Cyber Essentials Plus Case Study

Our client wanted to renew its Cyber Essentials Plus certification and increase customer confidence by demonstrating that its cyber security measures were appropriate for the risks it faced.

Cyber Essentials Plus certification

Cyber Essentials Plus certification provides independently audited proof that organisations maintain a level of information security recommended by the NCSC (National Cyber Security Centre).

Our client, which wishes to remain anonymous, is a leading UK-based operator in the indoor leisure and attractions sector, specialising in high-adrenaline experiences for both individuals and groups.

With more than 40 venues across the UK and Europe, the organisation welcomes well over 1 million visitors annually. Our client has used our services since 2021.

IT Governance is one of the founding Cyber Essentials certification bodies and remains one of the UK’s largest, having issued more than 9,000 certificates to date.

We offer end-to-end support – including documentation, scanning and assessments – with same-day turnaround, one-to-one guidance as standard, and a customer success rate of 98%. Backed by qualified cyber security practitioners and a ‘World-Class’ NPS of +100, we provide unrivalled expertise to help you achieve certification and take the next steps beyond.

Cyber Essentials is a UK government-backed certification scheme that helps organisations protect themselves from around 80% of common cyber threats. It mandates five basic security controls and certification is available at two levels: Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials certification is widely recognised as a minimum standard for cyber security assurance and is often required in public-sector procurement contracts.

The scheme is managed by IASME (the IASME Consortium), which licenses certification bodies – such as IT Governance Ltd – to carry out Cyber Essentials and Cyber Essentials Plus certifications.

Cyber Essentials certificates last 12 months and are listed on the IASME website, demonstrating certified organisations’ commitment to protecting their and their customers’ data.

According to the NCSC:

• 92% fewer insurance claims are made by organisations with the Cyber Essentials controls in place
• 89% of organisations would recommend certifying to other organisations like theirs
• 88% believe Cyber Essentials has improved their understanding of cyber security risks
• 69% of those with Cyber Essentials believe that it has increased their market competitiveness

Cyber Essentials Plus certification requires organisations to undergo a series of internal and external vulnerability tests.

The internal scan checks patch levels and system configurations, while the security and anti-malware test ensures that the organisation’s systems are resistant to malicious email attachments and web-downloadable binaries.

The following internal tests are required for Cyber Essentials Plus:

• Inbound email binaries and payloads.
• Browser malicious and non-malicious file download test.
• Authenticated vulnerability and patch verification scan.
• Account Separation to confirm standard users do not have administrative privilege.
• Multi-Factor Authentication Check

The external scan also checks the patch levels and system configurations, but of the public facing infrastructure. The following external tests are required for Cyber Essentials Plus:

• Unauthenticated vulnerability and patch verification scan.

We provided daily vulnerability scan reports using Qualys, enabling the client to track and address any issues in near real time. Alongside these reports, we supplied clear remediation guidance and supporting documentation to help the client prioritise and implement fixes efficiently.

The client already had a strong technical foundation in place, using a suite of well-configured security tools:

• SentinelOne antivirus for advanced endpoint protection
• Proofpoint for email security
• Keeper Security as a password manager
• Ubiquiti Cloud Console to manage firewall policies and configurations
• Microsoft 365 to enforce MFA and SSO organisation-wide

These technologies, coupled with the client’s adherence to Cyber Essentials best practices, made the compliance process exceptionally smooth. Its proactive approach to patch and vulnerability management, antivirus configuration, firewall rules, multi-factor authentication, password policy and user access controls aligned closely with the scheme’s requirements.

Daily Qualys reports enabled the client to supplement its SentinelOne monitoring, identifying any residual vulnerabilities not detected by the endpoint platform – including those with lower risk scores. Any high or critical issues were resolved rapidly, thanks to effective collaboration between our team and the client’s in-house IT staff.

Our engagement reflected IT Governance’s core values:

• Solving real business problems
• Delivering measurable results
• Exceeding expectations through open and honest communication

The client passed its Cyber Essentials Plus audit within just two days, demonstrating not only its technical preparedness but also its ongoing commitment to security by design. Its use of robust, well-integrated technologies – supported by a consistent patching schedule and sound configuration practices – enabled it to maintain a strong security posture and respond swiftly to any emerging risks.

Self-certification

Standard Cyber Essentials Plus certification package.

From £2,055 + VAT

•  Cyber Essentials certificate
•  Cyber Essentials Plus certificate
•  Cyber insurance of up to £25,000
•  Pre-engagement consultation
•  External vulnerability scan
•  Additional retest
•  On-site/remote assessment
•  Remediation support
•  Direct communication with a technical assessor

Find out more

Get a Little Help

Full support through the certification process with expert guidance.

From £2,355 + VAT 

•  Cyber Essentials certificate
•  Cyber Essentials Plus certificate
•  Cyber insurance of up to £25,000¹
•  Pre-engagement consultation
•  External vulnerability scan
•  Additional retest
•  On-site/remote assessment
•  Remediation support
•  2 hours consultancy included

Find out more

Get a Lot of Help

Comprehensive support for complex organisations.
From £3,055 + VAT 

•  Cyber Essentials certificate
•  Cyber Essentials Plus certificate
•  Cyber insurance of up to £25,000¹
•  Pre-engagement consultation
•  External vulnerability scan
•  Additional retest
•  On-site/remote assessment
•  Remediation support
•  1 day consultancy included

Find out more

Benefit 1: IT Governance was a founding Cyber Essentials certification body and remains one of the largest in the UK, issuing more than 9,000 certificates.

Benefit 2: Our Cyber Essentials services have received a ‘World-Class’ NPS (Net Promoter Score) of +100.

Benefit 3: With a large team focused on Cyber Essentials, we offer same-day turnaround on your certificates.

Benefit 4: We offer everything you need to get Cyber Essentials certification, such as documentation, scanning, and assessments.

Benefit 5: End-to-end support – we deliver all the technical tests and assessments, conducted by our experienced technical testers.

Benefit 6: Tailored solutions – our unique fixed-price bundles provide expert support and compliance tools at affordable rates.