Cyber Essentials Plus — what it means for an SME
We hold Cyber Essentials Plus and have walked dozens of clients through certification. What it covers, what it doesn’t, and what passing demands.
Cyber Essentials Plus comes up in nearly every conversation we have about IT security. It’s the UK government’s baseline scheme — a sensible floor of technical controls that protects against the great majority of opportunistic internet attacks. We’re Cyber Essentials Plus certified ourselves and have taken plenty of clients through it. Here’s a practical view of what the standard actually involves.
The five technical controls
Cyber Essentials covers five areas, all of which sound straightforward and almost none of which are, the first time you audit them honestly:
- Firewalls and routers — the perimeter of your network is configured securely, with default passwords changed and inbound traffic justified.
- Secure configuration — operating systems, devices, and software are deployed with unnecessary services disabled and sensible defaults.
- User access control — the principle of least privilege, applied across cloud and on-prem accounts, with admin privileges separated from day-to-day use.
- Malware protection — endpoint protection that’s actually installed, actually updating, and actually monitored.
- Security update management — patches applied to operating systems and software within the windows the scheme requires.
The difference between Cyber Essentials and Cyber Essentials Plus
The basic Cyber Essentials certification is a self-assessment. You complete a questionnaire, an assessor reviews your answers, and you get certified. It’s a useful exercise — completing it honestly forces a real internal audit — but the assessor never touches your network.
Cyber Essentials Plus is the same standard, independently verified. An external assessor runs vulnerability scans against a sample of your devices and your external infrastructure, attempts to deliver simulated malware, and confirms the controls you claim are actually in place. It’s a meaningfully higher bar.
What clients are usually surprised by
The technical controls are rarely the hard part. Three things tend to be:
- Scope. The certification covers a defined boundary — you have to draw a clear line around what’s in and what’s out, and that includes BYOD devices, contractor laptops, and cloud services.
- Patching cadence. Security updates need to be applied within fourteen days of release for high or critical vulnerabilities. That’s tighter than most SMEs are comfortable with by default.
- Inventory. You need to know what devices exist on your network, what software is on them, and who has admin rights. A surprising number of teams discover they don’t actually know.
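As an added illustration of the patching-cadence and inventory points above (example code written for this article, not any assessor's tooling or a scheme-published check), here is a small audit over a constructed device inventory. The record fields, the fourteen-day deadline counted from the vendor release date, and the treatment of a still-missing patch as "applied today" are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Scheme window for high/critical fixes, as stated in the article.
PATCH_WINDOW = timedelta(days=14)

@dataclass
class DeviceRecord:
    hostname: str
    in_scope: bool               # inside the certification boundary?
    patch_released: date         # vendor release date of the fix
    patch_applied: Optional[date]  # None means the fix is still missing
    severity: str                # vendor rating, e.g. "critical"
    admin_daily_use: bool        # day-to-day account holds admin rights

def patch_overdue(rec: DeviceRecord, today: date) -> bool:
    """True if a high/critical fix was (or still is) outside the window."""
    if rec.severity.lower() not in ("high", "critical"):
        return False
    deadline = rec.patch_released + PATCH_WINDOW
    # A missing patch is judged against today's date, not ignored.
    applied_by = rec.patch_applied or today
    return applied_by > deadline

def audit(records: List[DeviceRecord], today: date) -> Dict[str, List[str]]:
    """Map each in-scope host to the control failures found on it."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        if not rec.in_scope:
            continue  # out-of-boundary devices are not assessed
        issues = []
        if patch_overdue(rec, today):
            issues.append("patch outside 14-day window")
        if rec.admin_daily_use:
            issues.append("admin rights on day-to-day account")
        if issues:
            findings[rec.hostname] = issues
    return findings

# Constructed sample inventory; hostnames and dates are invented.
TODAY = date(2024, 3, 20)
SAMPLE = [
    DeviceRecord("LAPTOP-01", True, date(2024, 3, 1), date(2024, 3, 10), "critical", False),
    DeviceRecord("LAPTOP-02", True, date(2024, 3, 1), None, "critical", True),
    DeviceRecord("CONTRACTOR-01", False, date(2024, 2, 1), None, "high", True),
    DeviceRecord("SERVER-01", True, date(2024, 3, 1), date(2024, 3, 18), "low", False),
]

if __name__ == "__main__":
    for host, issues in audit(SAMPLE, TODAY).items():
        print(host, "->", "; ".join(issues))
```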
Why we recommend it for most clients
For most UK SMEs, Cyber Essentials Plus is the right place to aim. It’s rigorous enough to demonstrably reduce risk, it unlocks government and large-corporate procurement that increasingly requires it, and it’s achievable without enterprise budgets. Beyond it sit ISO 27001 and SOC 2 — much heavier programmes that make sense once you’re selling into regulated sectors at scale, but rarely the right starting point.
If you’re unsure where you stand or want a sober second opinion before you commit to the assessment, get in touch. We’ll do a free pre-flight against the controls and tell you honestly how far off you are.