Cyber Essentials Plus remote audit: how the assessor actually tests your controls
The CE Plus audit is less mysterious than it looks. A walkthrough of what the assessor does during the remote audit, device-by-device, and how to prepare so it passes first time.
Cyber Essentials Plus adds a third-party technical audit on top of the CE self-assessment. The audit sounds intimidating - an independent assessor runs tests on your devices - but it is actually straightforward. The assessor is working through a fixed checklist. This guide explains exactly what they do, so you can prepare and pass first time.
The shape of a CE Plus audit
A typical CE Plus remote audit covers four things:
1. External vulnerability scan of your public-facing infrastructure.
2. Sampled device configuration review (MFA, patches, malware, secure configuration).
3. Malware/file-execution test on the sampled devices.
4. Inbound email and web-content filtering test.
The audit runs remotely in most cases - the assessor schedules a video call, you screen-share, they walk through the checklist. Depending on organisation size, the audit takes 2–8 hours of active time and 1–3 working days elapsed.
What the external scan does
The scan targets all your public-facing IP addresses and domains. The assessor runs a credentialed vulnerability scanner (Nessus, Qualys, or equivalent) against the externally-reachable services. They are looking for:
- Out-of-date TLS configurations (TLS 1.0, 1.1, weak cipher suites).
- Exposed management interfaces (SSH, RDP, database ports).
- Unpatched known-vulnerable services.
- Misconfigured web servers (directory listing enabled, default pages exposed).
How to prepare: run your own scan first. Sign up for the free tier of Censys, Shodan, or Qualys SSL Labs and check what is exposed. Fix the TLS issues before the audit - they are the most common blocker.
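A pre-audit check you can run yourself against the TLS findings listed above. This is an added example, not Fig's tooling and not the assessor's scanner: it uses only the Python standard library to ask each host whether it still accepts TLS 1.0 or 1.1 and which cipher suite it picks for a modern client, then applies a policy of the kind the external scan applies. HOSTS is a placeholder list, and the weak-cipher name list is an assumed policy you should align with your assessor's scanner profile.

```python
"""Pre-audit check of public-facing TLS endpoints (standard library only).

Added example, not Fig's or any assessor's tooling.  It asks each host
whether it still accepts TLS 1.0 / 1.1 and which cipher suite it picks for a
modern client, then applies a policy like the one the external scan applies.
HOSTS below is a placeholder list; substitute your own external services.
"""
import socket
import ssl

HOSTS = [("www.example.invalid", 443)]  # placeholder, not a real target

LEGACY_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}
# Cipher-name fragments a scanner flags as weak (assumed policy; align it
# with the profile your assessor's scanner uses).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def probe_version(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'untestable' for a
    single protocol version.  Certificate checks are disabled on purpose:
    the question is protocol support, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Modern OpenSSL refuses legacy versions at its default security
        # level, so lower it; otherwise the client never offers them.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return "untestable"  # local OpenSSL build cannot speak this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except ssl.SSLError:
        return "rejected"  # server sent a protocol_version alert or similar
    except ConnectionResetError:
        return "rejected"  # some servers simply drop legacy client hellos
    except OSError:
        return "unreachable"


def negotiated_cipher(host, port, timeout=5.0):
    """Cipher suite the server chooses for a default modern client, as
    'PROTOCOL:NAME', or None if no handshake succeeds."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, protocol, _bits = tls.cipher()
                return f"{protocol}:{name}"
    except OSError:
        return None


def assess(host, port, version_results, cipher):
    """Pure policy step: turn probe results into audit-style findings.
    version_results maps a version name to a probe_version() result;
    cipher is negotiated_cipher()'s output."""
    where = f"{host}:{port}"
    findings = []
    for name, result in version_results.items():
        if result == "accepted":
            findings.append(f"{where} accepts {name}; disable it before the scan")
        elif result == "untestable":
            findings.append(f"{where} {name} could not be tested from this machine")
    if cipher is None:
        findings.append(f"{where} no handshake with a modern client; check the service")
    else:
        _protocol, _, suite = cipher.partition(":")
        if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{where} negotiates weak cipher {suite}")
    return findings


def scan(hosts):
    """Probe every host and collect findings; an empty list means clean."""
    findings = []
    for host, port in hosts:
        results = {name: probe_version(host, port, v) for name, v in LEGACY_VERSIONS.items()}
        findings.extend(assess(host, port, results, negotiated_cipher(host, port)))
    return findings


if __name__ == "__main__":
    for line in scan(HOSTS) or ["no findings"]:
        print(line)
```

Run it from outside your network, since the audit scan comes from outside too. An "untestable" result means the Python build on your machine cannot speak that legacy version at all; check that host with another tool rather than assuming it is clean.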
How device sampling works
The assessor samples devices based on organisation size and diversity. For a 20-person organisation they will typically sample 3 devices spanning the operating systems and roles in use (one Windows laptop, one macOS laptop, one mobile). For a 200-person organisation, 10 devices. The sample covers all OS types, all user roles (admin, standard user, developer), and all device categories (desktop, laptop, mobile).
On each sampled device the assessor verifies:
Patch currency
Windows Update / Apple Software Update history. They want to see that high-severity and critical patches have been applied within 14 days of release. Screenshots of the update history are usually acceptable; some assessors ask to see the actual update dialog.
Preparation: make sure Windows Update and Apple Software Update have no pending restarts on the sample devices, and that the update history shows recent installs within the 14-day window.
Malware protection
They verify that malware protection is installed, enabled, updated, and capable of running on-access scans. For Windows, this is typically Windows Defender - the audit verifies that it is not turned off, that definitions are current, and that tamper protection is enabled.
Preparation: enable tamper protection on every sampled device. Many IT teams have not done this because it is a relatively new default; the audit catches it.
Secure configuration
Default accounts disabled, default passwords changed, auto-run disabled, unnecessary software removed. The assessor typically walks through Control Panel / System Settings while you screen-share.
Preparation: uninstall bloatware on sample laptops. Any device that still has manufacturer-installed trial software fails this check.
MFA on cloud services
The assessor asks the user to sign into M365 / Google Workspace / Okta and verifies that MFA is required. Since v3.3, MFA is mandatory on every cloud service that holds organisational data.
Preparation: verify MFA is enabled for every user before the audit. Conditional access "MFA unless trusted location" used to pass; under v3.3 it often does not. Require MFA always.
User access control
The assessor reviews the device's local user accounts. They want to see: no users with local admin rights unless justified; no shared accounts; no guest account enabled.
Preparation: demote users to standard accounts unless they genuinely need local admin. If a user has local admin because they "need it" - have a documented reason. "They have always had it" is not acceptable.
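The five per-device checks above are easy to pre-run as a single script before the audit. What follows is an added example, not Fig's or IASME's tooling: it takes a snapshot of one sampled device (the format is mine, and the SNAPSHOT, ADMIN_JUSTIFICATIONS and CLOUD_USERS values are constructed sample data, not a real device) and reports the same findings the assessor would write up, including the 14-day patch window, a pending restart, tamper protection, undocumented local admins and users whose MFA is conditional rather than always on. The definitions-age threshold is an assumption.

```python
"""Pre-audit check of one sampled device's evidence against the CE Plus
device criteria (14-day patch window, malware protection with tamper
protection, no unjustified local admins, MFA always).

Added example, not Fig's or IASME's tooling.  The snapshot format and the
thresholds marked as assumptions are mine; the sample values are constructed.
"""
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14
# Microsoft rates updates Critical/Important; Important is treated as high.
PATCH_SEVERITIES = {"critical", "high", "important"}
DEFINITIONS_MAX_AGE_DAYS = 2  # assumption: "current" = updated within 2 days
AUDIT_DATE = date(2026, 3, 21)  # constructed date of the audit call

# Constructed sample: one Windows laptop, as the assessor would see it.
SNAPSHOT = {
    "hostname": "LAPTOP-SAMPLE-01",
    "updates": [
        {"kb": "KB-SAMPLE-001", "severity": "Critical",
         "released": date(2026, 3, 10), "installed": date(2026, 3, 12)},
        {"kb": "KB-SAMPLE-002", "severity": "Important",
         "released": date(2026, 3, 10), "installed": None},
        {"kb": "KB-SAMPLE-003", "severity": "High",
         "released": date(2026, 3, 1), "installed": None},
    ],
    "pending_reboot": True,
    "malware_protection": {
        "enabled": True,
        "on_access": True,
        "tamper_protection": False,
        "definitions_updated": date(2026, 3, 20),
    },
    "local_admins": ["Administrator", "jsmith"],
    "guest_enabled": False,
    "trial_software": ["vendor security suite trial (constructed)"],
}

# Accounts whose local admin rights have a documented reason (constructed).
ADMIN_JUSTIFICATIONS = {"Administrator": "built-in account, disabled by policy"}

# Cloud sign-in state per user (constructed): "always", "conditional"
# (e.g. skipped on trusted locations) or "none".
CLOUD_USERS = [
    {"user": "jsmith", "mfa": "always"},
    {"user": "akhan", "mfa": "conditional"},
    {"user": "svc-scanner", "mfa": "none"},
]


def late_patches(updates, today):
    """KB ids of critical/high updates not applied within the 14-day window
    as of `today`.  An update installed after its deadline still counts:
    the assessor reads the history, not just the current state."""
    late = []
    for u in updates:
        if u["severity"].lower() not in PATCH_SEVERITIES:
            continue
        deadline = u["released"] + timedelta(days=PATCH_WINDOW_DAYS)
        installed = u["installed"]
        if installed is None and today > deadline:
            late.append(u["kb"])
        elif installed is not None and installed > deadline:
            late.append(u["kb"])
    return late


def assess_device(device, today, justifications):
    """Findings for one device, in the order the assessor checks them."""
    findings = []
    late = late_patches(device["updates"], today)
    if late:
        findings.append("patch window missed: " + ", ".join(late))
    if device["pending_reboot"]:
        findings.append("pending restart: installed updates are not active yet")
    av = device["malware_protection"]
    if not (av["enabled"] and av["on_access"]):
        findings.append("malware protection not enabled for on-access scanning")
    if not av["tamper_protection"]:
        findings.append("tamper protection disabled")
    if (today - av["definitions_updated"]).days > DEFINITIONS_MAX_AGE_DAYS:
        findings.append("malware definitions not current")
    for account in device["local_admins"]:
        if account not in justifications:
            findings.append(f"local admin without documented reason: {account}")
    if device["guest_enabled"]:
        findings.append("guest account enabled")
    if device["trial_software"]:
        findings.append("manufacturer trial software still installed")
    return findings


def assess_mfa(users):
    """Users whose cloud sign-in is not MFA-always; 'conditional' is listed
    because location-based exceptions no longer pass under v3.3."""
    return [u["user"] for u in users if u["mfa"] != "always"]


if __name__ == "__main__":
    for f in assess_device(SNAPSHOT, AUDIT_DATE, ADMIN_JUSTIFICATIONS):
        print(SNAPSHOT["hostname"], "-", f)
    for u in assess_mfa(CLOUD_USERS):
        print("MFA not always required:", u)
```

Feed it real data by exporting the update history, Defender status and local Administrators group membership from each sampled device; the point of the script is that every criterion becomes a yes/no you can settle before the screen-share, not during it.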
The malware execution test
The assessor sends the user a set of test files - typically via email and via a download from a web server under the assessor's control. The files are known-malicious test signatures (EICAR for AV testing is the most common) plus some file types that should be blocked at the gateway (macro-enabled documents, ISO files, password-protected archives).
The test verifies that the malware protection catches them. If any files reach the user's desktop and can be opened, that is a finding.
Preparation: check that your email security gateway (Defender for Office 365, Mimecast, Proofpoint, Google Workspace security) blocks executable attachments, macro-enabled documents, and password-protected archives. Check that web content filtering blocks downloads of EICAR test files from the public EICAR test URL.
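To confirm your gateway policy covers each file category the malware test sends, it helps to see how those categories are recognised from content rather than from the file name alone. The following is an added example, not Fig's tooling and not the assessor's test set: it classifies an attachment as executable, macro-enabled document, ISO image or password-protected archive, and builds inert in-memory stand-ins for each so the classifier can be exercised offline. No real malware and no EICAR string is included; the sample files are constructed placeholders.

```python
"""Classify an inbound attachment the way a gateway block policy must, so you
can check that the categories the malware test sends are recognised.

Added example, not Fig's tooling and not the assessor's test set.  The sample
files are built in memory and are inert stand-ins, not malware.
"""
import io
import zipfile

EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "msi", "com", "bat", "cmd",
                         "js", "vbs", "ps1", "hta"}
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm"}


def classify_attachment(filename, data):
    """Return the set of block reasons for an attachment (empty if nothing in
    the policy applies).  Content is inspected, not just the extension, so a
    renamed .exe or a macro document saved as .docx is still caught."""
    reasons = set()
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS or data[:2] == b"MZ":  # PE/DOS header
        reasons.add("executable")
    if ext == "iso" or data[0x8001:0x8006] == b"CD001":  # ISO 9660 descriptor
        reasons.add("iso-image")
    if ext in MACRO_EXTENSIONS:
        reasons.add("macro-enabled-document")
    if data[:4] == b"PK\x03\x04":  # zip container: Office files and archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    reasons.add("macro-enabled-document")
                # bit 0 of the general-purpose flag marks an encrypted entry
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    reasons.add("password-protected-archive")
        except zipfile.BadZipFile:
            reasons.add("unreadable-archive")
    return reasons


def _zip_bytes(entries):
    """Build an uncompressed zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_word_doc(with_macro):
    """Constructed stand-in for a Word document; the macro variant carries a
    placeholder word/vbaProject.bin part, which is what marks it macro-enabled."""
    entries = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
    if with_macro:
        entries["word/vbaProject.bin"] = b"placeholder, not a real VBA project"
    return _zip_bytes(entries)


def build_encrypted_zip():
    """Constructed stand-in for a password-protected zip: a normal archive with
    the encryption flag set in the local header (offset 6) and the central
    directory entry (offset 8).  The payload is not actually encrypted."""
    data = bytearray(_zip_bytes({"invoice.pdf": b"placeholder"}))
    data[data.find(b"PK\x03\x04") + 6] |= 0x01
    data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


def build_iso_stub():
    """Constructed stand-in for an ISO image: only the volume descriptor magic."""
    return b"\x00" * 0x8001 + b"CD001" + b"\x01" + b"\x00" * 64


if __name__ == "__main__":
    samples = [
        ("report.docx", build_word_doc(with_macro=False)),
        ("report.docx", build_word_doc(with_macro=True)),
        ("invoice.zip", build_encrypted_zip()),
        ("setup.iso", build_iso_stub()),
        ("update.pdf", b"MZ\x90\x00 placeholder"),
    ]
    for name, data in samples:
        print(name, "->", sorted(classify_attachment(name, data)) or "allow")
```

Use the same classifier on files that actually reached a test mailbox: anything it labels with a block reason got past the gateway, which is exactly what the assessor's test will find.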
Inbound email and web-content filtering
The assessor sends a sequence of test emails with phishing-style features (spoofed sender, suspicious URL, attachment). They want to see that SPF/DKIM/DMARC are correctly configured on your domain (so outbound mail authenticates) and that inbound mail filters catch obvious phishing.
Preparation: run your domain through https://dmarc.org/tools/ or Microsoft's DMARC checker. Fix any SPF, DKIM, or DMARC issues before the audit.
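An offline review of the SPF, DMARC and DKIM records the assessor checks, as an added example rather than Fig's checker or a replacement for the DMARC tools above. It takes the TXT records as strings (look them up with dig or nslookup for the domain, for _dmarc.<domain> and for <selector>._domainkey.<domain>) and reports the configurations that fail the inbound-filtering expectation: no record, several records, +all or ?all, p=none, a partial pct, no reporting address, or a revoked DKIM key. The records embedded below are constructed samples for a fictional domain.

```python
"""Offline review of a domain's SPF, DMARC and DKIM TXT records.

Added example, not Fig's checker.  Records are passed in as strings; those
below are constructed samples for a fictional domain.
"""

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed sample records for example.test
SAMPLE_SPF = ["v=spf1 include:spf.protection.outlook.com -all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"]
SAMPLE_DKIM = ["v=DKIM1; k=rsa; p="]  # empty p= means the key is revoked


def _term_name(term):
    """Mechanism or modifier name without qualifier, argument or CIDR:
    '-include:x' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()


def _tag_values(record):
    """Parse 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records (receivers treat this as a permanent error)")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if _term_name(t) == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends with +all: any sender passes")
        elif qualifier == "?":
            findings.append("SPF ends with ?all: neutral, no protection")
    if any(_term_name(t) == "ptr" for t in terms):
        findings.append("SPF uses ptr, which is deprecated")
    lookups = sum(1 for t in terms if _term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF has {lookups} lookup terms at top level; limit is {SPF_LOOKUP_LIMIT}")
    return findings


def assess_dmarc(txt_records):
    recs = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record at _dmarc.<domain>"]
    findings = []
    if len(recs) > 1:
        findings.append("multiple DMARC records")
    tags = _tag_values(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC has no valid p= policy")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so failures are never reported to you")
    return findings


def assess_dkim(selector, txt_records):
    keys = [t for t in (_tag_values(r) for r in txt_records) if "p" in t]
    if not keys:
        return [f"no DKIM key published for selector {selector}"]
    if keys[0]["p"] == "":
        return [f"DKIM selector {selector} has an empty p= (key revoked)"]
    return []


if __name__ == "__main__":
    for label, findings in (("SPF", assess_spf(SAMPLE_SPF)),
                            ("DMARC", assess_dmarc(SAMPLE_DMARC)),
                            ("DKIM", assess_dkim("selector1", SAMPLE_DKIM))):
        print(label, "->", findings or "ok")
```

The SPF lookup count here is only the top-level terms; the real limit of ten DNS lookups counts every nested include as well, so a record that passes this check can still fail at a receiver. That is one reason to also run the online DMARC checker above.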
Common first-time audit failures
From Fig's pool of first-time CE Plus audits in Q1 2026, the most common failures are:
1. MFA not enforced on every user. "Most users have it" is not sufficient.
2. Defender tamper protection disabled on a laptop in the sample.
3. TLS 1.0 still enabled on a public-facing service.
4. 14-day patch window missed on an engineer laptop (they deferred a reboot).
5. Email gateway allowing macro-enabled attachments through to inbox.
All five are quick to fix. The challenge is that by the time the assessor finds them, the audit window has already compressed. Fix them before the audit, not during.
How long does it take?
Typical timeline:
- Kick-off call: 30 minutes.
- External scan: 2–4 hours (runs in background).
- Device sampling calls: 30–60 minutes per device, 2–5 devices depending on organisation size.
- Email/web filtering tests: 30 minutes.
- Write-up and certification: same day or next business day.
Fig CE Plus audits typically complete in 2–3 working days end-to-end. Bigger organisations take longer because the device sample is larger.
Bottom line
CE Plus is not a black box. The assessor runs a fixed checklist, you can preview every item before they arrive, and well-prepared organisations pass first time. The common failure modes are all things you can fix in an afternoon if you know to look for them.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.