Everything You Need to Know Before Your Cyber Essentials Plus Audit

At E-ZU Solutions, we know that achieving Cyber Essentials Plus (CE+) can feel daunting if you’re unfamiliar with the technical requirements involved. To make the journey easier, we’ve created this clear, comprehensive guide to help you understand what to expect, from initial preparation through to certification.

Cyber Essentials Plus is the audited, hands-on version of the UK Government–backed Cyber Essentials scheme, designed to help organisations protect themselves against the most common cyber threats. While the basic Cyber Essentials certification involves a self-assessment, CE+ requires independent verification, giving your organisation and your customers greater confidence that essential security controls are in place and operating effectively.

Obtaining CE+ demonstrates that your business takes cybersecurity seriously, strengthens your resilience against known vulnerabilities, and can even support your ability to win new contracts—particularly those involving the public sector.


Getting Started: Preparing for Cyber Essentials Plus

The CE+ process begins once you notify our team that you’re ready to proceed. Note that CE+ must be completed within 90 days of achieving the self-assessed Cyber Essentials certification, which is where our interactive Cyber Essentials dashboard comes into play: it simplifies the self-assessment stage so you reach that starting point sooner. When you’re ready to proceed with CE+, our team prepares the required assessment materials and guides you through every stage.

Before the formal audit takes place, we’ll provide the Qualys vulnerability scanning agent, a lightweight tool deployed across your in-scope devices. The agent identifies known vulnerabilities on each endpoint and rates them using the CVSSv3 scores published in the National Vulnerability Database (NVD). Any finding with a CVSSv3 base score of 7.0 or above (High or Critical) must be addressed before the official assessment: the Cyber Essentials requirements expect such updates to be applied within 14 days of release, and a High or Critical finding whose fix has been available longer than that results in a CE+ failure.

This early scan gives you the opportunity to remediate issues ahead of time, helping ensure a smoother and more successful audit day.
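As an added example (not E-ZU’s Qualys tooling or any IASME script), the snippet below applies the CE+ threshold to a scanner export so you can see which findings would block the audit. It assumes a CSV with the columns Host, Title, CVSS3 and PatchReleased; these column names and the sample rows are constructed for the example, and a real Qualys export uses different headings that you would map onto them.

```powershell
# Added example: triage a vulnerability-scan export against the CE+ failure rule.
# Assumed CSV layout (hypothetical column names, not Qualys's own export):
#   Host, Title, CVSS3, PatchReleased (date the vendor fix became available; blank if unknown)
# Rule applied: CVSSv3 base score 7.0 or above fails if the fix has been available
# for more than 14 days at the time of the assessment.

$sampleReport = @"
Host,Title,CVSS3,PatchReleased
LAPTOP-01,Adobe Acrobat Reader out of date,8.8,2024-01-10
LAPTOP-01,Firefox ESR out of date,9.8,2024-02-20
SRV-FILE01,Windows cumulative update missing,7.5,2024-02-28
SRV-FILE01,Legacy TLS cipher enabled,5.3,
PC-ACCOUNTS,Unsupported PDF viewer installed,7.8,
"@

$assessmentDate = [datetime]'2024-03-01'   # constructed audit date for the example
$patchWindowDays = 14

function Get-CePlusBlockers {
    param(
        [Parameter(Mandatory)] [string]$CsvText,
        [Parameter(Mandatory)] [datetime]$AsOf,
        [int]$WindowDays = 14
    )

    $CsvText | ConvertFrom-Csv | ForEach-Object {
        $score    = [double]$_.CVSS3
        $released = if ([string]::IsNullOrWhiteSpace($_.PatchReleased)) { $null } else { [datetime]$_.PatchReleased }
        $daysOut  = if ($released) { ($AsOf - $released).Days } else { $null }

        $status = if ($score -lt 7.0) {
            'Below threshold'
        } elseif ($null -eq $released) {
            'REVIEW: High/Critical with no fix date recorded'
        } elseif ($daysOut -gt $WindowDays) {
            "FAIL: fix available for $daysOut days (over $WindowDays)"
        } else {
            "Patch before audit: fix available for $daysOut days (inside $WindowDays)"
        }

        [pscustomobject]@{
            Host   = $_.Host
            Title  = $_.Title
            CVSS3  = $score
            Status = $status
        }
    }
}

Get-CePlusBlockers -CsvText $sampleReport -AsOf $assessmentDate -WindowDays $patchWindowDays |
    Sort-Object -Property CVSS3 -Descending |
    Format-Table -AutoSize
```

On the constructed data, the Acrobat finding is a straight fail (fix out for 51 days), the Firefox and Windows findings are inside the window but must still be patched before the visit, the TLS cipher is below the threshold, and the unsupported viewer has no fix date and needs a manual decision (remove it or take the device out of scope) rather than a patch.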


Pre-Audit Checklist to Ensure a Smooth Audit Day

To help ensure your Cyber Essentials Plus audit runs efficiently and without unnecessary delays, we recommend completing the following pre-audit steps:

  • Confirm all software (including Adobe, Java, etc.) is fully up to date on all devices, including servers.
  • Remove software that is rarely used from each device. Unused secondary browsers (for example, an old Firefox installation left alongside the main browser) are a common cause of failures, because every installed application must be current whether or not anyone uses it.
  • Install the Qualys Agent provided by your auditor (you will receive a dedicated Qualys Installation Guide) and inform the auditor that the agents have been installed.
    • PLEASE NOTE: this step is unnecessary if you already run your own PCI ASV-approved vulnerability scanner (the CyberSmart Vulnerability Manager is one such option), in which case no additional agents need to be installed.
  • The auditor will confirm the number of agents reporting on their dashboard and provide an initial High Severity Vulnerability report.
    • PLEASE NOTE: if you are using CyberSmart Vulnerability Manager, you will be able to view and manage all assets included in scope (and filter by severity) on your own interactive dashboard, making this step unnecessary.
  • Ensure all devices, including laptops, have up-to-date anti-virus engines and signature files – preferably using an enterprise management dashboard.
  • Ensure all executable attachments are prevented from being delivered to the email client.
  • Ensure the anti-virus plugin for each browser in use has been activated and updated.

The auditor will also need the following from you:

  • A list of all devices (firewalls, servers, PCs, laptops, workstations, tablets, and mobile phones) that are in scope, including details of their current operating system.
  • Email addresses of users that can be used for the email/web tests on the sample devices selected.
  • A signed consent form, which is required before testing can start; we prepare this once the visit dates have been agreed.
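As an added example, and not the Qualys agent or the installation guide your auditor sends, the script below gathers the facts the checklist above asks you to confirm on a Windows 10/11 endpoint running Microsoft Defender: OS and build for the device inventory, patch recency, anti-virus state, the applications the checklist singles out, and local administrator membership. The watch list of application names is an assumption for illustration; extend it to match your estate. Run it from the everyday user account, not an elevated session, so that CurrentUserIsAdmin reflects the account actually used for day-to-day work.

```powershell
# Added example: local pre-audit check for a Windows 10/11 device with Microsoft Defender.
# Collects inventory, patch, AV, software and admin-separation facts so they can be fixed
# before the assessor looks. Run unelevated from the user's normal account.

$report = [ordered]@{}

# 1. Operating system and build, for the in-scope device list the auditor requests
$os = Get-CimInstance Win32_OperatingSystem
$report.Device = $env:COMPUTERNAME
$report.OS     = "$($os.Caption) build $($os.BuildNumber)"

# 2. Most recent installed update, measured against the 14-day patching requirement
$latestHotfix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latestHotfix) {
    $report.LatestUpdate    = "$($latestHotfix.HotFixID) on $($latestHotfix.InstalledOn.ToShortDateString())"
    $report.DaysSinceUpdate = ((Get-Date) - $latestHotfix.InstalledOn).Days
} else {
    $report.LatestUpdate    = 'none recorded'
    $report.DaysSinceUpdate = $null
}

# 3. Anti-virus engine, real-time protection and signature age (Defender only)
$mp = Get-MpComputerStatus
$report.AVEnabled          = $mp.AntivirusEnabled
$report.RealTimeProtection = $mp.RealTimeProtectionEnabled
$report.SignatureAgeDays   = $mp.AntivirusSignatureAge
$report.EngineVersion      = $mp.AMEngineVersion

# 4. Installed software from both uninstall hives, with watched applications picked out
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$software = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion
$watchList = 'Firefox', 'Java', 'Adobe', 'Chrome', 'Opera'   # assumed list for the example
$report.WatchedSoftware = $software |
    Where-Object { $name = $_.DisplayName; $watchList | Where-Object { $name -like "*$_*" } } |
    ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }

# 5. Admin/user separation: who holds local admin, and is the everyday account one of them?
$report.LocalAdmins = (Get-LocalGroupMember -Group 'Administrators').Name
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$report.CurrentUserIsAdmin = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 6. Findings phrased so they can be actioned before the visit
$findings = @()
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) { $findings += 'Anti-virus or real-time protection is off' }
if ($mp.AntivirusSignatureAge -gt 1)      { $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old" }
if ($null -eq $report.DaysSinceUpdate -or $report.DaysSinceUpdate -gt 14) { $findings += 'No Windows update installed in the last 14 days' }
if ($report.WatchedSoftware)              { $findings += 'Watched software present: remove if unused, otherwise confirm it is current' }
if ($report.CurrentUserIsAdmin)           { $findings += 'Everyday account holds local admin: use a separate admin account' }
$report.Findings = if ($findings) { $findings } else { 'None' }

[pscustomobject]$report | Format-List
```

The script reports rather than fixes: it tells you which items on the checklist still need attention on that device, and its OS line can be pasted straight into the device list the auditor asks for. Third-party anti-virus products expose their state differently, so section 3 applies only where Defender is the engine in use.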

What Happens on the Day of the CE+ Audit?

When your scheduled assessment day arrives, one of our accredited assessors will conduct a series of hands-on technical checks, all based on the scope agreed in your Cyber Essentials self-assessment. These checks include:

1. Internal Credentialed Vulnerability Scan

A full patch and vulnerability assessment is carried out on a sample of in-scope devices using Qualys (or your own PCI ASV-approved scanner if you already have one). This confirms that your systems are up to date and free of High and Critical vulnerabilities.

2. External Vulnerability Scan

We scan your organisation’s externally facing IP addresses and services. This identifies potential entry points that an attacker could exploit. Please note that this step can only be performed once your signed consent form has been returned.

3. Email Handling Tests

Over a secure screen-sharing session, our assessors observe how your devices handle emails carrying harmless test attachments. This test must be performed using a real user mailbox, not a generic account.

4. Web Download & Execution Testing

We assess how in-scope devices handle the download of benign test files from our secure test sites, verifying browser and endpoint protection behaviour.

5. Anti-Virus Installation & Configuration Checks

Your anti-malware solution must be active, up to date, and correctly configured across all relevant devices.

6. Mobile Device Checks (If in Scope)

If mobile devices such as iPhones or tablets fall within scope, additional CE+ compliance checks are performed.

7. MFA Verification for Cloud Services

We test all cloud services listed in your Cyber Essentials self-assessment to ensure Multi-Factor Authentication is enforced for both administrators and end users.

8. Admin/User Account Separation

We verify that privileged accounts are used solely for administrative activities and that day-to-day work is carried out under standard user accounts.


After the Audit

Once all tests are complete, the assessor compiles the results and uploads them to IASME, the NCSC’s delivery partner for the Cyber Essentials scheme. If your organisation meets all required criteria, your Cyber Essentials Plus certificate will be issued shortly afterwards.

You control the pace of the process—some organisations prefer to move quickly, while others choose to remediate findings over several weeks. Our Customer Experience (CX) Team is available throughout the journey to offer support, troubleshoot issues, and help interpret scan results.


Have Questions About Cyber Essentials Plus or Wish to Begin?

If you’d like further guidance or want to begin your CE+ journey, our team is ready to help.