How to Pass a Cyber Essentials Plus Audit: 2026 Checklist
Most organisations that fail Cyber Essentials Plus fail for reasons they could have fixed in an afternoon: multi-factor authentication switched off on one cloud service, a laptop three patches behind, day-to-day work being done from admin accounts. The audit is not designed to catch you out. It checks that the five controls you have already declared actually work on your live systems. Prepare for it properly and passing first time is the normal outcome.
This is the checklist we walk clients through before their formal audit. Layer 7 has been an IASME-licensed Cyber Essentials Certification Body since the scheme launched in 2014, and we run the hands-on Plus audit in-house, so this is what an assessor genuinely looks for, not a generic list.
First, the prerequisites
Two things have to be true before a Cyber Essentials Plus audit can go ahead:
- You hold a current base Cyber Essentials certificate. Plus builds on it. If you are not sure which level you need, read Cyber Essentials vs Cyber Essentials Plus.
- The Plus audit is passed within three months of that base certificate. Miss the window and the base assessment has to be redone. If you are starting from scratch, we do both together, which keeps you comfortably inside it.
What a Cyber Essentials Plus audit actually tests
Cyber Essentials Plus assesses the same five controls as the base level (firewalls, secure configuration, security update management, user access control and malware protection), but rather than relying solely on the answers provided in the self-assessment, an assessor independently verifies them by testing a representative sample of your live systems. In practice the audit covers:
- A remote vulnerability assessment of your external infrastructure to identify vulnerabilities and Internet-accessible services.
- An authenticated vulnerability scan of a sample of your in-scope devices, looking for missing patches and risky configuration.
- A check that multi-factor authentication is enforced on every cloud service that supports it.
- A malware protection test, including how your systems handle known test files and malicious content arriving by email and web.
- A review of user accounts and administrative rights to determine how admin access is separated from everyday user accounts.
The assessor samples across each operating system and device type in your scope, so a mixed estate (Windows, macOS, mobile, servers) means a broader sample. Get the fundamentals consistent across the estate and the sample takes care of itself.
The pre-audit checklist, control by control
Work through this before you book the formal audit. If every row is green, the audit confirms what you already know.
| Control area | What the assessor tests | Get this ready |
|---|---|---|
| Scope and inventory | Your CE+ scope aligns with what was declared in the base CE assessment, along with the networks and systems being tested | An honest asset inventory: every in-scope device, every operating system version in use, a copy of your base CE report |
| Security update management | Critical and high-severity updates applied within 14 days | Latest updates installed for OS, firmware and applications; remove or replace any software the vendor no longer supports |
| User access control | Multi-factor authentication enforced on all services; admin rights separated from day-to-day accounts | MFA enabled for every user including administrators, no shared logins |
| Malware protection | Anti-malware active and up to date, or approved application allow-listing in place | Confirm protection is on and current on every device, know which approach applies to which device |
| Secure configuration | Default passwords not in use, downloaded files prevented from automatically running | Default passwords changed, and autorun disabled on all devices |
| Firewalls and access | Firewalls enabled and correctly configured, with a review of any open ports | Confirm firewalls are on and rules are documented; MFA or equivalent on any external services |
In short: the audit checks the same five controls you self-declared for base Cyber Essentials, but proves them on live systems. If your inventory is honest, MFA is on everywhere, patching is inside 14 days across the whole estate, and users work from standard accounts, you have covered the reasons organisations actually fail.
The top reasons organisations fail, and how to avoid them
Almost every avoidable failure comes down to the same handful of issues. Because CE+ involves an assessor directly testing your systems, these gaps get caught rather than going unnoticed, so it pays to get them right before the audit.
| Reason for failure | Why it fails the audit | Fix before you book |
|---|---|---|
| MFA not enabled everywhere | MFA should be enabled for every service that supports it, for both users and admins | Turn on MFA for every user on every service, using an NCSC-approved method; app or hardware tokens beat SMS |
| Missed patch deadline | Critical or high-severity updates not installed within 14 days will result in a fail | Apply patch management uniformly across every device |
| Unsupported software still in use | Software the vendor no longer patches means vulnerabilities never get fixed, so it fails | Remove, replace or fully segregate anything out of support before the audit |
| Admin accounts used for daily work | Everyday browsing and email from an admin account breaches access control | Give admins a separate standard account for routine work; keep admin rights for admin tasks |
The key takeaway: multi-factor authentication missing from accounts, missing patches, and using admin accounts for everyday tasks are among the most common reasons audits fail, and all three are fixable before you ever book the audit. A readiness review catches them cheaply.
What to have ready for the audit
A smooth audit day comes down to access and paperwork being in place before the assessor starts:
- A named technical contact who can answer questions from the auditor and make changes where necessary.
- Your asset inventory, external addresses, and a copy of the report from your base CE.
- User availability for both remote and on-site audits, remote access or screen sharing for remote audits, physical device availability for on-site audits.
- Admin credentials for the authenticated scans (handled securely), or scanner agents installed on sampled devices.
Most Cyber Essentials Plus audits now run fully remotely, which is usually the faster route. We agree the approach with you at scoping, so there are no surprises.
The single best thing you can do: a readiness review
The organisations that pass first time almost all do one thing beforehand: they have someone check the controls against the current requirements before the formal audit, while findings are still cheap to fix. That is the entire point of a readiness review. We run one, tell you exactly where you stand, and help you close any gaps, so the formal audit confirms a pass rather than uncovering surprises. From an agreed scope, we can often complete the audit itself in a single day.
For the wider 2026 picture, read the Cyber Essentials changes explained. For budgeting, see how much Cyber Essentials Plus costs.
Get audit-ready with Layer 7
We are an IASME Certification Body and have been since 2014, delivering both Cyber Essentials and Cyber Essentials Plus in-house. No readiness middleman, no outsourced audit. Tell us the shape of your environment and we will show you where you stand before you commit.
Book a readiness review or audit: hello@layer7.uk or see Cyber Essentials Plus certification.
Cyber Essentials Plus audit FAQs
How do I prepare for a Cyber Essentials Plus audit? Make sure your asset inventory is honest, multi-factor authentication is enabled on every cloud service, high and critical patches are applied within 14 days across your whole scope, unsupported software is removed, and admin accounts are separated from everyday use. A readiness review before the formal audit catches anything left over.
What does the Cyber Essentials Plus audit test? An assessor tests the five controls on a sample of your live systems: a remote vulnerability assessment, an authenticated vulnerability scan to verify that high and critical updates are applied in time, a check that MFA is enforced on cloud services, a malware protection test, and a review of user and admin accounts.
Why do organisations fail Cyber Essentials Plus? Most failures come down to MFA not being enabled everywhere, high and critical patches left beyond 14 days, unsupported software still in use, or admin accounts used for daily work. All are fixable before the audit.
How long does a Cyber Essentials Plus audit take? From an agreed scope, we can often complete the audit in a single day. A larger or more complex estate takes longer, which we confirm at scoping.
Can I do the audit remotely? Yes. Most Cyber Essentials Plus audits now run fully remotely, which is usually the faster route. On-site makes sense when devices cannot be accessed remotely or you prefer an assessor in the room.
Do I need base Cyber Essentials before the Plus audit? Yes. You need a current base Cyber Essentials certificate, and the Plus audit must be completed within three months of it. We can do both together.