Cyber Essentials Plus for UK Manufacturers: Defence Supply Chain, Tier-1 Customer Audits, and OT/IT Convergence

UK manufacturers come to Cyber Essentials Plus through three doors. Defence prime contractors flow down MoD cyber requirements through their supply chain. Automotive, aerospace, and defence tier-1 customers run supplier cyber audits before placing orders. The operational-technology side of the business is converging with the IT estate, which means the IT cyber posture now affects production uptime in ways it did not five years ago.
What follows is what the defence supply chain expects, what tier-1 customer audits want, what the OT/IT boundary actually looks like under CE Plus scope, and how a manufacturing firm with mixed scope clears the assessment.
What the defence supply chain expects
The UK government has mandated Cyber Essentials for contracts that involve handling sensitive information since October 2014, and the MoD applies the same requirement to contracts that handle MoD Identifiable Information, with the level (Cyber Essentials or Cyber Essentials Plus) set by the contract's cyber risk profile. The Defence Cyber Protection Partnership framework places the cyber requirement on the prime contractor, which then flows it down through the supply chain to subcontractors, component suppliers, and specialist manufacturers.
JOSCAR, the joint supply-chain accreditation register used by aerospace and defence prime contractors, asks about Cyber Essentials status as part of supplier onboarding and renewal. A manufacturer without a current Cyber Essentials certificate cannot complete the JOSCAR question without flagging the gap. The flag is visible to every prime contractor browsing the register.
Beyond the formal flow-down, prime contractors increasingly run their own cyber audits on critical suppliers, particularly where the supplier holds design data, controlled goods information, or the prime's intellectual property. The audit asks for the certificate. It asks for evidence of patching cadence. It asks for the segmentation story between the office IT estate and the shop floor.
The accountability framing matters. The MoD does not write the technical control set. The prime contractor does not write the technical control set. Both expect the supplier to evidence effective controls, with Cyber Essentials Plus being the named scheme for doing so. A supplier that cannot evidence the controls is a supplier the prime cannot place certain orders with.
Cyber Essentials Plus produces an external, dated, assessor-signed certificate that says the five technical controls were in place on assessment day. That is what the prime's audit and the JOSCAR questionnaire expect to be able to point at.
The five controls translate into the practical work of supply-chain confidentiality and production-data protection without much friction. Firewalls keep traffic that should not reach the firm's network from reaching it. Secure configuration removes default credentials and exposed services from the firm's devices. User access control restricts design folders and customer-data folders to the people working on the project. Malware protection runs on every device that touches design data or customer data. Security update management requires fixes for vulnerabilities rated critical or high (CVSS 7.0 and above) to be applied within 14 days of the vendor releasing them, which keeps the operating system and application layer current against known exploits.
A firm holding those controls is meeting the practical work of the defence supply-chain cyber expectation. A firm without them is exposed at the next prime audit and at the next JOSCAR cycle.
What tier-1 customer audits want
Automotive, aerospace, and defence tier-1 customers now run cyber audits on the suppliers in their tier-2 and tier-3 layers. The audit is the deliverable the supplier has to produce. The questions on it have settled into a recognisable pattern across the engagements we have run.
The certificate question always sits at the top. The audit wants the certificate number, the issuing certification body, and the expiry date. A current CE Plus answers this in one line.
After the certificate comes multi-factor authentication. The audit wants confirmation that MFA is enabled on every account with access to design data, customer data, or controlled-goods information, including the shop-floor manager accounts and the engineering-lead accounts. The CE Plus assessor checks that MFA is enforced on the cloud services in scope, so what is actually enrolled in production gets confirmed rather than declared.
Patching cadence is next. The audit wants to know whether the firm holds patches inside the 14-day window for high-severity vulnerabilities across the desktop estate, the ERP, the CAD applications, and the customer-portal estate. The CE Plus assessment confirms the cadence held in practice across a sample of devices.
The segmentation question follows. The tier-1 customer wants to understand how the office IT estate is separated from the operational-technology environment, what the network controls between them look like, and what would happen to design data or customer data if either side experienced a compromise. CE Plus does not directly assess OT, but it does assess the IT-side boundary controls that face the OT environment.
The remaining questions move from technical controls into operational governance. The tier-1 wants a named incident-response contact, a documented response process with defined notification thresholds, and evidence that the firm assesses its own IT and OT vendors. CE Plus does not directly assess incident response, but the operational discipline it requires usually sits next to a documented response process. CE Plus scope does include the firm's third-party tools, which means the supplier-management question is partially answered by the certificate.
Where the answers land varies sharply by which certificate the firm holds. With a current CE Plus, the cyber section closes on the certificate alone. With CE Basic, parts of it close. With neither, the firm gets a long-form security audit from the tier-1's cyber team, on a deadline that almost always came from procurement rather than from production planning.
The OT/IT boundary
This is the section that distinguishes manufacturing from every other CE Plus engagement.
Cyber Essentials Plus scope covers the IT estate. That is the desktop computers the office staff use, the servers that run the ERP, the CAD applications, the document repository, the Microsoft 365 tenancy, the customer-facing portal, and the mobile devices the engineers use to access design data on site.
Operational technology sits in a different layer. That layer includes programmable logic controllers driving the production line, supervisory control and data acquisition systems, shop-floor terminals that look like workstations but run controls software with vendor-mandated configurations, robot controllers, and quality-inspection equipment with embedded operating systems.
The CE Plus scoping question for a manufacturer is where the boundary between the two sits and what the network controls between them look like. Three patterns turn up regularly across manufacturing engagements.
The first is full segmentation. The OT environment runs on its own network with no routed connection to the IT estate and no path to the internet. Engineers move data between the two via controlled file-transfer mechanisms. Under this pattern CE Plus scope covers the IT side cleanly and the OT side sits outside scope, because nothing on it can reach or be reached from the internet. The tier-1 audit sees a clean boundary story.
The second is partial segmentation. The OT environment has a controlled network connection to the IT side for production reporting, ERP integration, or remote monitoring. Under this pattern CE Plus scope covers the IT side plus the boundary controls between IT and OT. The tier-1 audit wants evidence that the boundary controls hold under the assessor's testing.
The third is mixed environment. The OT environment shares network segments with the IT estate, often because the production line was retrofitted with network connectivity over time without an architectural redesign. Under this pattern CE Plus scoping requires a longer conversation about what comes into scope by virtue of network reachability and what gets segmented out before assessment. The tier-1 audit sees the segmentation work as part of the engagement.
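The difference between the partial-segmentation and mixed-environment patterns comes down to what the boundary actually permits, which is exactly what the assessor and the tier-1 audit probe. The following is an added illustration, not NetSec's tooling or anything from the scheme's test specification: a small first-match policy evaluator that runs the same three flows against an any-any retrofit rule and against a single named historian-to-ERP allow with default deny. The addresses, hostnames and port numbers are constructed for the example.

```python
"""Evaluate candidate IT/OT boundary rulesets against the flows an assessor
(or an attacker on a compromised shop-floor terminal) would try.

Added illustration; not NetSec's or the scheme's own tooling.
All addressing below is constructed: OT on 10.20.0.0/16, IT on 10.10.0.0/16."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR the rule matches on
    dst: str                 # CIDR the rule matches on
    port: Optional[int]      # None means any destination port
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic gets the default action.
    Stateless and one-directional: return traffic is not modelled here."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == flow.port)):
            return r.action
    return default


# Constructed hosts on either side of the boundary.
HISTORIAN = "10.20.5.10"      # OT data historian that reports into the ERP
HMI = "10.20.7.22"            # shop-floor terminal; assume it is compromised
ERP_DB = "10.10.1.20"         # ERP database listener on the IT side
DESIGN_SHARE = "10.10.2.5"    # CAD / design data file server

# Mixed environment: the retrofit left an any-any allow from OT into IT.
MIXED = [Rule("10.20.0.0/16", "10.10.0.0/16", None, "allow")]

# Partial segmentation: one named flow for production reporting, default deny.
PARTIAL = [Rule("10.20.5.10/32", "10.10.1.20/32", 1433, "allow")]

# The flows worth testing: the legitimate reporting path and two pivots
# from the compromised HMI towards design data and the ERP.
FLOWS = {
    "historian_to_erp": Flow(HISTORIAN, ERP_DB, 1433),
    "hmi_to_design_smb": Flow(HMI, DESIGN_SHARE, 445),
    "hmi_to_erp": Flow(HMI, ERP_DB, 1433),
}


def boundary_report(rules: List[Rule]) -> dict:
    """Map each named flow to the action the ruleset takes on it."""
    return {name: evaluate(rules, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("mixed", MIXED), ("partial", PARTIAL)):
        print(label, boundary_report(rules))
```

Under the mixed ruleset every flow is allowed, including the compromised terminal reaching the design share over SMB, which is the answer the tier-1 audit does not want to hear. Under the partial ruleset only the historian's SQL path survives and both pivots fall to the default deny. The evaluator is deliberately stateless and ignores return traffic; a real boundary firewall also needs the reverse direction, logging, and the IT-to-OT rules, none of which this toy models.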
The MSP gap shows up in all three patterns. Most manufacturing MSPs cover desktops and Microsoft 365. The ERP vendor handles the ERP. The CAD vendor handles the design tools. The OT side is often handled by a separate engineering team or a controls vendor. CE Plus checks application-layer patching across the IT side, plus the boundary controls between IT and OT, plus the third-party tools the business adopted directly.
The first scan in a CE Plus engagement reveals the gaps. A pattern that turns up regularly: the ERP is on a vendor release that was superseded eight months ago, with a known high-severity vulnerability the firm never applied because the upgrade required a brief production downtime nobody scheduled. The MSP applied OS patches and treated the firm as patched. The application-layer gap sat outside the MSP's scope until the assessor's report landed.
The fix is operational, not confrontational. The MSP retains the desktop and Microsoft 365 work. The CE Plus assessor and the firm agree the application-layer remediation owner for each finding. The operations director makes the operational call on the ERP upgrade scheduling around the production calendar. The certificate issues once the gap closes.
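The ERP case above, and the patching-cadence question in the tier-1 audit, both reduce to the same check: for every installed application version, is there a critical or high fix whose release date is more than 14 days in the past? The block below is an added example of that check, not NetSec's scanner or any assessor tool. It runs over a constructed inventory and a constructed advisory table; the product names, versions and dates are made up, and it assumes purely numeric dotted version strings, which real vendor versioning often does not satisfy.

```python
"""Flag application-layer patch gaps against the 14-day window for
critical and high vulnerabilities.

Added illustration; not NetSec's or the scheme's own tooling.
Inventory and advisories are constructed; products and versions are fictional."""
from datetime import date, timedelta
from typing import List, Tuple

WINDOW = timedelta(days=14)               # scheme window for critical/high fixes
COUNTED = ("critical", "high")            # severities the window applies to


def parse_version(v: str) -> Tuple[int, ...]:
    """Assumes dotted numeric versions such as '12.4.1' or '2025.3'."""
    return tuple(int(part) for part in v.split("."))


# Constructed advisories: (product, fixed_version, severity, release_date)
ADVISORIES = [
    ("ExampleERP", "12.4.1", "high", date(2025, 9, 2)),      # superseded release
    ("ExampleERP", "12.4.2", "high", date(2025, 10, 13)),    # released 2 days ago
    ("ExampleCAD", "2025.3", "medium", date(2025, 10, 1)),   # outside the window rule
    ("ExampleCAD", "2025.2", "high", date(2025, 8, 20)),
]

# Constructed inventory: (hostname, product, installed_version)
INVENTORY = [
    ("erp-app01", "ExampleERP", "12.3.9"),
    ("cad-ws14", "ExampleCAD", "2025.3"),
    ("cad-ws15", "ExampleCAD", "2025.1"),
]


def patch_findings(inventory, advisories, today: date) -> List[dict]:
    """One finding per (host, unapplied critical/high fix).

    A fix counts as applied when the installed version is at or beyond the
    fixed version. Missing fixes are 'overdue' once today is past
    release_date + 14 days, otherwise 'within_window'."""
    findings = []
    for host, product, installed in inventory:
        for adv_product, fixed, severity, released in advisories:
            if adv_product != product or severity not in COUNTED:
                continue
            if parse_version(installed) >= parse_version(fixed):
                continue                      # already at the fixed release
            deadline = released + WINDOW
            overdue = today > deadline
            findings.append({
                "host": host,
                "product": product,
                "installed": installed,
                "fixed": fixed,
                "deadline": deadline.isoformat(),
                "status": "overdue" if overdue else "within_window",
                "days_overdue": (today - deadline).days if overdue else 0,
            })
    return findings


if __name__ == "__main__":
    for f in patch_findings(INVENTORY, ADVISORIES, date(2025, 10, 15)):
        print(f)
```

Run against 15 October 2025, the ERP host is 29 days overdue on the 12.4.1 fix (deadline 16 September) while the 12.4.2 fix released two days earlier is still inside the window; the medium-severity CAD advisory is ignored entirely because the 14-day rule only applies to critical and high. That is the split an MSP reporting "all OS patches applied" never surfaces, and it is the one the assessor's authenticated scan does.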
How CE Plus and Cyber 365 fit together
A CE Plus certificate is valid for 12 months. Tier-1 customer audits and JOSCAR renewals run on their own cycles, often more frequently than annually. The defence supply-chain expectation is continuous. Those timeframes do not line up without something running in between.
That something is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next assessment day becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift.
For a manufacturer operating in a defence or tier-1 supply chain, the combination is the closer fit. The certificate proves the controls were in place on assessment day. The continuous discipline proves they have stayed in place since, which matters when the next prime audit lands without warning.
The Danzell assessment platform that came in April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform, the strict reading was that scanning at renewal could clear the patch-management control. Under Danzell, the scheme requires continuous discipline. The continuous-posture expectation that prime contractors and tier-1 customers already operated under has now been written into the scheme rules the firm's certificate sits inside.
Where to start
Book a 30-minute scoping call. We need the device count for the IT estate, the ERP and CAD application names, the current patching arrangement, whether multi-factor authentication is enabled across all accounts including engineering-lead accounts, and a description of the OT environment and how it connects to the IT side. We come back with a written quote covering the CE Plus engagement and, if the firm wants the year-round discipline added, the Cyber 365 programme alongside it.
For firms that already hold a current CE Plus certificate, Cyber 365 sits alongside whatever certification arrangement is in place. For firms starting from neither, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with the year-round discipline into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified firm and IASME. NetSec does not bundle, broker, or upsell it.
The defence supply-chain cyber expectation places the responsibility on the supplier for the cyber posture protecting design data, customer data, and production data. Cyber Essentials Plus produces the dated, externally-verified evidence that posture was in place on assessment day. Cyber 365 produces the continuous discipline the supply chain expects between assessment days.