Cyber Essentials Plus UK 2026: Requirements, Cost & Audit Process Explained

Cyber Essentials Plus 2026 explained for UK SMBs. The five controls, audit process, costs (£1,500–£8,000), timelines and how to pass first time.

Premium guide v1.3 · Updated 17 April 2026

Verified against Ofcom Connected Nations Spring 2026, IASME Cyber Essentials April 2026 standard and current operator pricing.

Quick answer: Cyber Essentials Plus is the audited tier of the UK government’s Cyber Essentials scheme. It verifies — through external vulnerability scans and a sample of your laptops, servers and mobile devices — that the five technical controls (boundary firewalls, secure configuration, access control, malware protection, security update management) are properly in place. Expect £1,500–£8,000 + VAT, 6–12 weeks end-to-end and a one-year certificate. Mandatory for many UK government contracts and increasingly required by enterprise customers.

The five controls — what gets audited

| Control | What the auditor checks | Common failures |
|---|---|---|
| 1. Boundary firewalls & internet gateways | External vulnerability scan of all internet-facing IPs; admin password policy; no default credentials | RDP exposed; default router password; admin web UI exposed |
| 2. Secure configuration | Sample of laptops & servers; unnecessary accounts disabled; auto-run off; software inventory | Old test users still active; auto-run enabled; unused software with vulnerabilities |
| 3. User access control | MFA on cloud admin accounts; least privilege; account lifecycle process | No MFA on M365 admins; shared accounts; ex-staff still have access |
| 4. Malware protection | EDR / AV deployed and updating on every endpoint; sandboxing for downloads; web filtering | EDR not on laptops; no scanning of external drives; missing on Mac fleet |
| 5. Security update management | OS & application patches within 14 days; high-severity within 14 days; unsupported software removed | Java 8 still installed; old Office 2016; pending patches over 30 days |
Cyber Essentials Plus uses external vulnerability scans plus a sample audit of devices — the same techniques an attacker would use, executed by a certified assessor.

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials (basic)

Self-assessment questionnaire scored by IASME. £300–£500 + VAT. Trust-based.

  • Self-assessment 64-question form
  • £300 + VAT (micro), £500 + VAT (small)
  • 5 controls — same as Plus
  • 2-week turnaround
  • No on-site or remote audit
  • Annual renewal

Cyber Essentials Plus

Independently verified. External scans + device sample audit. From £1,500 + VAT. Evidence-based.

  • Includes the basic questionnaire
  • External vulnerability scan
  • Authenticated scan of sample devices
  • Email phishing test (file + link payload)
  • Auditor reviews evidence in person/remote
  • £1,500–£8,000 + VAT
  • Required for most gov contracts

The audit timeline

  1. Week 0–2 · Prep

    Pre-audit gap analysis

    Your assessor (or IT partner) walks the five controls, identifies gaps, and provides a remediation list. Most failures are caught here.

  2. Week 2–3 · Submit

    Complete the questionnaire

    64 questions on IASME’s portal. Pass this first; CE+ requires a passing CE certificate as the prerequisite.

  3. Week 3 · Scan

    External vulnerability scan

    Auditor scans every public IP. Output: list of internet-exposed services and any CVEs.

  4. Week 3–6 · Fix

    Remediate findings

    Patch software, disable RDP, rotate creds, deploy EDR to missing devices, remove EOL apps.

  5. Week 6–7 · Audit day

    Authenticated scan on a random sample (typ. 10–15% of fleet, min 1 of each OS). Test of email filtering with mock payloads. Mobile-device review.

  6. Week 7–8 · Certify

    Certificate issued

    If you pass, IASME issues the certificate within 5 working days. Valid 12 months — no automatic renewal, but most assessors will book the next year.

What it costs in 2026 — by company size

Micro (1–10 staff)

£1,500+VAT

Single site, <15 endpoints. Includes pre-audit help and one re-test if needed.

  • External + authenticated scan
  • Phishing test
  • Mobile device sample
  • Certificate & logo
  • Help with remediation

Medium (50–250)

£6,500+VAT

Larger device samples, multi-site, BYOD policy review.

  • BYOD policy review
  • Multi-site (up to 6)
  • Larger device sample
  • Mobile fleet review
  • Annual renewal discount

How to pass first time

  • Run a pre-audit scan yourself — Nessus, OpenVAS or Tenable.io will find what the assessor will find. Fix it before they look.
  • Enforce MFA on every cloud admin — M365, Google Workspace, AWS, Azure. No exceptions.
  • Patch within 14 days — Windows Update for Business, Intune Update Rings or Jamf for Mac. Document the policy.
  • Remove EOL software — Java 8, Office 2016, old VPN clients. If you must keep them, isolate on VLAN with no internet.
  • Standardise EDR coverage — every laptop, server, virtual machine. No “just for now” gaps.
  • Document a leaver process — auditor will ask “show me what happens when an employee leaves”. Have a one-pager ready.
  • Take a copy of every patch policy — a screenshot of Intune Update Rings is enough evidence.
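As an added example (not code from the guide, IASME or any assessor), the checklist above and the controls table can be turned into a pre-audit gap check: it applies the 14-day patch window, EOL software, EDR coverage, host firewall, auto-run, cloud-admin MFA and leaver rules to an inventory. The device and account record schema, the sample records and the audit date are this example's own assumptions.

```python
# Added example (not the guide's code): CE+ gap check over a constructed inventory.
from datetime import date

AUDIT_DAY = date(2026, 4, 17)             # assumed audit date for the sample
PATCH_WINDOW_DAYS = 14                    # security updates applied within 14 days
EOL_SOFTWARE = {"Java 8", "Office 2016"}  # unsupported software the auditor flags
CLOUD_ADMIN_SERVICES = {"M365", "Google Workspace", "AWS", "Azure"}

# Constructed sample inventory; the record schema is this example's assumption.
DEVICES = [
    {"name": "LT-001", "os": "Windows", "host_firewall": True, "edr": True,
     "autorun": False, "last_patch": date(2026, 4, 10), "software": ["Office 365"]},
    {"name": "MAC-002", "os": "macOS", "host_firewall": True, "edr": False,
     "autorun": False, "last_patch": date(2026, 2, 1), "software": ["Java 8"]},
    {"name": "SRV-003", "os": "Windows Server", "host_firewall": True, "edr": True,
     "autorun": True, "last_patch": date(2026, 4, 1), "software": ["Office 2016"]},
]
ACCOUNTS = [
    {"user": "alice", "service": "M365", "admin": True, "mfa": True, "active": True, "employed": True},
    {"user": "bob", "service": "Azure", "admin": True, "mfa": False, "active": True, "employed": True},
    {"user": "carol", "service": "M365", "admin": False, "mfa": False, "active": True, "employed": False},
]

def device_findings(dev, today):
    """Return the common endpoint failures the guide lists for one device."""
    found = []
    for key, want, msg in (("host_firewall", True, "host-based firewall off"),
                           ("edr", True, "EDR missing"), ("autorun", False, "auto-run enabled")):
        if dev[key] != want:
            found.append(msg)
    days = (today - dev["last_patch"]).days
    if days > PATCH_WINDOW_DAYS:
        found.append(f"patches pending {days} days")
    found += [f"EOL software: {app}" for app in dev["software"] if app in EOL_SOFTWARE]
    return found

def account_findings(acct):
    """Cloud admin without MFA, or a leaver whose account is still active."""
    found = []
    if acct["admin"] and acct["service"] in CLOUD_ADMIN_SERVICES and not acct["mfa"]:
        found.append("cloud admin without MFA")
    if acct["active"] and not acct["employed"]:
        found.append("leaver account still active")
    return found

def gap_report(devices, accounts, today):
    """Name -> findings for every device or account that would fail; clean ones omitted."""
    report = {d["name"]: device_findings(d, today) for d in devices}
    report.update({a["user"]: account_findings(a) for a in accounts})
    return {name: issues for name, issues in report.items() if issues}
```

Run against a real export from your MDM and identity provider, the report is the remediation list for weeks 3 to 6 of the timeline above.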

Bonus tip: compliance audits are easier to run in batches. Many UK landlords pair their Cyber Essentials Plus renewal with their EPC and MEES commercial-property compliance review, especially with the EPC C threshold landing in 2027.

Cyber Essentials Plus — FAQs

Are cloud services in scope?

Yes — the 2022 IASME update brought cloud explicitly into scope. M365, Google Workspace, AWS, Azure and Salesforce all need MFA on admins, patched configurations and an access lifecycle process.

Are home workers' devices in scope?

Yes — any device used for work is in scope, regardless of location. Home routers themselves are out of scope (they’re consumer kit), but the laptop must have its own host-based firewall switched on.

Are mobile phones in scope?

Company-managed phones are in scope. BYOD phones are in scope only if they access organisational data; the typical UK SMB approach is to require MDM enrolment for any device touching work email.

Does it help with cyber insurance?

It demonstrates baseline hygiene, and most cyber insurers offer a discount. For full cover and lower premiums, insurers increasingly want CE+ plus 24/7 SOC monitoring and tested backups.

Written by Andrew, CTO and AI Champion

Andrew is a Chief Technology Officer with over 15 years’ experience in IT and telecommunications, leading the design and delivery of robust, scalable technology solutions.
