What Is Cyber Essentials Plus?
Cyber Essentials Plus is the higher of the two levels of the UK Government-backed Cyber Essentials scheme. It builds on standard Cyber Essentials (a verified self-assessment) by adding an independent, hands-on technical assessment that checks the security controls are actually implemented on in-scope systems, not just declared.
The scheme is overseen by the National Cyber Security Centre (NCSC) and is widely required for organisations that handle sensitive data or work with UK public sector bodies.
Cyber Essentials Plus focuses on whether systems are actually configured securely, not just on whether policies exist.
Why It Matters
Cyber Essentials Plus certification is often a contractual requirement for UK government work and increasingly expected across regulated industries and supply chains.
Unlike the self-assessed standard certification, Plus includes external testing of systems, endpoints, and configurations. If controls are misconfigured, applied inconsistently across the in-scope estate, or not supported by evidence, the assessment will fail.
Organisations commonly struggle with configuration drift, incomplete hardening, and gaps between documented intent and real-world enforcement.
What It Requires
Cyber Essentials Plus validates that organisations have implemented the five core Cyber Essentials control areas:
- Secure configuration: Systems are hardened and unnecessary services are disabled
- Access control: User privileges are restricted and managed
- Malware protection: Controls are in place to prevent malicious code execution
- Patch management: Security updates are applied promptly
- Firewalls and gateways: Network boundaries are protected
For Plus certification, assessors verify these controls through direct testing rather than questionnaire answers alone: in practice this includes vulnerability scans of a sample of in-scope devices and checks that malware protection actually blocks test files delivered by email and browser download.
Cyber Essentials Plus Implementation Guidance
Organisations seeking Plus certification should be able to demonstrate:
☐ Systems are configured securely using defined baselines
☐ Default accounts, credentials, and unnecessary services are removed or disabled
☐ Configuration changes are controlled and documented
☐ Systems are monitored for unauthorised changes
☐ Security patches are applied within required timeframes (the scheme requires critical and high-severity security updates to be installed within 14 days of release)
☐ Administrative access is limited and auditable
☐ Evidence is available for independent assessment
Secure configuration is one of the most common failure points during Plus assessments.
How to Prepare for a Cyber Essentials Plus Assessment
Preparation should focus on enforcing secure configurations consistently across all in-scope systems.
Organisations should:
- Apply hardened baselines to servers and endpoints
- Remove insecure defaults and unnecessary services
- Monitor systems for configuration drift
- Maintain clear, assessor-ready evidence
- Validate controls before the assessment window
Automated enforcement makes it easier to pass assessment and maintain compliance year-round.
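The checklist above comes down to two mechanical questions an assessor will ask of every sampled host: does its configuration still match the baseline you defined, and has every critical or high-severity update been applied inside the 14-day window? The script below is an added example of that comparison, not CalCom's code and not part of the original page. The baseline keys, service names, patch identifiers and the host snapshot are constructed for illustration; a real run would populate `OBSERVED` from the host itself (registry, `sshd -T`, service manager, patch tooling).

```python
"""Configuration-drift and patch-window check against a hardening baseline.

Added example; not CalCom's or NCSC's code. The baseline keys, service names,
patch identifiers and host data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Cyber Essentials: critical/high security updates within 14 days of release.
PATCH_WINDOW_DAYS = 14

# Constructed baseline: expected values for settings an assessor typically probes.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "smb.SMBv1": "disabled",
    "account.guest_enabled": False,
    "password.min_length": 12,
}
ALLOWED_SERVICES = {"sshd", "cron"}

# Constructed snapshot of one host, with deliberate drift in it.
OBSERVED = {
    "settings": {
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "yes",        # drift: root login re-enabled
        "smb.SMBv1": "disabled",
        "password.min_length": 12,
        # "account.guest_enabled" was never collected: an evidence gap, not a pass
    },
    "services": ["sshd", "cron", "telnetd"],  # telnetd is not in the baseline
    "pending_patches": [
        {"id": "patch-A", "severity": "critical", "released": date(2024, 5, 10)},
        {"id": "patch-B", "severity": "high", "released": date(2024, 5, 28)},
        {"id": "patch-C", "severity": "low", "released": date(2024, 4, 1)},
    ],
}
TODAY = date(2024, 6, 1)  # fixed so the example is deterministic


@dataclass
class DriftReport:
    mismatched: dict = field(default_factory=dict)  # key -> (expected, observed)
    missing: list = field(default_factory=list)     # baseline keys with no evidence
    unexpected_services: list = field(default_factory=list)
    overdue_patches: list = field(default_factory=list)  # (id, age in days)

    @property
    def compliant(self) -> bool:
        return not (self.mismatched or self.missing
                    or self.unexpected_services or self.overdue_patches)

    def evidence_lines(self) -> list:
        """Assessor-readable summary, one finding per line."""
        lines = [f"MISMATCH {k}: expected {e!r}, observed {o!r}"
                 for k, (e, o) in self.mismatched.items()]
        lines += [f"MISSING {k}: no value collected" for k in self.missing]
        lines += [f"SERVICE {s}: running but not in baseline"
                  for s in self.unexpected_services]
        lines += [f"PATCH {p}: {age} days old, exceeds {PATCH_WINDOW_DAYS}-day window"
                  for p, age in self.overdue_patches]
        return lines or ["No drift detected"]


def check_drift(baseline, allowed_services, observed, today) -> DriftReport:
    """Compare one host snapshot against the baseline and the patch window."""
    report = DriftReport()
    for key, expected in baseline.items():
        if key not in observed["settings"]:
            report.missing.append(key)          # absence of evidence is a finding
        elif observed["settings"][key] != expected:
            report.mismatched[key] = (expected, observed["settings"][key])
    report.unexpected_services = sorted(set(observed["services"]) - set(allowed_services))
    for patch in observed["pending_patches"]:
        if patch["severity"] not in ("critical", "high"):
            continue                            # only the 14-day rule is enforced here
        age = (today - patch["released"]).days
        if age > PATCH_WINDOW_DAYS:
            report.overdue_patches.append((patch["id"], age))
    return report


if __name__ == "__main__":
    for line in check_drift(BASELINE, ALLOWED_SERVICES, OBSERVED, TODAY).evidence_lines():
        print(line)
```

Two design points carry over to any real tooling: a baseline setting that was never collected is reported as a finding rather than silently passed, because an assessor treats missing evidence the same way, and the patch check enforces only the severities the scheme sets a deadline for, so low-severity backlog does not drown the findings that actually fail the assessment.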
How CalCom Helps
CalCom Hardening Suite (CHS) helps organisations meet Cyber Essentials Plus requirements by enforcing secure system configurations and maintaining them over time.
With CHS, you can:
- Enforce hardened configuration baselines across servers and systems
- Detect and respond to unauthorised configuration changes
- Maintain clear audit trails for assessment evidence
- Preview the impact of hardening changes before deployment
- Reduce reliance on manual checks and one-time remediation efforts
CalCom helps ensure secure configuration controls are consistently enforced, not just prepared for assessment.