Quick answer: The Cyber Essentials Plus audit samples around 10% of in-scope devices, with a minimum of 1 and a maximum of 30 devices. The assessor, not you, picks the sample, and picks it to give a representative spread across operating systems, device types (laptop, desktop, mobile) and user roles, so a device that is the only one of its kind is very likely to be chosen.
How the sample is calculated
| In-scope devices | Typical sample |
|---|---|
| 1-9 | Usually every in-scope device (never fewer than 1) |
| 10-49 | ~5 devices |
| 50-99 | ~10 devices |
| 100-249 | ~15-20 devices |
| 250+ | Capped at 30 devices |
The assessor will typically ask for a representative mix:
- Each operating system family in use (Windows, macOS, iOS, Android, Linux)
- Each device type (desktop, laptop, tablet, smartphone, server)
- Each major user role (admin / standard user)
- Each major office or remote-worker location
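The sampling rule and the representative-mix criteria above can be turned into a pre-audit exercise against your own asset inventory. The script below is an added example, not part of this page or of any certification body's tooling: it applies the 10% / minimum 1 / maximum 30 rule from the quick answer and then picks devices greedily so that every OS family, device type, user role and location in the inventory is represented wherever the sample size allows. The inventory and hostnames are constructed for illustration, and the greedy selection is this example's own heuristic; the assessor's actual choice is a matter of judgement and may differ.

```python
"""Predict a Cyber Essentials Plus style device sample from an asset inventory.

Added example. The sampling rule (about 10% of in-scope devices, minimum 1,
maximum 30) and the attributes the assessor wants represented come from the
page above; the inventory is constructed sample data and the greedy selection
is this example's own heuristic, not the assessor's method.
"""
import csv
import io
import random
from collections import defaultdict

SAMPLE_PERCENT = 10
MIN_SAMPLE = 1
MAX_SAMPLE = 30
# Attributes the assessor wants represented in the sample.
STRATA = ("os_family", "device_type", "user_role", "location")

# Constructed inventory with hypothetical hostnames.
INVENTORY_CSV = """hostname,os_family,device_type,user_role,location
LON-LT-001,Windows,laptop,standard,London
LON-LT-002,Windows,laptop,standard,London
LON-LT-003,Windows,laptop,admin,London
LON-DT-001,Windows,desktop,standard,London
LON-DT-002,Windows,desktop,standard,London
LON-MAC-001,macOS,laptop,standard,London
LON-MAC-002,macOS,laptop,admin,London
MAN-LT-001,Windows,laptop,standard,Manchester
MAN-LT-002,Windows,laptop,standard,Manchester
MAN-DT-001,Windows,desktop,standard,Manchester
REM-LT-001,Windows,laptop,standard,Remote
REM-LT-002,macOS,laptop,standard,Remote
REM-LT-003,Linux,laptop,admin,Remote
PH-IOS-001,iOS,smartphone,standard,London
PH-IOS-002,iOS,smartphone,standard,Remote
PH-AND-001,Android,smartphone,standard,Manchester
TAB-IOS-001,iOS,tablet,standard,London
SRV-WIN-001,Windows,server,admin,London
SRV-LIN-001,Linux,server,admin,London
SRV-LIN-002,Linux,server,admin,Manchester
"""


def load_inventory(text):
    """Parse the CSV inventory into one dict per device."""
    return list(csv.DictReader(io.StringIO(text)))


def sample_size(device_count):
    """About 10% of in-scope devices, at least 1, at most 30.

    Integer ceiling, so 25 devices gives 3 rather than 2.
    """
    if device_count <= 0:
        return 0
    raw = (device_count * SAMPLE_PERCENT + 99) // 100
    return max(MIN_SAMPLE, min(MAX_SAMPLE, raw, device_count))


def _pairs(device):
    """The (attribute, value) pairs a single device represents."""
    return {(attr, device[attr]) for attr in STRATA}


def representative_sample(devices, target=None, seed=0):
    """Pick `target` devices (default: sample_size of the fleet).

    Greedy set cover: each pick is the device that adds the most attribute
    values not yet represented; once everything is covered, or when several
    devices tie, the order is the seeded shuffle, so runs are reproducible.
    """
    if target is None:
        target = sample_size(len(devices))
    target = min(target, len(devices))
    rng = random.Random(seed)
    remaining = list(devices)
    rng.shuffle(remaining)
    uncovered = set().union(*(_pairs(d) for d in devices))
    chosen = []
    while len(chosen) < target:
        best = max(remaining, key=lambda d: len(_pairs(d) & uncovered))
        chosen.append(best)
        remaining.remove(best)
        uncovered -= _pairs(best)
    return chosen


def coverage_gaps(sample, devices):
    """Attribute values present in the fleet but absent from the sample."""
    fleet_pairs = set().union(*(_pairs(d) for d in devices))
    covered = set().union(*(_pairs(d) for d in sample))
    gaps = defaultdict(list)
    for attr, value in sorted(fleet_pairs - covered):
        gaps[attr].append(value)
    return dict(gaps)


if __name__ == "__main__":
    fleet = load_inventory(INVENTORY_CSV)
    picked = representative_sample(fleet)
    print(f"{len(fleet)} in-scope devices -> sample of {len(picked)}")
    for d in picked:
        print("  ", d["hostname"], *(d[a] for a in STRATA))
    for attr, values in coverage_gaps(picked, fleet).items():
        print(f"not represented ({attr}): {', '.join(values)}")
```

Run it against your real inventory (same column names) and look at the `coverage_gaps` output: it lists the OS families, device types, roles or sites that a strict 10% sample cannot cover, which is exactly where the assessor is likely to add a device or pick the single device of that kind, so those are the ones to check first.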
What testing happens on each sampled device
- Authenticated vulnerability scan — the assessor runs a credentialed scan on the device (logged in, so installed software versions are read directly rather than guessed from the network), looking for missing patches, end-of-life software and vulnerable services
- Patch verification — checks that the OS and major applications have critical and high-severity updates installed within 14 days of release, which is the Cyber Essentials patching window
- Anti-malware test — uses the EICAR test file (and sometimes other harmless files that imitate malware) to confirm the endpoint protection blocks it on download and on access
- MFA enforcement test — the assessor observes a sign-in to each in-scope cloud service and confirms a second factor is demanded
- Account separation check — verifies the day-to-day account is a standard user and that admin rights sit on a separate account used only for administration
- Configuration review — checks that default passwords have been changed, the host firewall is on, disk encryption is enabled and a screen-lock policy is applied
What the external scan covers
Separately from the device sample, the assessor runs an external vulnerability scan against your internet-facing IPs (your office network, any web servers, VPN endpoints). This scan is comprehensive — it covers every IP you’ve declared, not a sample.
How long the audit takes
Total elapsed time: 2-3 weeks typically. Your team’s involvement is around 4-8 hours — mostly the scoping call, scheduling device access, and the findings discussion.
What if a device fails the sample test?
Failures on a sampled device are extrapolated to your whole fleet. If the assessor finds an unpatched browser on one device, they will assume the same issue exists across the estate and ask you to evidence remediation fleet-wide, not just on the device that was tested. Most failures are treated as a conditional pass: fix the issues within 14 days, evidence the fix (usually a retest of the affected devices), and the certification proceeds.
For a deeper read on the audit methodology see our Cyber Essentials Plus audit process guide.