklist & requirements’ to know more about what’s required for the certification.

If you are unsure about the process or the controls you have in place please get in touch and we can walk you through the process. We also offer a pre-assessment service.

I hope that is helpful. If you have any further questions please drop us an email at hello@techforce.co.uk.

TechForce is an IASME approved certification body for Cyber Essentials (CE), CE plus, and IASME Governance.

Related Articles


Back to start
aberdeen skyline graphic