Cyber Essentials Plus: Prove Your Basics Actually Work
Cyber Essentials Plus is the independently-audited tier of the UK's Cyber Essentials scheme. Where the base certification relies on a self-assessment questionnaire, the Plus tier adds a hands-on technical audit: an assessor verifies that your five core controls are genuinely in place and working. It is the difference between saying you are secure and having someone check.
For SMEs that sell into the UK, into supply chains, or into the public sector, Cyber Essentials Plus is often a contractual requirement and always a credibility boost. ShieldIQ helps you close the gaps before the auditor arrives, assessing your readiness in around fifteen minutes.
Start your Cyber Essentials Plus assessment →
What Is Cyber Essentials Plus?
Cyber Essentials is a UK government-backed scheme, run by IASME, that protects organisations against the most common internet-based cyber attacks. It defines five technical controls that, implemented well, stop the overwhelming majority of opportunistic attacks.
The five controls are:
- Firewalls: secure your internet connection and boundary devices
- Secure configuration: set up devices and software to reduce vulnerabilities
- Security update management: keep everything patched and supported
- User access control: give people the least access they need, and control admin rights
- Malware protection: defend against viruses and other malicious software
Cyber Essentials Plus covers the same five controls, but adds independent verification. A qualified assessor conducts an internal vulnerability scan and tests a sample of your devices to confirm the controls actually work in practice. Certification lasts twelve months.
Who Should Care About Cyber Essentials Plus?
Cyber Essentials Plus suits any organisation that needs to demonstrate verified security, not just claimed security. It is particularly relevant if you:
- Bid for UK public-sector contracts, many of which mandate it
- Sit in a supply chain where larger customers require independent assurance
- Want stronger evidence than the self-assessed base certification provides
- Are an SME looking for a recognised, achievable certification that opens doors
For a small business, the audited tier is a strong trust signal. It tells customers and partners that your security has been independently checked, which shortens due-diligence conversations and wins work.
Common Challenges for SMEs
Because Plus involves a live audit, the usual gaps get exposed quickly: unsupported operating systems still in use, missing patches, browsers and office software out of date, local admin rights handed out too freely, and inconsistent malware protection across devices. Organisations that breezed through the self-assessment often stumble when an assessor actually scans the estate.
The fix is to find and close those gaps before the audit, not during it. That means a clear inventory, a patching regime, tightened configuration, and controlled access. ShieldIQ helps you get there methodically, so the audit becomes a confirmation rather than a surprise.
How ShieldIQ Helps You Meet Cyber Essentials Plus
Gap analysis. ShieldIQ's AI scores your posture against the five technical controls and flags exactly where you would fail an audit today, with a prioritised plan.
Asset inventory. Catalogue your devices and software so nothing unsupported or unpatched slips through the audit.
Network scanner. Run NMAP scans with AI analysis of open ports and vulnerabilities, mirroring the kind of checks the assessor performs.
Control mapping. Link your controls and evidence to each of the five requirements, so you can prove readiness before the assessment.
Actions board. Turn gaps into tracked tasks with owners and due dates, closing them ahead of the audit window.
Policy library. Editable access-control, patching, and malware-protection policies that back up the technical controls.
Start your assessment, no card required →
Cyber Essentials Plus and Other Frameworks
The five controls are a foundation that supports the frameworks ShieldIQ already covers:
- Cyber Essentials compliance: the self-assessed tier, the natural first step before Plus
- CIS Controls compliance: the CIS IG1 safeguards cover and extend the five controls
- ISO 27001 compliance: the technical controls feed directly into your ISMS
- NIST CSF compliance: the basics map onto the Protect function
Frequently Asked Questions
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Both cover the same five technical controls. Cyber Essentials is a self-assessment: you answer a questionnaire and it is verified by a certification body. Cyber Essentials Plus adds an independent, hands-on technical audit, including a vulnerability scan and device testing, to confirm the controls actually work. Plus is the more rigorous, more credible tier.
Do I need base Cyber Essentials before Plus?
In practice yes. Cyber Essentials Plus builds on the base certification, and organisations typically complete or align to the self-assessment first, then undergo the Plus audit. ShieldIQ helps you get both in order.
Is Cyber Essentials Plus relevant for an Irish business?
Yes, if you trade with UK organisations or bid for UK contracts. It is a UK scheme, but the five controls are universal good practice, and many UK customers and public bodies require the Plus certification from their suppliers regardless of where they are based.
How long does certification last?
Cyber Essentials Plus certification is valid for twelve months, after which you recertify. Because it is time-limited and audited, keeping your controls continuously in good shape matters. ShieldIQ helps you stay audit-ready year round rather than scrambling at renewal.
Start your Cyber Essentials Plus assessment, no card required →