Cyber Essentials Plus (CE+)
Independently verified cyber assurance for organisations that need more than self-assessment.
Cyber Veritas helps you prepare for, achieve, and maintain IASME Cyber Essentials Plus certification through expert-led scoping, practical remediation guidance, and formal technical verification. Demonstrate trusted cyber controls to clients, procurement teams, and supply-chain partners — with confidence.
What is Cyber Essentials Plus?
Cyber Essentials Plus (CE+) is the highest, independently verified assurance level within the UK Government-backed Cyber Essentials scheme, delivered by IASME, the NCSC’s exclusive Cyber Essentials partner.
Unlike standard Cyber Essentials — which is based on a verified self-assessment questionnaire — Cyber Essentials Plus includes a formal technical audit of your live IT environment, carried out by an IASME-licensed Certification Body such as Cyber Veritas. This independent verification confirms that security controls are not only documented but implemented correctly, operating effectively, and consistently enforced across in-scope systems.
As a result, Cyber Essentials Plus provides strong, externally validated assurance of cyber resilience. It is increasingly recognised as a trusted benchmark by clients, regulators, supply chains, and public-sector procurement frameworks, demonstrating that your organisation meets a higher standard of operational cyber security governance and control.
Not sure if you are ready for a CE+ audit? Book a scoping call with Cyber Veritas to review your current environment and identify any gaps before certification begins.
Why Choose Cyber Veritas?
As an IASME-licensed Certification Body, Cyber Veritas is authorised to assess and certify organisations against both Cyber Essentials and Cyber Essentials Plus. We provide practical, expert-led support throughout every stage of the certification journey — from initial scoping through to certificate issuance and annual renewal.
- IASME-licensed Certification Body, authorised to assess and certify against both CE and CE+.
- Practical pre-audit gap analysis so you know exactly what needs to be in place before the technical audit begins.
- Direct access to experienced CE+ assessors, not just account managers — expert technical guidance throughout.
- Clear scope definition covering users, devices, networks, and cloud services from day one.
- Guided CE self-assessment questionnaire completion with support for leadership sign-off and evidence gathering.
- Full CE+ technical audit execution, including external vulnerability scanning, internal device checks, and authenticated on-device verification.
- Detailed audit findings report with clear explanations of any non-compliances and actionable remediation steps.
- Remediation guidance included — if non-compliances are identified during audit, we work with you to resolve them within the remediation window as per the current IASME scheme rules.
- Post-certification support for annual renewal, scheme changes, broader compliance requirements, and documentation needs.
Who is CE+ For — and Why Get Certified?
Cyber Essentials Plus is well suited to any organisation that needs a higher level of independently verified cyber assurance. It is particularly relevant for organisations that:
- Are bidding for public-sector or enterprise contracts where CE+ is required or expected as evidence of a higher standard of cyber security.
- Must satisfy supplier assurance requirements or client security questionnaires that go beyond the standard CE self-assessment.
- Want independent verification of their technical controls rather than relying on a self-declared questionnaire alone.
- Operate in regulated sectors where externally audited cyber controls are expected by clients or regulators.
- Have already achieved Cyber Essentials and are ready to progress to the higher, independently audited tier of the scheme.
- Are preparing for broader compliance frameworks such as ISO 27001 or IASME Cyber Assurance, and want a strong verified baseline in place first.
Achieving CE+ certification delivers tangible business and operational benefits:
- Demonstrate independently verified cyber controls to clients, procurement teams, insurers, and regulators — not self-declared, but technically audited by an IASME-licensed assessor.
- Win contracts and satisfy supplier assurance requirements. CE+ is required or expected in many public-sector, government, and enterprise procurement frameworks.
- Build customer and stakeholder confidence by providing third-party evidence of your organisation’s security posture.
- Strengthen readiness for broader compliance programmes. CE+ provides a strong, verified foundation before pursuing IASME Cyber Assurance, ISO 27001, or sector-specific frameworks.
Cyber Essentials certification is required in many UK government contracts. Cyber Essentials Plus may be expected in higher-assurance or supply-chain contexts depending on the specific contract requirements. Contact Cyber Veritas to understand what applies to your situation.
The Five Technical Controls Under Audit
Both Cyber Essentials and CE+ are built around the same five key technical controls. The difference is that in CE+, each control is technically verified by Cyber Veritas assessors — not simply self-declared.
1. Boundary Firewalls & Internet Gateways
Your network boundary must be protected by firewalls or equivalent controls. During the CE+ audit, Cyber Veritas will verify that firewalls are correctly configured, that only necessary inbound and outbound ports and services are permitted, and that your internet-facing perimeter provides appropriate protection. Cloud-hosted infrastructure is included in scope where applicable.
2. Secure Configuration
Systems, devices, and software must be configured securely — with unnecessary services, default accounts, and weak settings disabled or removed. The technical audit includes checks against sampled devices to verify that secure baselines are applied, that default credentials have been changed, and that software only exposes what is needed.
3. Access Control
Access to systems, applications, and data must be appropriately restricted. CE+ assessors will verify that standard and administrative accounts are clearly distinguished, that the principle of least privilege is applied, that multi-factor authentication (MFA) is in place where required, and that unused or redundant accounts are removed or disabled.
4. Malware Protection
All devices in scope must be protected against malicious software. During the CE+ audit, assessors will confirm that endpoint protection is deployed, active, and up to date; that it covers all relevant device types; and that appropriate detection and response capabilities are in place.
5. Patch Management
Software, firmware, and operating systems must be kept up to date and vulnerabilities addressed in a timely manner. The technical audit includes vulnerability scanning of internet-facing systems and sampled internal devices to confirm that critical patches are applied within 14 days, and that unsupported or end-of-life software is not present in scope.
CE vs CE+ — What’s the Difference?
Both certifications cover the same five controls and the same IASME scheme requirements. The key distinction lies in how compliance is verified:
| | Cyber Essentials | Cyber Essentials Plus ★ |
|---|---|---|
| Assessment type | Verified self-assessment questionnaire. | Questionnaire plus independent technical audit. |
| Verification | Responses reviewed by a licensed Certification Body. | Vulnerability scans, external IP checks, and sampled on-device testing by Cyber Veritas assessors. |
| Assurance level | Baseline assurance. | Enhanced assurance — controls confirmed as working, not just stated. |
| Remediation | Corrections made before questionnaire submission. | Corrections made within the remediation window as per the current IASME scheme rules. |
| Stakeholder value | Demonstrates commitment to cybersecurity. | Demonstrates independently verified, technically audited compliance. |
| Typical use case | Organisations establishing a security baseline. | Government contracts, enterprise supply chains, and regulated sectors. |
What Does the CE+ Technical Audit Cover?
The CE+ audit is conducted by Cyber Veritas assessors following IASME-defined methodology. It involves a combination of remote and, where necessary, on-site verification activities across your in-scope environment. The audit typically includes:
- External vulnerability scanning of all public-facing IP addresses within scope, identifying exposed services and unpatched vulnerabilities.
- Internal vulnerability scanning of sampled in-scope devices, checking for missing patches, insecure configurations, and end-of-life software.
- Authenticated on-device checks carried out by observing a sample of user devices, including laptops, desktops, and mobile devices where in scope.
- Firewall and network boundary review verifying inbound and outbound rule sets, access control lists, and network segmentation.
- User and administrator account review confirming that account types are correctly distinguished, least privilege is applied, and MFA is in use.
- Malware protection verification confirming endpoint protection is deployed, active, and configured appropriately across all in-scope devices.
- Application and software inventory check verifying that only supported, patched software is present within scope and that unsupported versions are absent.
Common Issues Identified Before CE+ Audit
A thorough pre-audit gap analysis significantly reduces the risk of non-compliance during the formal technical audit. The following are the issues most commonly identified during Cyber Veritas scoping reviews:
- Unsupported or end-of-life software in scope, including legacy operating systems, browsers, and applications that are no longer receiving security updates.
- Missing or inconsistent MFA, particularly on cloud services, remote access solutions, and administrator accounts.
- Incomplete or delayed patching across sampled devices, especially where patch management processes are informal or undocumented.
- Excessive user privileges or inactive accounts, where the principle of least privilege has not been consistently applied and redundant accounts remain active.
- Weak firewall or internet-facing rule configuration, including unnecessarily open ports, permissive outbound rules, or default settings that have not been reviewed.
- Endpoint protection gaps, where not all in-scope devices are covered, or where protection is active but not correctly configured.
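To illustrate the kind of pre-audit gap analysis the five controls and the common-issues list above describe, here is an added Python example (not Cyber Veritas or IASME tooling) that runs the page's stated criteria (critical patches applied within 14 days, no end-of-life software, MFA on administrator accounts, default credentials changed, endpoint protection active, redundant accounts removed) over a constructed inventory. The device and account data, the EOL software names, the audit date and the 90-day inactivity threshold are all assumptions made for illustration.

```python
from datetime import date

# Constructed pre-audit data: hypothetical values, not from any real environment.
PATCH_WINDOW_DAYS = 14         # the 14-day window for critical patches stated on the page
INACTIVE_DAYS = 90             # assumed threshold for treating an account as redundant
AUDIT_DATE = date(2024, 6, 1)  # constructed audit date
EOL_SOFTWARE = {"Windows 7", "Office 2013"}  # constructed examples of unsupported software

DEVICES = [
    {"name": "LAPTOP-01", "software": ["Windows 11", "Microsoft 365"], "oldest_missing_critical_patch": None,
     "endpoint_protection": True, "default_creds_changed": True},
    {"name": "LAPTOP-02", "software": ["Windows 11", "Office 2013"], "oldest_missing_critical_patch": date(2024, 5, 1),
     "endpoint_protection": True, "default_creds_changed": True},
    # endpoint_protection None = control not applicable to this device type (network appliance)
    {"name": "FW-EDGE", "software": ["FirewallOS 4.2"], "oldest_missing_critical_patch": None,
     "endpoint_protection": None, "default_creds_changed": False},
]
ACCOUNTS = [
    {"user": "alice", "admin": True, "mfa": True, "days_since_login": 2},
    {"user": "bob", "admin": False, "mfa": False, "days_since_login": 1},
    {"user": "svc-legacy", "admin": True, "mfa": False, "days_since_login": 240},
]


def device_findings(devices, today, eol=EOL_SOFTWARE):
    """Return (device, control area, issue) tuples for devices that would fail the CE+ checks."""
    out = []
    for d in devices:
        for s in d["software"]:
            if s in eol:
                out.append((d["name"], "patch management", f"end-of-life software present: {s}"))
        released = d["oldest_missing_critical_patch"]   # release date of the oldest missing critical patch
        if released is not None and (today - released).days > PATCH_WINDOW_DAYS:
            age = (today - released).days
            out.append((d["name"], "patch management", f"critical patch outstanding for {age} days (>{PATCH_WINDOW_DAYS})"))
        if d["endpoint_protection"] is False:
            out.append((d["name"], "malware protection", "endpoint protection not active"))
        if not d["default_creds_changed"]:
            out.append((d["name"], "secure configuration", "default credentials still in use"))
    return out


def account_findings(accounts):
    """Return (account, control area, issue) tuples for accounts that would fail the access control checks."""
    out = []
    for a in accounts:
        if a["admin"] and not a["mfa"]:
            out.append((a["user"], "access control", "administrator account without MFA"))
        if a["days_since_login"] > INACTIVE_DAYS:
            out.append((a["user"], "access control", "inactive account still enabled"))
    return out


if __name__ == "__main__":
    for f in device_findings(DEVICES, AUDIT_DATE) + account_findings(ACCOUNTS):
        print("%-12s %-22s %s" % f)
```

Each finding names the control area it maps to, so the output can be used directly as the starting point for a remediation roadmap before the formal audit.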
Cyber Veritas helps identify and address these issues before the formal audit begins — reducing the risk of non-compliance and supporting a smoother path to certification.
How the CE+ Process Works
The CE+ certification journey follows four clear phases. Cyber Veritas supports you throughout every stage, from initial scoping through to certificate issuance and annual renewal.
PHASE 1 — PREPARE
| Stage | What Happens |
|---|---|
| 1. Scoping & initial consultation | We define the certification scope by identifying all relevant devices, users, networks, cloud services, and third-party systems. Your current environment is reviewed against the five Cyber Essentials control areas to highlight any preparation required before the assessment begins. |
| 2. Gap analysis & remediation planning | Cyber Veritas evaluates your existing security posture against CE+ requirements and produces a clear remediation roadmap. This may include improvements to firewall configuration, patch management, account security, MFA implementation, and endpoint protection. |
PHASE 2 — VERIFY
| Stage | What Happens |
|---|---|
| 3. CE self-assessment questionnaire | You complete the required IASME Cyber Essentials questionnaire, which is a mandatory prerequisite for CE+. Cyber Veritas supports you throughout this process to ensure accuracy and appropriate leadership sign-off. |
| 4. CE questionnaire review | We review your submitted responses to confirm alignment with scheme requirements before progressing to the technical audit stage. |
| 5. CE+ technical audit | Cyber Veritas performs the formal CE+ verification activities in line with IASME methodology, including external vulnerability scanning, internal scanning of sampled devices, and authenticated on-device configuration checks. |
PHASE 3 — CERTIFY
| Stage | What Happens |
|---|---|
| 6. Results & remediation window | If any non-compliances are identified during the audit, you will have a period to remediate them in line with current IASME scheme rules. Cyber Veritas provides guidance and support to help you achieve compliance within this window. |
| 7. Certification & badge issued | Once all requirements are successfully met, your organisation receives the official IASME Cyber Essentials Plus certificate and certification badge, valid for 12 months, for use across your website, proposals, and marketing materials. |
PHASE 4 — MAINTAIN
| Stage | What Happens |
|---|---|
| 8. Maintain, review & renew | Cyber Essentials Plus certification is renewed annually. Cyber Veritas provides ongoing advisory support to help you maintain compliance, prepare for renewal, and stay aligned with any updates to the scheme requirements. |
Pricing & Options
All pricing provided is indicative and subject to confirmation following an initial scoping consultation. Please contact Cyber Veritas to receive a tailored quotation aligned to your organisation’s environment, scope, and technical requirements.
Micro Business
- Scoping & gap analysis
- CE self-assessment support
- Full CE+ technical audit
- Certificate & badge
- 12-month validity
Small to Medium
- Full scoping & remediation planning
- CE self-assessment support
- CE+ audit including external & internal scanning
- On-device checks across sampled devices
- Audit report & remediation guidance
- Certificate & badge
Large Enterprise
- Comprehensive scoping & environment review
- Dedicated consultant
- Full CE+ audit with extended device sampling
- Detailed findings & remediation report
- Full remediation planning & support
- Ongoing compliance & renewal support
Combined CE and CE+ packages are available, as well as bundle options alongside IASME Cyber Assurance for organisations seeking broader governance coverage. Please contact Cyber Veritas for a tailored quotation.
Get Started with Cyber Veritas
Ready to begin your CE+ certification journey? Book a free scoping call with Cyber Veritas. We will assess your environment, walk you through what is involved, and provide a tailored proposal aligned to your requirements.
Ready to Get CE+ Certified?
Speak to a Cyber Essentials Plus assessor today. We provide straightforward, expert guidance from initial scoping through to certification.