Cyber Essentials Plus Audit: Your One-Stop Preparation Guide
Cyber Essentials is a widely recognized UK government-backed cybersecurity certification that helps organizations defend against common cyber threats. By implementing key security controls, businesses can strengthen their resilience and demonstrate a proactive approach to cybersecurity.
Organizations can choose between two certification levels:
- Cyber Essentials — a self-assessment covering fundamental controls
- Cyber Essentials Plus — a more rigorous certification involving a technical audit by a certified assessor.
Why Choose Cyber Essentials Plus?
Cyber Essentials Plus provides a higher level of assurance as it includes a hands-on technical verification of your systems. This certification not only proves your commitment to cybersecurity but also enhances your reputation with clients, partners, and regulators.
However, it requires detailed planning and thorough preparation to pass successfully.
This guide covers everything you need to know to prepare for a successful Cyber Essentials Plus audit, including:
- What to expect during the Cyber Essentials Plus audit
- A five-step process to prepare effectively
- Common challenges — and how to overcome them
Whether you’re preparing internally or working with a compliance partner, this guide will ensure you’re ready to tackle the Cyber Essentials Plus audit with confidence.
What Makes Cyber Essentials Plus Different?
Unlike the basic Cyber Essentials certification, which is based on a self-assessment, Cyber Essentials Plus requires an independent audit by an IASME-authorized Certification Body.
These are accredited organizations — based in the UK and its Crown Dependencies — with certified assessors who will verify that your security controls align with Cyber Essentials requirements through practical testing.
Key Requirement
Before applying for Cyber Essentials Plus, you must already hold a valid base-level Cyber Essentials certificate. You can apply for the Plus certification within three months of obtaining the base certificate, giving you time to select a Certification Body from IASME’s official directory.
Is Additional Work Required?
In most cases, no extra controls are needed. Both certification levels share the same technical scope. The main difference is that Cyber Essentials Plus verifies your implementation through real-world testing by an independent assessor. It’s about proving your controls work, not just claiming they’re in place.
Crown Dependencies refer to the self-governing territories of Jersey, Guernsey, and the Isle of Man, which are under the British Crown but not part of the UK.
What Happens During a Cyber Essentials Plus Audit?
A Cyber Essentials Plus audit involves a technical assessment of your systems — either remotely or on-site, depending on your location and setup. Remote assessments are ideal for international organizations aiming to get certified without logistical complications.
Your auditor will typically perform the following:
- Vulnerability scans of internal and external networks and key IT assets
- Malware protection checks on in-scope devices
- Account separation testing to ensure admin and user roles are distinct
- Access control validation, including multi-factor authentication (MFA) tests
These tests are carried out on a sample set of devices, and the assessor will observe how your team uses them in day-to-day operations.
What If Gaps Are Found?
If any compliance issues are identified during testing, you’ll be given 30 days to resolve them. This grace period allows your team to fix weaknesses before certification is denied.
Need help during remediation? IASME offers support and guidance to help you address any non-conformities.
However, if you fail to close the gaps within the timeline, you won’t pass the audit. But don’t worry — it’s not the end of the road. IASME provides feedback to help you improve and prepare for a successful reapplication.
Key Steps for Preparing for a Cyber Essentials Plus Audit
Preparing for a Cyber Essentials Plus audit involves more than just a checklist — it requires clear planning, cross-team collaboration, and attention to technical detail.
Whether you’re upgrading from the base-level certification or going straight into the Plus audit, these five steps will help ensure you’re ready for third-party verification.
Pro Tip: Steps 1–4 are shared between both Cyber Essentials and Cyber Essentials Plus certifications. If you’ve already achieved base-level certification, you can skip straight to Step 5.
Step 1: Learn the Control Areas of Cyber Essentials
Before doing anything technical, gather your team and review the five core Cyber Essentials control areas. This step is all about aligning on policy, accountability, and enforcement strategies.
Cyber Essentials includes over 40 individual controls across these five areas:
- Firewalls: Firewalls are your first line of defense. Ensure both perimeter and home firewalls are correctly set up, and change all default passwords.
- Secure Configuration: Configure devices securely by disabling unnecessary services. Implement measures such as screen locking and disabling auto-run to reduce the risk of exploitation.
- User Access Control: Base system access on user roles, and grant admin privileges only to those who need them. Have a process to remove access for departing employees.
- Malware Protection: Install anti-malware software on all devices and keep it updated. Use application control (allow-listing) to prevent unauthorized programs from running.
- Security Update Management: Apply critical security updates within 14 days of release. Remove unsupported software to avoid unpatchable vulnerabilities.
For a deeper dive, consult the NCSC’s infrastructure requirements documentation to fully understand each control.
Step 2: Determine the Scope of Your Assessment
Next, define the scope of the audit. This includes identifying which systems, devices, and networks will be reviewed.
You can assess:
- Your entire organization
- A specific subset of business units or systems
Recommended: Full Organization Scope
Why? It improves visibility, reduces risk blind spots, and qualifies you for £25,000 in cyber liability insurance (if you meet the following criteria):
- Your business is domiciled in the UK or its Crown Dependencies
- Annual turnover is less than £20 million
Key Components to Include:
- End-user devices
- Operating systems
- Cloud and SaaS platforms
- VPN configurations
- Thin clients
What’s Out of Scope by Default?
- Devices owned by third-party MSPs or contractors
- Routers not issued by your company
- Wireless devices unreachable via the internet
- MFA-only remote devices
If you don’t already have a centralized IT asset inventory, now’s the time to implement a discovery tool to map out your infrastructure accurately.
Step 3: Prepare Basic Company Information
This is the administrative part of the prep work — but it’s important. You’ll need to submit key details, including:
- Company name, type, and registration number
- Primary contact info and physical address
- Website URL
- Reasons for applying for certification (primary and secondary)
You can also opt in to IASME security alerts, which offer insight — not remediation — in case of a breach. This helps build shared visibility between your organization and IASME.
Step 4: Remediate Cyber Essentials Compliance Gaps
This is where the real prep begins. Use the Cyber Essentials Self-Assessment Questionnaire (SAQ) to evaluate your current controls.
How to Do It:
- Review in-scope assets against each control
- Identify compliance gaps or outdated practices
- Involve stakeholders across IT, security, and operations
- Develop a gap remediation plan
After remediating gaps, conduct a final security review to ensure readiness. Be sure to document your procedures and policies — auditors may ask for proof of control effectiveness during the assessment.
Bonus: This documentation can support future audits (e.g. ISO 27001) and help institutionalize cybersecurity best practices across the business.
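As an added illustration of the gap review in Step 4, scored against the five control areas from Step 1 (example code written for this guide, not from the article or from SecureSlate): the script below checks a constructed asset inventory against each control, including the 14-day critical update window. The inventory field names and the audit date are assumptions.

```python
from datetime import date, timedelta

# Rule quoted in the article: critical security updates applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)
AUDIT_DATE = date(2025, 3, 20)  # assumed review date for the sample below

# Constructed sample inventory (not from the article), one record per in-scope device.
# pending_critical_release is the release date of the oldest unapplied critical update, or None.
INVENTORY = [
    {"host": "lt-001", "os_supported": True, "pending_critical_release": None,
     "firewall_default_pw_changed": True, "autorun_disabled": True,
     "separate_admin_account": True, "mfa_enabled": True, "anti_malware_current": True},
    {"host": "lt-002", "os_supported": True, "pending_critical_release": date(2025, 3, 1),
     "firewall_default_pw_changed": True, "autorun_disabled": False,
     "separate_admin_account": True, "mfa_enabled": True, "anti_malware_current": True},
    {"host": "srv-legacy", "os_supported": False, "pending_critical_release": date(2025, 3, 10),
     "firewall_default_pw_changed": False, "autorun_disabled": True,
     "separate_admin_account": False, "mfa_enabled": False, "anti_malware_current": False},
]


def check_device(dev, today=AUDIT_DATE):
    """Return the findings for one device, labelled by Cyber Essentials control area."""
    failed = []
    if not dev["firewall_default_pw_changed"]:
        failed.append("Firewalls: default password not changed")
    if not dev["autorun_disabled"]:
        failed.append("Secure Configuration: auto-run still enabled")
    if not dev["separate_admin_account"]:
        failed.append("User Access Control: no separate account for admin tasks")
    if not dev["mfa_enabled"]:
        failed.append("User Access Control: MFA not enabled")
    if not dev["anti_malware_current"]:
        failed.append("Malware Protection: anti-malware missing or out of date")
    release = dev["pending_critical_release"]
    if release is not None and today - release > PATCH_WINDOW:
        age = (today - release).days
        failed.append(f"Security Update Management: critical update {age} days old")
    if not dev["os_supported"]:
        failed.append("Security Update Management: unsupported operating system")
    return failed


def review_inventory(inventory=INVENTORY, today=AUDIT_DATE):
    """Map each host with findings to its list of gaps; compliant hosts are omitted."""
    return {d["host"]: f for d in inventory if (f := check_device(d, today))}


if __name__ == "__main__":
    for host, gaps in review_inventory().items():
        print(host, "->", "; ".join(gaps))
```

The output is the starting point for the remediation plan: each line names the control area the auditor will test and the specific gap to close.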
Step 5: Collaborate with a Certification Body
Once you’ve ensured your security controls are in place and aligned with the Cyber Essentials framework, the final step is to engage an IASME-authorized Certification Body to conduct the Cyber Essentials Plus audit.
How the Process Works
Depending on your location, the audit may be conducted on-site or remotely. For remote audits, you’ll need to provide secure access to your systems so the assessor can observe operations and gather evidence without disrupting business operations.
You’ll also need to prepare:
- Documented policies and procedures (e.g., access control, patch management, firewall rules)
- System configuration evidence
- User activity demonstrations on in-scope devices
Preparing this documentation before the audit significantly speeds up the process and minimizes disruption.
If Gaps Are Found
If the Certification Body uncovers issues, they’ll provide clear remediation guidance. You’ll have 30 days to address the gaps and schedule a re-test. During this time, collaboration with your auditor is crucial to clarify expectations and ensure your fixes align with Cyber Essentials standards.
Common Cyber Essentials Plus Audit Challenges
The Cyber Essentials Plus audit is more than a technical formality — it puts your operational maturity under the spotlight. Below are some of the most frequent hurdles organizations encounter:
1. Limited Visibility into IT Infrastructure
Without a centralized view of your IT assets, shadow IT or overlooked systems can lead to incomplete scope planning. This can result in failed controls, missed vulnerabilities, or unexpected findings during the audit.
Solution: Use asset management software or IT discovery tools to build a clear, real-time inventory of devices, networks, and applications.
2. Poor Communication Across Teams
Cyber Essentials requires input from multiple departments — IT, HR, compliance, operations — and misalignment can cause delays, duplicated work, or conflicting policy decisions.
Solution: Establish a single point of coordination for the certification process, and set up regular check-ins with key stakeholders.
3. Disorganized Evidence Collection
Spreadsheets and scattered documents make it harder to prove compliance. When evidence is fragmented across platforms or departments, audit readiness suffers.
Solution: Adopt a centralized documentation platform where all policies, system snapshots, and audit responses are stored and tracked.
4. Inefficient Security Reviews
Manual checks, unclear ownership of controls, and disagreements about what “compliance” means can slow down internal security assessments before the audit even begins.
Solution: Define review responsibilities early. Use automation to streamline technical checks (e.g., vulnerability scans) and ensure everyone knows who owns which control.
Final Tip: Use Technology to Your Advantage
Most of these challenges aren’t unique — they’re rooted in common operational bottlenecks. The good news? They’re solvable. A dedicated Cyber Essentials compliance solution, like SecureSlate, can automate scope mapping, guide evidence collection, and keep all teams aligned with the framework.
Certification doesn’t have to be a burden. With the right preparation and tools, Cyber Essentials Plus can become a seamless part of your broader security strategy.
Facilitate the Cyber Essentials Plus Audit with SecureSlate
Cyber Essentials Plus certification stands out for its independent audit and testing requirements — often the most time-consuming parts of the process. SecureSlate is a comprehensive trust management platform that helps dramatically reduce prep time before and during audits. It automates up to 70% of Cyber Essentials workflows and provides a clear, auditable trail of evidence to streamline your path to certification.
SecureSlate enables you to make the most of your existing controls by automatically mapping them to Cyber Essentials and other overlapping frameworks. This reduces redundant testing and manual reviews, helping your team stay focused on what matters most.
The platform includes a dedicated Cyber Essentials module packed with features such as:
- Automated evidence collection
- Centralized control documentation and real-time compliance tracking
- Streamlined access reviews
- Hands-on support and expert guidance throughout the certification journey
SecureSlate also integrates with over 375 tools and platforms, making it easy to build end-to-end compliance workflows without heavy lifting.
Want to see SecureSlate’s Cyber Essentials solution in action? Schedule a custom demo to explore how it can simplify your audit preparation.
Conclusion
Cyber Essentials Plus may come with stricter testing and more hoops to jump through, but it’s also one of the most practical ways to prove your cybersecurity readiness. With real-world verification and independent oversight, it offers peace of mind, not just for you, but for your clients, partners, and regulators too.
The key to success? Preparation. Align your teams, define your scope, fix the gaps, and have your documentation ready. And if you’d rather not juggle spreadsheets and second-guess audit requirements, platforms like SecureSlate can help automate the heavy lifting and keep you audit-ready without the stress.
Cybersecurity doesn’t have to be chaotic. With the right tools and mindset, Cyber Essentials Plus can be more than a checkbox — it can be a competitive advantage.
If you’re interested in using AI-assisted compliance tooling to keep your controls in check, please reach out to our team to get started with a SecureSlate trial.