Independent technical verification

Cyber Essentials Plus certification

UK, audited, from £1,499 + VAT. Cyber Essentials Plus adds a third-party technical audit on top of Cyber Essentials, including external vulnerability scanning and sampled device checks.

Buy CE Plus Micro See all pricing Review trust claims

Cyber Essentials Plus pricing

Priced by organisation size.

Cyber Essentials Plus

Third-party verified · 1-3 days

Micro

1-9 employees

£1,499+ VAT

One-off · no recurring fee

Everything in Cyber Essentials
External vulnerability scan
Remote technical audit
1-3 working days turnaround

Buy now

What is audited in Cyber Essentials Plus

The Plus audit verifies your controls in the real environment.

External vulnerability scan of internet-facing assets.
Sampled device checks for secure configuration and malware protection.
MFA and user-access control verification.
Patch status and supported software checks.
Independent assessor evidence review and certification decision.

How to prepare for Cyber Essentials Plus

Plus is fastest when the baseline scope is already clear.

Cyber Essentials Plus is a verification exercise, not a last-minute paperwork task. Plan the audit with the same rigour as the baseline self-assessment so the assessor can move straight from scope review to control testing.

Have these ready before the audit

A valid Cyber Essentials baseline certificate covering the same organisation and scope.
A written scope statement listing in-scope users, devices, networks, and cloud services.
Sampled devices available for the assessor to test (representative across OS, role, location).
Permission to run the external vulnerability scan against your internet-facing services.
Evidence prepared for any remote workers, BYOD, multi-site, or hybrid cloud arrangements.

Common reasons applicants are delayed

Unsupported software still in production (legacy Windows, end-of-life browsers, EOL plugins).
Gaps in multi-factor authentication coverage on cloud, admin, or remote-access accounts.
Internet-facing services with high or critical vulnerabilities at scan time.
Sampled devices unavailable in the audit window or no remote-access agent installed.
Scope ambiguity around BYOD, contractors, or third-party managed assets.

Fig separates the baseline Cyber Essentials review from the Plus audit so applicants understand which issues block certification and which issues can be remediated during the process - no surprises mid-audit.

Fig guides

How the CE Plus remote audit works

What the assessor tests, sample sizing, and timing

Cyber Essentials Plus cost guide

2026 pricing, what drives variance, common gotchas

Official sources

NCSC Cyber Essentials overview

Government scheme owner

IASME Cyber Essentials scheme

Scheme administrator on behalf of NCSC

Cyber Essentials trust evidence

The buyer evidence to check before you purchase

This block keeps the commercial claims close to the final decision point: licence, speed, pricing, reviews, and the important difference between Cyber Essentials and Cyber Essentials Plus.

Open Google profile

Licence

IASME-licensed Plus route

Cyber Essentials Plus is delivered as an IASME-backed technical verification route after Cyber Essentials, with licence evidence available for procurement checks.

Verify IASME licence

Scope

Plus is not the 6-hour product

The 6-hour guarantee applies to Cyber Essentials self-assessment only. Plus adds technical audit work, sampled device testing, and remediation scheduling.

Review Plus scope

Pricing

Published Plus pricing

Cyber Essentials Plus pricing is published by organisation size so buyers can compare cost before booking a technical audit.

Review Plus pricing

Reviews

Evidence-led buying check

Use Fig trust pages, Google review signals, and the official scheme sources to verify claims before committing to a Plus assessment.

Review trust evidence

Practical rule: buy Cyber Essentials when the requirement asks for baseline certification. Buy Cyber Essentials Plus only when the buyer, insurer, or framework specifically asks for the audited technical verification layer.

Cyber Essentials hub Cyber Essentials Plus Claim evidence

Cyber Essentials Plus FAQ

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a verified self-assessment. Cyber Essentials Plus adds an independent technical audit with external vulnerability scanning and sampled device testing.

How long does Cyber Essentials Plus take?

Most assessments complete in 2 to 3 working days depending on availability of sampled devices and remediation turnaround.

Do I need a Cyber Essentials certificate before Plus?

Yes. Cyber Essentials Plus requires a valid Cyber Essentials baseline and then performs independent verification.

Is Plus required for UK procurement?

Some frameworks and enterprise buyers require Cyber Essentials Plus for higher-risk supplier contracts. Always confirm your bid requirement.

How much does Cyber Essentials Plus cost?

Fig Group prices Cyber Essentials Plus from £1,499 + VAT to £4,499 + VAT by organisation size.