Passed Cyber Essentials? Here’s Why You Shouldn’t Delay Cyber Essentials Plus

FAQs

How long do we have to complete Cyber Essentials Plus after Cyber Essentials?

Cyber Essentials Plus must be completed within 3 months of achieving Cyber Essentials. This is because the Plus assessment is linked to the security position confirmed during the original Cyber Essentials certification.

Why is there a 3-month window for Cyber Essentials Plus?

The 3-month window exists because your IT environment can change quickly. New devices, users, software, cloud services, firewall rules and vulnerabilities can all appear within a short period of time. Cyber Essentials Plus needs to test an environment that still closely matches the one declared during your Cyber Essentials assessment.

What happens if we miss the 3-month window?

If you miss the 3-month window, you may need to complete Cyber Essentials again before progressing to Cyber Essentials Plus. This can create extra work and delay the certification process.

Is Cyber Essentials Plus harder than Cyber Essentials?

Cyber Essentials Plus is more in-depth because it includes independent technical testing. Cyber Essentials is based on a verified self-assessment, while Cyber Essentials Plus checks whether the controls are actually working across your systems.

Do we need Cyber Essentials Plus if we already have Cyber Essentials?

Cyber Essentials may be enough for some organisations, but Cyber Essentials Plus provides a higher level of assurance. It is often useful for businesses that work with larger clients, bid for tenders, handle sensitive information, or need to demonstrate stronger cyber security controls.

What is tested during Cyber Essentials Plus?

Cyber Essentials Plus includes technical checks against the five Cyber Essentials control areas: firewalls, secure configuration, user access control, malware protection and security update management. The aim is to confirm that these controls are properly implemented in practice.

Can we prepare for Cyber Essentials Plus before passing Cyber Essentials?

Yes. In fact, it is a good idea to prepare early. Reviewing devices, software, updates, access controls and security settings before certification can make the Cyber Essentials Plus process smoother and reduce the chance of delays.

What are the most common reasons businesses struggle with Cyber Essentials Plus?

Common issues include missing security updates, unsupported software, inconsistent device configuration, excessive admin privileges, unmanaged devices, weak access controls and cloud services that have not been reviewed properly.

Does Cyber Essentials Plus include penetration testing?

No. Cyber Essentials Plus is not the same as a penetration test. It is a technical audit designed to check whether the Cyber Essentials controls are correctly implemented. A penetration test is usually broader and looks for exploitable weaknesses in systems, applications or networks.

How can MCL Cyber help with Cyber Essentials Plus?

MCL Cyber can help your organisation prepare for Cyber Essentials Plus by reviewing your environment, identifying common issues, supporting remediation and helping ensure your systems are ready for technical testing within the required 3-month window.
