IASME-Accredited Cyber Essentials and Cyber Essentials Plus Certification for UK Businesses
We are an active IASME Cyber Essentials Certifying Body — we issue Cyber Essentials and Cyber Essentials Plus certificates directly. Pre-audit gap analysis, full CE+ technical testing, IASME-accredited assessor delivery, fast certificate issuance. Aligned to IASME Cyber Assurance for organisations needing more than CE+.
Self-certified Cyber Essentials questionnaires won’t satisfy enterprise procurement. CE+ testing will.
Cyber Essentials (the self-assessment tier) is a starting point — fine for smaller suppliers and lower-risk procurement. Cyber Essentials Plus (CE+) adds independent technical testing by an IASME-accredited assessor: confirmed boundary firewall, confirmed device patching, confirmed secure configuration, validated user access controls, and validated malware protection. UK government and enterprise procurement increasingly require CE+ rather than CE.
We are an active IASME Cyber Essentials Certifying Body — verifiable on the IASME registry. Our assessors deliver the full CE+ technical test, issue certificates directly, and provide pre-audit gap analysis to ensure a first-time pass. Reports satisfy UK government supplier requirements (CCS / G-Cloud), align with NHS DSPT, and provide evidence accepted by cyber-insurance underwriters as a baseline maturity signal.
CE+ TECHNICAL TEST · 5 CONTROLS
What We Test in Cyber Essentials Plus
IASME-accredited assessor-led testing across the five Cyber Essentials Plus technical controls. Pre-audit gap analysis included.
Boundary Firewalls & Internet Gateways
External vulnerability scanning of every internet-facing device. Default credential testing. Configuration review against IASME standard.
Secure Configuration
Sample device build review. Default password audit. Unnecessary service identification. Account / role configuration validation.
User Access Control
MFA enforcement validation, least-privilege role review, joiners/movers/leavers process audit, admin account separation.
Malware Protection
Anti-malware product validation, signature update verification, real-time protection enforcement, sample malicious-file detection test.
Security Update Management
Patch level assessment across all in-scope devices. OS, browser, and application updates verified. Critical patch lag analysis.
Cloud Service Scoping
Cloud-services-in-scope determination (Microsoft 365, Google Workspace, AWS, Azure, GCP). 2022 update — cloud is now in CE+ scope by default.
Boundary Vulnerability Scan
External authenticated and unauthenticated vulnerability scan. Confirmed via screenshots and device-by-device evidence.
Internal Authenticated Scan
Internal device scan from an authenticated user's perspective. Patch level, configuration drift, malware product, secure baseline.
Mobile Device Scan
Where in scope: mobile device build review, MDM enforcement, App Store policy, encryption at rest validation.
Pre-Audit Gap Analysis
Pre-engagement gap analysis included with the mid-market+ tier. Identifies issues before formal CE+ assessment — first-time pass rate >95%.
Remediation Support
Failed control items: 30-day remediation window, free retest, IASME-aligned remediation guidance.
Certificate Issuance
Direct issuance of IASME-stamped Cyber Essentials Plus certificate. Listed in IASME registry. Branded certificate for procurement portfolios.
FOUR-PHASE METHODOLOGY
Cyber Essentials Plus — From Gap Analysis to Certificate
Pre-audit gap analysis, IASME-accredited assessor delivery, first-time-pass focus, fast certificate issuance.
Pre-Audit Gap Analysis
Self-Assessment Questionnaire
Technical Test
Certificate Issuance
Verified Accreditations Auditors Accept
Every accreditation independently issued by a recognised UK certification body.
COMPLIANCE READY
Cyber Essentials Plus Mapped to Every Framework
CE+ as a foundation control set — recognised across UK procurement, regulatory, and insurance frameworks.
UK Government Supplier
CE+ is mandatory for HMG suppliers handling sensitive government data. CCS framework, G-Cloud framework, NHS supplier framework alignment.
NHS DSPT
CE+ is recognised evidence for NHS DSPT Standard 9 (Asset 7) — boundary control, secure configuration, malware protection.
Cyber Insurance
UK cyber-insurance underwriters typically reduce premiums by 5-15% for CE+ certified businesses. Some products mandate CE+ for renewal.
Enterprise Procurement
CE+ is the de facto baseline for enterprise vendor onboarding in regulated industries (banking, insurance, legal).
IASME Cyber Assurance
For organisations needing more than CE+, IASME Cyber Assurance is the next tier. It is aligned to ISO 27001 but has a lighter-touch certification process.
ISO 27001 Foundation
The CE+ control set maps directly to a subset of ISO 27001 Annex A controls (A.13 networking, A.12.6 vulnerabilities, A.9 access).
TRANSPARENT PRICING
Transparent Cyber Essentials Plus Pricing
All tiers are IASME-accredited delivery. Price varies by organisation size and scope complexity. CE (self-assessment) bundled into mid-tier+.
Self-assessment only
Cyber Essentials self-assessment review and certificate issuance for organisations under 50 employees. 1-2 day turnaround.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Depends on org size + cloud scope
Cyber Essentials Plus full technical test for organisations 50-250 employees. Pre-audit gap analysis included. 5-10 working days.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Depends on org size + cloud scope
CE+ for 250+ employees, multi-site, complex cloud (multi-tenant Microsoft 365 / hybrid AD). 10-15 working days.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Cyber Essentials Plus for Your Sector
CE+ is increasingly required across sectors. Compliance and procurement evidence varies by industry.
Fintech
FCA-regulated firms, Open Banking, payment APIs, PCI scoping.
SaaS
Multi-tenant isolation, SSO/SAML/OIDC, customer-data perimeter, SOC 2 evidence.
Healthcare
NHS DSPT, NHS DTAC, EHR integration, telehealth, patient-data PII.
Insurance
FCA / PRA Operational Resilience, claims data, broker integrations, cyber underwriting evidence.
Law
Privileged-data confidentiality, partner-tier scrutiny, SRA Cyber Standard alignment.
Public Sector
CCS / G-Cloud framework, NCSC-aligned, SC-cleared testers available.
What You Actually Get
Five things that distinguish our service from automated scans and box-tick competitors.
What You Get From Cyber Essentials Plus
Pre-Audit Gap Analysis
IASME Certifying Body
Free Re-Test on Failed Controls
UK CREST + IASME + ISO 27001 + ISO 9001
Frequently Asked
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials (CE) is a self-assessment questionnaire — you confirm your controls in writing, and an IASME-accredited assessor reviews them and issues a certificate. Cyber Essentials Plus (CE+) adds independent technical testing — an IASME assessor runs vulnerability scans, reviews sample device builds, and validates the controls you self-attested.
How long does Cyber Essentials Plus take?
Pre-audit gap analysis: 2-3 working days. Formal CE+ assessment: 1-2 days on-site (or remote for cloud-only orgs). Certificate issuance: 5-10 working days from assessment completion. Total end-to-end: 5-15 working days for most organisations.
How much does Cyber Essentials Plus cost in the UK?
Cyber Essentials (self-assessment) £300-£600. Cyber Essentials Plus (50-250 employees) £1,200-£3,500. CE+ for 250+ employees or complex cloud £3,500+. All quotes are fixed-price after scoping.
Are you an IASME Certifying Body?
Yes. We are an active IASME Cyber Essentials Certifying Body — verifiable on the IASME registry. Our IASME accreditation is independent and externally audited.
Will Cyber Essentials Plus reduce our cyber insurance premium?
UK cyber-insurance underwriters typically reduce premiums by 5-15% for CE+ certified businesses. Some products (particularly higher-tier policies above £100k premium) require CE+ for renewal eligibility.
Is CE+ required for UK government work?
For UK government suppliers handling sensitive data, CE+ is typically required (the Cabinet Office Procurement Policy Note PPN 09/14 and successor PPNs mandate CE / CE+ for many contracts). Crown Commercial Service (CCS) and G-Cloud framework participants commonly need CE+.
Do you offer pre-audit gap analysis?
Yes. Our mid-tier+ engagements include pre-audit gap analysis. We review sample devices and configurations against the CE+ control set before the formal assessment, identify failures, and give your team time to remediate before the official test. First-time-pass rate >95% for clients who complete gap analysis.
What happens if we fail a CE+ control?
30-day remediation window with free retest. We provide IASME-aligned remediation guidance for each failed control. Most clients pass the retest after addressing the gap analysis findings.
Does CE+ cover cloud services?
Yes. As of 2022, cloud services (Microsoft 365, Google Workspace, AWS, Azure, GCP) are in scope by default for CE+. The assessment validates cloud configuration against the same five technical controls — boundary firewall, secure configuration, user access, malware protection, security updates.
What is IASME Cyber Assurance?
IASME Cyber Assurance is a more comprehensive certification standard that goes beyond Cyber Essentials Plus. It’s aligned to ISO 27001 (covering similar control areas) but uses a lighter-touch certification process. Suitable for organisations that need more rigour than CE+ but find ISO 27001 disproportionate.
How often must we recertify?
Cyber Essentials and Cyber Essentials Plus are annual certifications. Recertification typically takes 80-90% of the original engagement effort, with focus on changes since the prior assessment. Annual renewal is included with our enterprise tier.
Do you sign NDAs?
Yes. Standard NDA before any technical detail is shared. We operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses.
Book a Cyber Essentials Plus Scoping Call
30 minutes with an IASME-accredited assessor. Pre-audit gap analysis quote within 24 hours. No sales pipeline.







