How to Prepare for Cyber Essentials Plus: What to Do Before the Assessor Arrives

I've run over 800 CE and CE Plus assessments. The ones that go badly almost never fail because of a technical problem the organisation couldn't fix. They fail because nobody checked before the day.
CE Plus is a hands-on technical audit of your actual environment. I log into your systems, scan your devices, and verify that the five controls you described in your self-assessment questionnaire are actually in place. The assessment itself takes two to four hours if you're prepared. It takes a full day if you're not, and sometimes it doesn't finish at all.
This guide covers what to do before I (or any assessor) arrives, not theory but the actual preparation steps that separate a smooth assessment from a painful one.
Get your scope right first
Every preparation step after this one depends on scope. If your scope is wrong, everything else is wasted effort.
Your scope defines which devices, users, and cloud services are included in the assessment. Under the Danzell changes (effective 27 April 2026), cloud services can no longer be excluded from scope. That's a direct quote from version 3.3 of the requirements: "Cloud services cannot be excluded from scope." If you've been keeping your CRM, accounting platform, or project management tools out of previous assessments, that's over.
You need to list:
- Every laptop, desktop, server, tablet, and phone that connects to your network or accesses business data
- Every cloud service where you log in with a business account (Microsoft 365, Google Workspace, Xero, HubSpot, Dropbox, whatever you use)
- Every firewall, router, and switch at the network boundary
- Every user account, including which ones have admin privileges
- Any BYOD devices that access business data (yes, including the personal phones staff use for email)
I see scope problems in roughly one out of every three assessments. Businesses regularly leave their CRM out of scope because "it's just a SaaS platform, we don't manage the infrastructure." You don't need to manage the infrastructure, but you do need to manage the account. That means MFA enabled, passwords meeting the requirements, and the service included in your scope. For more on how scope works under the Danzell update, see the scope changes guide.
Social media accounts used for business purposes are also in scope under Danzell. If your marketing team manages a company LinkedIn page from a business email, that account needs MFA. I've seen businesses get caught on this one because it never occurred to anyone that LinkedIn was part of a security assessment.
Write down your scope before you do anything else. Every preparation step below applies to everything on that list.
Run your own vulnerability scan before the assessor does
This is the single most useful thing you can do. Run the same kind of scan the assessor will run, find the problems yourself, and fix them before the assessment.
For a CE Plus assessment, the assessor runs an internal vulnerability scan against a sample of your devices. They're looking for anything with a Common Vulnerability Scoring System (CVSS) v3 score of 7.0 or above that hasn't been patched within 14 days of a fix being available. If they find one, you've got a problem. Under the Danzell double sampling rule, that problem triggers a second random sample from a different set of devices. Both samples must pass within a single 30-day remediation window, and if the second sample also fails, the whole assessment fails with no third chance. The second sample rule guide covers this in detail.
You need a Cyber Essentials authorised vulnerability scanner approved by NCSC. The following tools are NOT approved and will not produce valid results for a CE Plus assessment:
- Microsoft Defender / Windows Security vulnerability features
- Sophos built-in scanner
- RMM scanners (ConnectWise, Datto, NinjaOne basic scanning)
- Any antivirus product's built-in "vulnerability scan"
If you don't have access to an NCSC-approved scanner, our CE Plus Pre-Assessment service runs the correct credentialed scan for you before the formal assessment.
When you run the scan, export the results and filter by CVSS 7.0+. That filtered list is your action plan, so patch everything on it and then scan again to confirm the patches landed. Keep the before and after scan reports. The assessor won't ask for them, but they're useful evidence if there's a question about timing.
I'd suggest running your scan at least two weeks before the assessment date. That gives you time to find problems, fix them, and verify the fixes. Running it the day before just tells you how much trouble you're in without giving you time to do anything about it.
Running a scan before the assessment is the right move, but the gap is what happens after. Most organisations scan once before assessment, fix what they find, pass, then don't scan again for 12 months. By renewal, the estate has drifted back. Ongoing scanning on a fortnightly cycle prevents that drift. The full guide on why auto-updates aren't enough covers what central scanning involves and why built-in scanners in RMM tools don't cut it.
Check that MFA actually works, not just that it's enabled
This trips up more organisations than I expected. MFA shows as "enabled" in the admin console, but when I test it during the assessment, it doesn't prompt for a second factor.
There are several ways this happens:
Conditional access policies with exclusions. You enabled MFA but created exceptions for certain users, locations, or device types. The admin console says MFA is on. In practice, half your users bypass it every day. Review your conditional access policies and check who's actually excluded. If you have a "trusted location" policy that covers your entire office IP range, that means everyone in the office is logging in without MFA. The assessor will test from outside your trusted network.
Legacy authentication protocols. Older email clients and some apps use protocols that don't support MFA prompts. If legacy authentication isn't blocked, users can authenticate without a second factor even though MFA is technically enabled. In Microsoft 365, check your sign-in logs for "legacy authentication" entries. In Google Workspace, check for "less secure apps" settings.
MFA not enforced on all cloud services. You might have MFA on Microsoft 365 but not on your CRM, accounting platform, or file-sharing service. Under Danzell, every cloud service in scope needs MFA where it's available. I check them all. Go through your scope list and verify MFA on each service individually. Screenshot the MFA settings page for each one while you're at it. You'll need that evidence.
Users who registered MFA but then removed their authenticator. It happens. Someone changed phones and never re-registered. Their MFA status shows as "registered" but they can't actually complete a prompt. Ask your users to confirm they can receive MFA prompts before the assessment.
The test is simple. Log out of each cloud service, then log in again. Does it ask for a second factor? If it does, that service is working as expected. If not, something is bypassing it and needs investigation. Do this for at least two or three user accounts per service, including an admin account.
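The three MFA bypass paths above (policy exclusions, a trusted location covering the whole office range, and unblocked legacy authentication) can be checked on paper before you do the log-out/log-in test. The following is an added example, not the author's tooling: a simplified model of how a conditional access policy decides whether a sign-in is prompted, run over constructed users, IP ranges and scenarios to list every combination that would skip the second factor.

```python
"""Added example (not part of the original article): a simplified model of how
conditional access decides whether a sign-in gets an MFA prompt, used to list the
user/location/protocol combinations that skip it. Policy shape, user names and IP
ranges are constructed assumptions, not a real tenant export."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class MfaPolicy:
    name: str
    include_users: set                       # {"all"} or explicit user names
    exclude_users: set = field(default_factory=set)
    trusted_locations: list = field(default_factory=list)  # CIDRs that skip MFA
    block_legacy_auth: bool = True           # legacy protocols cannot present a 2nd factor

def in_trusted(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def mfa_required(user, ip, legacy, policies):
    """(prompted, reason): prompted if ANY applicable policy reaches the user without
    an exclusion, trusted location or unblocked legacy protocol letting them through."""
    reasons = []
    for p in policies:
        if "all" not in p.include_users and user not in p.include_users:
            continue
        if user in p.exclude_users:
            reasons.append(f"excluded from '{p.name}'")
        elif in_trusted(ip, p.trusted_locations):
            reasons.append(f"trusted location in '{p.name}'")
        elif legacy and not p.block_legacy_auth:
            reasons.append(f"legacy auth not blocked by '{p.name}'")
        else:
            return True, f"enforced by '{p.name}'"
    return False, "; ".join(reasons) or "no MFA policy applies"

def find_gaps(users, policies, scenarios):
    """Every (user, scenario) pair that would sign in with no second factor."""
    gaps = []
    for u in users:
        for label, ip, legacy in scenarios:
            prompted, why = mfa_required(u, ip, legacy, policies)
            if not prompted:
                gaps.append((u, label, why))
    return gaps

# Constructed tenant: one "MFA for all" policy carrying the three traps from the text.
USERS = ["alice", "bob", "svc-scanner", "admin-carol"]
AS_CONFIGURED = [MfaPolicy("Require MFA", {"all"}, exclude_users={"svc-scanner"},
                           trusted_locations=["203.0.113.0/24"],  # whole office range
                           block_legacy_auth=False)]
HARDENED = [MfaPolicy("Require MFA", {"all"}, exclude_users={"svc-scanner"})]
SCENARIOS = [("office, modern client", "203.0.113.45", False),
             ("home, modern client", "198.51.100.7", False),
             ("home, legacy IMAP client", "198.51.100.7", True)]

if __name__ == "__main__":
    for user, scenario, why in find_gaps(USERS, AS_CONFIGURED, SCENARIOS):
        print(f"NO MFA PROMPT: {user:12} {scenario:26} {why}")
```

With the office range and legacy allowance removed (HARDENED), the only remaining gaps are the excluded service account, which is exactly the list you should be able to justify to the assessor.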
Verify patches on every device, not just the ones you manage centrally
Centrally managed devices are usually fine: if you're pushing patches through Intune, SCCM, or a similar tool, those machines are probably up to date. The problem is everything that falls outside central management.
The devices that catch people out during CE Plus:
Personally owned phones and tablets. Under Danzell, if BYOD devices access business data, they're in scope. Can you confirm the OS version on your employees' personal phones? If not, you need a way to check. Mobile device management (MDM) is the proper answer, but at minimum you need to see the OS version and confirm it's still supported and patched.
Routers and firewalls. Firmware updates on network devices don't happen automatically. Most businesses patch their laptops but haven't checked their router firmware in months. Log into each network device, check the firmware version, compare it to the manufacturer's latest release, and update if needed.
Specialist software. Applications like Adobe Acrobat, Java, Zoom, web browsers, and any other non-OS software on in-scope devices. Windows Update handles the operating system, but it doesn't patch your PDF reader. I regularly find CVSS 7.0+ vulnerabilities in applications that haven't been updated because nobody realised they needed updating.
Devices that don't connect often. The laptop that sits in a drawer and comes out for trade shows. The conference room PC that's been on but not logged into for six weeks. These devices miss update cycles. Find them, turn them on, patch them, and scan them.
What I recommend: Make a spreadsheet with every in-scope device. For each one, record: device name, OS version, last OS patch date, and any applications installed. Then check each device against the 14-day patching requirement for CVSS 7.0+ vulnerabilities. The 14-day patching guide explains exactly what counts and how the requirement works.
If you've got 200 devices and no central management, this is a significant job. Start now, not the week before the assessment.
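Both the scan triage described earlier (export, filter by CVSS 7.0+, patch, re-scan) and the per-device check against the 14-day requirement come down to the same calculation: for every open finding at or above 7.0, was the fix released more than 14 days ago? The following is an added example, not the author's tooling or any scanner's own output: it reads a constructed CSV export with placeholder finding names, applies that rule, and groups what is overdue by device. Column names are assumptions; map them to whatever your approved scanner exports.

```python
"""Added example (not part of the original article): triage a vulnerability scan
export against the 14-day rule for CVSS 7.0+ findings and build the per-device
action plan. Column names and every row below are constructed sample data."""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

CVSS_THRESHOLD = 7.0
PATCH_WINDOW = timedelta(days=14)

# Constructed export: one finding per row. "fix_released" is the date the vendor
# published the fix; an empty "patched" column means the finding is still open.
SAMPLE_EXPORT = """\
host,finding,cvss,fix_released,patched
LAPTOP-01,Browser update pending,8.8,2026-03-01,
LAPTOP-01,PDF reader out of date,7.5,2026-03-20,
LAPTOP-02,Browser update pending,8.8,2026-03-01,2026-03-05
FW-EDGE,Router firmware behind vendor release,9.8,2026-02-10,
MEETING-PC,Low severity banner disclosure,3.1,2026-01-15,
"""

def parse_export(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": r["host"], "finding": r["finding"], "cvss": float(r["cvss"]),
            "fix_released": date.fromisoformat(r["fix_released"]),
            "patched": date.fromisoformat(r["patched"]) if r["patched"] else None,
        })
    return rows

def overdue_findings(rows, today):
    """Open CVSS >= 7.0 findings whose 14-day window (from fix release) has expired."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    out = []
    for r in rows:
        if r["patched"] is not None or r["cvss"] < CVSS_THRESHOLD:
            continue                      # already fixed, or below the CE Plus threshold
        deadline = r["fix_released"] + PATCH_WINDOW
        if today > deadline:
            out.append({**r, "deadline": deadline, "days_over": (today - deadline).days})
    return out

def action_plan(rows, today):
    """Group overdue findings by host, worst CVSS first, so each device has one list."""
    plan = defaultdict(list)
    for f in sorted(overdue_findings(rows, today), key=lambda f: -f["cvss"]):
        plan[f["host"]].append(f)
    return dict(plan)

if __name__ == "__main__":
    today = "2026-03-25"   # constructed date on which the pre-assessment scan was reviewed
    for host, items in action_plan(parse_export(SAMPLE_EXPORT), today).items():
        print(host)
        for f in items:
            print(f"  CVSS {f['cvss']}  {f['finding']}  (due {f['deadline']}, {f['days_over']} days over)")
```

Findings still inside their window (the PDF reader on LAPTOP-01 in the sample) are not listed, but they are the next ones to expire, so patch them in the same pass rather than waiting for the deadline.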
Prepare your evidence before the day
During a CE Plus assessment, I'll ask you to show me specific things on screen. The faster you can pull them up, the smoother the assessment goes. The slower it goes, the more dead time accumulates, and a two-hour assessment becomes a five-hour one.
Have this ready for each control:
Firewalls
- Export of your firewall rules (most firewalls let you export to CSV or PDF)
- Screenshot of the admin interface showing that default passwords have been changed
- List of open inbound ports with justification for each one
- Evidence that the firewall firmware is up to date
Secure configuration
- Screenshots showing default accounts are disabled or renamed on sampled devices
- Evidence that auto-run and auto-play are disabled
- Screen lock settings (timeout of 15 minutes or less)
- Screenshot of your group policy settings or MDM configuration profile, if you use one
User access control
- Full list of user accounts with their privilege levels
- Evidence that admin accounts are separate from day-to-day user accounts
- Evidence that admin accounts are only used for admin tasks
- If you use Microsoft 365 or Google Workspace, an export from the admin console showing user roles
Malware protection
- Screenshot of your anti-malware software dashboard showing it's installed, running, and up to date on each device type in scope
- Evidence that signature updates are happening automatically
- If you use Windows Defender, a screenshot showing it's active and definitions are current
Patch management
- Update history from in-scope devices (Windows Update history, macOS Software Update history)
- Evidence that critical patches were applied within 14 days
- For non-OS applications, evidence of recent updates
- Your internal vulnerability scan report, if you ran one
Admin console exports are better than individual screenshots where possible. An export from Microsoft 365 showing MFA status for every user in one table is far more efficient than screenshotting each user individually. Same for patch compliance reports from your management tool.
Save everything in a folder, organised by control, and label the files clearly so you can find them fast. When I ask "can you show me your MFA settings for your accounting platform," you want to pull it up in 10 seconds, not spend three minutes logging in and trying to remember where the setting lives.
What the assessor will ask for
The assessment follows the five controls, and there's no trick to it. I check that the things you said in your self-assessment questionnaire are true.
For every control, the basic question is the same: "Show me."
Show me your firewall rules. Show me that default passwords are changed on all your devices. Show me which accounts have admin access and what your update history looks like. Show me that your anti-malware is running, and show me your MFA settings for each cloud service.
Beyond "show me," there are questions about process:
- How do you handle a new critical patch? Who is responsible, and what's the process?
- How do you onboard a new device? What gets installed, configured, and checked before someone uses it?
- How do you handle a user who leaves? What happens to their accounts?
- How do you decide what's in scope?
You don't need written policies for basic CE Plus, but you need to be able to answer these questions clearly. If I ask "what happens when a critical patch comes out" and the answer is a long pause followed by "I'm not sure, probably whoever notices it," that tells me the 14-day patching requirement is landing by accident, not by process. Things that work by accident stop working when circumstances change.
One person needs to be on the call for the whole assessment, with admin access to every in-scope system. If that person is you, make sure you know your passwords. If it's your IT manager, brief them on the scope and what the assessor will check. I've had assessments stall for 40 minutes because the person on the call had to phone someone else to get the admin password for the firewall. That wastes everyone's time and slows the whole assessment down.
What's different about preparing for CE Plus under Danzell
From 27 April 2026, CE Plus assessments use the Danzell question set (version 3.3 of the requirements). Three changes affect your preparation directly, and the full Danzell changes guide covers everything, but these matter most for CE Plus prep.
Double sampling
If the first internal vulnerability scan finds unpatched CVSS 7.0+ vulnerabilities older than 14 days, the assessor draws a second sample. The second sample is the same size but drawn from different machines. You get a maximum of three days' notice before the second scan happens. Both samples must pass within a single 30-day remediation window that sits inside the overall 90-day CE Plus deadline from your VSA date. If the second sample has any vulnerabilities, the assessment fails and your basic CE will be revoked. There is no third sample.
What this means for preparation: you can't just patch the obvious machines and hope for the best. Under the old approach, if the assessor sampled eight devices and those eight were clean, you passed. Under Danzell, a failure on the first sample leads to a second look at different devices. If you've been selectively patching, the second sample will find the gaps.
The only preparation strategy that works is patching everything. Every device on your scope list, not just the ones you think might be sampled.
Stricter patching enforcement
The 14-day patching window for CVSS 7.0+ vulnerabilities hasn't changed between v3.2 and v3.3; the requirement itself is the same. But the way assessors enforce it is tightening. If your patching cycle runs at roughly three weeks and you've been getting away with it, that's going to stop.
Run your own scan and look at your actual patch ages. If anything is older than 14 days with a CVSS score of 7.0+, fix it before the assessment. Don't assume the assessor will give you the benefit of the doubt. Under Danzell, I don't expect assessors will have much room for discretion on clear patching failures.
Cloud services in scope, no exceptions
Under Danzell, cloud services cannot be excluded from scope. Every cloud service where your organisation has an account and which stores or processes your data must be included. For CE Plus, that means the assessor can check MFA, access controls, and configuration on any of those services. Cloud-hosted servers (IaaS instances on Azure, AWS, or similar) are now included in the CE Plus sampling alongside your on-prem servers.
Your preparation needs to cover every cloud service on your list. Log into each one, verify MFA is enabled and working, and check that admin accounts are separate. Confirm that the password policy meets the requirements. If a cloud service doesn't support MFA, document that fact (the requirement only applies where MFA is available).
ESU evidence for end-of-life operating systems
If any device in scope runs an end-of-life operating system with Extended Security Updates, the assessor needs documented proof of a current ESU subscription. Not a plan to upgrade and not a verbal assurance, but actual evidence of purchase ready before the assessment.
Data reuse prohibition
If a previous CE Plus attempt failed, data from that failed process cannot be reused, which means fresh scans, fresh samples, and fresh everything from scratch. A restart means a new VSA and a new 90-day window, so plan accordingly if you've had a previous failed attempt.
Handling the day itself
A well-prepared assessment is straightforward and predictable. Here's how to make it go smoothly:
Test all your logins the day before. Every admin console, every cloud service, every network device. Passwords that have expired or accounts that have been locked cause more delays than actual technical failures.
Have your evidence folder open and ready. Firewall exports, MFA screenshots, patch reports, user account lists. Organised by control. If the assessor asks for something and you can pull it up in under 10 seconds, you're in control of the pace.
Keep your scope document in front of you. The assessor will work through your scope. If they ask about a device or service that's on your list, you should know where it is and how to access it.
Don't panic if something is flagged. Minor issues can often be fixed during the session. If I spot that one laptop has an outdated version of a browser, you can update it there and then. I re-check, it passes, we move on. That's normal. The problems that cause real delays are systemic, like finding that half your estate is three weeks behind on patches. You can't fix that in real time.
Ask questions. The assessment is a structured conversation, not an interrogation. If I ask you to show me something and you're not sure what I mean, ask. If you don't know where a setting lives, say so and we'll find it together. I'd rather you told me you weren't sure than spent 20 minutes clicking through the wrong menus.
Block out the full time. Most assessments take two to four hours. Book four hours and hope you finish in two. If something needs a remediation retest later, we'll schedule that separately.
A practical preparation timeline
If your assessment is four weeks away, here's how to use that time:
Week one: Scope and inventory. Write your complete scope list. Every device, every user, every cloud service. Check it twice. This is the foundation that everything else builds on.
Week two: Scan and assess. Run a vulnerability scan using an NCSC-approved Cyber Essentials authorised scanner. Check MFA on every cloud service. Verify patches on every device type, including the ones that don't get updated automatically. Document what you find during this stage.
Week three: Fix. Patch everything that came up in your scan. Enable MFA where it was missing. Sort out admin account separation if you've been using one account for both daily work and admin tasks. Re-scan to confirm the fixes landed.
Week four: Evidence and dry run. Gather your screenshots and exports, organise them by control, and test every login. Walk through the five controls mentally: could you show evidence for each one right now? If not, fill the gap.
If you've only got two weeks, compress weeks one and two into one, but don't skip the scan. Finding your own problems before the assessor does is the single highest-value preparation activity.
What good preparation actually looks like
I can tell within the first 10 minutes of an assessment whether someone prepared. The prepared ones have their scope list printed out, their evidence folder ready, and answers to my questions before I finish asking. The unprepared ones spend the first 20 minutes stressed and trying to remember which email address they used to log into their firewall.
Preparation isn't about having a perfect environment from day one. It's about knowing where you stand before the assessor checks. If you ran your own scan, verified MFA on every service, patched every device, and gathered your evidence, you're in a strong position. The assessment becomes a confirmation of work already done, not a discovery process.
That's the difference between a two-hour assessment and a five-hour one.