Cyber Essentials Plus
audit, evidence, and remediation

Run hands-on Cyber Essentials Plus audits with structured templates aligned to the IASME test specification. Coordinate external vulnerability scans, authenticated workstation tests, malware checks, and remediation tracking from a single platform.

No credit card required. Free plan available forever.

Cyber Essentials Plus: structured, evidence-based, hands-on certification

Cyber Essentials Plus is the audited tier of the UK government-backed Cyber Essentials scheme. The five technical control areas (firewalls, secure configuration, user access control, malware protection, and patch management) are the same as the self-assessed Cyber Essentials level, but the verification model is different. CE Plus requires a certifying body to perform hands-on technical testing against the in-scope environment rather than accept a self-completed questionnaire. That changes how the assessment must be planned, executed, and evidenced.

The scheme is operated through the IASME Consortium on behalf of the UK National Cyber Security Centre, and the technical test specification dictates what assessors must run, how devices and cloud services should be sampled, and how findings are scored. CE Plus certification is increasingly written into UK public sector procurement and into private supply chain requirements, which is why operating it as a repeatable workflow matters. SecPortal's Cyber Essentials assessment workflow and compliance audits use case give CE Plus assessors a structured place to plan the test, log findings, track remediation, and produce the assessor pack.

The five hands-on test stages

CE Plus is built around technical tests, not paperwork. Each stage produces evidence that the assessor must capture, the candidate must retain, and the certifying body can review. Treat each stage as a distinct engagement step inside SecPortal so scope, evidence, and remediation are linked back to the correct control area.

External vulnerability scan

An unauthenticated scan of every in-scope internet-facing asset (the remote vulnerability assessment in the IASME specification). Findings of High or Critical severity (CVSS v3 base score 7.0 and above) on internet-facing services for which the vendor released a patch more than 14 days before the scan date will fail the assessment unless remediated or mitigated within the remediation window.

Authenticated patch scan on workstations and servers

A representative sample of end-user devices (and any servers in scope) is drawn per operating system build. Each sampled device is scanned with credentials so missing patches and risky configuration items can be detected. The same High and Critical patch rule applies.

Email and web-borne malware test

A harmless test file (typically EICAR) is delivered through email and a browser to confirm that the malware protection installed on each sampled device blocks or quarantines the file. Evidence is captured per device, per delivery method.

Multi-factor authentication verification

The assessor checks that MFA is enforced on all user accounts of in-scope cloud services that hold organisational data, and on all administrative accounts. The expectation is hands-on confirmation, not just a written claim, with screenshots or assessor-witnessed sign-in flows.

Account separation and privileged access checks

On the sampled devices, the assessor verifies that everyday user accounts do not hold local administrator rights, that administrators have separate accounts for privileged work, and that default credentials have been removed.

Scoping and sampling without surprises

Many CE Plus failures trace back to scope drift rather than technical weakness. A device or cloud service that holds organisational data and is not represented in the sample will surface late, usually as an audit blocker. Build the scope before you build the test plan, and record the basis for every sampling decision.

  • Group every endpoint and server by operating system, version, and patch baseline before sampling
  • Sample each group at the size the current IASME test specification requires (commonly cited as roughly 10% of each group, never fewer than one device per group), and record the rule you applied
  • Cover every cloud service holding organisational data, not just on-premises assets
  • Document in-scope and out-of-scope assets explicitly, and link each scan to the asset record it covers
  • Capture the asset owner, OS build, and patch baseline alongside each test result for traceability

Findings, severity, and the 14-day patch rule

The CE Plus test specification fails any High or Critical patchable vulnerability on an internet-facing service when the vendor patch is more than 14 days old at the time of testing. High or Critical means a CVSS v3 base score of 7.0 or higher, or a vendor rating of critical or high where the vendor publishes one. The same threshold applies to workstation and server findings surfaced by the authenticated scan. To track that cleanly, every CE Plus finding inside SecPortal should carry an accurate CVSS vector, a patch availability date, and a clear owner so the deadline is visible without spreadsheet arithmetic. Pair the finding workflow with the platform's findings management and CVSS calculator so the threshold is never ambiguous.

  • Log every non-conformity as a finding with severity, affected control, owner, and evidence
  • Use CVSS 3.1 scoring on patch and configuration findings to make the High and Critical threshold explicit
  • Track the 30-day remediation window from initial test date and surface findings about to expire
  • Re-test fixed items with a focused authenticated or external scan and link the new evidence to the original finding
  • Generate an AI-assisted summary report covering findings, remediation, and outstanding risk for the assessor pack

Evidence the certifying body actually wants

CE Plus evidence packs fail review when artifacts are scattered across email, drives, and screenshots without a clear link back to a control area or a sampled asset. Build the bundle as you go, keep raw scanner output alongside the summary, and tie every artifact back to the engagement so the assessor narrative is straightforward.

  • Asset and scope register with sampled devices, cloud services, and external IPs and domains
  • Raw scan output for the external scan and each authenticated workstation scan, retained per device
  • Malware test screenshots and notes per device and per delivery vector
  • MFA evidence per cloud service and admin account: screenshots, recordings, or assessor notes
  • Remediation log with timestamps, owners, status changes, and re-test outcomes
  • Assessor-ready report bundle with executive summary, control results, and supporting findings

Where SecPortal fits in the CE Plus workflow

SecPortal is positioned as the operating layer for the audit, not a replacement for the certifying body. The platform handles scope, scans, findings, remediation tracking, and the assessor-ready output, so the CE Plus engagement runs as a structured workflow instead of an email chain.

  • Verified domain ownership before any external scan to keep CE Plus scans within the agreed scope
  • 16-module external scan covering CVE correlation, exposed services, weak TLS, and outdated software for the external test
  • 17-module authenticated scan running behind login or with stored credentials to support workstation and web application sampling
  • Findings management with CVSS 3.1 scoring, 300+ templates, and Nessus or Burp Suite imports for assessors who already use those tools
  • Compliance tracking that maps findings to CE Plus control areas alongside ISO 27001, SOC 2, and PCI DSS for clients who hold multiple certifications
  • AI report generation that turns findings, remediation actions, and re-test outcomes into an assessor-ready narrative

CE Plus certification has to be renewed every twelve months, and the Plus assessment itself must be completed within three months of the underlying Cyber Essentials self-assessment certificate, so the value of running it as a managed workflow grows over time. Historical findings, sampled assets, and remediation timelines stay linked to the engagement, which makes the next year's recertification a refresh rather than a rebuild. Whether you are an assessor delivering CE Plus to multiple clients or a security team preparing your own environment for audit, the goal is the same: structured testing, traceable evidence, and a clean handoff to the certifying body. For service providers, the security consultants workspace bundles that with branded client portals and AI report generation so the deliverable looks as polished as the work behind it.

Key control areas

SecPortal helps you track and manage compliance across these domains.

External vulnerability scan

Plan and run external scans against in-scope internet-facing assets, evidencing that no High or Critical vulnerabilities whose vendor patch is more than 14 days old remain on patchable services.

Authenticated workstation scan

Track authenticated patch and configuration scans on a representative sample of end-user devices and servers across each operating system in scope.

Malware protection testing

Document email and web malware protection tests using EICAR or equivalent harmless test files, with screenshots and outcome notes per device.

Multi-factor authentication checks

Verify that MFA is enforced on cloud services and administrative accounts, recording the test method, result, and supporting evidence per service.

Account separation and privilege

Evidence that admin accounts are separated from day-to-day user accounts and that local admin rights are constrained on sampled devices.

Remediation and re-test

Log non-conformities, assign owners, track fixes against the 30-day remediation window, and re-test before assessor sign-off.

Run a tighter CE Plus audit

Bring scanning, evidence, and remediation tracking into one CE Plus workflow. Start free.