Everything You Need to Know Before Your Cyber Essentials Plus Audit

At E-ZU Solutions, we know that achieving Cyber Essentials Plus (CE+) can feel daunting if you’re unfamiliar with the technical requirements involved. To make the journey easier, we’ve created this clear, comprehensive guide to help you understand what to expect, from initial preparation through to certification.
Cyber Essentials Plus is the audited, hands-on version of the UK Government–backed Cyber Essentials scheme, designed to help organisations protect themselves against the most common cyber threats. While the basic Cyber Essentials certification involves a self-assessment, CE+ requires independent verification, giving your organisation and your customers greater confidence that essential security controls are in place and operating effectively.
Obtaining CE+ demonstrates that your business takes cybersecurity seriously, strengthens your resilience against known vulnerabilities, and can even support your ability to win new contracts—particularly those involving the public sector.
Getting Started: Preparing for Cyber Essentials Plus
The CE+ process begins once you notify our team that you’re ready to proceed. It’s important to note that CE+ must be completed within 90 days of achieving the self-assessed Cyber Essentials certification (which is where our interactive Cyber Essentials dashboard comes into play, helping to simplify this process and make it much easier for you). When you’re ready to proceed with CE+, our team prepares the required assessment materials and guides you through every stage.
Before the formal audit takes place, we’ll provide the Qualys vulnerability scanning agent, which is a lightweight tool deployed across your in-scope devices. This agent identifies known vulnerabilities on endpoints and compares them against the National Vulnerability Database (NVD). Any weaknesses rated CVSSv3 7.0 or above (classified as High or Critical) must be addressed before the official assessment, as these will result in a CE+ failure.
This early scan gives you the opportunity to remediate issues ahead of time, helping ensure a smoother and more successful audit day.
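As an added example (not E-ZU’s, CyberSmart’s or Qualys’s code), the following Python script applies the two thresholds the guide states, CVSSv3 7.0 or above fails CE+ and the 14-day remediation window, to a constructed scanner export so you can see which hosts would block the audit; the CSV columns are assumed, not a real Qualys export format.

```python
"""Pre-audit triage of a vulnerability-scanner export against the CE+ rules
described above (CVSSv3 >= 7.0 is a failure; 14-day remediation window).
Added illustration, not E-ZU/CyberSmart/Qualys code. The CSV layout is an
assumed, constructed format, not a real Qualys export."""
import csv
import io
from datetime import date, timedelta

CE_PLUS_FAIL_THRESHOLD = 7.0   # CVSSv3 High/Critical, per the guide
REMEDIATION_WINDOW_DAYS = 14   # the 14-day window the guide refers to

# Constructed sample export (hypothetical columns, not a Qualys format)
SAMPLE_EXPORT = """host,title,cvss_v3,fix_available_date
laptop-01,Outdated Java runtime,8.1,2024-05-01
laptop-01,Legacy Firefox install,9.8,2024-05-20
server-02,Info disclosure banner,4.3,2024-04-10
server-02,Critical OS patch missing,9.1,2024-05-25
"""

def triage(export_text: str, today_iso: str) -> list[dict]:
    """Return the findings that would fail CE+ (CVSSv3 >= 7.0), annotated
    with whether the 14-day remediation window has already elapsed."""
    today = date.fromisoformat(today_iso)
    failing = []
    for row in csv.DictReader(io.StringIO(export_text)):
        score = float(row["cvss_v3"])
        if score < CE_PLUS_FAIL_THRESHOLD:
            continue                      # Medium/Low: not a CE+ failure
        available = date.fromisoformat(row["fix_available_date"])
        deadline = available + timedelta(days=REMEDIATION_WINDOW_DAYS)
        failing.append({
            "host": row["host"],
            "title": row["title"],
            "cvss_v3": score,
            "severity": "Critical" if score >= 9.0 else "High",
            "deadline": deadline.isoformat(),
            "overdue": today > deadline,
        })
    # Worst-first, so remediation effort goes to the highest scores first
    failing.sort(key=lambda f: (-f["cvss_v3"], f["host"]))
    return failing

def hosts_blocking_audit(export_text: str, today_iso: str) -> set[str]:
    """Hosts with at least one open High/Critical finding."""
    return {f["host"] for f in triage(export_text, today_iso)}

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT, "2024-06-01"):
        status = "OVERDUE" if f["overdue"] else "within window"
        print(f"{f['host']:10} {f['severity']:8} {f['cvss_v3']:>4} {status:14} {f['title']}")
```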
Pre-Audit Checklist to Ensure a Smooth Audit Day
To help ensure your Cyber Essentials Plus audit runs efficiently and without unnecessary delays, we recommend completing the following pre-audit steps:
- Confirm all software (including Adobe, Java, etc.) is fully up to date on all devices, including servers.
- Remove all software that is rarely used on each device – old browsers such as Firefox are a common issue.
- Install the Qualys Agent provided by your auditor (you will receive a dedicated Qualys Installation Guide) and inform the auditor that the agents have been installed.
- PLEASE NOTE: this step is unnecessary if you have your own PCI DSS approved scanner, including the CyberSmart Vulnerability Manager, in which case you do not need to install additional agents.
- The auditor will confirm the number of agents reporting on their dashboard and provide an initial High Severity Vulnerability report.
- PLEASE NOTE: if you are using CyberSmart Vulnerability Manager, you will be able to view and manage all assets included in scope (and filter by severity) on your own interactive dashboard, making this step unnecessary.
- Ensure all devices, including laptops, have up-to-date anti-virus engines and signature files – preferably using an enterprise management dashboard.
- Ensure all executable attachments are prevented from being delivered to the email client.
- Ensure the anti-virus plugin for each browser in use has been activated and updated.
The auditor will also request the following information:
- A list of all devices (firewalls, servers, PCs, laptops, workstations, tablets, and mobile phones) that are in scope, including details of their current operating system.
- Email addresses of users who can be used for the email/web tests on the sample devices selected.
- A signed consent form will be required prior to starting the test; this will be prepared once the visit dates have been agreed.
What Happens on the Day of the CE+ Audit?
When your scheduled assessment day arrives, one of our accredited assessors will conduct a series of hands-on technical checks, all based on the scope agreed in your Cyber Essentials self-assessment. These checks include:
1. Internal Credentialed Vulnerability Scan
A full patch and vulnerability assessment is carried out on a sample of in-scope devices using Qualys (or a PCI DSS-approved scanner if you already have one). This confirms that your systems are up to date and free of high-risk vulnerabilities.
2. External Vulnerability Scan
We scan your organisation’s externally facing IP addresses and services. This identifies potential entry points that an attacker could exploit. Please note that this step can only be performed once your signed consent form has been returned.
3. Email Handling Tests
Our assessors observe how your devices process emails containing harmless test attachments via secure screen sharing. This must be performed using a real user mailbox, not a generic account.
4. Web Download & Execution Testing
We assess how in-scope devices handle the download of benign test files from our secure test sites, verifying browser and endpoint protection behaviour.
5. Anti-Virus Installation & Configuration Checks
Your anti-malware solution must be active, up to date, and correctly configured across all relevant devices.
6. Mobile Device Checks (If in Scope)
If mobile devices such as iPhones or tablets fall within scope, additional CE+ compliance checks are performed.
7. MFA Verification for Cloud Services
We test all cloud services listed in your Cyber Essentials self-assessment to ensure Multi-Factor Authentication is enforced for both administrators and end users.
8. Admin/User Account Separation
We verify that privileged accounts are used solely for administrative activities and that day-to-day work is carried out under standard user accounts.
After the Audit
Once all tests are complete, the assessor compiles the results and uploads them to IASME, the governing body for the Cyber Essentials scheme. If your organisation meets all required criteria, your Cyber Essentials Plus certificate will be issued shortly afterwards.
You control the pace of the process—some organisations prefer to move quickly, while others choose to remediate findings over several weeks. Our Customer Experience (CX) Team is available throughout the journey to offer support, troubleshoot issues, and help interpret scan results.
Do You Have Any Questions About Cyber Essentials Plus?
If you’d like further guidance or want to find out more about how to begin your CE+ journey, our team is ready to help:
Alternatively, we have a solution below that helps make Cyber Essentials Plus a much smoother experience…
Achieve All Year Round CE+ Compliance with CyberSmart Vulnerability Manager
Advanced vulnerability detection, prioritisation, & remediation from a single, easy-to-action dashboard.
When it comes to cyber audits, most IT teams struggle with the same issue: uncertainty. Not knowing whether you’re audit-ready before assessment day often leads to scrambling to fix issues in the days before (and after) the audit.
CyberSmart Vulnerability Manager (CSVM) keeps you CE+ audit-ready all year round. CSVM combines the Qualys and Nessus scanning engines in one platform, delivering best-in-class internal and external vulnerability management at a far more cost-effective price.
As a PCI DSS-approved scanner, CSVM gives you:
- Always-on visibility into the exact vulnerabilities that CE+ assessors will be reviewing.
- A dashboard aligned with CE+ controls and expectations (including the 14 day remediation window).
- Clear, continuous insight into your CE+ posture – no surprises, no last-minute firefighting.
- Manageable, incremental vulnerability remediation with automation and step-by-step guidance.
- Zero additional agents, tools, or scanners required for the CE+ audit itself.
- Additional alignment with ISO 27001 and NIS2 for broader compliance needs.
CyberSmart Vulnerability Manager is backed by unlimited support from CyberSmart’s team of highly experienced CE+ auditors at the largest Cyber Essentials certification body in the UK. They’re on hand to provide practical remediation guidance throughout the year and ensure a much smoother, more coordinated path to CE+ certification.
“We needed detailed Vulnerability scanning to pass Cyber Essentials Plus, and the ongoing scans from CyberSmart Vulnerability Manager ensure we can continue to remain safe throughout the year. The dashboard provides a great snapshot of how many issues have been, or are needed to be, fixed. I really like the patch management as this automatically fixes a lot of issues. It has saved me a lot of time, and the platform helps me understand how to resolve all the issues.”
– Operations Manager, Age UK Derby & Derbyshire