Cyber Essentials Plus: Independent Technical Verification for UK Businesses
Cyber Essentials Plus adds hands-on technical testing to the standard Cyber Essentials assessment, providing independent verification that your controls actually work — not just that you believe they do. AMVIA prepares your environment and supports you through assessment.
What is Cyber Essentials Plus?
Cyber Essentials Plus is the higher of the two Cyber Essentials certification tiers. Where the standard Cyber Essentials involves a self-assessed questionnaire verified by an assessor, Cyber Essentials Plus requires hands-on technical testing by an independent assessor. They test your devices, check patch compliance, verify MFA, and attempt to identify gaps in your controls — providing objective evidence that your security posture is effective. 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.
The Two Cyber Essentials Tiers
Cyber Essentials is the UK government's baseline cybersecurity certification scheme. It covers five technical controls: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. Together, these controls can prevent the majority of common cyberattacks affecting UK businesses.
44% of phishing emails were sent from compromised accounts, helping them bypass authentication protocols — 8% came from within the supply chain (Egress 2024). (Microsoft)
48% of certified organisations said they saved time on cyber security due diligence when dealing with certified suppliers in their supply chain. (UK Government)
Third-party IT risk is a critical vulnerability: the 2023 attack on IT provider CTS simultaneously disrupted multiple law firms, demonstrating how a single supplier compromise can cascade across the sector. (SRA)
Standard Cyber Essentials involves completing a self-assessment questionnaire and having it reviewed by an accredited assessor. Cyber Essentials Plus requires all of this, plus independent technical testing — the assessor physically tests your systems to verify that the controls you declared in the questionnaire are actually in place and working correctly.
What the Technical Assessment Involves
During a Cyber Essentials Plus assessment, the assessor carries out testing on a sample of your in-scope devices. This typically includes: running authenticated vulnerability scans to check patch compliance; attempting to install unauthorised software to verify application whitelisting or restrictive configurations; testing that multi-factor authentication cannot be bypassed; checking that devices do not allow connections to known malicious destinations; and verifying firewall and boundary control configuration.
The assessment covers all device types in scope — Windows and Mac laptops and desktops, mobile devices if they access business data, and any servers within scope. Cloud services used by the business (including Microsoft 365) are also assessed against the Cyber Essentials controls.
Why CE+ Carries More Weight Than Standard Cyber Essentials
Because Cyber Essentials Plus involves independent technical verification rather than self-assessment, the certificate carries more credibility with clients, insurers, and auditors who understand the difference. Supply chain security requirements — particularly in central government procurement, defence, and financial services — increasingly specify Cyber Essentials Plus rather than standard Cyber Essentials.
For cyber insurance purposes, CE+ demonstrates a measurably stronger security posture than standard CE, which can support more favourable underwriting terms. Some insurers specifically ask whether you hold CE+ when assessing risk.
Preparation: What AMVIA Does Before Your Assessment
Most businesses are not immediately ready to pass a CE+ assessment. AMVIA conducts a pre-assessment gap analysis to identify areas that need remediation before the formal assessment. Common gaps include: devices running outdated software or missing patches; MFA not enforced across all accounts; legacy authentication protocols not blocked in Microsoft 365; non-compliant firewall rules; and mobile devices not subject to adequate management policies.
AMVIA remediates identified gaps systematically, retesting each area to confirm resolution before scheduling the formal assessment. This approach significantly reduces the risk of failing the assessment and needing to remediate and retest at additional cost.
Scope Management
Managing the scope of a Cyber Essentials Plus assessment is an important part of preparation. Not every device in your business needs to be in scope — the assessment covers devices that handle organisational data, and scope boundaries can be defined to reflect your actual environment. AMVIA advises on scope definition during the pre-assessment phase to ensure the assessment is proportionate and achievable whilst remaining credible.
Maintaining Your Certification
Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months. AMVIA's managed cybersecurity clients typically maintain their certification status by renewing annually. Where AMVIA manages your security controls on an ongoing basis, the annual renewal assessment is generally straightforward because the required controls are maintained throughout the year rather than implemented immediately before renewal.
Cyber Essentials Plus and AMVIA's Managed Service
Clients on AMVIA's managed cybersecurity service are well-positioned for CE+ certification. Patch management, MFA enforcement, endpoint protection, and email security — all core CE+ requirements — are managed as standard components of the service. AMVIA tracks certification status and proactively prompts renewal before the current certificate expires.
AMVIA's CE+ Preparation and Support
End-to-end preparation, gap remediation, and assessment coordination for Cyber Essentials Plus.
Pre-Assessment Gap Analysis
AMVIA identifies all gaps against CE+ requirements before you engage an assessor, avoiding surprise failures.
Gap Remediation
AMVIA remediates identified gaps — patches, MFA, firewall rules, device policies — before the assessment.
Scope Definition Support
Expert guidance on defining assessment scope to be credible, proportionate, and achievable.
Assessment Coordination
AMVIA coordinates the formal assessment with an accredited assessor and supports the technical review.
Annual Renewal Management
AMVIA tracks your certification expiry and prompts renewal before your certificate lapses.
Certificate Maintenance
Managed security clients maintain CE+ controls year-round, simplifying annual reassessment.
Cyber Essentials Plus Readiness Checklist
Key technical controls required for Cyber Essentials Plus certification.
All devices fully patched
Operating systems and applications up to date within 14 days of patch release for high-severity vulnerabilities.
MFA enforced on all internet-facing accounts
Microsoft 365, VPN, remote desktop, and any cloud service accessible from the internet.
Legacy authentication blocked
Basic auth and other legacy protocols blocked in Microsoft 365 to prevent MFA bypass.
Boundary firewall reviewed
No unnecessary inbound ports open; rules reviewed and documented.
Endpoint malware protection active
Real-time protection active on all in-scope devices with current definitions.
Separate admin accounts for privileged access
Administrators using dedicated accounts for admin tasks, not their standard user account.
Cyber Essentials Plus FAQs
The timeline depends on your starting point. If your security controls are already strong, preparation may take two to four weeks. If significant remediation is required — particularly around patching or MFA deployment — it typically takes six to twelve weeks from initial gap analysis to passing the formal assessment. AMVIA will give you a realistic timeline based on your specific environment during the gap analysis. 47% of security professionals check whether their third-party suppliers hold Cyber Essentials certification. (Lookout)
Yes. Cyber Essentials Plus has evolved to explicitly cover cloud services. Microsoft 365 is assessed against the CE+ controls for access control, malware protection, and account security. AMVIA has considerable experience preparing Microsoft 365 environments for CE+ assessment and can configure the relevant settings as part of the preparation process.
If the assessor identifies a control that does not meet the CE+ standard, they will specify what needs to be remediated. You then have an opportunity to remediate and retest the specific area before receiving a result. The number of retest opportunities varies by certifying body. AMVIA's pre-assessment preparation is designed to minimise the likelihood of failing any element of the formal assessment.
Yes. Cyber Essentials Plus is an extension of standard Cyber Essentials — you must hold Cyber Essentials before the Plus assessment can be conducted. In practice, AMVIA often manages both assessments as a single project, completing the Cyber Essentials self-assessment questionnaire and CE+ technical testing as sequential steps in one engagement. Cyber Essentials Plus (CE+): Same 5 controls but with independent technical testing/audit (Computer Weekly)
Achieve Cyber Essentials Plus with AMVIA
AMVIA will assess your readiness, remediate any gaps, and guide you through the formal CE+ assessment. Contact our security team to start the process.