Do I need Cyber Essentials before getting Plus?

Yes. Cyber Essentials Plus includes the standard Cyber Essentials self-assessment as a prerequisite. You must achieve Cyber Essentials certification before proceeding to the Plus technical assessment.

What does the Plus assessment involve?

A qualified assessor performs vulnerability scanning of external-facing IP addresses, tests a sample of devices for patch levels and configuration, verifies malware protection, and checks access controls — either on-site or remotely.

How often does Plus certification need renewing?

Cyber Essentials Plus certification is valid for 12 months. Organisations must recertify annually, which includes both a new self-assessment and a fresh technical assessment.

All Frameworks

5 Controls

Cyber Essentials Plus

UK Cyber Essentials Plus Certification

Cyber Essentials Plus builds on the basic Cyber Essentials certification with independent technical verification. A qualified assessor tests your systems to verify that security controls are properly implemented and effective.

Start Free Trial Request Demo

Ideal For

High-Security OrganisationsGovernment Prime ContractorsFinancial ServicesHealthcare

What is Cyber Essentials Plus?

Cyber Essentials Plus builds on the basic Cyber Essentials certification with independent technical verification. A qualified assessor tests your systems to verify that security controls are properly implemented and effective.

Cyber Essentials Plus is recommended for organisations handling more sensitive data or operating in higher-risk environments. It is particularly relevant for UK government prime contractors, organisations in the defence supply chain, financial services firms, and healthcare organisations. Some procurement frameworks specifically require Plus certification.

Key Requirements

Core areas of Cyber Essentials Plus that organisations must address.

Meet all Cyber Essentials baseline requirements

Pass an independent vulnerability assessment

Demonstrate effective malware protection via technical testing

Verify access controls through hands-on assessment

Confirm patch levels meet requirements across sampled devices

Allow assessor to verify firewall and gateway configurations

How GRCTrack Supports Cyber Essentials Plus

Independent technical verification

Vulnerability scanning

On-site or remote assessment

Higher assurance level

External penetration testing

Verified security posture

Higher Assurance

Independent verification provides stronger proof.

Customer Confidence

Demonstrate verified security controls.

Competitive Advantage

Stand out with Plus certification.

Frequently Asked Questions

Ready to Simplify Cyber Essentials Plus Compliance?

Join hundreds of organisations using GRCTrack to manage compliance.

Start Free Trial View All Frameworks