Cyber Essentials Plus


Cyber Essentials Plus for UK SMEs

Practical support getting certified and staying certified. Gap analysis, remediation, and readiness — from someone who’s taken a multi-site UK business through CE+ every year and knows exactly where SMEs come unstuck on the day.

Book a gap analysis →

Cyber Essentials and Cyber Essentials Plus are UK government-backed certifications that demonstrate you’ve got the basics of cyber security in place. For most SMEs they’re no longer optional — customers ask for them, insurers reward them, and public-sector contracts often require them. The good news: the controls themselves aren’t complicated. The bad news: passing the audit on the day trips up more SMEs than it should.

The difference between CE and CE Plus

Cyber Essentials is a self-assessment questionnaire. You answer the questions honestly, a board member or equivalent signs them off, a certification body assessor reviews the answers, and you get a certificate. It’s useful as a starting point and it’s enough for many procurement requirements.

Cyber Essentials Plus covers the same five controls, but an external assessor verifies them, normally within three months of the self-assessment. The assessor runs an external vulnerability scan of your internet-facing addresses, an authenticated scan of a sample of your devices for missing patches and insecure settings, a test that malware delivered by email attachment and browser download is actually blocked, a check that the accounts people work in day to day are not administrators, and a check that MFA is enforced on your cloud services. It costs more and takes longer, but it’s the one customers and insurers actually take seriously.

The five technical controls, in plain English

1. Firewalls and internet gateways

Your network has a boundary, and traffic in and out of it is controlled. For most SMEs this is a mix of your office firewall and the software firewall on each device. Home workers count too, but an ISP-supplied home router is out of scope: what the assessor checks is that the software firewall on the home worker’s laptop is on and correctly configured. A router you supply to a home worker yourself is in scope.

2. Secure configuration

Devices and software are set up securely rather than left on vendor defaults. Unused software and accounts removed. Guest accounts disabled. Default passwords changed. AutoRun and AutoPlay turned off. It’s mostly housekeeping, but it has to actually be done, on every in-scope device.

3. User access control

People have only the access they need. Admin accounts are separate from day-to-day accounts and only used for admin tasks. Leavers are offboarded properly. MFA is enabled for every user on cloud services and on anything else reachable from the internet.

4. Malware protection

Anti-malware running on every in-scope device. Either traditional antivirus, or properly configured application allow-listing, or sandboxing. It has to be on, updating, and working — not just installed.

5. Security update management

Operating systems and applications are patched within 14 days of release for anything rated high or critical (a CVSS v3 base score of 7.0 or above), and for any update where the vendor gives no severity at all. This includes phones, home-worker laptops, and any business software on your devices, not just Windows updates. Software the vendor no longer supports can’t be patched, so it has to be removed or taken out of scope.
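The five controls above are checked per device on the day, so it pays to check them yourself first. The following is an added example, not code from this page or from any certification body: a read-only PowerShell readiness check for a Windows 10/11 endpoint that covers the firewall profiles, Guest account and AutoRun setting, local administrator membership against the logged-on user, Microsoft Defender status and signature age, and the installed and pending Windows updates, then writes the results to a timestamped CSV as evidence. The signature-age and patch-age thresholds, the output folder and the `Add-Check` helper are assumptions of the example; MFA cannot be verified from an endpoint and is checked on your cloud tenant instead.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page or any certification body): read-only
# readiness check of one Windows endpoint against the five CE controls.
# Thresholds and the output path are assumptions chosen for illustration.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{
        Control = $Control
        Check   = $Check
        Result  = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail  = $Detail
    })
}

# 1. Firewalls: every Windows Firewall profile enabled, inbound not allowed
#    by default. For a home worker on an ISP router this is the control.
foreach ($p in Get-NetFirewallProfile) {
    $ok = ("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -ne 'Allow')
    Add-Check 'Firewall' "Profile $($p.Name)" $ok "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# 2. Secure configuration: built-in Guest (RID 501) disabled; AutoRun off
#    for all drive types (NoDriveTypeAutoRun low byte = 0xFF).
$guest = Get-LocalUser | Where-Object { "$($_.SID)" -like 'S-1-5-21-*-501' }
Add-Check 'Secure configuration' 'Guest account disabled' (-not $guest -or -not $guest.Enabled) `
    $(if ($guest) { "Enabled=$($guest.Enabled)" } else { 'Guest account not present' })
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
$autorun = [int]($pol.NoDriveTypeAutoRun)
Add-Check 'Secure configuration' 'AutoRun disabled for all drive types' (($autorun -band 0xFF) -eq 0xFF) "NoDriveTypeAutoRun=$autorun"

# 3. User access control: is the user at the console a local administrator?
#    Direct members only; nested domain groups need a cross-check in AD.
$console = (Get-CimInstance Win32_ComputerSystem).UserName
$admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }
Add-Check 'User access control' 'Logged-on user is not a local admin' ($console -and ($admins -notcontains $console)) `
    "Console user: $console; Administrators: $($admins -join ', ')"

# 4. Malware protection: Defender on, signatures fresh (3-day threshold is
#    an assumption; the scheme expects daily updates).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Add-Check 'Malware protection' 'Real-time protection enabled' $mp.RealTimeProtectionEnabled "AMServiceEnabled=$($mp.AMServiceEnabled)"
    $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
    Add-Check 'Malware protection' 'Signatures updated within 3 days' ($sigAge -le 3) "Last signature update $($mp.AntivirusSignatureLastUpdated)"
} else {
    Add-Check 'Malware protection' 'Defender status readable' $false 'Get-MpComputerStatus unavailable: check third-party AV console manually'
}

# 5. Security updates: age of the newest installed update (30-day proxy for
#    monthly cumulative updates) and anything Windows Update already has
#    pending, which is what the 14-day rule will be judged on.
$lastPatch = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$patchAge  = if ($lastPatch) { ((Get-Date) - $lastPatch).TotalDays } else { 999 }
Add-Check 'Security updates' 'An update installed in the last 30 days' ($patchAge -le 30) "Last installed update: $lastPatch"
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    $titles   = @($pending | ForEach-Object { $_.Title })
    Add-Check 'Security updates' 'No pending updates' ($titles.Count -eq 0) ("Pending: " + ($titles -join '; '))
} catch {
    Add-Check 'Security updates' 'Windows Update reachable' $false "Search failed: $($_.Exception.Message)"
}

# Evidence: show it, and keep a per-device, timestamped copy for the auditor.
$results | Format-Table -AutoSize
$out = Join-Path $env:ProgramData ('CE-readiness-{0}-{1:yyyyMMdd-HHmm}.csv' -f $env:COMPUTERNAME, (Get-Date))
$results | Export-Csv -Path $out -NoTypeInformation
"Evidence written to $out"
```

Run it in an elevated session on the same sample of devices the assessor will pick from. A FAIL here is exactly what the authenticated scan will find on the day; a full set of PASS rows with the CSV kept alongside the device inventory is the evidence the last bullet in the next section is about.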

Where SMEs come unstuck

The controls look simple. The places they bite are almost always the same:

  • Unsupported software. Anything no longer receiving security updates — Windows 10 after its end-of-life, old versions of Office, legacy line-of-business applications — fails the audit. SMEs often don’t know what they’ve got until someone inventories it.
  • BYOD and home workers. Personal laptops being used for work email are in scope. If you haven’t brought them under management, they’ll fail.
  • Admin accounts used for normal work. Someone logging into email with their domain admin account. Easy to fix, very common reason for failure.
  • Patching gaps on third-party software. Windows Update is usually fine. Adobe Reader, Chrome, Zoom, iTunes, Java — often not. Third-party patching needs a proper process, not good intentions.
  • MFA not everywhere it should be. Enabled on email but not on the VPN. Enabled for some users but not all. Enabled, but with SMS as a fallback, which is much weaker than an authenticator app and should be the exception rather than the default.
  • No evidence. You probably do most of this already. If you can’t show the auditor the evidence, it doesn’t count.
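The first and fourth bullets above both start with knowing what is installed. As an added example, not from this page or any certification body, the following PowerShell script inventories the software on a Windows endpoint from the per-machine (64-bit and 32-bit) and per-user uninstall registry keys, flags Windows 10 and versions of Office whose vendor support has ended (dates given in the code; the LTSC and Extended Security Updates exceptions are noted), and lists the non-Microsoft applications whose patching you will need to evidence separately. The `$unsupported` list is a constructed starting point to extend from vendor lifecycle pages, and the output path is an assumption.

```powershell
# Added example (not from the page or any certification body): software
# inventory for one Windows endpoint with out-of-support flagging. The
# $unsupported entries are a constructed starting point; extend from vendor
# lifecycle pages. Output path is an assumption.

$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Per-machine and per-user installs; hidden system components are dropped so
# the list matches what 'Apps & features' shows the assessor.
$software = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.SystemComponent -ne 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.DisplayName.Trim()
            Version   = $_.DisplayVersion
            Publisher = $_.Publisher
            Installed = if ($_.InstallDate -match '^\d{8}$') {
                            [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
                        } else { $null }
        }
    } | Sort-Object Name -Unique

# Out-of-support products: a regex on the display name plus the date the
# vendor stopped shipping security updates. Office 2013 ended 2023-04-11;
# Office 2016 and 2019 ended 2025-10-14. Add your own line-of-business apps.
$unsupported = @(
    @{ Pattern = '^Microsoft Office .*2013\b';         Ended = [datetime]'2023-04-11' },
    @{ Pattern = '^Microsoft Office .*(2016|2019)\b';  Ended = [datetime]'2025-10-14' }
)

$now = Get-Date
$flagged = foreach ($app in $software) {
    foreach ($rule in $unsupported) {
        if ($app.Name -match $rule.Pattern -and $now -gt $rule.Ended) {
            [pscustomobject]@{ Name = $app.Name; Version = $app.Version; SupportEnded = $rule.Ended.ToString('yyyy-MM-dd') }
        }
    }
}

# The operating system itself: Windows 10 (non-LTSC) ended mainstream
# support 2025-10-14. Devices enrolled in Extended Security Updates and LTSC
# editions have later dates, so confirm those separately.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.Caption -match 'Windows 10' -and $os.Caption -notmatch 'LTSC' -and $now -gt [datetime]'2025-10-14') {
    $flagged = @($flagged) + [pscustomobject]@{
        Name = $os.Caption; Version = $os.Version; SupportEnded = '2025-10-14 (unless on ESU)'
    }
}

# Third-party software is where patching usually slips; these are the
# entries to compare against each vendor's current release.
$thirdParty = $software | Where-Object { $_.Publisher -notmatch '^Microsoft' } |
    Select-Object Name, Version, Publisher, Installed

"`n== Out of support on $($env:COMPUTERNAME) =="
if ($flagged) { $flagged | Format-Table -AutoSize } else { 'None matched the current rules.' }
"`n== Third-party software to check against vendor versions =="
$thirdParty | Format-Table -AutoSize

# Keep the full inventory as evidence alongside the readiness checks.
$out = Join-Path $env:ProgramData ('CE-inventory-{0}-{1:yyyyMMdd}.csv' -f $env:COMPUTERNAME, $now)
$software | Export-Csv -Path $out -NoTypeInformation
"Inventory written to $out"
```

The inventory is deliberately read from the registry rather than from `Get-Package` or WMI's `Win32_Product`, which only covers MSI installs and triggers a repair check on every product it enumerates. Run it per device, or push it through your RMM, and keep the CSVs: the assessor will sample from the same estate.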

First-time SMEs usually spend more on fixing gaps than on the certification itself. That’s fine if you expected it. It’s painful if you didn’t. A gap analysis before you book the audit is money well spent.

If you’re not yet sure CE+ is the right answer for your situation — or whether a certification is what you actually need — a broader security review is usually the better place to start. Sometimes it concludes with “yes, CE+,” and we carry straight on. Sometimes it concludes with “no, you need IASME,” or “you don’t need a certification, you need these four things fixed.” Either way, you avoid buying the wrong thing.

How I help

Gap analysis

I come in for a day or two, look at your estate, your processes, and your evidence, and give you a written view of where you are against the five controls. If you’re ready, I’ll tell you that. If you’re not, I’ll tell you exactly what needs to happen before you book the audit — and roughly how long and how much each thing should take.

Remediation support

I don’t do the remediation myself — your MSP or internal team does that — but I manage the work to make sure it actually lands. That means sensible scope, realistic deadlines, and holding suppliers to account when they drag their feet or try to upsell you things you don’t need.

Certification readiness

In the month before your audit I’ll do a dry run. We catch the last things, make sure your evidence is together, and confirm who’s answering what on the day. The actual audit is then boring, which is how it should be.

Year-two and beyond

CE Plus is an annual certification and it gets cheaper each year if you run it properly. I’ll set up the governance so renewal is a tidy exercise rather than a fire drill. Done right, year two costs a fraction of year one.

What this costs

Gap analysis is a fixed fee depending on the size of your estate. Remediation management is billed at my day rate and scoped to what’s actually needed — most SMEs need between three and eight days of my time to get to certification. I don’t take kickbacks from certification bodies or tool vendors, so the advice is yours, not someone else’s.

Insurance and procurement wins

Alongside the security benefit, CE+ is a commercial tool. I’ve seen cyber insurance premiums come down materially on renewal after certification, and public-sector contracts open up that were closed before. It’s worth thinking of the certification as a procurement investment, not just a tick-box exercise.

