Cyber Essentials Plus Assessment
If you are looking to provide stakeholders with greater levels of assurance, you may decide to seek Cyber Essentials Plus certification. This involves a URM assessor conducting a technical audit of the systems that are in scope of the assessment. It includes a review of all Internet gateways and all servers accessible to Internet users, as well as a sample of user devices and internal servers accessible to employees. You will need to complete your Cyber Essentials Plus audit within 3 months of your last Cyber Essentials basic certification. Please use the form below to register your interest and you will be contacted by URM to discuss your systems and devices in scope and other requirements, following which you will receive a quotation. Select 'Cyber Essentials Plus audit' in the form. The cost of a Cyber Essentials Plus assessment will depend on the size and complexity of your network.
Stages of assessment
Your Cyber Essentials Plus assessment comprises 2 basic stages. The first is an external vulnerability scan of your Internet-facing IP addresses to ensure that no misconfigurations or vulnerabilities can be identified.
The second stage involves testing of a sample (up to a maximum of 5 samples per operating system edition) of end-user devices (workstations and mobile devices including BYOD) and servers to assess if they are configured as per the requirements of the Scheme.
Multiple activities are performed during the second stage as applicable to each sample:
- An authenticated vulnerability scan is performed on these devices to confirm that patching and basic configuration is at an acceptable level.
- A test is conducted on your email client and Internet browsers to confirm how well they are configured in order to prevent execution of unsigned or malicious files.
- The antimalware solution in use is reviewed to make sure it’s updated in line with vendor recommendations.
- Account separation is tested to make sure users are not using administrative accounts for their day to day activities.
- A test is conducted on the cloud services in use by the organisation to make sure MFA is enabled for users and administrators of these services.
Once the assessment has been conducted, URM’s assessor will discuss the findings with you ahead of submitting their report to the portal to ensure there has been no misunderstanding.
Cyber Essentials Plus pre-assessment service
A Cyber Essentials Plus (CE+) assessment involves a technical assessment by a URM assessor of your organisation’s external infrastructure as well as end-user devices and servers. There are several issues that can cause a CE+ assessment to result in a ‘fail’ such as a service on the external infrastructure that exposes non-public data, the presence of an unsupported software installed on a server or user workstation, the lack of multi-factor authentication (MFA) to access a cloud service or the use of administrative users as a day-to-day user account.
If an organisation fails the CE+ assessment, it has up to 30 days* to purchase another CE+ assessment and pass, before it must repeat both the basic CE and the CE+ assessment in order to obtain the CE+ certification.
The Cyber Essentials Plus Pre-Assessment service from URM allows your organisation to perform a technical pre-assessment on a smaller, but still significant set of systems. This will enable you to identify any issues that may cause a ‘fail’ for the CE+ certification, without triggering the 30 days’ time limit and, typically, at a lower cost than a full assessment. Following the pre-assessment, you will receive recommendations to close any gaps with the CE+ requirements, significantly increasing the chances to successfully obtain the CE+ certification. URM is so confident of the value of the pre-assessment service that, if for any reason you don’t pass the official CE+ assessment at the first attempt, we will provide you with a free re-attempt to get certified!
* It may be less if the 30 days go beyond the 3 months period that an organisation has to pass the CE+ certification after obtaining the basic CE certification.
Support request
If you are interested in URM’s support, please specify the subject in the form below.
Please note, we can only process business email addresses.
Why URM?
As an accredited certification body, URM has an unrivalled record in assisting organisations of all sizes achieve certification to Cyber Essentials and Cyber Essentials Plus. URM is also an accredited Assured Service Provider under the NCSC Cyber Advisor scheme and has a large team of experienced, pragmatic assessors who are here to support you and guide you through the process.
Not only do we bring a wealth of cyber security knowledge, but also a wide and varied experience of all the leading cyber and information security standards.
As such, you can be assured that you are getting advice that is right for you and your organisation, taking into account your sector, size and the information you are looking to protect. Our large team of assessors also enables us to guarantee a super-fast turnaround.
Cyber Essentials – What’s Changing in 2025?
URM’s blog discusses upcoming changes to Cyber Essentials, including the changes seen in the Willow Question Set and how they may impact your organisation.
URM’s blog offers advice on answering questions in the Cyber Essentials SAQ which relate to access control, admin accounts and authentication methods.
URM’s blog discusses the best next steps your organisation can take following Cyber Essentials certification to further enhance its security posture.
URM’s blog discusses common issues we see with Cyber Essentials and Cyber Essentials Plus certification projects, and how you can avoid making the same mistakes