Passed Cyber Essentials? Here’s Why You Shouldn’t Delay Cyber Essentials Plus

For many UK businesses, achieving Cyber Essentials is an important first step in proving that basic cyber security controls are in place. It shows customers, suppliers and partners that your organisation takes cyber security seriously and has assessed itself against a recognised UK Government-backed scheme.

But once Cyber Essentials has been achieved, a common question many organisations ask is:

“Why do we need to complete Cyber Essentials Plus within 3 months?”

It is a fair question, especially for businesses that have already spent time gathering information, reviewing systems and completing the Cyber Essentials self-assessment. However, the 3-month window is there for an important reason.

Cyber security is not static. Your IT environment can change quickly, and Cyber Essentials Plus is designed to test whether the controls you declared during Cyber Essentials are actually working in practice.

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials and Cyber Essentials Plus are based on the same core security requirements, but they provide different levels of assurance.

Cyber Essentials is a verified self-assessment. Your organisation answers questions about its IT systems, devices, users, software, access controls, firewalls, malware protection and security updates. The answers are then reviewed as part of the certification process.

Cyber Essentials Plus goes a step further. Instead of relying only on the answers provided in the self-assessment, Cyber Essentials Plus adds independent technical testing carried out by an assessor: typically an external vulnerability scan of your internet-facing systems, authenticated vulnerability scans of a sample of in-scope devices, tests that your malware protection blocks test files arriving by email attachment and browser download, and checks that multi-factor authentication on cloud services and separate administrative accounts are actually configured. This gives a higher level of confidence that the security controls are not only documented, but are also correctly implemented across your organisation.

In simple terms:

Cyber Essentials asks: “Do you have the right controls in place?”

Cyber Essentials Plus checks: “Are those controls actually working?”

This is why Cyber Essentials Plus is often requested by clients, suppliers, insurers and organisations working in regulated or security-conscious sectors.

Why the 3-Month Window Matters

Once you achieve Cyber Essentials, you have a limited window to complete Cyber Essentials Plus. The reason for this is that the Plus assessment is linked to the security position declared in your Cyber Essentials certification.

Within 3 months, a lot can change inside a business.

You may add new laptops, replace old devices, onboard new users, install new software, change firewall rules, introduce new cloud services, or make changes to how staff access company systems. At the same time, new vulnerabilities are disclosed constantly. The scheme expects high and critical security updates to be installed within 14 days of release, and the Plus vulnerability scan checks for exactly that, so a device that was fully patched on the day you submitted your self-assessment can be out of compliance a fortnight later.

The 3-month window helps ensure that the Cyber Essentials Plus audit is still testing an environment that closely matches the one declared during the Cyber Essentials self-assessment.

If too much time passes, the organisation’s IT setup may no longer reflect the original assessment.

What Can Change in 3 Months?

Many businesses underestimate how quickly their IT environment changes. Even small changes can affect Cyber Essentials Plus readiness.

For example:

  • A new employee may be given access to systems they do not need.
  • A laptop may be deployed without the correct security configuration.
  • A firewall rule may be changed to allow temporary access, then forgotten.
  • A device may miss important security updates.
  • Unsupported software may still be installed on a machine.
  • Multi-factor authentication may not be applied consistently.
  • A new cloud platform may be added without being reviewed properly.

Individually, these may seem like small issues. But during a Cyber Essentials Plus assessment, they can create problems.

Cyber Essentials Plus is designed to validate the practical implementation of the five Cyber Essentials controls: firewalls, secure configuration, security update management, user access control and malware protection. If devices are missing patches, if unsupported software is present, or if security settings are not consistent, the organisation may need to remediate those issues before certification can be completed.

Delaying Cyber Essentials Plus Can Create Extra Work

One of the biggest risks of delaying Cyber Essentials Plus is that the work you completed for Cyber Essentials may become outdated.

If Cyber Essentials Plus is left too late, your organisation may need to spend additional time checking devices again, reviewing software versions, confirming user access, validating firewall rules and fixing newly discovered vulnerabilities.

In some cases, businesses may assume they are still ready for Cyber Essentials Plus because they recently passed Cyber Essentials. However, passing the self-assessment does not guarantee that all devices and systems will pass the technical audit later.

The longer you wait, the more likely it is that something has changed.

Completing Cyber Essentials Plus soon after Cyber Essentials helps reduce this risk. Your systems are more likely to be in the same condition, your evidence is still fresh, and your team is already familiar with the requirements.

Why Cyber Essentials Plus Gives Stronger Assurance

Cyber Essentials is valuable because it helps organisations focus on five key technical controls that protect against common internet-based cyber threats.

However, Cyber Essentials Plus provides stronger assurance because it includes independent technical checks. This can be especially useful when working with clients or suppliers who need more confidence in your security posture.

Cyber Essentials Plus can help demonstrate that your organisation has taken additional steps to verify its security controls, rather than simply declaring them through a questionnaire.

For many businesses, this can support:

  • Supplier assurance requirements
  • Tender and procurement processes
  • Client confidence
  • Internal security improvement
  • Insurance discussions
  • Compliance expectations
  • Board-level reporting

It also helps identify practical security issues that may not be obvious during a self-assessment.

A Simple Example

Imagine a business passes Cyber Essentials in January.

At the time of the assessment, all laptops are updated, antivirus is enabled, admin access is controlled, and firewall settings are reviewed.

In February, the company hires three new staff members. New laptops are set up quickly, but one device misses several important updates. Another still has unnecessary software installed. A temporary firewall rule is also added to support remote access for a supplier.

By March, the organisation applies for Cyber Essentials Plus.

During the technical testing, these issues may be identified and need to be fixed before certification can be completed.

This does not mean the organisation has poor security. It simply shows how quickly small operational changes can affect compliance.

That is why it is better to prepare for Cyber Essentials Plus as soon as possible after passing Cyber Essentials.

How to Prepare for Cyber Essentials Plus

The best approach is to treat Cyber Essentials and Cyber Essentials Plus as one connected process, rather than two separate projects.

Before the Plus assessment, organisations should review:

  • Which devices are in scope
  • Whether all operating systems and applications are supported
  • Whether security updates are installed
  • Whether malware protection is enabled
  • Whether firewalls are correctly configured
  • Whether user accounts follow least privilege principles
  • Whether admin accounts are controlled
  • Whether multi-factor authentication is applied where required
  • Whether cloud services are included in the scope
  • Whether any new systems have been added since Cyber Essentials
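
As an added example (not part of the original post, and not MCL Cyber's or the scheme's own tooling), the following read-only PowerShell script turns the device-level items in that checklist into something you can run on each in-scope Windows endpoint before the audit. It assumes Microsoft Defender and Windows Firewall are in use and that the Windows Update agent can reach its update source. The 14-day threshold is the scheme's patching expectation; treating the MSRC rating "Important" as the scheme's "high", the 7-day signature-age limit and the short list of known end-of-life products are this example's own assumptions. Cloud items such as multi-factor authentication are not covered here, because they are checked in the tenant rather than on the device.

```powershell
# Added example, not MCL Cyber's or the Cyber Essentials scheme's own tooling.
# Read-only pre-audit readiness check for one in-scope Windows 10/11 endpoint.
# Run from an elevated PowerShell 5.1 or 7 prompt; it reports, it changes nothing.
# Assumptions: Microsoft Defender and Windows Firewall are in use, and the
# Windows Update agent can reach its update source.

$ErrorActionPreference = 'Stop'
$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding { param([string]$Text) $findings.Add($Text) }

# Thresholds. 14 days is the scheme's expectation for high/critical updates.
# 7 days for signatures and mapping MSRC 'Important' to 'high' are this
# example's own assumptions, not scheme requirements.
$MaxPatchAgeDays     = 14
$MaxSignatureAgeDays = 7
$HighSeverities      = @('Critical', 'Important')

# --- Operating system: record version and build for checking against the vendor lifecycle table
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"OS: $($os.Caption), build $($os.BuildNumber), last boot $($os.LastBootUpTime)"

# --- Security update management: anything the Windows Update agent still has outstanding
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    "Pending software updates: $($pending.Count)"
    foreach ($u in $pending) {
        $ageDays = ((Get-Date) - $u.LastDeploymentChangeTime).Days
        $sev     = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        if ($sev -in $HighSeverities -and $ageDays -gt $MaxPatchAgeDays) {
            Add-Finding "$sev update outstanding for $ageDays days: $($u.Title)"
        }
    }
} catch {
    Add-Finding "Could not query Windows Update: $($_.Exception.Message)"
}

# --- Malware protection: Defender enabled, real-time protection on, signatures recent
try {
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { Add-Finding 'Defender antivirus is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { Add-Finding 'Defender real-time protection is off' }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        Add-Finding "Defender signatures are $($mp.AntivirusSignatureAge) days old"
    }
} catch {
    Add-Finding "Could not query Microsoft Defender: $($_.Exception.Message)"
}

# --- Firewalls: every profile enabled and none defaulting to allow inbound connections
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') { Add-Finding "Firewall profile '$($p.Name)' is not enabled" }
    if ($p.DefaultInboundAction -eq 'Allow') {
        Add-Finding "Firewall profile '$($p.Name)' allows inbound connections by default"
    }
}

# --- User access control: list local admins and flag a console user who is one of them.
#     The scheme expects day-to-day accounts to be separate from administrative accounts.
$admins  = @(Get-LocalGroupMember -Group 'Administrators')
"Local Administrators: $(($admins.Name) -join ', ')"
$console = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName   # DOMAIN\user, or null
if ($console -and ($admins.Name -contains $console)) {
    Add-Finding "Logged-on user $console is a local administrator; use a separate standard account for daily work"
}

# --- Secure configuration: installed software for review against vendor support status.
#     The end-of-life pattern list is illustrative (all four are out of vendor support)
#     and must be maintained by hand against vendor lifecycle pages.
$EolPatterns   = @('Adobe Flash Player', 'Microsoft Office 2010', 'Microsoft Office 2013', 'Java 7')
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
foreach ($a in $apps) {
    foreach ($pat in $EolPatterns) {
        if ($a.DisplayName -like "*$pat*") {
            Add-Finding "Out-of-support software present: $($a.DisplayName) $($a.DisplayVersion)"
        }
    }
}
"Installed applications ($($apps.Count)); review each against its vendor's support lifecycle:"
$apps | Format-Table -AutoSize | Out-String -Width 160

# --- Summary. Anything listed here is something the Plus assessor's scan is likely to find too.
if ($findings.Count -eq 0) { 'No readiness findings on this device.' }
else { 'Readiness findings:'; $findings | ForEach-Object { " - $_" } }
```

Run it on a representative sample of devices (the assessor will pick a sample too), keep the output with your other readiness evidence, and treat every line under "Readiness findings" as remediation work to complete before the Plus assessment is booked rather than something to explain on the day.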

This preparation can make the Cyber Essentials Plus process smoother and reduce the chance of delays.

Why Businesses Should Act Quickly

If your organisation has recently achieved Cyber Essentials and is considering Cyber Essentials Plus, it is best not to leave it until the end of the 3-month period.

Starting early gives you more time to identify and fix issues before the audit. It also reduces pressure on your internal team and helps avoid last-minute remediation work.

Cyber Essentials Plus is not just about achieving another certificate. It is about validating that the controls protecting your organisation are actually working.

For businesses that rely on client trust, handle sensitive information, work in supply chains, or want to strengthen their cyber security posture, Cyber Essentials Plus is a valuable next step.

How MCL Cyber Can Help

MCL Cyber supports organisations through both Cyber Essentials and Cyber Essentials Plus.

If you have already passed Cyber Essentials, we can help you prepare for the Cyber Essentials Plus audit by reviewing your environment, identifying common issues, supporting remediation and helping ensure your systems are ready for technical testing.

Completing Cyber Essentials Plus within the required window does not need to be stressful. With the right preparation, it can be a smooth and valuable process that gives your organisation stronger assurance and greater confidence.

Ready to Take the Next Step?

If your organisation has recently achieved Cyber Essentials and wants to progress to Cyber Essentials Plus, MCL Cyber can help you prepare before your 3-month window closes.

Contact MCL Cyber today to discuss Cyber Essentials Plus readiness and how we can support your certification journey.
