
Cyber Essentials Plus Certification for UK Businesses

Infilux AppSec delivers Cyber Essentials and Cyber Essentials Plus certification support in the UK. Cyber Essentials is the NCSC-backed scheme required of suppliers bidding on many UK government contracts that involve personal data or ICT services. The programme covers the five control themes (boundary firewalls and internet gateways, secure configuration, user access control, malware protection, security update management), with an independent technical audit for the Plus level. Typical timeline is 3-6 weeks including remediation.

Updated May 2026 · United Kingdom

Cyber Essentials is the UK government's baseline cybersecurity scheme, owned by the NCSC and mandatory for suppliers bidding on many UK public-sector contracts (including MOD, NHS England and central-government departments that handle personal or sensitive data). Cyber Essentials Plus adds independent technical verification carried out against a sample of the applicant's actual devices: an external vulnerability and port scan, an authenticated internal vulnerability scan with patch verification, and malware protection tests (browser download and e-mail attachment).

Our UK engagements run in GMT/BST with weekly syncs. The delivery model follows the NCSC-published Cyber Essentials requirements: gap analysis, then remediation, then the self-assessment questionnaire, and for Plus an on-site or remote technical audit. Reports are submitted to a licensed Certification Body of the applicant's choice, which reviews the self-assessment and, for Plus, carries out the technical audit; Infilux is not a Certification Body itself but works alongside IASME (the NCSC's delivery partner for the scheme) and Certification Bodies such as IT Governance and QG.

Cyber Essentials Plus certification is typically a stepping-stone toward larger UK compliance work: ISO/IEC 27001 (roughly 60-70% control overlap), UK GDPR and the Data Protection Act 2018, or the NHS Data Security and Protection Toolkit (DSPT). Our practice frequently bundles Cyber Essentials with ISO 27001 or DSPT for UK SMEs preparing for enterprise sales.

Key controls we implement

Boundary firewalls + internet gateways

Perimeter firewall inventory, ingress and egress ruleset review, and verification of a default-deny inbound posture: every open inbound service has a documented business justification, and firewall administration interfaces are not reachable from the internet unless protected by MFA or an IP allow-list.
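A default-deny check a reviewer could run on a Linux boundary firewall during the ruleset review, added here as an illustration; it is not part of Infilux's service or of the scheme's test specification. It parses the text that `nft list ruleset` prints (the ruleset below is constructed for the example) and flags any input or forward chain whose policy is not `drop`, any unconditional `accept`, and any inbound TCP port that is not on the list of justified services (`JUSTIFIED_INBOUND_TCP`, an assumed list the reviewer maintains alongside the firewall inventory):

```python
import re
import subprocess

# Constructed ruleset in `nft list ruleset` format (not taken from a real host):
# the input chain is default-deny but exposes tcp/8080 without justification,
# and the forward chain is default-accept.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 ip saddr 10.0.0.0/8 accept
        tcp dport { 80, 443 } accept
        tcp dport 8080 accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
"""

# Assumed list of inbound TCP services with a documented business justification.
JUSTIFIED_INBOUND_TCP = {22, 80, 443}

CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"^type\s+filter\s+hook\s+(\w+)\s+priority\s+\S+?\s*;\s*policy\s+(\w+)\s*;")
# Matches `tcp dport 22` and the set form `tcp dport { 80, 443 }`; named sets
# (`tcp dport @web`) and ranges are not expanded and should be reviewed by hand.
DPORT_RE = re.compile(r"\btcp\s+dport\s+(\{[^}]*\}|\d+)")


def parse_chains(ruleset: str) -> dict:
    """Return {chain_name: {"hook": str|None, "policy": str|None, "rules": [str]}}."""
    chains, current = {}, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"hook": None, "policy": None, "rules": []}
        elif current is None:
            continue  # table header/footer or text outside any chain
        elif line == "}":
            current = None  # end of the current chain
        elif not line:
            continue
        else:
            h = HOOK_RE.match(line)
            if h:
                chains[current]["hook"], chains[current]["policy"] = h.group(1), h.group(2)
            else:
                chains[current]["rules"].append(line)
    return chains


def inbound_tcp_ports(rule: str) -> list:
    """Destination TCP ports a single rule line opens."""
    ports = []
    for grp in DPORT_RE.findall(rule):
        ports.extend(int(p) for p in re.findall(r"\d+", grp))
    return ports


def check_default_deny(ruleset: str, justified_tcp: set) -> list:
    """Findings (empty list means the inbound posture is default-deny and justified)."""
    findings = []
    for name, ch in parse_chains(ruleset).items():
        if ch["hook"] not in ("input", "forward"):
            continue  # output/nat chains are not part of the inbound posture
        if ch["policy"] != "drop":
            findings.append(f"chain {name}: hook {ch['hook']} policy is '{ch['policy']}', expected 'drop'")
        for rule in ch["rules"]:
            if not rule.endswith("accept"):
                continue
            if rule == "accept":
                findings.append(f"chain {name}: unconditional 'accept' rule defeats default-deny")
                continue
            for port in inbound_tcp_ports(rule):
                if port not in justified_tcp:
                    findings.append(f"chain {name}: tcp/{port} open inbound without documented justification: {rule}")
    return findings


def live_ruleset() -> str:
    """Read the running ruleset from the local nftables (needs root)."""
    return subprocess.run(["nft", "list", "ruleset"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for finding in check_default_deny(SAMPLE_RULESET, JUSTIFIED_INBOUND_TCP):
        print("FAIL:", finding)
```

Run it with `python3 check_fw.py` against the sample, or replace `SAMPLE_RULESET` with `live_ruleset()` on the firewall itself. Two findings come back for the sample: the unjustified tcp/8080 service in the input chain and the forward chain's accept policy. The `established,related` and loopback accepts are expected on a default-deny chain and produce no finding.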

Secure configuration

Baseline configuration standards for OS + applications, disabling unused features, changing default passwords.

User access control

Least-privilege access, MFA on privileged and internet-facing accounts and on every cloud service that supports it, and a joiner/mover/leaver process so accounts are created, changed and removed promptly.

Malware protection

Enterprise EDR/AV deployment on every device, allow-listing where practical, browser + email attachment scanning.

Security update management

Patch within 14 days of vendor release for vulnerabilities rated critical or high (CVSS v3 base score 7.0 or above, or the vendor's own critical/high rating), with automatic updates enabled where the product supports them; only vendor-supported OS and software versions are permitted in scope.

Cyber Essentials Plus technical audit

Independent verification: authenticated internal vulnerability scan, external port and vulnerability scan, interception of test malware delivered by browser download and by e-mail attachment, and patch verification against a sample of the applicant's endpoints.

NHS Data Security & Protection Toolkit (DSPT) mapping

For NHS-supplier applicants, Cyber Essentials certifications map to specific DSPT requirements; we cross-map during scoping.

Frequently asked

What's the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment questionnaire against the five control themes, verified by a Certification Body assessor reviewing your answers. Cyber Essentials Plus adds a technical audit: the Certification Body performs vulnerability scans and malware tests on a sample of your endpoints to verify the controls work as declared. Plus is the level required by many UK MOD and central-government contracts.
Do we need Cyber Essentials to bid on UK government contracts?
For contracts involving personal information, ICT products or services, or sensitive data: yes, typically. The exact requirement depends on the contracting authority, but Cyber Essentials (basic) is the minimum for many procurements and Cyber Essentials Plus for those involving elevated risk. Check the specific contract's Dynamic Purchasing System (DPS) or framework requirements.
How long does Cyber Essentials Plus certification take?
3-6 weeks for a well-prepared UK SME: 1-2 weeks gap analysis and remediation, 1-2 weeks self-assessment submission and Certification Body review, 1-2 weeks technical audit and remediation of findings. The Plus audit must be completed within three months of the Cyber Essentials certificate it builds on. Certificates are valid for 12 months, so recertification is an annual exercise.
How much does Cyber Essentials Plus cost?
Infilux's readiness fee is typically GBP 3K-8K depending on organisation size and complexity, plus the Certification Body's audit fee (GBP 1.5K-5K depending on IASME / IT Governance / QG rates and the number of endpoints in scope). Total is often GBP 5K-13K in the first year, dropping to around 60% of that for annual renewal.
How does Cyber Essentials relate to ISO 27001 and NIST CSF?
Cyber Essentials is baseline-only: five control themes. ISO/IEC 27001:2022 is comprehensive: 93 Annex A controls across four themes plus a full ISMS. NIST CSF is a framework, not a certification. Approximately 60-70% of the Cyber Essentials controls overlap with ISO 27001 Annex A. For UK-only SMEs, Cyber Essentials Plus is often enough; for enterprise or international deals, ISO 27001 is expected.
