Cyber Essentials Plus Checklist for 2024

May 8, 2024

The Cyber Essentials UK government-backed scheme is one of the most straightforward information security frameworks (in theory). Why? Well, simply put, regardless of your industry, a baseline foundation of cybersecurity is imperative. We know it, you know it, and your competitors know it. However, it’s one thing to understand the importance of following a strong security standard and a whole other ball game to actually implement the right controls for your specific threat landscape. So, practically speaking – what is Cyber Essentials? Moreso, what’s the fuss about Cyber Essentials Plus, in particular? 

In brief, Cyber Essentials Plus is a part of the Essentials scheme but can be regarded as the ‘higher level.’ When comparing Cyber Essentials with Cyber Essentials Plus, Plus is a more comprehensive and rigorous evaluation that provides a higher level of assurance for your organization’s security, involving external audits and more detailed technical checks.

Understanding Cyber Essentials Plus

To recap, Cyber Essentials has two different types of certifications, both overseen by the National Cyber Security Centre (NCSC) in the UK. Seeing as the Cyber Essentials Plus certification is considered the advanced, more technical certification, this automatically means that the process of obtaining it isn’t as straightforward as its self-assessment counterpart. Here’s how they differ: 

  • Cyber Essentials: 

Cyber Essentials refers to a series of self-assessments. These self-assessments require organizations to gauge their cybersecurity posture and implement the basic controls to cover the most common threats. Most organizations lean towards Cyber Essentials because it is simplistic and provides an excellent starting point for implementing security measures and additional security controls. 

  • Cyber Essentials Plus: 

Cyber Essentials Plus, on the other hand, provides a more comprehensive and rigorous evaluation of an organization’s security posture. Instead of participating in self-assessments, organizations will have to undergo on-site audits by external parties that will do an in-depth assessment of your technical controls. This certification process goes beyond the entry-level Cyber Essentials certification, focusing on fundamental security controls and principles, providing a higher level of assurance for your organization’s security.

Considering the above, you may be questioning which one is best for your business. If you’re on the fence between whether you need Cyber Essentials or Cyber Essentials Plus, read on for our recommendations.

The ISO 27001 Bible

Everything you need to know about compliance!

Download the Whitepaper

Cyber Essentials vs Cyber Essentials plus: Which One to Choose?

Ultimately, all IT leaders are responsible for navigating the complex cybersecurity landscape. This includes choosing the right security framework to implement or which standard to adhere to. So, is self-assessment enough? In our opinion, the stronger your first line of defense, the better. Moreso, when it comes to protecting customer data and information security, clients no longer consider a strong security posture a novelty but rather an essential requirement. With this in mind, Cyber Essentials Plus will add that extra layer of reassurance that your business hasn’t stopped at the bare minimum. 

This brings us to our next point: how exactly does one get Cyber Essentials Plus certified? 

Cyber Essentials Plus Requirements

Fortunately, you’re in luck if you’ve gotten the hang of the Cyber Essentials requirements. The Cyber Essentials and Cyber Essentials Plus requirements are exactly the same in terms of the core security controls they address – both focusing on five core information security controls, namely:

  • Firewall & Internet Gateway
  • Secure Configuration
  • Patching & Updates
  • Access Control
  • Malware Protection

However, things get a bit more complicated when it comes to obtaining the certification. While both certifications cover the same core controls, Cyber Essentials Plus requires these controls to be verified through a more stringent assessment.

Key Components of the Cyber Essentials Plus Checklist

To get Cyber Essentials Plus certified, we must look at the Essentials Scheme as a whole. This means that we must recognize the Cyber Essentials questionnaire. Why? Well, to get ‘Plus’ certified, companies must first obtain the Cyber Essentials certification. The questionnaire helps determine the number of devices and servers that will undergo sampling for the Cyber Essentials Plus assessment. It’s worth noting that servers only require a vulnerability scan rather than a full check. After completing the self-assessment, companies must complete the technical Cyber Plus Assessment within the following three months. This technical audit is performed by the Certification body and includes hands-on verification of system configurations, firewall setups, and access controls.

After the audit has been performed, organizations will be notified whether or not there were any gaps found in the assessment.  It’s crucial to have a remediation plan in place to address these gaps efficiently within the given timeframe. If you do not pass this time, you must take a new application and pay for it again. Here’s how to make sure the first time’s the charm.

Let’s Get Technical: Cyber Essentials Plus Checklist

The Cyber Essentials Plus Certification focuses on the technical aspects of the five fundamental security controls of the Cyber Essentials Plus accreditation. But what are they exactly? Here’s a checklist to make sure you’re on the right track. 

Check Your Firewalls

The F-word – Firewalls! If your business infrastructure operates on the cloud, you must secure all networks that connect to your systems and devices. Think of it as securing the inside of your house by limiting access to those who enter the front door. Essentially, the purpose of a firewall is to create a defense between your IT network or device and any other external networks. When it comes to meeting the scheme’s requirements, it’s essential to:

  • Change all default administrative passwords to more robust, unique alternatives or restrict remote administrative access altogether
  • Set up a default block for any unauthenticated inbound connections
  • Ensure continuous monitoring and logging of firewall activities to detect and respond to unauthorized access attempts.
  • Remove or turn off permissive firewall rules as soon as they become irrelevant
  • Prioritize leading firewall software on devices that are often used on untrusted public networks

Some common best practices regarding firewalls also include managing all remote or home-based workers, ensuring that they have firewalls installed, or working with an office VPN. For your in-office firewall management, you should have a guest network for cases where guests or clients require access to one of your servers, mitigating the attack surface and making your network less susceptible to vulnerabilities. 

Configure Your Network Settings

If your networks and devices are poorly configured, it exposes your entire IT infrastructure to cyber threats. But what is configuration, exactly? In brief, network configuration assigns network settings, policies, flows, and controls. For the Cyber Essentials Plus certification, this means organizations should: 

  • Ensure that account deactivation is part of the employee offboarding process to maintain security;
  • Change default or guessable account passwords to something non-obvious;
  • Remove or turn off unnecessary software;
  • Turn off any auto-run feature that allows file execution without user authorization;
  • Authenticate users using robust methods, such as multi-factor authentication, before enabling Internet-based access to commercially or personally sensitive data.

We recommend organizations develop a password protocol to direct your users, covering strategies for selecting unpredictable passwords, and refraining from reusing passwords across various accounts.

Control User Access

Access control regulates the way in which users can access specific systems, data, and files. Naturally, you wouldn’t want just anyone to have access to sensitive information and data – both internally and externally. This is where user access control becomes imperative. Some guidelines for this requirement include: 

  • Implementing special credentials like Multi-Factor Authentication to grant access. 
  • Using password-based authentication wherever applicable
  • Limiting the number of unsuccessful attempts before the device or system is locked

Protect Against Malware

Malware protection keeps untrusted software from executing on your systems. Practically speaking, this means installing (and regularly updating) anti-malware or anti-virus software and scanning for threats. To meet the Cyber Essentials Plus requirements, be sure to: 

  • Update your software as per vendor recommendations
  • Prevent malware from running and executing malicious codes
  • Prevent connecting to malware-infected websites
  • Maintain an inventory of authorized applications
  • Block users from installing and running applications with an unknown or invalid signature

Update, Update, Update

Often, organizations take a ‘set and forget’ approach to cybersecurity. However, with a changing threat landscape, security systems must also keep pace. Be sure to keep devices and software up to date – for example, by installing patches. This will ensure they are not vulnerable to any known security issues, including newly discovered ones. All software on in-scope devices must be:

  • Licensed and supported
  • Removed from devices when no longer supported
  • Enabled for automatic updates where possible
  • Security patch within 14 days of an update being released


The Cyber Essentials Scope

With the five pillars in mind (as seen above), it’s also important to consider your scope and what exactly would be subject to the aforementioned requirements. For starters, the Cyber Essentials Plus scope is based on the information provided in the baseline Cyber Essentials questionnaire. 

Best practices for the Cyber Essentials Plus certification generally suggest including the entire organization in the scope. However, if this is not possible, organizations can refine their scope to a single network or exclude specific networks where required.

Once the scope is defined, it’s important that all devices and software within the pre-defined scope should adhere to the scheme requirements. Additionally, it’s essential to keep in mind that aside from devices and systems, all cloud services that host organization data or services will also fall into scope.

Essentially Yours! Get Cyber Essentials Plus Certified with Scytale

If there’s one thing you need to know about information security and compliance, it’s that you don’t have to take on the burden alone. In fact, you don’t have to take on the burden at all.

We’ve got your back! 

At Scytale, our friendly compliance experts help you iron out any snags in your IT infrastructure. Moreover, with our all-in-one compliance hub and automated tools, you don’t have to worry about choosing between productivity and compliance. 

Achieve compliance in a fraction of the time with automation that streamlines your entire audit-readiness process toward the Cyber Essentials Plus Certification. The best part? Our compliance experts become an extension of your team, guiding you from strength to strength. 

Ready to secure your baseline? Reach out to our experts here. Alternatively, go beyond the essentials and browse our complete hub of world-leading security standards and compliance frameworks today!