Most organisations that fail Cyber Essentials Plus fail for reasons they could have fixed in an afternoon: multi-factor authentication switched off on one cloud service, a laptop three patches behind, day-to-day work being done from admin accounts. The audit is not designed to catch you out. It checks that the five controls you have already declared actually work on your live systems. Prepare for it properly and passing first time is the normal outcome.

This is the checklist we walk clients through before their formal audit. Layer 7 has been an IASME-licensed Cyber Essentials Certification Body since the scheme launched in 2014, and we run the hands-on Plus audit in-house, so this is what an assessor genuinely looks for, not a generic list.

First, the prerequisites

Two things have to be true before a Cyber Essentials Plus audit can go ahead:

  • You hold a current base Cyber Essentials certificate. Plus builds on it. If you are not sure which level you need, read Cyber Essentials vs Cyber Essentials Plus.
  • The Plus audit is passed within three months of that base certificate. Miss the window and the base assessment has to be redone. If you are starting from scratch, we do both together, which keeps you comfortably inside it.

What a Cyber Essentials Plus audit actually tests

Cyber Essentials Plus assesses the same five controls as the base level (firewalls, secure configuration, security update management, user access control and malware protection), but rather than relying solely on the answers provided in the self-assessment, an assessor independently verifies them by testing a representative sample of your live systems. In practice the audit covers:

  • A remote vulnerability assessment of your external infrastructure to identify vulnerabilities and Internet-accessible services.
  • An authenticated vulnerability scan of a sample of your in-scope devices, looking for missing patches and risky configuration.
  • A check that multi-factor authentication is enforced on every cloud service that supports it.
  • A malware protection test, including how your systems handle known test files and malicious content arriving by email and web.
  • A review of user accounts and administrative rights to determine how admin access is separated from everyday user accounts.

The assessor samples across each operating system and device type in your scope, so a mixed estate (Windows, macOS, mobile, servers) means a broader sample. Get the fundamentals consistent across the estate and the sample takes care of itself.

The pre-audit checklist, control by control

Work through this before you book the formal audit. If every row is green, the audit confirms what you already know.

Cyber Essentials Plus 2026: what the assessor tests and what to have ready
Control areaWhat the assessor testsGet this ready
Scope and inventoryYour CE+ scope aligns with what was declared in the base CE assessment, along with the networks and systems being testedAn honest asset inventory: every in-scope device, every operating system version in use, a copy of your base CE report
Security update managementCritical and high-severity updates applied within 14 daysLatest updates installed for OS, firmware and applications; remove or replace any software the vendor no longer supports
User access controlMulti-factor authentication enforced on all services; admin rights separated from day-to-day accountsMFA enabled for every user including administrators, no shared logins
Malware protectionAnti-malware active and up to date, or approved application allow-listing in placeConfirm protection is on and current on every device, know which approach applies to which device
Secure configurationDefault passwords not in use, downloaded files prevented from automatically runningDefault passwords changed, and autorun disabled on all devices
Firewalls and accessFirewalls enabled and correctly configured, with a review of any open portsConfirm firewalls are on and rules are documented; MFA or equivalent on any external services

In short: the audit checks the same five controls you self-declared for base Cyber Essentials, but proves them on live systems. If your inventory is honest, MFA is on everywhere, patching is inside 14 days across the whole estate, and users work from standard accounts, you have covered the reasons organisations actually fail.

The top reasons organisations fail, and how to avoid them

Almost every avoidable failure comes down to the same handful of issues. Because CE+ involves an assessor directly testing your systems, these gaps get caught rather than going unnoticed, so it pays to get them right before the audit.

Common Cyber Essentials Plus failures and how to fix them before the audit
Reason for failureWhy it fails the auditFix before you book
MFA not enabled everywhereMFA should be enabled for every service that supports it, for both users and adminsTurn on MFA for every user on every service, using an NCSC-approved method; app or hardware tokens beat SMS
Missed patch deadlineCritical or high-severity updates not installed within 14 days will result in a failApply patch management uniformly across every device
Unsupported software still in useSoftware the vendor no longer patches means vulnerabilities never get fixed, so it failsRemove, replace or fully segregate anything out of support before the audit
Admin accounts used for daily workEveryday browsing and email from an admin account breaches access controlGive admins a separate standard account for routine work; keep admin rights for admin tasks

The key takeaway: multi-factor authentication missing from accounts, missing patches, and using admin accounts for everyday tasks are among the most common reasons audits fail, and all three are fixable before you ever book the audit. A readiness review catches them cheaply.

What to have ready for the audit

A smooth audit day comes down to access and paperwork being in place before the assessor starts:

  • A named technical contact who can answer questions from the auditor and make changes where necessary.
  • Your asset inventory, external addresses, and a copy of the report from your base CE.
  • User availability for both remote and on-site audits, remote access or screen sharing for remote audits, physical device availability for on-site audits.
  • Admin credentials for the authenticated scans (handled securely), or scanner agents installed on sampled devices.

Most Cyber Essentials Plus audits now run fully remotely, which is usually the faster route. We agree the approach with you at scoping, so there are no surprises.

The single best thing you can do: a readiness review

The organisations that pass first time almost all do one thing beforehand: they have someone check the controls against the current requirements before the formal audit, while findings are still cheap to fix. That is the entire point of a readiness review. We run one, tell you exactly where you stand, and help you close any gaps, so the formal audit confirms a pass rather than uncovering surprises. From an agreed scope, we can often complete the audit itself in a single day.

For the wider 2026 picture, read the Cyber Essentials changes explained. For budgeting, see how much Cyber Essentials Plus costs.

Get audit-ready with Layer 7

We are an IASME Certification Body and have been since 2014, delivering both Cyber Essentials and Cyber Essentials Plus in-house. No readiness middleman, no outsourced audit. Tell us the shape of your environment and we will show you where you stand before you commit.

Book a readiness review or audit: hello@layer7.uk or see Cyber Essentials Plus certification.

Cyber Essentials Plus audit FAQs

How do I prepare for a Cyber Essentials Plus audit? Make sure your asset inventory is honest, multi-factor authentication is enabled on every cloud service, high and critical patches are applied within 14 days across your whole scope, unsupported software is removed, and admin accounts are separated from everyday use. A readiness review before the formal audit catches anything left over.

What does the Cyber Essentials Plus audit test? An assessor tests the five controls on a sample of your live systems: a remote vulnerability assessment, an authenticated vulnerability scan to verify that high and critical updates are applied in time, a check that MFA is enforced on cloud services, a malware protection test, and a review of user and admin accounts.

Why do organisations fail Cyber Essentials Plus? Most failures come down to MFA not being enabled everywhere, high and critical patches left beyond 14 days, unsupported software still in use, or admin accounts used for daily work. All are fixable before the audit.

How long does a Cyber Essentials Plus audit take? From an agreed scope, we can often complete the audit in a single day. A larger or more complex estate takes longer, which we confirm at scoping.

Can I do the audit remotely? Yes. Most Cyber Essentials Plus audits now run fully remotely, which is usually the faster route. On-site makes sense when devices cannot be accessed remotely or you prefer an assessor in the room.

Do I need base Cyber Essentials before the Plus audit? Yes. You need a current base Cyber Essentials certificate, and the Plus audit must be completed within three months of it. We can do both together.

Start a conversation

Have a question about this topic?