Cyber Essentials Plus: What the Assessment Involves, What It Costs, and How to Pass
Cyber Essentials Plus is a hands-on technical audit of the same five controls that Cyber Essentials Basic covers through self-assessment. An approved assessor tests a representative sample of your devices, verifies patching against a 14-day rule, and checks that malware protection and multi-factor authentication actually work. The assessment typically takes 3-5 days, must be completed within three months of your CE Basic certification date, and the certificate is valid for 12 months.
What is Cyber Essentials Plus?
Cyber Essentials has two levels, and the difference between them is the burden of proof. The scheme is run by the National Cyber Security Centre (NCSC) and delivered through IASME (the scheme's sole accreditation body). Cyber Essentials Basic is a verified self-assessment: you answer the question set about your own controls and an assessor reviews what you wrote. Cyber Essentials Plus is a technical audit carried out by an approved assessor, who tests whether the controls you declared are really in place on your machines.
The five controls are identical at both levels: firewalls, secure configuration, security update management, user access control, and malware protection. Plus adds no new controls to that list. What changes is who does the proving: at Basic your answers are the evidence, while at Plus the assessor gathers it directly through vulnerability scans, device checks and live tests.
The controls themselves are worth the scrutiny they get. In a Lancaster University study for the UK government, the Cyber Essentials controls mitigated 99% of the 200 commodity attack vulnerabilities tested. Plus exists to confirm those controls are real on your estate, not just declared on a form.
Both levels are currently assessed against a question set called Danzell, which took effect on 27 April 2026. Danzell tightened three areas that regularly catch businesses out. Multi-factor authentication (MFA) is now mandatory on cloud services, and critical patches must be applied within 14 days of release. Personal devices used for work are also in scope, with exceptions only for devices used purely for voice calls, text messages or MFA apps. If you certified under the previous question set, read our Danzell changes guide before you book anything.
| Cyber Essentials Basic | Cyber Essentials Plus | |
|---|---|---|
| Format | Verified self-assessment | Technical audit by an approved assessor |
| Evidence | Your answers to the question set | Scans, live tests and direct observation on your devices |
| Devices tested | None | A representative sample of every device and build type in scope |
| Prerequisite | None | CE Basic, certified within the previous three months |
| Validity | 12 months | 12 months |
For a fuller side-by-side comparison, see CE Basic vs Plus.