Cyber Essentials Plus Requirements

Recieve a UK Government recognised Security Accrediation for your business

Be listed on a Government Directory of organisations awarded Cyber Essentials

Attract new business with the promise you have cyber security measures in place

Cyber Essentials Certifying Body

Pentest People are a Cyber Essentials Certifying Body and can help you at all stages of your Cyber Essentials accreditation journey.

Cyber Essentials Plus (Stage 2) Requirements

The more advanced level of Cyber Essentials certification extends the certification to include an assessment that is carried out on your business premises. In order to achieve Stage 2 certification, you have to first achieve Cyber Essentials Plus LogoStage 1 certification. It is normal for customers to first undergo Stage 1 certification before attempting the internal assessment required for Stage 2.

The initial step is to provide the required information in the Workstation Assessment section of the self-assessment questionnaire that was required for Stage 1. This can be completed via SecurePortal.

Once this information is provided, an engineer will be assigned to visit your site to perform the Stage 2 assessment.

The Stage 2 assessment is split into three separate assessments.

Email Assessment

The first assessment is against the inbound corporate email system. The engineer will first send a validation email to ensure the email is being received from the test portal. This is then followed up by numerous emails that contain specific test virus and malware threats provided by the NCSC. The assessment is performed based upon what emails actually make it through the email server to the client in order to assess the level of virus and malware protection employed by the email server.

NOTE: The payloads used are benign test files and do not pose a threat to the organisation.

Desktop Assessment

The second assessment is against the desktop AV protection. The engineer will log onto a standard build desktop with standard user credentials and visit the CE portal site where they will try to download and execute a number of test virus and malware threats provided by the NCSC. The assessment is performed based upon what file can be downloaded and executed by the client in order to assess the level of virus and malware protection employed by the desktop.

NOTE: The payloads used are benign test files and do not pose a threat to the organisation.

Host Build Review

The third assessment takes the form of an Internal Vulnerability Scan against all of the standard builds that were identified in the self-assessment questionnaire. This vulnerability scan is directly performed against each identified host and has to be performed with administrator credentials. The scan takes the form of a build review against the CIS Benchmarks for the operating system being assessed.

In order to pass and achieve accreditation, all of the email attachments have to be filtered or the user blocked from accessing them, all of the files accessed over the web have to be blocked from downloading or the user prevented from accessing them and the build review has to not contain any High-level vulnerabilities with a CVSS of 7.0 or above.

If the above conditions are true, the customer is awarded Stage 2 certification against the Cyber Essentials Plus standard. The customer is provided with a certificate and associated use of the logo.

How can we help?

Pentest People are a Cyber Essentials Certifying Body and can perform and accredit you to both Stage 1 and Stage 2 of Cyber Essentials.

As well as the certification, Pentest People can also offer consultancy services including a GAP analysis against the 5 technical controls to ensure that you have adequate controls in place before you undertake a paid Stage 1 assessment.

Download the CREST Cyber Essentials Guide

More information about Cyber Essentials can be found on the NCSC Cyber Essentials Homepage.


Find Out More Now!

Penetration Testing

IT Security and the associated terminology is a mainstream issue for all businesses due to the reliance business places on its IT systems combined with the prevalence of attacks. Various forms of compliance exist that mandate regular Penetration Testing as a standard and the risks of not doing anything are widely publicised.

Key Benefits

  • Reassure your existing and potential customers that you take cyber-security seriously
  • Attract new business with the promise you have cyber-security measures in place backed up with a recognised accreditation
  • Be able to remediate any identified vulnerabilities within your organisations network infrastructure
  • Have the confidence that you are protected from the most common cyber-security risks within your organisation

Frequently Asked Questions

  • What is the Cyber Essentials Scheme?

    Cyber Essentials is a scheme led by the UK Government to help organisation protect themselves against common cyber-security threats. There are two levels of certification that both demonstrate an ability to implement technical controls relating to information security.

  • What is the difference between Cyber Essentials and Cyber Essentials Plus?

    Cyber Essentials is Stage 1 and consists of a Self Assessment Questionnaire and external vulnerability assessment of your Internet-facing infrastructure.


    Cyber Essentials Plus is Stage 2 an extends Stage 1 by performing an onsite assessment of security controls including an internal authenticated scan of your workstations and mobile devices.

  • How long does certification take?

    New FAQ : Answer

  • What do we receive once certified?

    When you have undertaken your assessment and met all of the requirements of Cyber Essentials or Cyber Essentials plus you will receive the following:

    • An official PDF of your Cyber Essentials Certificate.
    • A compliant report detailing all findings from the assessment along with any recommendations where appropriate.
    • High-resolution Cyber Essentials logos along with branding guidelines on how to use the logos on your website and marketing materials.
    • Your organisation will be listed on the Government Website that shows your level of certification.