Start typing to search
  • Popular Searches
  • AI governance
  • Data privacy and the GDPR
  • PCI DSS
  • Cyber essentials
  • ISO 27001
  • SOC 2
Get a quote
GRC Wave Graphics

Cyber Essentials Plus Checklist & Requirements

Speak to an Expert

Cyber Essentials Plus

Cyber Essentials Plus offers everything in the standard Cyber Essentials certification – but with one key difference: a hands-on technical audit of your systems.

This independent verification gives you a much higher level of assurance that your security controls are working as intended.

With IT Governance, certification is simple, remote and fully supported.

Get certified with expert support

Cyber Essentials checklist: What’s covered in the plus audit?

To achieve Cyber Essentials Plus, you must already hold a valid Cyber Essentials certificate. You’ll then undergo a technical assessment of the five key control areas below.

Each control is tested during the audit to confirm it has been implemented correctly.

Firewalls

Create a secure boundary between your systems and external threats.

Requirements:

Change default admin passwords or disable remote admin access
Block unauthenticated inbound connections by default
Prevent remote admin access from the internet unless protected by MFA or an IP whitelist
Document and approve all inbound rules, with business justification
Remove permissive rules when no longer needed
Use host-based firewalls on devices used on public or untrusted networks
Learn more about firewalls and gateways
Security icons over hands on a keyboard

Secure configuration

Reduce risk by limiting access and disabling unnecessary features.

Requirements:

Remove/disable unnecessary user accounts and software
Change default or guessable passwords
Disable auto-run features that execute files without permission
Authenticate all users before granting access to data or systems
Use device locking controls for physically present users
In addition, physically present users must use appropriate device locking controls.
Learn more about secure configuration

Access control

Ensure only authorised users can access your systems – with the right level of privilege.

Requirements:

Have a clear account creation and approval process
Authenticate users with unique credentials
Remove accounts that are no longer needed
Implement MFA where available (mandatory for Cloud services)
Restrict administrative accounts to admin activities only
Remove special access privileges when not needed
Learn more about access control

Malware protection

Stop malicious software from executing or compromising your systems.
  • Anti-malware software
  • Application whitelisting
  • Sandboxing

If using anti-malware software:

  • Keep definitions updated daily
  • Auto-scan files on access (including downloads and network files)
  • Scan web pages in browsers
  • Block malicious websites unless you have documented, approved exceptions

If using application whitelisting:

  • Maintain an approved application list
  • Block installation of unsigned or invalid software

If using sandboxing:

  • Isolate code of unknown origin
  • Restrict access to sensitive resources (e.g. cameras, microphones, data stores, networks) unless explicitly allowed
Learn more about malware protection

Security update management

Keep all systems and software up to date to close known vulnerabilities.

Requirements:

Use only licensed and supported software
Remove unsupported software
Enable automatic updates wherever possible
Apply patches within 14 days for:
Critical or high-risk vulnerabilities
CVSS v3 score of 7.0+
Any vulnerability with unknown severity
Learn more about security update management

Get started with Cyber Essentials Plus

With IT Governance, the entire Cyber Essentials Plus process is completed remotely – no site visit required. We guide you through the self-assessment, then conduct the technical audit.

Get Started

Not sure which level you need?

Whether you’re new to Cyber Essentials or upgrading to Plus, we’ll help you identify the right certification path for your organisation.

Fixed-price packages

Fast turnaround

One-to-one support throughout

We offer flexible service tiers to match your level of internal resource and cyber maturity:

Cyber Essentials Plus - Get A Little Help

£2,355.00 ex. VAT

Cyber Essentials Plus - Get A Lot Of Help

£3,055.00 ex. VAT

Discover what GRC Solutions can do for your business

Connect with one of our experts to find the perfect solution for your security, privacy and compliance needs.

We support organisations across ISO 27001, Cyber Essentials, SOC 2, AI governance, PCI DSS, GDPR and related frameworks, with practical delivery options that can include training, tools and managed services where helpful.

✅ Tailored scoping based on your goals, timelines, and risk profile
✅ Independent, practical advice focused on what works for your organisation
✅ Support available end to end, from initial assessment through to implementation and ongoing assurance