Cyber Essentials Plus

Cyber Essentials Plus readiness and assessment support from Be Secure Cyber. Practical help with technical controls, evidence, remediation planning and next steps.

Cyber Essentials Plus builds on Cyber Essentials by adding technical verification. Instead of relying only on self-assessment answers, selected systems are tested to check that key controls are working in practice.

For organisations that need stronger assurance, Cyber Essentials Plus can be a useful next step. It is also commonly required by customers, public-sector contracts and supply-chain assurance processes.

Be Secure Cyber helps organisations prepare properly before assessment, understand likely areas of risk and deal with issues in a structured way.

What Cyber Essentials Plus adds

Cyber Essentials is based on a self-assessment questionnaire. Cyber Essentials Plus adds technical testing.

That testing usually looks at whether devices and services meet the expected control requirements. The exact details depend on scope, but the assessment is designed to check whether the organisation’s answers hold up in practice.

This makes readiness important. A control that looks acceptable in a written answer may still cause problems when devices, updates, authentication or configuration are checked.

When Cyber Essentials Plus is useful

Organisations usually pursue Cyber Essentials Plus because:

  • a tender or customer contract requires it
  • a client wants stronger evidence than Cyber Essentials alone
  • leadership wants independent technical assurance
  • the organisation is part of a higher-risk supply chain
  • Cyber Essentials has already been achieved and the next step is technical validation
  • the business wants to understand whether basic controls are working consistently

Cyber Essentials Plus is not only a certificate exercise. It can show where operational IT practices need to be tightened.

Readiness before assessment

Preparation matters. Cyber Essentials Plus can expose issues that have been accepted informally or missed during normal IT operations.

Common areas to review before assessment include:

  • unsupported software or operating systems
  • missing security updates
  • incomplete MFA coverage
  • users with unnecessary administrator rights
  • unmanaged or poorly controlled devices
  • weak browser or email configuration
  • unclear treatment of cloud services
  • inconsistent device build standards
  • remote access arrangements
  • Microsoft 365 and identity configuration

Finding these issues before assessment gives you time to correct them properly.

How we support Cyber Essentials Plus

We can help at different stages, depending on how prepared the organisation is.

Support may include:

  • checking whether Cyber Essentials Plus is the right next step
  • reviewing likely assessment scope
  • identifying technical gaps before testing
  • helping prioritise remediation work
  • advising on evidence and preparation
  • supporting the assessment process
  • explaining findings in practical terms
  • helping define next steps after certification

For organisations using an external IT provider, we can also help separate what is owned by the business from what needs input from the provider.

Microsoft 365 and Cyber Essentials Plus

Microsoft 365 is often central to Cyber Essentials Plus readiness. Identity, MFA, administrator roles, device access, email security and external sharing can all affect the organisation’s security position.

A simple Secure Score review is not enough on its own. Secure Score can be a useful signal, but it does not replace a structured review of how the tenant is configured, what risks are accepted and whether settings match the way the organisation works.

Where needed, Be Secure Cyber can review Microsoft 365 security as part of preparation work or as a separate review.

Cyber Essentials Plus after Cyber Essentials

Most organisations complete Cyber Essentials first. Cyber Essentials Plus then provides additional assurance that selected controls are working.

This sequence is useful because the self-assessment helps define the environment and identify obvious issues before technical testing starts.

If your organisation has recently completed Cyber Essentials and is considering Cyber Essentials Plus, the best first step is usually a readiness discussion rather than going straight into testing.

What you receive from readiness work

The output depends on the scope of support, but may include:

  • a clear view of likely assessment risks
  • a prioritised list of issues to fix
  • practical recommendations for remediation
  • evidence or preparation guidance
  • an explanation of where Microsoft 365, devices or user access may affect readiness
  • next-step advice for certification and wider security improvement

The aim is to reduce avoidable surprises and help the organisation make informed decisions before assessment.

Cyber Essentials Plus pricing

Cyber Essentials Plus assessment starts from £1,300 + VAT. The final figure depends on the number of devices and users in scope, your environment, and how much readiness or remediation support is needed beforehand. Speak to us for a quote based on your scope.

Frequently asked questions

Is Cyber Essentials Plus much harder than Cyber Essentials?

It is more demanding because technical checks are involved. The main challenge is not usually the certificate itself, but whether patching, MFA, device management and access controls are being handled consistently.

Should we do a readiness review first?

For many organisations, yes. A readiness review can identify likely issues before formal assessment. This is especially useful if the organisation has remote workers, cloud services, externally managed systems or a mix of managed and unmanaged devices.

What if our IT provider manages most of the systems?

That is common. We can help clarify what information is needed from the IT provider and what decisions remain with the business. Cyber Essentials Plus often requires cooperation between the organisation, its IT provider and the assessor.

Can Microsoft 365 affect Cyber Essentials Plus?

Yes. Microsoft 365 can affect authentication, access control, email security, administrator roles and device access. Poor configuration can create risk even where endpoint devices are otherwise well managed.

What happens after Cyber Essentials Plus?

After certification, many organisations use the findings to plan further improvement. This may include Microsoft 365 hardening, policy updates, vulnerability management, supplier assurance or a wider security roadmap.

Speak to us about Cyber Essentials Plus

If you are preparing for Cyber Essentials Plus or have been asked to achieve it for a client or tender, we can help you understand readiness, scope and likely next steps.

Contact Be Secure Cyber to discuss Cyber Essentials Plus support.