Skip to contentAbout Fig Group

Cyber Essentials Plus - Medium

Cyber Essentials Plus certification for medium organisations with 50 to 249 employees. Full third-party technical audit including vulnerability scans and configuration checks. Required by many government frameworks and large enterprise supply chains.

How does it work

The CE Plus engagement, end to end

  1. Cyber Essentials must be held before the CE Plus audit. If you do not already hold one, Fig can also certify you for the Cyber Essentials self-assessment as a separate purchase.
  2. Once your purchase goes through, Fig schedules the external vulnerability scan and the remote technical audit with your IASME-licensed assessor.
  3. The external vulnerability scan runs against your internet-facing devices and services. Findings are shared with you ahead of the audit so anything material can be remediated first.
  4. The remote technical audit covers a representative device sample, malware protection, MFA enforcement, and patching posture - confirmed by video and screen share.
  5. If a control needs work, your assessor will tell you what to fix rather than scoring you non-compliant on the first attempt.
  6. You get 3 free remediation rounds against the audit findings before any non-compliant outcome.
  7. If after 3 rounds your audit is still not compliant, we will send you a link to schedule a 30-minute call with an NCSC assessor, free of charge.

What's included

Everything in the Medium package

  • External vulnerability scan of public-facing infrastructure
  • Remote technical audit of a representative device sample
  • Dedicated IASME-licensed assessor throughout the audit
  • Official Cyber Essentials Plus certificate
  • Cyber Essentials self-assessment available from Fig as a separate purchase if not already held
  • Certificate valid for 12 months

What happens next

From Stripe checkout to certificate

  1. Complete the Stripe checkout - card or supported alternatives, taxes shown, receipt emailed instantly.
  2. Fig confirms your CE prerequisite status and (where needed) opens the IASME portal credentials so you can complete the prerequisite first.
  3. Fig schedules the external vulnerability scan and the remote technical audit with your assessor.
  4. External scan findings shared first; remote technical audit follows by video and screen share.
  5. Get up to 3 free remediation rounds - your assessor flags what to change and re-runs the relevant audit step at no extra cost.

Ready to start?

£2,799 + VAT, one-off. Cyber Essentials Plus audit scheduled with the assessor and normally completes in 1-3 working days.

Buy Cyber Essentials Plus - MediumTalk to an assessor

Not sure which tier? Compare all tiers or view full pricing.

Read common buyer questions