June 21, 2026

Cyber Essentials Plus explained: the audited tier

A tender names it, or a larger customer's security review insists on the audited certificate rather than the self-assessed one. Then a contract you want to sign arrives with a clause the basic Cyber Essentials badge will not satisfy. That is usually the moment a growing company first looks closely at what Cyber Essentials Plus involves, rather than treating it as a line item on a checklist.

The short version: it is the same five controls as Cyber Essentials, checked by a person instead of confirmed on a form. That difference is small to describe and large in what it opens. This piece covers what the audited tier is, who asks for it, and the contracts it puts within reach.

What is Cyber Essentials Plus?

Cyber Essentials Plus is the audited level of the UK government's Cyber Essentials scheme. It covers the same five technical controls as Cyber Essentials, but instead of a verified self-assessment, a qualified assessor independently tests your systems, using vulnerability scans, device sampling and malware checks, to confirm the controls are genuinely in place.

The scheme is owned and governed by the National Cyber Security Centre, which describes Cyber Essentials as the minimum standard of cyber security it recommends. IASME is the NCSC's official delivery partner and runs the network of certification bodies that carry out assessments. Source: NCSC, Cyber Essentials overview.

The difference between Cyber Essentials and Cyber Essentials Plus

Both tiers protect against the same threats and cover the same five controls: firewalls, secure configuration, user access control, malware protection, and security update management. What changes is how the controls are verified.

Cyber Essentials is a verified self-assessment. You complete a questionnaire, a board member signs it off, and an external assessor grades your answers. Cyber Essentials Plus keeps that questionnaire and adds a hands-on technical audit, so an assessor confirms the controls are working rather than taking your word for it. Source: IASME, Cyber Essentials and Cyber Essentials Plus: what is the difference?

What does the Cyber Essentials Plus audit involve?

A qualified assessor independently tests a sample of your in-scope systems. The audit covers external vulnerability scans of internet-facing infrastructure, device sampling across operating systems, malware protection checks, confirmation that admin accounts are kept separate from everyday work, and a check that multi-factor authentication is enforced on cloud services.

For the person whose laptop is sampled, it is a short, practical session. The assessor looks at a representative set of machines and cloud accounts, runs the scans against the IASME and NCSC test specification, and records what they find. Sources: IASME, CE vs CE Plus difference; NCSC, Cyber Essentials overview.

The audit is also less forgiving than the form. If an issue surfaces at the Plus assessment, you have 30 days to fix it and cannot pass until it is resolved. That is the point of the tier. It tests how the controls actually run, so the certificate stands on evidence rather than declarations.

Who needs Cyber Essentials Plus?

The duty almost never comes from the law. It comes from a buyer who has made the audited tier a condition of the contract. Two buyers set that bar most often.

Central government uses it through Procurement Policy Note 014. From 24 February 2025, in-scope central government contracts must require Cyber Essentials or Cyber Essentials Plus where the work involves personal citizen data, government employee data, OFFICIAL-classification ICT systems, or core government business. The note takes a risk-based approach, and Cyber Essentials Plus is the level indicated where the cyber risk is higher. PPN 014 replaced the earlier PPN 09/23. Source: GOV.UK, PPN 014: Cyber Essentials Scheme.

The NHS supply chain is the other. NHS Supply Chain asks all suppliers in scope of PPN 014 to demonstrate Cyber Essentials Plus, or evidence that they meet the equivalent criteria, a requirement communicated to existing suppliers from 8 September 2025. In scope are suppliers handling NHS Supply Chain personal data, or supplying IT and digital products and services. Source: NHS Supply Chain, Cyber Security: Expectations of Suppliers.

Beyond those two, the NCSC notes that a growing number of organisations require suppliers to be certified before they can bid. For many SMEs selling into larger or regulated customers, the audited tier is becoming the price of entry to the conversation.

How Cyber Essentials Plus opens bigger contracts

Treat the certificate as a commercial asset and four things change for the business.

When a tender or security review names Cyber Essentials Plus specifically, the self-assessed certificate will not clear it. Holding the audited tier takes that objection off the table and keeps the deal moving.

NHS supply chain work and higher-risk central government contracts under PPN 014 are simply closed to suppliers without it. So is a growing share of enterprise procurement that has standardised on the audited level, which means the certificate opens a market you could not otherwise bid into.

The audited tier also shortens the review. A valid Cyber Essentials Plus certificate can stand in for a separate supplier security questionnaire. NHS Supply Chain, for example, does not require its Information Security Third Party Questionnaire where a supplier holds a valid certificate. Due diligence becomes a document you hand over rather than a project you run.

The credibility compounds, too. An independent assessor has tested the systems and confirmed they work. That is a stronger signal to a cautious buyer, and it carries into the next, larger contract you go after.

What getting there involves

The path is short to describe. Get the five controls genuinely in place across every in-scope system, including cloud services and remote-worker devices. Achieve Cyber Essentials. Then book the Plus audit with a certification body within the three-month window, since the audit must follow the underlying certificate inside that period. The certificate is then renewed each year through an annual reassessment, so it stays valid as you keep selling.

Naq runs Cyber Essentials alongside the other standards buyers ask for, including ISO 27001, UK and EU GDPR, and the NHS Data Security and Protection Toolkit, with controls mapped across frameworks so one piece of evidence works against several at once. Naq is an IASME Certifying Body for Cyber Essentials; Cyber Essentials Plus certification and CREST-accredited testing are available through its external partner network, so the certificate and the ongoing evidence still sit in one place. If you want the framework detail first, the Cyber Essentials guide is the place to start.

Frequently asked questions

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both cover the same five technical controls. Cyber Essentials is a self-assessment that an external assessor grades from your answers. Cyber Essentials Plus adds a hands-on independent audit, where a qualified assessor tests a sample of your systems to confirm the controls are genuinely in place rather than only declared.

Who needs Cyber Essentials Plus?

Suppliers to higher-risk central government contracts under Procurement Policy Note 014 and suppliers in the NHS supply chain are the most common cases. Beyond those, any customer whose security review or tender names the audited tier will expect it. It is a contract condition, not a general legal duty for all businesses.

What does the Cyber Essentials Plus audit involve?

A qualified assessor tests a sample of your in-scope systems. The audit includes external vulnerability scans, device sampling across operating systems, malware protection checks, confirmation that admin accounts are separated from everyday use, and a check that multi-factor authentication is enforced on your cloud services.

How long is Cyber Essentials Plus valid, and when must it be done?

The certificate is renewed each year through an annual reassessment, so it stays current while you keep certifying. The Plus audit itself must be completed within three months of the underlying Cyber Essentials certificate, so you earn the basic certificate first and book the audit inside that window.

Written by
The Naq Team