Cyber Essentials Plus:
A Technical Audit of Your IT Systems
Cyber Essentials Plus is the highest level of certification available under the Cyber Essentials scheme. It is a more rigorous assessment of your organisation’s cyber security systems, designed to independently verify that your controls are in place and operating effectively.
By testing your environment in practice, Cyber Essentials Plus certification provides assurance to customers, partners, and stakeholders that your organisation has adequate protection against the most common cyber threats.
Scope and Timing of the Cyber Essentials Plus Assessment
The Cyber Essentials Plus assessment covers your organisation’s devices, servers, mobile phones, and cloud services. The Cyber Essentials Plus audit must be completed within three months of your organisation being awarded Cyber Essentials certification.
Cyber Essentials Plus Sampling Methodology
The Cyber Essentials Plus assessment is based on a representative sample of devices from the Applicant’s estate. KEYSIGMA selects this sample to reflect the operating systems and build types in use, with all devices chosen at random no more than three working days before the assessment.
The initial sample, Sample 1, is tested against all five Cyber Essentials Plus test cases. Where any non-compliances are identified, these must be remediated across the entire estate, not just on the sampled devices.
A second randomly selected validation sample, Sample 2, is then chosen to confirm that remediation has been applied consistently across the estate. To pass the assessment, both Sample 1 and Sample 2 must be retested and found compliant with all test requirements within the 30-day assessment window.
The Five Cyber Essentials Test Cases
The Cyber Essentials Plus assessment consists of five test cases, each designed to verify whether key Cyber Essentials controls are operating effectively in practice. Collectively, these tests determine whether the organisation can withstand the common attack methods used by opportunistic, low-skill attackers.