The Cyber Essentials Plus technical assessment is the moment of truth. Unlike the basic Cyber Essentials certification — which relies on a self-assessment questionnaire — Cyber Essentials Plus puts your IT environment under the microscope. An accredited assessor will scan your devices, test your defences, and verify that the security controls you claimed to have in place are actually functioning as intended.
For many UK organisations, the prospect of this assessment can be daunting, particularly if they have never been through the process before. What exactly will the assessor test? What tools will they use? What does a typical assessment day look like? And most importantly, how can you prepare to ensure you pass?
This guide walks you through every element of the Cyber Essentials Plus technical assessment, based on the current IASME assessment methodology and our experience supporting hundreds of UK organisations through the process.
Before the Assessment Day
The technical assessment does not begin when the assessor arrives (virtually or physically). There is important groundwork that happens in the days and weeks leading up to the assessment.
Scheduling and Scoping
When you book your Cyber Essentials Plus assessment, the certification body will work with you to define the scope. This scope should match the scope declared in your basic Cyber Essentials certification. The assessor needs to know what types of devices are in scope (Windows desktops, laptops, macOS devices, Linux servers, mobile devices, network equipment), how many of each, and how they are managed.
The assessor will select a representative sample of devices for testing. They will not test every single device in your organisation — that would be impractical for all but the smallest companies. Instead, they will choose a cross-section that includes different device types, operating systems, and management methods to ensure that the sample is representative of your overall estate.
Do not assume that because the assessor samples only a handful of devices, you can prepare only those devices. The assessor selects the sample, not you. Any device within scope could be chosen, so every device must be ready. Attempting to steer the assessor towards your best-maintained devices will raise red flags.
Pre-Assessment Preparation
In the week before your assessment, you should conduct your own final checks. This is your last opportunity to identify and fix any issues before the assessor finds them.
Run Windows Update (or the equivalent for your operating systems) on all devices and verify that all updates have been successfully installed. Check that all third-party applications are at their current versions. Verify that malware protection is active and up to date on every device. Confirm that no users are running day-to-day tasks with administrator privileges. And if you are using cloud services like Microsoft 365, ensure that multi-factor authentication is enabled for all accounts.
The Five Assessment Areas
The Cyber Essentials Plus assessment tests your compliance across the same five control areas as the basic certification, but with hands-on technical verification rather than self-declaration.
| Control Area | What the Assessor Tests | Tools Typically Used |
|---|---|---|
| Firewalls | Boundary firewall configuration, software firewall status, open ports, default credentials | External vulnerability scanner (e.g., Nessus, Qualys) |
| Secure Configuration | Default passwords changed, unnecessary services disabled, auto-run disabled | Device inspection, configuration review |
| Access Control | Admin vs. standard accounts, password policies, MFA status, account hygiene | Account enumeration, policy review |
| Malware Protection | AV/EDR status, signature currency, real-time protection, EICAR test | EICAR test files, management console review |
| Security Update Management | OS patch levels, third-party app versions, end-of-life software presence | Vulnerability scanner, manual inspection |
Element 1: External Vulnerability Scan
The assessment typically begins with an external vulnerability scan of your internet-facing infrastructure. This scan examines your public IP addresses and any services exposed to the internet, looking for known vulnerabilities, misconfigurations, and unnecessary open ports.
The assessor will use a professional vulnerability scanning tool — commonly Nessus, Qualys, or a similar product — to probe your external attack surface. The scan looks for things like unpatched web servers, exposed management interfaces, SSL/TLS configuration weaknesses, and any services running on non-standard ports.
For many small businesses, the external attack surface is relatively small — perhaps just a router with a public IP address and a handful of cloud services. For larger organisations with web servers, VPN concentrators, mail servers, or other internet-facing infrastructure, the external scan is more comprehensive and more likely to uncover issues.
What Causes Failures
The most common external scan failures we see are unpatched VPN appliances (a persistent problem since the wave of VPN vulnerabilities in 2019–2024), TLS services that still offer weak cipher suites or weak protocol versions, web servers running outdated software, and router firmware that has not been updated. Remote Desktop Protocol (RDP) exposed directly to the internet — without being behind a VPN — is also a common and serious finding.
Element 2: Internal Device Assessment
After the external scan, the assessor turns their attention to your internal devices. This is typically the most extensive part of the assessment, and the area where most failures occur.
The assessor will connect to a sample of your devices — either remotely via screen sharing or by physically attending your office — and examine their configuration. For each sampled device, they will check the operating system patch level and installed updates, the versions of all installed applications (particularly browsers, browser plugins, office suites, PDF readers, and other internet-facing software), whether the user account has administrator privileges, the status and currency of malware protection, and the configuration of the local firewall.
The assessor may also run a local vulnerability scan on the sampled devices to identify any vulnerabilities that might not be apparent from a visual inspection. This scan can reveal hidden issues such as outdated Java runtimes, vulnerable browser plugins, or legacy software components that are not visible in the standard programs list.
What to Expect on the Day
If the assessment is conducted remotely (which is increasingly common), the assessor will typically ask you to join a video call and share your screen while they guide you through a series of checks. They may ask you to open specific settings panels, run commands in the command prompt or PowerShell, navigate to particular system directories, or install and run their scanning tools.
The process is straightforward but can feel invasive if you are not prepared for it. The assessor is not looking for perfection — they are looking for compliance with the Cyber Essentials requirements. If everything is properly patched, configured, and managed, the assessment should proceed smoothly.
Element 3: Malware Protection Testing
One of the more interesting elements of the assessment is the malware protection test. The assessor will verify not just that malware protection software is installed and running, but that it actually works.
The standard test involves downloading EICAR test files — harmless files specifically designed to trigger antivirus detection — onto the sampled devices. The EICAR test file is a standardised test string that every legitimate antivirus product should detect and block. If your malware protection is functioning correctly, it should prevent the file from being downloaded, or detect and quarantine it immediately upon download.
The assessor will typically test multiple EICAR variants, including the standard text file, a compressed ZIP version, and a double-compressed version. They may attempt downloads through different channels (direct browser download, email attachment) to verify that protection is comprehensive.
Before your assessment, test the EICAR file yourself. Visit eicar.org and attempt to download the test files on each of your in-scope devices. If any device fails to detect or block the files, investigate and resolve the issue before the assessor arrives.
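To make the self-test above repeatable across a fleet, here is an added PowerShell example (written for this guide, not an IASME or assessor tool, and not the official eicar.org download) that writes the three EICAR variants the assessor typically uses, the plain file, a ZIP and a double ZIP, into a folder and reports how the installed malware protection responded. The function name, the default wait time and the output format are assumptions. The EICAR string is assembled from two halves only so that the script file itself is not quarantined before it runs; the bytes written to disk are the standard 68-character test string. This exercises the on-write and on-access path; the browser and e-mail download paths should still be checked via eicar.org as the text suggests.

```powershell
# Added example for pre-assessment checks: write EICAR test variants and report whether
# the endpoint's malware protection blocks them. Run as the normal day-to-day user.

function New-ZipBytes([string]$EntryName, [byte[]]$Content) {
    # Builds a ZIP archive entirely in memory so a quarantined plain file never blocks
    # creation of the compressed variants.
    Add-Type -AssemblyName System.IO.Compression
    $ms  = [IO.MemoryStream]::new()
    $zip = [IO.Compression.ZipArchive]::new($ms, [IO.Compression.ZipArchiveMode]::Create, $true)
    $stream = $zip.CreateEntry($EntryName).Open()
    $stream.Write($Content, 0, $Content.Length)
    $stream.Dispose()
    $zip.Dispose()
    $ms.ToArray()
}

function Test-EicarDetection {
    param(
        [string]$Directory = $env:TEMP,   # assumed default; use a folder the user can write to
        [int]$WaitSeconds = 10            # time allowed for asynchronous quarantine after the write
    )
    # The standard EICAR test string, split in two so the script is not itself flagged.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $plain = [Text.Encoding]::ASCII.GetBytes($eicar)
    $zip1  = New-ZipBytes 'eicar.com' $plain
    $zip2  = New-ZipBytes 'eicar.zip' $zip1        # double-compressed variant

    $variants = [ordered]@{ 'eicar.com' = $plain; 'eicar.zip' = $zip1; 'eicar2.zip' = $zip2 }
    foreach ($name in $variants.Keys) {
        $path = Join-Path $Directory $name
        $outcome = 'NOT DETECTED'
        try {
            [IO.File]::WriteAllBytes($path, $variants[$name])
            Start-Sleep -Seconds $WaitSeconds
            if (-not (Test-Path $path)) {
                $outcome = 'detected: file removed after write'
            } else {
                # Some products leave the file but block any attempt to open it.
                try   { [void][IO.File]::ReadAllBytes($path) }
                catch { $outcome = 'detected: read blocked (' + $_.Exception.Message + ')' }
            }
        } catch {
            # Real-time protection usually fails the write itself with a "contains a virus" error.
            # Any other write error (permissions, missing folder) also lands here, so keep the message.
            $outcome = 'detected: write blocked (' + $_.Exception.Message + ')'
        }
        Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Variant  = $name
            Pass     = ($outcome -ne 'NOT DETECTED')
            Outcome  = $outcome
        }
    }
}

# Usage: run on each in-scope device and keep the output as evidence for your own records.
Test-EicarDetection | Format-Table -AutoSize -Wrap
```

Any row reporting NOT DETECTED means that device would fail the assessor's EICAR check; a row that reports a write error unrelated to malware detection (for example a permissions problem) should be re-run from a writable folder before you draw a conclusion.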
Element 4: Access Control Verification
The assessor will verify that your access control measures meet the Cyber Essentials requirements. This includes checking that standard users do not have local administrator privileges on their devices, that there is a separate administrator account for tasks that require elevated privileges, that password policies meet the minimum requirements, and that multi-factor authentication is enabled on cloud services.
For cloud services — particularly Microsoft 365, Google Workspace, and similar platforms — the assessor will check that MFA is enforced for all user accounts, not just administrative ones. They may ask to see the MFA configuration in your admin console or ask a user to demonstrate the MFA process during login.
The assessor will also check for the presence of default accounts. On network devices like routers and firewalls, default administrative accounts should have had their passwords changed. On workstations and servers, built-in administrator accounts should be disabled or have strong, unique passwords.
Element 5: Configuration and Firewall Review
The final assessment element covers secure configuration and firewall management. The assessor will check that the Windows Firewall (or equivalent) is enabled on all sampled devices, that the boundary firewall is configured to block inbound connections by default (allowing only explicitly authorised traffic), that unnecessary services and features are disabled, and that auto-run is disabled for removable media.
For your boundary firewall (typically your router), the assessor may ask to see the management interface to review the firewall rules, check for open ports, and verify that the default administrative password has been changed. If your router is managed by your ISP, you should still be able to access its management interface to verify these settings.
The Assessment Timeline
A typical Cyber Essentials Plus assessment for a small to medium-sized organisation takes between half a day and two full days. The exact duration depends on the number and diversity of devices in scope, whether the assessment is conducted remotely or on-site, and whether any issues are discovered that require investigation.
For a small business with a homogeneous IT environment (for example, 20 Windows laptops all managed through Intune), the assessment can often be completed in a single morning. For a larger organisation with multiple operating systems, servers, and complex network infrastructure, allow two full days.
What Happens If Issues Are Found
If the assessor discovers issues during the assessment, the outcome depends on the severity and nature of the findings. Minor issues — such as a single application being one version behind, or a non-critical patch that is a few days overdue — may be noted but may not cause a failure, depending on the assessor's judgement and the specific circumstances.
More serious issues — such as critical unpatched vulnerabilities, users running with administrator privileges, disabled malware protection, or end-of-life software — will result in a failure of that assessment element. When this happens, the certification body will typically provide a remediation period (usually around 30 days) during which you can fix the identified issues and submit for a targeted re-test.
The re-test focuses specifically on the failed elements rather than repeating the entire assessment. If you pass the re-test, your certificate is issued. If the failures are too severe or too numerous for remediation within the allowed window, you may need to undertake a completely new assessment.
Preparing for Success
The organisations that pass their Cyber Essentials Plus assessment first time are invariably those that have prepared thoroughly. Here is a practical preparation timeline that we recommend to our clients.
Four weeks before the assessment: Conduct a comprehensive internal audit. Run vulnerability scans, check all devices for patch compliance, review user accounts and privileges, verify malware protection status, and test firewall configurations. Create a remediation plan for any gaps identified.
Two weeks before: Complete all remediation work. Apply outstanding patches, remove end-of-life software, reconfigure any non-compliant settings, and address all findings from your internal audit.
One week before: Run a final verification scan. Ensure that all remediation has been successful and that no new issues have arisen since the initial audit (new patches may have been released, for example). Test the EICAR files on all device types.
Day before: Run Windows Update on all devices one final time. Check that malware signatures are current. Brief any staff members who will need to provide the assessor with device access.
Assessment day: Ensure that all in-scope devices are powered on and connected to the network. Have an IT contact available to assist the assessor throughout the day. Maintain access to administrative consoles for cloud services, endpoint management tools, and network equipment.
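The internal audit, final verification and day-before steps above, like the checks listed under Pre-Assessment Preparation, all come down to the same handful of questions on each Windows device. The following PowerShell script is an added example for this guide (not an IASME, NCSC or assessor tool) that answers them for one endpoint and exports the installed-software list for version comparison. The function names, the pass thresholds (no pending Windows updates, Defender signatures no more than one day old, AutoRun disabled for every drive type via NoDriveTypeAutoRun = 0xFF) and the CSV file name are assumptions; adjust them to your own policy. It reads state only, needs no elevation, and should be run as the user's day-to-day account so that the administrator-membership check is meaningful. Cloud MFA enforcement is not covered here and must be verified in the relevant admin console.

```powershell
# Added example: pre-assessment readiness self-check for a single Windows endpoint.
# Run as the normal day-to-day user (no elevation). Changes nothing on the device.

function Get-CePlusReadiness {
    $results = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Area, $Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Area = $Area; Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Security updates: ask the Windows Update agent for applicable updates not yet installed.
    try {
        $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
        $pending  = @($searcher.Search('IsInstalled=0 and IsHidden=0').Updates | ForEach-Object { $_.Title })
        & $add 'Security Update Management' 'No pending Windows updates' ($pending.Count -eq 0) ($pending -join '; ')
    } catch {
        & $add 'Security Update Management' 'No pending Windows updates' $false "Windows Update query failed: $_"
    }

    # 2. Malware protection (Microsoft Defender). A third-party product needs its own console check.
    try {
        $mp = Get-MpComputerStatus
        $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 1)
        & $add 'Malware Protection' 'Defender enabled, real-time protection on, signatures <= 1 day old' $ok "signature age: $($mp.AntivirusSignatureAge) day(s)"
    } catch {
        & $add 'Malware Protection' 'Defender status' $false "Get-MpComputerStatus failed (third-party AV installed?): $_"
    }

    # 3. Access control: the day-to-day account must not be a member of local Administrators.
    #    Direct members only; nested domain-group membership is not expanded here.
    $me        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue | ForEach-Object { $_.SID.Value })
    & $add 'Access Control' "Current user ($($me.Name)) not in local Administrators" ($adminSids -notcontains $me.User.Value) "direct members: $($adminSids.Count)"

    # 4. Built-in Administrator account (RID 500) should be disabled.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    & $add 'Access Control' 'Built-in Administrator account disabled' (-not $builtin.Enabled) "account name: $($builtin.Name)"

    # 5. Software firewall: every profile enabled and not allowing inbound traffic by default.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
        & $add 'Firewalls' "Profile '$($p.Name)' enabled, inbound not Allow by default" $ok "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
    }

    # 6. Secure configuration: AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)
    #    in either the machine or the user policy hive.
    $autorunOff = $false
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { $autorunOff = $true }
    }
    & $add 'Secure Configuration' 'AutoRun disabled for all drive types' $autorunOff ''

    $results
}

function Get-InstalledSoftware {
    # Installed applications and versions from the Uninstall registry keys (64-bit, 32-bit, per-user),
    # for comparison against the vendors' current releases and for spotting end-of-life products.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

# Usage: review the readiness table, then compare the exported software list against vendor versions.
Get-CePlusReadiness | Format-Table Area, Check, Pass, Detail -AutoSize -Wrap
Get-InstalledSoftware | Export-Csv -Path "$env:COMPUTERNAME-software.csv" -NoTypeInformation
```

Treat every row with Pass = False as a remediation item for the two-weeks-before step, and re-run the script in the one-week and day-before steps to confirm nothing has regressed, for example because a new cumulative update has been released since the first audit.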
Remote vs. On-Site Assessments
Since the pandemic, the majority of Cyber Essentials Plus assessments are conducted remotely. This is generally more convenient for both the organisation and the assessor, and it works well for most environments. Remote assessments are conducted via screen sharing, with the assessor guiding you through the checks and running their tools through the shared session.
On-site assessments may be preferred or required for organisations with complex network infrastructure, air-gapped systems, or devices that cannot be accessed remotely. Some organisations also prefer on-site assessments because they find the face-to-face interaction more comfortable and the communication clearer.
The technical rigour of the assessment is identical regardless of whether it is conducted remotely or on-site. The same checks are performed, the same tools are used, and the same standards apply.
After the Assessment
Once the assessment is complete and all elements have been passed, the certification body will issue your Cyber Essentials Plus certificate. This typically happens within two to five business days of a successful assessment. The certificate is valid for 12 months, after which you will need to renew by undergoing a new assessment.
Your certification will be listed on the NCSC's official register of Cyber Essentials certified organisations, which is publicly searchable. This provides independent verification of your certification status that you can direct clients, partners, and procurement teams to.
Between assessments, it is crucial to maintain the security controls that earned you the certification. The certificate represents a snapshot of your security posture at the time of assessment — if your controls deteriorate over the following 12 months, you may face difficulties at renewal, and more importantly, you may be leaving your organisation exposed to the threats that Cyber Essentials is designed to mitigate.
The technical assessment may feel intimidating the first time around, but with proper preparation, it is a straightforward process that most organisations navigate successfully. The key is to treat it not as a hurdle to overcome but as a valuable health check for your IT security — one that identifies genuine risks and drives meaningful improvements in your organisation's cyber resilience.
Prepare for Your Assessment with Confidence
Our team provides comprehensive pre-assessment support, including gap analysis, remediation guidance, and mock assessments. We ensure you know exactly what to expect and are fully prepared to pass first time.
Explore Cyber Essentials Plus Services
