Cyber Essentials Plus is the highest level of certification achievable under the UK’s National Cyber Security Centre (NCSC) backed scheme. The scheme helps organisations ensure they have effectively implemented the baseline security controls to protect against common cyber attacks.
The Cyber Essentials Plus certification builds upon the Cyber Essentials self-assessment questionnaire, requiring a hands-on evaluation of your organisation’s security controls by a skilled technical consultant. The certification was designed to be achievable by all organisations no matter the size and offers a cost-effective way for them to identify flaws in their basic security controls. For more information on the pricing of Cyber Essentials and Cyber Essentials Plus, please click here.
On 28th April 2025, the new ‘Willow’ scheme update will go live and introduce new requirements that will affect both the Cyber Essentials and Cyber Essentials Plus assessments. This guide will walk you through the requirements to achieve Cyber Essentials Plus certification, including the changes this year and how to prepare to pass first time.
Key Cyber Essentials Plus Changes for 2025
Changes to Vulnerability Remediation Requirements: Under the previous scheme, when devices were scanned, we were looking for any vulnerabilities rated high/critical risk by the vendor (CVSSv3 base score of 7.0 or above) where a patch had been released more than 14 days earlier. All vulnerabilities that were configuration/non-patch based fell out of scope. Under the Willow scheme, all configuration/non-patch-based findings now come into scope. Effectively this means that any high/critical-risk vulnerabilities identified during the device scans will need to be remediated if the fix/patch has been available for over 14 days.
Scoping Verification Requirements: The new scheme has provided clearer guidance around verifying the Cyber Essentials and Cyber Essentials Plus scopes match. Where the scope for Cyber Essentials is not ‘Whole Organisation’, it must be verified that the subsets of the organisation in scope have been properly segregated. This shouldn’t cause a problem as long as there is a firewall (or equivalent physical/logical barrier) between the in-scope and out-of-scope networks.
Cyber Essentials Plus Scoping Guidelines for 2025
The Cyber Essentials Plus scope will be based upon the information provided when filling out the Cyber Essentials questionnaire. It is always recommended to keep the scope as ‘Whole Organisation’ where possible to ensure the maximum possible coverage of your organisation. However, the scope can be refined to a single network or to exclude specific networks (subsets of the organisation) where required.
All devices and software within the agreed scope that meet any of the following criteria will need to adhere to the scheme requirements:
- can accept incoming network connections from untrusted internet-connected hosts
- can establish user-initiated outbound connections to devices via the internet
- control the flow of data between any of the above devices and the internet
All cloud services that host organisation data or services will also fall into scope by default (including SaaS, PaaS and IaaS services).
There are some additional circumstances where devices owned by third parties/BYOD devices will fall out of scope of the assessment. Please check the below table to identify whether a device will fall out of scope:
For expert guidance on how to scope your Cyber Essentials/Cyber Essentials Plus assessment, please contact us for a free consultation. More information can also be found here: Cyber Essentials Requirements for IT Infrastructure v3.2.
What does Cyber Essentials Plus Certification Involve?
To achieve Cyber Essentials Plus certification, your organisation must undergo and pass a technical hands-on assessment. This must be completed within three months of your baseline Cyber Essentials certificate being issued.
The assessment involves several checks, all of which must be compliant with the Cyber Essentials scheme requirements for the certificate to be awarded. The process for achieving Cyber Essentials Plus is outlined as follows:
1. The applicant organisation completes the Cyber Essentials questionnaire and obtains the basic certification.
2. The questionnaire determines the number of end-user devices and servers to be sampled for the Cyber Essentials Plus assessment (servers are only sampled where they have a user-accessible desktop GUI and only require a vulnerability scan, not full checks).
3. Your assessor will get preparations in place for the assessment, including obtaining your internet-facing IP addresses and offering installation guides for software required on sampled machines.
4. The assessment is conducted by your assessor (the checks are outlined in the following sections). Your organisation will either pass the assessment or receive feedback on areas requiring remediation to achieve scheme compliance.
5. The applicant organisation addresses the feedback and repeats step 4.
External Network Vulnerability Scan
The assessor will conduct an external network vulnerability scan on the organisation’s internet-facing IP addresses to identify vulnerabilities on your external network perimeter.
In order for this check to be compliant, all high and critical-risk vulnerabilities (those with a CVSSv3 score of 7.0 or higher) will need to be remediated.
An evaluation will also be conducted on the internet-facing services identified to check that the basic security controls have been implemented.
End-User Device/Server Vulnerability Scans
The assessor will conduct a vulnerability scan against all sampled workstations and servers that have a desktop GUI (i.e. those that are not purely command-line based) to identify any high and critical-risk vulnerabilities where a fix has been available for over 14 days.
To pass this check, all high/critical-risk vulnerabilities will need to be remediated.
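To make the pass/fail rule concrete, here is an added example (not part of this guide and not Predatech's assessment tooling) that applies the thresholds above to a constructed set of scan findings: CVSSv3 7.0 or higher, a fix available for more than 14 days, and a switch showing how the Willow change brings configuration findings into scope. The finding format and the sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Thresholds stated in the guide: CVSSv3 7.0+ is high/critical, 14-day fix window.
CVSS_THRESHOLD = 7.0
FIX_GRACE_DAYS = 14


@dataclass
class Finding:
    host: str
    title: str
    cvss_v3: float
    kind: str                     # "patch" (vendor patch missing) or "config" (misconfiguration)
    fix_released: Optional[date]  # date the patch/config fix became available; None if no fix yet


def must_remediate(f: Finding, scan_date: date, willow: bool = True) -> bool:
    """True if this finding would fail the CE+ device scan check.
    willow=False reproduces the pre-April-2025 rule that ignored config findings."""
    if f.cvss_v3 < CVSS_THRESHOLD:
        return False            # medium/low risk: reported, but not a fail
    if f.kind == "config" and not willow:
        return False            # old scheme: configuration findings out of scope
    if f.fix_released is None:
        return False            # no fix yet, so the 14-day clock has not started
    return (scan_date - f.fix_released).days > FIX_GRACE_DAYS


def triage(findings: List[Finding], scan_date: date, willow: bool = True) -> List[Finding]:
    """Return the findings that must be fixed before the assessment can pass."""
    return [f for f in findings if must_remediate(f, scan_date, willow)]


# Constructed sample scan output (not real scan data); scan run on 12 May 2025.
SCAN_DATE = date(2025, 5, 12)
SAMPLE_FINDINGS = [
    Finding("ws01", "Browser three releases behind", 8.8, "patch", date(2025, 4, 1)),
    Finding("ws01", "OS update released last week", 7.5, "patch", date(2025, 5, 5)),
    Finding("ws02", "SMB signing not required", 7.3, "config", date(2024, 1, 1)),
    Finding("ws02", "Weak TLS cipher offered", 5.3, "config", date(2024, 1, 1)),
    Finding("srv01", "Vendor has not released a patch", 9.8, "patch", None),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, SCAN_DATE):
        print(f"FAIL {f.host}: {f.title} (CVSSv3 {f.cvss_v3})")
```

Run against the sample, only the outdated browser and the SMB signing misconfiguration fail under Willow; with `willow=False` the SMB finding drops out, which is exactly the 2025 change.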
Testing General Malware Protections
The assessor will check the antivirus software installed on the in-scope workstations to ensure the engine is up to date and, where signature-based software is used, that the signatures are up to date. The antivirus engine should have been updated within the last 30 days and the signatures (if applicable) within the last 24 hours.
For mobile devices, the assessor will run through several checks to ensure that the device has been effectively configured to prevent malware from being downloaded and installed on the device (including checks against device certificates and Android special installation permissions).
Testing Email Client Protections Against Executables/Malware
For each workstation in the sample, the assessor will send several emails to the user’s email address, each containing an attachment. These attachments include test malware (EICAR) files as well as an assortment of executable files (e.g. .bat, .exe, .py, .sh and .jar).
The malware files should be filtered before they reach the user’s mailbox and the additional executables should not be able to execute when clicked on through the email client without first displaying a prompt or providing an opportunity for the user to evaluate the action being taken.
Testing Web Browser Protections Against Executables/Malware
For each web browser installed on the sampled workstations, the assessor will attempt to download and execute a range of test malware files. Ideally, these should be blocked on download but if they do download and are blocked on execution, this will also be compliant.
In addition, the assessor will attempt to download and execute several different file types (similar to the checks on the email client) and will be looking to see if a prompt is displayed that will allow the user to evaluate their action before execution can take place.
Testing for Multi-Factor Authentication
The assessor will assess the SaaS cloud services accessible by each device owner (such as Microsoft 365 or Google Workspace) to see whether multi-factor authentication (MFA) is enforced for all users. This check often includes asking the user to log into the cloud services to show that an MFA prompt is displayed.
Testing for Account Separation
The assessor will verify that the day-to-day user account for each sampled device does not have administrator privileges, since admin accounts should only be used when necessary. Device owners who have access to an administrator account should also have a standard user account which they will use for day-to-day activities such as browsing the web or accessing emails.
Why Become Cyber Essentials Plus Certified?
Customer Requirements: Cyber Essentials Plus certification is increasingly being mandated across supply chains of both private and public sector organisations. Obtaining this certification shows your commitment to effective cyber security practices.
Cost Effective: Cyber Essentials Plus can be a cost-effective next step after achieving Cyber Essentials and further verifies that you have the essential security controls in place to protect the organisation against a range of common cyber threats.
Clear Security Recommendations: You will receive clear feedback on how your organisation can further improve its security posture.
Certificate and Logo: Upon achieving Cyber Essentials Plus certification your organisation will be able to display the Cyber Essentials Plus logo which can be used on your website and social media to demonstrate you take security seriously.
Preparing Your Organisation to Pass Cyber Essentials Plus
The Cyber Essentials Plus certification has been designed to be accessible by organisations of all sizes and industries. By undertaking some initial preparation, you’ll be ready to get the most out of the assessment and pass first time. Below are some key actions that your organisation can take in preparation for the Cyber Essentials Plus assessment:
Update Your Devices/Servers and Their Installed Software
Ensure that you have patched all software on your devices and servers to the latest version and that any end-of-life software has been upgraded or decommissioned. A few days before the assessment, take some time to double check that your organisation’s software is up to date and that no unsupported software exists. It’s key that the organisation applies any high and critical-risk security patches within 14 days of release. This will reduce the risk of unpatched software being detected during the vulnerability scanning.
Check Your Antivirus Software Configuration
Ensure that the antivirus software on your devices and servers is patched to the latest version and that the signatures (if applicable) are being updated within a 24-hour window. All automatic updates should be enabled where the software supports it. You should also verify that your antivirus software is scanning files on access (and ideally on download where possible).
Check Your Internet-Facing Services
Ensure that any internet-facing services have been disabled where no longer needed. Where any internet-facing services require authentication to access user/organisation data, make sure that the default password has been changed, and the service has mitigations in place to protect against brute-force attacks. This includes an account lockout policy and/or enforcing multi-factor authentication. Where there is an account lockout or throttling mechanism, ensure that a user is restricted to making no more than 10 attempts within a 5-minute period.
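As an added example (not this guide's or Predatech's code) of the throttling rule above, here is a sliding-window lockout that rejects an account once it has made 10 failed attempts within 5 minutes. It counts failed attempts per username, which is an assumption; a production service would also throttle per source address and log each lockout for detection.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List


class LoginThrottle:
    """Sliding-window lockout: after max_attempts failed logins within
    window_seconds, further attempts for that account are rejected until
    enough old failures age out of the window."""

    def __init__(self, max_attempts: int = 10, window_seconds: int = 300):
        self.max_attempts = max_attempts
        self.window = window_seconds
        # username -> timestamps (seconds) of recent failed attempts
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, user: str, now: float) -> None:
        q = self._failures[user]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, user: str, now: float) -> bool:
        self._prune(user, now)
        return len(self._failures[user]) >= self.max_attempts

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return "locked", "ok" or "failed". The lockout is checked before the
        password, so a correct guess during lockout is still rejected."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures[user].clear()
            return "ok"
        self._failures[user].append(now)
        return "failed"


def simulate() -> List[str]:
    """Constructed timeline: ten wrong passwords one second apart, an 11th
    wrong one, the right password during lockout, then the right password
    after enough failures have aged out of the 5-minute window."""
    t = LoginThrottle()
    results = [t.attempt("alice", False, float(s)) for s in range(10)]
    results.append(t.attempt("alice", False, 10.0))   # 11th attempt: locked
    results.append(t.attempt("alice", True, 11.0))    # right password, still locked
    results.append(t.attempt("alice", True, 305.0))   # failures at 0..5s aged out
    return results
```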
Check That Multi-Factor Authentication is Enforced for Cloud Service Users
Ensure that MFA is enforced for all users across all the cloud services that hold organisation data (where an option exists). Where MFA is not enforced because the cloud service does not offer an MFA option, you will remain compliant for that service. If MFA is exclusively offered through a premium subscription or requires integration with another authentication service like MS Azure, its implementation will be necessary to ensure compliance.
Check That Account Separation is Enforced for User Accounts
Ensure that the workstation device owners who have access to an administrative user account also have a standard user account which they are using for day-to-day work. Workstation device owners must only use the administrative account when conducting necessary privileged actions like installing/uninstalling software. Please also ensure that no user accounts are being shared between users.
How Much Does Cyber Essentials Plus Cost?
The cost for Cyber Essentials Plus will vary depending on the Certification Body.
Predatech offers Cyber Essentials Plus assessment and certification from £1,100+VAT (dependent on organisation size). This includes all support and any retesting required.
Please note, Cyber Essentials Plus requires a valid Cyber Essentials certificate that has been issued within the last few months. More information on pricing can be found here.
Predatech is a CREST-accredited organisation and a certification body for Cyber Essentials & Cyber Essentials Plus. If you are interested in achieving or renewing your Cyber Essentials Plus certification, click here to find out more about our approach or contact us today for a free consultation.