cyber essentials plus.
Most firms can walk through Cyber Essentials Plus with a checklist. This page is for everyone else — segmented networks, sprawling estates, air gaps, legacy kit that cannot die, and groups that grew by acquisition. The complicated assessments are the ones I take.
Same five controls. This time, someone checks.
Cyber Essentials is a self-assessment against five control areas — firewalls, secure configuration, access control, malware protection, and security updates. Plus is the same standard with an assessor verifying it on real devices: sampled workstation audits, vulnerability scans, patch checks against the 14-day rule, malware download and email tests, and MFA verified on the cloud services, not just claimed.
Three mechanics decide whether your CE+ is a formality or a project. The clock: the audit must complete within three months of the passed self-assessment, and under the April 2026 Danzell rules the verified self-assessment is frozen once testing begins — scoping mistakes can no longer be patched mid-audit. The sample: assessors test a sample sized by device type and OS build, and a failed device now means retesting against a fresh random sample; fail that and the certificate is revoked. The boundary: what is in scope, what is excluded, and whether the segregation between the two survives scrutiny. Nearly everything on this page is really about the boundary.
Six assessments that weren't simple.
Anonymised and lightly composited from real assessment patterns — sectors generalised, numbers rounded, no client identifiable. The shape of each problem, and each fix, is faithful.
Fourteen VLANs, one factory floor, and a scope nobody could draw.
A precision manufacturer needed CE+ for a defence-supply-chain contract. The estate: a segmented corporate network, a factory floor of CNC controllers and SCADA nodes on Windows builds old enough to vote, and years of firewall rules nobody would claim.
The OT estate could never meet the patching rule — vendor-locked firmware, production downtime measured in five-figure sums per hour. A naive scope would fail; excluding OT without demonstrable segregation would fail more honestly.
Drew the boundary first: corporate IT in scope, OT excluded behind verified segregation. Rebuilt the IT/OT firewall policy from deny-all up — 300-odd legacy rules retired, the survivors documented. Evidence pack for the assessor proving the segregation was real: rulesets, VLAN maps, a demonstration that a factory-floor node could not reach a corporate asset.
Passed first time; the contract's security schedule accepted the documented OT exclusion. The deny-all rebuild also killed a flat-network risk the firm had carried for a decade. Prep: 9 weeks · audit: 2 days.
Twenty-seven sites, thirty-one Windows builds, one certificate.
A multi-site education group needed CE+ across the whole organisation for funding-body assurance. Devices had been imaged locally, per site, for years: thirty-one distinct OS builds, which meant an assessor sample large enough to be its own project — and thirty-one chances to fail.
Every distinct build adds to the sample. Under the current rules a single failed sampled device triggers a fresh random re-sample; at this scale, luck was not a strategy. And the sites patched on twenty-seven different rhythms.
Rationalised before remediating: thirty-one builds down to four golden images, centrally patched. Stood up a compliance dashboard from the existing RMM so every site's 14-day patch position was visible daily, not discovered at audit. Sequenced the rollout so the slowest sites went first — the failure modes surface where the resistance is.
Sample shrank by an order of magnitude; audit ran across three representative sites in four days; passed with zero device failures. The four-image estate cut ongoing patching effort by roughly a third. Prep: 14 weeks · audit: 4 days.
The network that must never touch the internet — and the audit that assumes one.
An engineering firm ran an air-gapped test network for client IP it was contractually barred from connecting to anything. CE+ was required by a new prime contractor. The question that stalled everyone for a month: does the gapped network fail the audit, dodge the audit, or break the gap to pass it?
None of the above, if the boundary is done properly — but "air-gapped" claims usually dissolve under inspection. Here the gap had grown informal bridges: a shared USB drawer, an engineer's laptop that visited both worlds, and a Wi-Fi adapter "for emergencies".
Made the gap real before claiming it: dual-homed laptop retired, controlled one-way transfer procedure with scanned, logged media replacing the USB drawer, wireless capability physically removed from lab machines. Scoped the certification to the corporate estate with the lab documented as a segregated exclusion, and built the evidence pack showing the isolation was engineered, not asserted.
Corporate estate passed CE+; the prime accepted the documented exclusion — and separately commended the transfer procedure. The firm now re-verifies the gap quarterly, because a gap is a process, not a fact. Prep: 6 weeks · audit: 2 days.
The imaging suite runs on an OS that went end-of-life years ago. It cost £400K. It stays.
A private clinic needed CE+ for an NHS-adjacent framework. Two imaging systems ran vendor-locked software on an unsupported operating system; replacement was a capital project years away. Unsupported software in scope is an automatic fail.
The imaging machines sat on the general practice network, browsing-capable and domain-joined — historically used as spare workstations between appointments. As stood, they dragged the whole certification down with them.
Segregated the clinical systems onto their own network segment with a deny-by-default boundary: no internet, no email, no browsing, one brokered path to the PACS store. Local accounts stripped to clinical use only. Documented as an excluded sub-set with compensating controls, in scope terms an assessor could verify in an afternoon.
Certification passed on the corporate estate; the framework accepted the exclusion with the controls evidenced. The clinic separately gained a real reduction in risk — the imaging suite had been one phishing email away from being the practice's softest target. Prep: 5 weeks · audit: 1 day.
Sixty per cent of the estate belonged to the staff, not the firm.
A recruitment firm had grown remote-first on personal laptops and phones. A corporate client's supplier questionnaire demanded CE+. Under the scheme's rules, user-owned devices accessing organisational data and services are in scope — which put thirty-odd unmanaged personal machines inside the certification boundary.
You cannot audit what you cannot see, and staff — reasonably — did not want the firm administering their personal laptops. The naive options were buy everyone a device (unbudgeted) or pretend the BYOD didn't exist (unwise, and under Danzell's scoping transparency rules, unworkable).
Split the estate by choice, not decree: staff chose between a company device or enrolling their own into lightweight management that enforced only the CE controls — supported OS, updates, screen lock, no admin-by-default — with a written boundary on what the firm could and couldn't see. Access policy rebuilt so unenrolled devices simply couldn't reach company data, making the scope self-policing.
Two-thirds enrolled, one-third took company machines, nobody grieved. Passed CE+ with the sample drawn cleanly from both populations. The access-policy rebuild outlived the certificate: joiners and leavers now take one action, not nine. Prep: 7 weeks · audit: 2 days.
Three companies, three Microsoft tenancies, one certificate required by Friday-ish.
A group built from three acquisitions needed CE+ at group level for a client bid — three Microsoft 365 tenancies, two directory forests, three patching regimes, and three IT cultures that had never met. The bid deadline did not care.
Certifying the group as one entity meant every subsidiary's weakest habit became everyone's problem, mid-integration. The scheme's entity rules offered a choice — one certificate covering named legal entities, or per-entity certificates — and the right answer depended on the bid's wording, not the IT.
Read the bid first: it required the contracting entity certified, not the group. Certified that entity's estate immediately — it was the cleanest — while putting the other two on a staged programme aligned to the tenancy consolidation already planned. MFA and 14-day patching enforced group-wide from day one, since those auto-fail items were coming for everyone regardless.
Contracting entity certified inside the bid window; bid won. The remaining entities certified in sequence over the following two quarters, each audit cheaper than the last as the estates converged. Entity one: 4 weeks · full group: 7 months, by design.
Pattern across all six: the audit was never the hard part. The boundary was. Draw it honestly, prove it demonstrably, and the assessor's visit becomes the easiest week of the project.
Scoping first. Always scoping first.
Complex CE+ work fails at the boundary, months before any assessor arrives. So that's where an engagement starts.
Scope & gap review.
What's in, what's excluded, whether the exclusions survive scrutiny, and the distance between your estate and the current question set. You get a written boundary, a remediation list in priority order, and an honest view of the timeline — including whether you should certify at all yet.
Remediation, sequenced.
Segregation built and evidenced, estates rationalised, MFA and patching brought inside the auto-fail lines. I don't camp in your office on a day rate; I set direction, unblock the hard parts, and check the evidence would convince me before it has to convince an assessor.
Assessment, without surprises.
I don't assess my own preparation — you certify through an accredited certification body, and I stay on hand for audit week. If a sampled device fails, the retest rules mean the response has to be fast and correct; that is a bad week to be learning the scheme.
Staying certified.
CE+ expires annually and the question set keeps moving — Willow to Danzell being the current jump. A light-touch quarterly check against the auto-fail items costs a morning and removes the annual scramble. The firms in the case studies above mostly do this now; none of them scramble.
Bring me the awkward one.
If your CE+ is simple, a certification body will see you right and you don't need me. If it involves an air gap, an estate that defies counting, kit that cannot die, or a group that grew faster than its IT — this form comes straight to me.
→ back to work · what cyber essentials actually costs · ai security starter kit