Updated for April 2026 · v3.3

Cyber Essentials Plus Certification

Prove your defences work — not just that they exist. An independent technical audit of your systems, conducted by an IASME-accredited assessor, confirming the five core controls are genuinely in place.

IASME Accredited
Crown & Tick Mark
Free Cyber Insurance Included

Two Levels. Same Controls. Different Assurance.

Both certifications cover the same five technical controls. The difference is how compliance is verified — and the level of trust it signals.

🔒
Foundation

Cyber Essentials

  • Verified self-assessment questionnaire
  • Your declared answers are reviewed
  • Confirms controls are documented
  • No prerequisite required

🛡️
Advanced · Recommended

Cyber Essentials Plus

  • Independent hands-on technical audit
  • Your actual systems are tested
  • Confirms controls are working
  • Requires valid CE certificate (<3 months)

Why Organisations Get Certified

01

Win Contracts

Public-sector tenders involving personal data have required Cyber Essentials since 2014. The MOD extended this in 2016. An increasing number of private-sector supply chains now expect it.

02

Reduce Measurable Risk

82% of medium and large UK businesses experienced a cyber incident in the last 12 months. Certified organisations see a measurable reduction in successful attacks and insurance claims.

03

Free Cyber Insurance

UK organisations with turnover under £20 million receive automatic cyber liability insurance through IASME — including 24/7 incident response with technical, legal, and crisis support.

04

Demonstrate Due Diligence

An independently verified baseline of security controls is evidence that your organisation acted responsibly — critical when dealing with regulators, clients, or breach investigations.

05

Operational Resilience

The five controls directly address the most common attack vectors. Getting them right means fewer disruptions, lower recovery costs, and less time fighting fires.

06

Competitive Differentiation

The Crown & Tick badge on your website and proposals signals trust instantly. In competitive bids, it can be the deciding factor between you and an uncertified competitor.

Five Controls. Tested for Real.

Every Cyber Essentials Plus audit validates these controls through practical testing — not paperwork.

01

Firewalls & Internet Gateways

Boundary devices correctly configured to control inbound and outbound traffic.

02

Secure Configuration

Devices and software configured to reduce their attack surface. Defaults removed.

03

User Access Control

Admin privileges limited to those who need them. Standard accounts for daily work.

04

Malware Protection

Anti-malware active and current. Tested against malicious email and browser downloads.

05

Patch Management

Critical patches applied within 14 days. The control organisations fail most often.

What Changed in April 2026

From 27 April 2026, all new assessments use Requirements for IT Infrastructure v3.3 (codenamed "Danzell"). The five controls are unchanged, but verification is stricter. Our assessors are trained and ready.

MFA Is Now Mandatory · Auto-Fail

If any cloud service offers MFA and you have not enabled it for all users, you will automatically fail. No exceptions.

Cloud Services Cannot Be Excluded

The standard now formally defines cloud services. All must be declared and assessed — they can no longer be scoped out.

Self-Assessment Answers Are Locked

You can no longer amend your Cyber Essentials answers based on the outcome of the Plus audit. Answers must be accurate before testing begins.

Patching Failures Trigger Second Sample · Revocation Risk

If the first device sample fails on patches, a second sample is scanned. Further failures mean a Plus fail — and may revoke your basic certificate.

Clear Pricing. No Surprises.

Full technical audit, assessor report, and certificate issuance included. Final price confirmed before you commit.

  • Micro (0 – 9 employees): £1,499 ex. VAT
  • Medium (50 – 249 employees): £2,499 ex. VAT
  • Large (250+ employees): £2,999 ex. VAT

Choose Your Level

Standard

Included
  • Full technical audit
  • Detailed findings report
  • 30-day remediation window
  • One free re-scan

Extra Help

+ £1,200 ex. VAT
  • Everything in Standard
  • Dedicated pre-audit preparation call
  • Ongoing guidance throughout
  • Multiple free re-scans

Fast Track

+ £800 ex. VAT
  • First audit within 1 week
  • Priority assessor scheduling
  • Dedicated focus throughout
  • Combine with any support level

Enquiry to Certificate in Four Steps

1

Scope & Quote

Tell us about your organisation. We confirm scope, check CE status, and send a fixed-price quote.

2

Schedule

Accept the quote and we book the remote technical audit at a time that suits your team.

3

Audit & Report

Our assessor runs the full test suite. You receive a detailed report. 30 days to remediate if needed.

4

Certificate Issued

On success, your certificate is issued within five working days. Publicly registered on the IASME portal.

Frequently Asked

Both cover the same five technical controls. Cyber Essentials is a verified self-assessment — you answer questions and an assessor reviews your answers. Plus adds a hands-on technical audit where an assessor tests your actual systems, providing a higher level of assurance.

Twelve months. We contact you before expiry to arrange renewal. Certificates must be renewed annually to remain on the IASME certified organisations list.

You receive a detailed report explaining what failed and why. You then have 30 days to fix the issues and request a re-scan (included with Standard). If the second attempt does not pass, a new assessment purchase is required.

Yes. Any employee-owned device that accesses company data or connects to your network is in scope. You must demonstrate these devices run supported operating systems and are patched to the current standard.

No. ISO 27001 is a broader information security management system. Cyber Essentials Plus focuses on five specific technical controls and may be a contractual requirement for UK Government work. Many organisations hold both — they are complementary.

The main changes in v3.3 are mandatory MFA on all cloud services that offer it (automatic fail if not enabled), tighter scoping rules, locked self-assessment answers, and stricter patch management verification with dual-sample testing.

Standard audits are typically scheduled within two to three weeks. With Fast Track, the first audit is booked within one week. Reports are delivered within five working days of a successful audit.

Yes. We assess organisations globally. The audit is conducted remotely.

Prove Your Defences Work

Get a personalised quote for Cyber Essentials Plus — or talk to our team about preparing for the April 2026 changes.