Short answer
Once per audit cycle for Cyber Essentials Plus. The external scan targets public-facing IP addresses and domains, checks TLS configuration, looks for exposed management interfaces, and flags out-of-date services. Findings must be remediated before the certificate is issued.
Why this matters
Technical-control questions decide whether the self-assessment can be approved. Cyber Essentials is not a paper-only exercise: the applicant must be able to show that secure configuration, patching, access control, malware protection, and firewalls are implemented in the actual environment.
The strongest submissions use evidence from device management, endpoint security, vulnerability scanning, identity controls, and asset registers. If a control is implemented manually, the organisation should still be able to explain ownership, frequency, and how exceptions are handled.
What to check next
- Patch high and critical updates within 14 days of vendor release.
- Remove unsupported software from scope or isolate it technically.
- Keep endpoint protection, firewall rules, and admin accounts documented.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.