Cyber Essentials Plus builds on the same five control areas but adds technical testing performed by an assessor. Preparation is mostly about closing gaps between what you self-assess and what an assessor will actually see.
Pass Cyber Essentials first
Plus is built on top of the standard scheme. Do not start Plus prep until standard CE is in place.
Confirm scope and sample devices
The assessor will sample devices from each device family in scope. Make sure every family is documented.
Run an internal vulnerability scan
Spot the high-severity items before the assessor does.
Validate patching across the sample
Sampled devices need to be fully patched, with high / critical CVEs addressed within the required window.
Prepare for the email and browser test
Test attachment behaviour, malicious link handling and macro restrictions on sampled devices.
Practical examples
Vulnerability scan report
Authenticated scan of sampled devices with high-severity items called out.
Device family list
Mac laptop, Windows laptop, iPhone, Android, Linux server — each is a sample candidate.
Test summary
Internal write-up of the email / browser / patch tests with screenshots of behaviour.
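An added example, not part of the original page or any Evaud tooling: a Python check over a constructed scan export that ties the device family list, the vulnerability scan report and the patch validation together. The CSV columns, device names, finding labels and the 14-day window are assumptions made for illustration; substitute the window that applies to your assessment.

```python
import csv
import io
from datetime import date

# Documented device families (taken from the list above).
FAMILIES = ["Mac laptop", "Windows laptop", "iPhone", "Android", "Linux server"]

# Constructed sample export; the column names are hypothetical, not a real scanner format.
SCAN_CSV = """device,family,finding,severity,fix_released
WIN-LT-01,Windows laptop,EXAMPLE-FINDING-A,critical,2024-05-01
WIN-LT-01,Windows laptop,EXAMPLE-FINDING-B,medium,2024-03-10
MAC-LT-02,Mac laptop,EXAMPLE-FINDING-C,high,2024-05-28
SRV-01,Linux server,EXAMPLE-FINDING-D,high,2024-04-02
PIXEL-03,Android,EXAMPLE-FINDING-E,low,2024-01-15
CHROME-04,ChromeOS laptop,EXAMPLE-FINDING-F,high,2024-05-30
"""

def check_readiness(scan_csv, families, today, window_days):
    """Compare a scan export against the documented families and patch window."""
    rows = list(csv.DictReader(io.StringIO(scan_csv)))
    scanned = {r["family"] for r in rows}
    overdue = []
    for r in rows:
        # Only high and critical findings with a released fix count against the window.
        if r["severity"].lower() not in ("high", "critical") or not r["fix_released"]:
            continue
        age = (today - date.fromisoformat(r["fix_released"])).days
        if age > window_days:
            overdue.append((r["device"], r["finding"], age))
    return {
        # Documented families with no scanned device: no evidence for the sample.
        "unscanned_families": [f for f in families if f not in scanned],
        # Families seen in the scan but missing from the documented list.
        "undocumented_families": sorted(scanned - set(families)),
        # Oldest outstanding fixes first.
        "overdue": sorted(overdue, key=lambda item: -item[2]),
    }

if __name__ == "__main__":
    # window_days=14 is an assumed value for this example.
    report = check_readiness(SCAN_CSV, FAMILIES, date(2024, 6, 3), 14)
    for key, value in report.items():
        print(key, value)
```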
Common mistakes
Skipping internal scans
Walking into Plus blind is the most common cause of failure.
Under-counting device families
Every distinct OS / version is sampled. Don't leave families out of scope.
Treating Plus as paperwork
Plus is hands-on. Documents alone won't pass.
Evaud helps organise Cyber Essentials evidence and readiness information. It is not a certification body and does not guarantee certification.