🛡️ STATUS BADGE: 🔵 CERTIFIED (SaaS) | 🟢 ELIGIBLE (Self-Hosted)
Executive Summary: What is it?
Cyber Essentials Plus is a UK government-backed cyber security certification owned by the NCSC (National Cyber Security Centre) and delivered by the IASME Consortium. Unlike basic Cyber Essentials — which is a self-assessment questionnaire — Plus requires an independent technical audit by a licensed Certification Body, including vulnerability scanning, device configuration checks, and malware testing. It covers five control areas: firewalls, secure configuration, user access control, malware protection, and patch management. Certification is valid for 12 months, after which it must be renewed.
CFO / Business Impact: What does it cost/risk?
- UK Government Market Access: Since 2014 (PPN 09/14), all central government contracts involving sensitive or personal data require Cyber Essentials certification. MOD contracts under DEFCON 658 specifically require Plus, cascading to sub-contractors.
- NHS & Public Sector: NHS trusts commonly mandate CE or CE+ depending on data sensitivity. Lapsed certification can disqualify organisations from contract renewals.
- Insurance Benefit: Basic certification includes automatic cyber liability insurance (up to GBP 25,000) for UK-domiciled organisations. Commercial insurers offer additional premium discounts for Plus holders.
Technical Reality: How does it work?
- Independent Verification: A licensed assessor performs vulnerability scanning of internet-facing IP addresses, internal device configuration audits, email and browser malware testing, and firewall rule verification. Full compliance is required — no exceptions.
- Prerequisite Chain: Organisations must hold valid CE Basic first; Plus must be achieved within 90 days of Basic certification.
- Five Controls: Firewalls (boundary protection), Secure Configuration (hardened defaults), User Access Control (least privilege), Malware Protection (AV/EDR), and Patch Management (14-day critical patch window).