Cyber Essentials Plus in 5 Days: NHS Wales Contractor Case Study

Contract deadlines don't wait for certification timelines to catch up. When a National Health Service (NHS) Wales contractor needed both Cyber Essentials and CE Plus to secure a contract, they had days, not weeks. This is how we delivered both certifications in 5 days.
The situation
The organisation was an established IT services provider that had been working with NHS Wales for several years. A new contract was being issued under Welsh Procurement Policy Note (WPPN) 08/21, which mirrors the UK-wide PPN 014 requirements. The contract explicitly required both CE Basic and CE Plus certification.
They didn't have either certification, and the procurement timeline gave them a narrow window to demonstrate compliance before the contract award decision. Missing the deadline meant missing the contract.
They contacted us on a Monday, and the contract decision was the following Monday. Five working days to go from no certification to fully certified at both levels.
Why speed matters in procurement
Government procurement operates on fixed timelines, and when a contracting authority sets a deadline, that deadline doesn't move because a supplier needs more time to get certified.
This is increasingly common across the public sector. PPN 014 (effective 24 February 2025) requires all central government contracting authorities to include CE or CE Plus in relevant procurements. NHS Wales applies WPPN 08/21, which imposes the same requirements across Welsh public sector procurement.
Suppliers who don't hold certification when the deadline arrives don't get a grace period. They're either compliant or they're not on the approved list, and the contract goes to someone who was ready.
For businesses that supply the NHS, this creates a recurring problem. Certification requirements appear in new contracts and renewals, often with timelines that assume the supplier is already certified or can become certified quickly. Organisations that wait until the requirement appears in a specific contract are already behind.
Day 1: Scoping and pre-assessment
We started with scoping on the first day. This determines what's in and out of the assessment and identifies any obvious issues before formal testing begins.
What we confirmed:
- Total device count and operating system breakdown (Windows, macOS, mobile)
- Cloud services in use (Microsoft 365, line-of-business applications)
- Internet-facing IP addresses for external scanning
- Network architecture and firewall configuration
- Admin account inventory and access control structure
- MFA status across all cloud services
What we identified early:
- Two devices running an outdated version of a third-party application with a CVSS 7.0+ vulnerability
- One cloud service where MFA was enabled but not enforced (users could skip the prompt)
- A legacy admin account from a former employee that hadn't been deactivated
Identifying these issues on Day 1 meant they could be fixed immediately rather than discovered during the formal assessment. Every hour matters when the timeline is this tight.
Day 2: CE Basic assessment
With the scope confirmed and the obvious issues flagged for remediation, we moved into the CE Basic self-assessment.
The organisation completed the questionnaire with our guidance. Each answer was checked against the actual state of their systems, not what they assumed was true. This is where many organisations lose time: they answer based on how they think things are configured rather than how they actually are.
We reviewed every answer, cross-referenced it against the scoping data from Day 1, and submitted the assessment. CE Basic was certified by end of Day 2.
The two devices with outdated software were patched on Day 2. The MFA enforcement issue was resolved by switching from optional to mandatory enrolment, so the prompt could no longer be skipped, and the legacy admin account was deactivated.
Days 3-4: CE Plus technical testing
CE Plus adds hands-on technical verification to the Basic self-assessment. An assessor tests the controls directly on live systems.
External vulnerability scanning: We scanned all of the organisation's internet-facing IP addresses. The scan checks for open ports, exposed services, missing patches on internet-facing systems, SSL/TLS configuration, and known vulnerabilities. Any finding with a CVSS base score of 7.0 or above for which a fix had been available for more than 14 days would be a failure; a 7.0+ finding still inside that 14-day window is not yet a fail, but it has to be patched before the window closes.
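The 14-day rule above is easy to misapply when reading a scan export, because the scanner reports severity but not how long a fix has existed. The following is an added example (not part of the original case study or the assessor's tooling) that applies the rule to a constructed list of findings. Host names, titles and dates are made up for illustration; the CVSS 7.0 threshold and 14-day window are the ones the text describes.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# CE Plus auto-fail rule as described in the text: a vulnerability with a
# CVSS base score of 7.0 or above fails the assessment once a vendor fix has
# been available for more than 14 days.
FAIL_THRESHOLD = 7.0
PATCH_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class Finding:
    host: str          # hypothetical device name (constructed sample data)
    title: str         # hypothetical finding title (constructed sample data)
    cvss: float        # CVSS base score as reported by the scanner
    fix_released: date # date the vendor fix became available


def classify(finding: Finding, scan_date: date) -> str:
    """Classify one finding against the CE Plus rule.

    Returns one of:
      "fail"      - CVSS >= 7.0 and the fix is older than 14 days
      "in-window" - CVSS >= 7.0 but the fix is still within 14 days
      "note"      - below the threshold; flag for remediation, not a fail
    """
    if finding.cvss < FAIL_THRESHOLD:
        return "note"
    if scan_date - finding.fix_released > PATCH_WINDOW:
        return "fail"
    return "in-window"


def days_left(finding: Finding, scan_date: date) -> int:
    """Days remaining before a 7.0+ finding becomes a fail (negative = overdue)."""
    return (finding.fix_released + PATCH_WINDOW - scan_date).days


def summarise(findings: list[Finding], scan_date: date) -> dict[str, list[str]]:
    """Group findings by outcome so the report reads in remediation order."""
    report: dict[str, list[str]] = {"fail": [], "in-window": [], "note": []}
    for f in findings:
        label = f"{f.host}: {f.title} (CVSS {f.cvss})"
        outcome = classify(f, scan_date)
        if outcome != "note":
            label += f", {days_left(f, scan_date)} day(s) left"
        report[outcome].append(label)
    return report


# Constructed sample scan output: one overdue high, one high still inside
# the window, and the CVSS 5.5 browser-extension style finding from the text.
SCAN_DATE = date(2025, 3, 10)
SAMPLE_FINDINGS = [
    Finding("LAP-07", "Outdated third-party PDF reader", 7.8, date(2025, 1, 29)),
    Finding("LAP-12", "Outdated third-party PDF reader", 7.8, date(2025, 3, 1)),
    Finding("LAP-03", "Outdated browser extension", 5.5, date(2025, 2, 1)),
]

if __name__ == "__main__":
    for outcome, rows in summarise(SAMPLE_FINDINGS, SCAN_DATE).items():
        print(outcome.upper())
        for row in rows:
            print("  " + row)
```

Run it against a real export by mapping the scanner's severity and "patch published" columns onto Finding; the point to keep in mind is that a 9.8 published yesterday is not a fail today, while a 7.0 from six weeks ago is.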
The external scan came back clean, as the organisation's firewall configuration was solid, with no unnecessary ports exposed and no services running that shouldn't be.
Internal authenticated scanning: We calculated the sample from the IASME Consortium (IASME) build-based sampling table. Devices were grouped by OS version and edition, and a representative sample was drawn from each group, with servers tested in full.
The internal scan found what we expected: the two devices that had been flagged during scoping were now patched and clean. The rest of the estate was within the 14-day patching window. No third-party applications with outstanding critical vulnerabilities.
MFA verification: We verified that MFA was enabled and enforced on every cloud service in scope. Microsoft 365, the line-of-business applications, and the remote access solution all had MFA properly enforced. The fix from Day 2 was confirmed working.
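The Day 1 finding, MFA enabled but skippable, is the kind of gap that a checkbox answer ("do you use MFA?") hides and a configuration check exposes. As an added example, not part of the original case study or the assessor's tooling, the script below inspects Entra ID Conditional Access policies in the shape returned by the Microsoft Graph conditionalAccessPolicy resource and reports why a policy does not enforce MFA for every user and application. The two sample policies are constructed: one in report-only state (the gap), one enforced (the fix). Field names follow the Graph schema as the author understands it; verify against your own export.

```python
from typing import Any

# Graph conditionalAccessPolicy "state" values: "enabled", "disabled", and
# "enabledForReportingButNotEnforced" (report-only). Only "enabled" enforces.
ENFORCED_STATE = "enabled"


def mfa_gaps(policy: dict[str, Any]) -> list[str]:
    """Return the reasons this policy does NOT enforce MFA for all users and
    all cloud apps. An empty list means the policy enforces MFA tenant-wide."""
    gaps: list[str] = []
    name = policy.get("displayName", "<unnamed>")

    state = policy.get("state")
    if state != ENFORCED_STATE:
        gaps.append(f"{name}: state is {state!r}, not 'enabled' (not enforced)")

    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        gaps.append(f"{name}: includeUsers is not ['All']")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        # Break-glass exclusions are common but every excluded account is a
        # user without MFA; list them so the assessor can see them.
        gaps.append(f"{name}: has user/group exclusions that bypass the policy")

    apps = conditions.get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        gaps.append(f"{name}: does not cover all cloud apps")

    grant = policy.get("grantControls") or {}
    if "mfa" not in (grant.get("builtInControls") or []):
        gaps.append(f"{name}: grant controls do not require MFA")

    return gaps


def mfa_enforced_tenant_wide(policies: list[dict[str, Any]]) -> bool:
    """True if at least one policy enforces MFA for all users and all apps."""
    return any(not mfa_gaps(p) for p in policies)


# Constructed sample policies (hypothetical names and values).
REPORT_ONLY_POLICY = {
    "displayName": "Require MFA - pilot",
    "state": "enabledForReportingButNotEnforced",   # users can still skip MFA
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

ENFORCED_POLICY = {
    "displayName": "Require MFA - all users",
    "state": "enabled",                               # the Day 2 fix
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    for policy in (REPORT_ONLY_POLICY, ENFORCED_POLICY):
        print(policy["displayName"], "->", mfa_gaps(policy) or "enforces MFA")
    print("tenant-wide MFA:", mfa_enforced_tenant_wide([REPORT_ONLY_POLICY, ENFORCED_POLICY]))
```

Two caveats: a tenant that relies on security defaults or legacy per-user MFA will show no Conditional Access policy at all and still be enforcing MFA, so an empty policy list is a prompt to check those settings, not a fail in itself; and the check says nothing about line-of-business applications outside Entra ID, which the assessor still has to verify one by one, as on Day 3-4 above.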
Malware protection checks: EICAR test files were used to verify that endpoint protection detected and blocked test malware on sampled devices, and all devices passed.
Account separation checks: Admin accounts were verified as separate from day-to-day user accounts. No shared admin accounts were found in the environment. The deactivated legacy account was confirmed as disabled.
Day 5: Remediation and certification
One minor finding emerged from the internal scan: a device with a medium-severity vulnerability (CVSS 5.5) in a browser extension. This wouldn't fail the assessment, since only CVSS 7.0+ findings left unpatched beyond the 14-day window are automatic fails, but we flagged it for remediation anyway.
The finding was resolved by updating the browser extension, and a re-scan confirmed the fix. CE Plus was certified on Day 5, with both certificates issued and the documentation needed for the contract submission in hand.
What made 5 days possible
Five days is fast, but it's not unusual for organisations that have their controls in a reasonable state. Several factors made this timeline work:
Controls were mostly in place because the organisation had been running a competent IT operation. Their firewall was properly configured, patching was mostly current, and they had endpoint protection deployed. They weren't starting from scratch.
Early identification of issues made a significant difference. The pre-assessment scoping on Day 1 found the three issues that needed fixing. Because we identified them immediately, remediation happened in parallel with the assessment process rather than causing delays.
A single assessor running a single process kept things moving. Net Sec Group handled everything from scoping through to certification. There was no handoff between a consultancy and a separate certification body. One team, one process, no communication delays.
A responsive client was essential. The organisation treated this as a priority. When we identified the MFA enforcement issue, it was fixed within hours, not days. When we needed access to devices for scanning, it was available immediately.
What could have delayed it
The timeline would have been longer if:
- Multiple critical patches were outstanding, because one or two devices needing updates is manageable in a day, but an estate-wide patching deficit takes longer to resolve.
- MFA wasn't deployed at all, since enabling and enforcing MFA across all cloud services from scratch takes longer than fixing an enforcement gap on an existing deployment.
- The scope was significantly larger, as more devices, more cloud services, and more internet-facing infrastructure increase the testing time.
- There was no existing IT structure, because an organisation with no endpoint protection, no firewall configuration, and no admin account separation would need significant remediation before the assessment could begin.
The broader pattern
This case reflects a pattern we see regularly. Organisations that have been operating competently but haven't needed formal certification suddenly face a contract requirement. The security controls are largely in place but have never been assessed. The gap isn't capability; it's documentation and verification.
NHS Wales, NHS England, MOD, and central government departments are all requiring CE through procurement policy. The requirement appears in new contracts and renewals. Suppliers who certify before the requirement appears are ready when it does. Those who wait are in the position this organisation was in: racing to certify with a deadline bearing down.
For organisations supplying any part of the UK public sector, getting certified now, before a specific contract requires it, eliminates the time pressure entirely. CE Basic takes 48 hours at standard pace, 12 hours on fast track, and CE Plus typically takes 3-5 days. Getting both done outside of a deadline is always better than getting both done under one.
If you have an upcoming contract deadline that requires CE or CE Plus, contact us as early as possible. The sooner we scope your environment, the sooner we can identify anything that needs fixing and build a realistic timeline.