In order to achieve the Cyber Essentials Plus certification, you must have already obtained the self-assessed certification and must successfully pass the Plus certification within three months. If you have not yet achieved the self-assessed certification, we can help you with this. Obtaining the Plus certification and implementing the required controls could shield your business from up to 80% of the common threats from the internet.

Adopting the Cyber Essentials scheme is likely to become a major requirement to win business in many sectors in the future – and to demonstrate this, from 1 October 2014, the government has required suppliers bidding for certain information-handling contracts to be Cyber Essentials certified.

The certification is backed by the industry, as well as the business support and lobbying organisation the Federation of Small Businesses. A number of insurance companies are also starting to offer incentives for organisations that conform to the scheme.

A company can gain certification badges that allow it to advertise the fact that it adheres to a government-endorsed standard.


The certification consists of five baseline controls that businesses should have in place to reduce the risk of data breaches from internet-based attacks, these being:

  • Boundary Firewalls
  • Secure Configuration
  • Access Control
  • Malware Protection
  • Patch Management

Achieving Cyber Essentials Plus

As part of the assessment, the company will be required to pass an external and internal vulnerability assessment performed by staff from InfoSec Governance. This vulnerability assessment can be performed onsite or remotely via a Microsoft Teams session.

How much does it cost?

Once you have achieved Cyber Essentials Basic, the prices to achieve Cyber Essentials Plus are as follows:

Micro organisations (0-9 employees) £1,200 +VAT
Small organisations (10-49 employees) £1,400 +VAT
Medium organisations (50-249 employees) £1,500 +VAT
Large organisations (250+ employees) £2,000 +VAT

Frequently Asked Questions

In order to achieve Cyber Essentials you also need to achieve Cyber Essentials Basic (the self-assessment). This needs to be renewed annually.

As part of the Cyber Essentials Plus audit, the following tests will be conducted:

  • Vulnerability assessment of your external gateway IPs (if you have no office, the director’s home IP address will be used)
  • Internal credentialed patch vulnerability scan performed against a subset of devices
  • Malware protection check on a sample set of devices to make sure it is installed and up to date
  • Email testing against the company
  • Browser testing against a sample set of devices

You can download our Cyber Essentials Plus guide for more detail about what is involved in the audit process and what you need to do to prepare for your audit.

We can perform the Cyber Essentials Plus audit remotely or onsite (COVID-safe). If performing remotely, we will arrange a Microsoft Teams meeting to perform the audit and liaise with you beforehand to ensure the prerequisites are installed.

Yes, as part of the Cyber Essentials Plus audit, we need to perform an authenticated (administrative) patch scan. This requires us to have local administrative access to all machines in scope of the test. This can be done by setting up a dedicated account specifically for testing, so that we don’t utilise your normal account.

We primarily use Tenable Nessus Professional for the scanning of machines.

We scan for vulnerabilities with a CVSS v3 score of 7.0 or higher and any missing patches that were released more than 14 days ago.

If you fail the Cyber Essentials Plus audit, we will notify you at the time and explain how you can remediate the issue.  You will have up to 30 days to resolve any issues.

Yes, both Cyber Essentials and Cyber Essentials Plus are annual certifications. Failure to renew annually will result in the loss of your certification.

When it comes to the Cyber Essentials Plus audit, what is in scope is basically defined by what was included in the Cyber Essentials Basic assessment. This includes any devices which you manage and maintain. For example, if you have servers that you manage patching on, these are in scope. The same goes for cloud-based servers: if you manage those for patching, they are in scope.

However, if you have a website that is managed by someone else, for example a third-party hosting provider, this is out of scope.

Yes, as part of the Cyber Essentials audit you will have to have a credentialed vulnerability scan performed. This requires some infrastructure changes with more recent versions of Windows. You will need to ensure that you have access to a user account which has local administrator/root access to the devices in scope of the testing, and that remote access is allowed.

We have some blog articles explaining how to allow access for Nessus. Please ensure this is done as soon as possible so that the audit day is not wasted.

Configuring Windows –

Configuring MacOS –