Cyber Essentials Plus (CE+) is the advanced tier of the UK government-backed Cyber Essentials certification scheme, run by the NCSC with IASME as its delivery partner. While standard Cyber Essentials is a self-assessment questionnaire, CE+ adds a hands-on technical audit by an assessor from a licensed Certification Body to verify that the organization's security controls are actually in place and working as described in its self-assessment.
Cyber Essentials (at least the standard tier) has been a procurement condition for UK central government contracts involving the handling of personal information or the provision of certain ICT products and services since Procurement Policy Note 09/14. Many contracting authorities, and the Ministry of Defence for all but its lowest cyber risk profile, go further and specify Cyber Essentials Plus.
The 5 Technical Control Themes of CE+
To pass the Cyber Essentials Plus audit, an organization must show that the same five technical controls assessed in the self-assessment are actually enforced across the in-scope devices the assessor samples:
- Firewalls: A correctly configured boundary firewall at the internet edge, and a host-based firewall on every device, with no inbound services exposed unless there is a documented business need.
- Secure Configuration: Removing unused software ("bloatware"), changing or removing default passwords, disabling unnecessary accounts and services, and disabling autorun.
- User Access Control: Implementing the principle of least privilege, giving administrative rights only to users who need them, and ensuring those users carry out day-to-day work (email, browsing) from separate standard accounts.
- Malware Protection: Running anti-malware software, or restricting execution to an allow-list of approved applications, so that malicious code downloaded by email or browser is blocked before it runs; the assessor tests this directly with harmless test files.
- Security Update Management: Running only vendor-supported software, with automatic updates enabled where possible, and applying patches for vulnerabilities rated high or critical (CVSS v3 base score 7.0 or above, or flagged as critical or high risk by the vendor) within 14 days of release.
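The Security Update Management control is the one most organizations fail in the CE+ internal scan, because the 14-day clock runs from the vendor's release date, not from when the IT team noticed. The following Python script is an added example, not part of the original page or of any assessor's tooling: it applies the two rules in that bullet (no unsupported software; high/critical fixes deployed within 14 days) to a software inventory. The hostnames, product names, scores and dates are constructed for the example; in practice the inventory would come from your endpoint management or vulnerability scanner export.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 14     # Cyber Essentials: high/critical fixes must be applied within 14 days of release
CVSS_HIGH_THRESHOLD = 7.0  # CVSS v3 base score 7.0+ is "high" (9.0+ "critical"); both start the 14-day clock


@dataclass
class InstalledSoftware:
    host: str
    name: str
    version: str
    vendor_supported: bool        # does the vendor still publish security fixes for this version?
    cvss_max: Optional[float]     # highest CVSS v3 score among known open vulns (None = none known)
    fix_released: Optional[date]  # date the vendor released the fix for that vuln


# Constructed sample inventory (hypothetical hosts and products, not real scan data).
ASSESSMENT_DATE = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    InstalledSoftware("ws01", "Chromium-based browser", "124.0", True, 8.8, date(2025, 5, 10)),
    InstalledSoftware("ws01", "PDF reader", "11.2", True, 5.3, date(2025, 4, 1)),
    InstalledSoftware("srv01", "Legacy server OS", "2012", False, None, None),
    InstalledSoftware("ws02", "OpenSSL", "3.0.13", True, 7.5, date(2025, 5, 25)),
    InstalledSoftware("ws02", "Office suite", "2024", True, None, None),
]


def assess(inventory: List[InstalledSoftware], today: date) -> List[Tuple[str, str, str, str]]:
    """Return (host, software, status, reason) findings the way a CE+ internal scan would judge them."""
    findings = []
    for item in inventory:
        # Rule 1: unsupported software is an automatic failure regardless of known vulns,
        # because no fix can ever arrive for it. Remove it or move it out of scope.
        if not item.vendor_supported:
            findings.append((item.host, item.name, "FAIL",
                             "unsupported software: no security updates available; remove or upgrade"))
            continue
        # Nothing known to be open, or no fix yet published: nothing to measure.
        if item.cvss_max is None or item.fix_released is None:
            continue
        # Rule 2 applies only to high/critical severity; lower scores have no fixed deadline
        # under the scheme (patch them in the normal cycle anyway).
        if item.cvss_max < CVSS_HIGH_THRESHOLD:
            continue
        age_days = (today - item.fix_released).days
        if age_days > PATCH_WINDOW_DAYS:
            findings.append((item.host, item.name, "FAIL",
                             f"CVSS {item.cvss_max} fix available for {age_days} days, "
                             f"exceeds {PATCH_WINDOW_DAYS}-day window"))
        else:
            findings.append((item.host, item.name, "WARN",
                             f"CVSS {item.cvss_max} fix available for {age_days} days, "
                             f"{PATCH_WINDOW_DAYS - age_days} days left to deploy"))
    return findings


def passes_update_management(findings: List[Tuple[str, str, str, str]]) -> bool:
    """The control passes only if no sampled device carries a FAIL finding."""
    return not any(status == "FAIL" for _, _, status, _ in findings)


if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY, ASSESSMENT_DATE)
    for host, name, status, reason in results:
        print(f"{status:4} {host:6} {name:24} {reason}")
    print("Security Update Management:", "PASS" if passes_update_management(results) else "FAIL")
```

Running it against the constructed inventory produces two failures (the browser patch is 22 days old; the legacy server OS is unsupported) and one warning (the OpenSSL fix is 7 days old, so there is still a week left). Feed the real inventory in and fix every FAIL before the assessor's scan; the WARN lines are the ones to schedule next, ordered by days remaining.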
Cyber Essentials vs. Cyber Essentials Plus: What’s the Difference?
| Feature | Cyber Essentials (Standard) | Cyber Essentials Plus |
|---|---|---|
| Assessment Method | Self-assessment questionnaire | Self-assessment plus an independent technical audit and vulnerability scans |
| Verification | Declaration signed off by a board member or equivalent | Verified by an assessor from a licensed Certification Body |
| Technical Testing | None | External vulnerability scan, authenticated internal scan of sampled devices, malware download tests (email and browser), MFA and account-separation checks |
| Trust Level | Baseline assurance, suitable for small organizations | Independently verified assurance, expected for higher-risk contracts and supply chains |
The Strategic Importance of CE+ in the UK Supply Chain
Cyber Essentials Plus is not just a badge; it is a license to operate in high-security sectors:
- Ministry of Defence (MoD): Under Def Stan 05-138, each contract is assigned a cyber risk profile; standard Cyber Essentials satisfies the Low profile, while Moderate and High profiles require Cyber Essentials Plus (with additional controls at High), so CE+ is the practical entry ticket for most of the defence supply chain.
- Legal & Professional Services: Firms handling sensitive litigation or M&A data use CE+ as evidence of baseline controls when answering client security questionnaires and cyber insurance underwriters.
- Healthcare: CE+ provides evidence for several of the technical assertions in the NHS Data Security & Protection (DSP) Toolkit, which NHS suppliers and partners must complete.
FAQs: Cyber Essentials Plus
Does CE+ require Multi-Factor Authentication (MFA)?
Yes. Under the current requirements, multi-factor authentication must be enabled for all user accounts on every in-scope cloud service that supports it, and always for administrative accounts. The CE+ assessor checks this directly by attempting to sign in to sampled cloud services with a password alone. Where MFA is not used, password length requirements are tightened, but for cloud services that offer MFA, password-only access is a failure.
How long does a CE+ certification last?
The certification is valid for 12 months. Organizations must undergo a new technical audit every year to maintain their status.
What happens if we fail the vulnerability scan?
The assessor's scans fail a device if they find a vulnerability with a CVSS v3 base score of 7.0 or above (high or critical) for which a vendor fix has been available for more than 14 days, or any software that is no longer vendor-supported. You typically have up to 30 days from the start of the assessment to remediate and have the failed tests re-run; if the issues are not resolved within that window, certification is not awarded and the assessment must be repeated.
How does Theodosiana help with CE+ certification?
Theodosiana simplifies the most difficult parts of the CE+ audit:
- Access Control Verification: Theodosiana's access control platform provides the per-user, per-file access logs needed to show the assessor that users only have access to the data required for their roles.
- Malware Neutralization: By applying file-centric encryption, Theodosiana ensures that even if malware gets past the endpoint controls, it cannot read your encrypted sensitive files, and any copy it exfiltrates remains ciphertext.
- Evidence Collection: Theodosiana's audit trails provide point-in-time proof of how data was protected, which speeds up the assessor's review and reduces the time (and therefore cost) of the audit.