
Cyber Essentials Plus Requirements Checklist 2026 in the UK

15 April 2026

Cyber attacks on UK businesses are not slowing down.

In 2026, ransomware, phishing, and data breaches are everyday threats. The question is not whether your business could be targeted; it is whether you are ready when it happens.

Cyber Essentials Plus is the UK Government’s most rigorous cybersecurity certification for businesses. It goes beyond a simple tick-box exercise. It involves a real, hands-on technical audit of your systems carried out by an independent assessor to verify that your protections actually work.

Whether you are chasing a government contract, trying to satisfy a client’s supply chain requirement, or simply wanting to protect your business properly, this guide covers everything you need to know about Cyber Essentials Plus in 2026.

At BizGrow Holdings, we help UK businesses navigate the certification process from start to finish. Let us walk you through it.

What Is Cyber Essentials Plus?

Cyber Essentials Plus is the higher of the two tiers in the UK Government’s Cyber Essentials scheme. The scheme is backed by the National Cyber Security Centre (NCSC) and managed by IASME, the official delivery partner.

It is built around five technical controls that protect your business against the most common internet-based cyber threats. These are the controls that, according to the NCSC, could stop the vast majority of common cyber attacks.

What makes Cyber Essentials Plus different from the basic Cyber Essentials is how your compliance is verified. With the basic version, you complete a self-assessment questionnaire. A qualified assessor reviews your answers. With Cyber Essentials Plus, a certified assessor actually tests your systems by running vulnerability scans, sampling your devices, and checking your configurations in person.

That means you cannot just say you have the controls in place. You have to prove it.

The Plus certification carries a higher level of assurance. It tells clients, partners, and procurement teams that your cybersecurity has been independently verified, not just self-declared.

Important update for 2026: From 27 April 2026, the scheme moves to version 3.3, known as ‘Danzell’. This brings stricter rules around Multi-Factor Authentication (MFA), cloud services, and device scoping. We cover these changes throughout this guide.

Cyber Essentials vs Cyber Essentials Plus | What Is the Difference?

Both levels cover the same five technical controls. The difference is entirely in how your compliance is verified.

Cyber Essentials (Basic)

  • Self-assessment questionnaire: You answer questions about your IT setup
  • A qualified assessor reviews and marks your submission
  • No hands-on testing of your actual systems
  • Lower level of assurance based on what you say
  • Faster and simpler to complete

Cyber Essentials Plus

  • Starts with the basic Cyber Essentials self-assessment
  • Followed by a hands-on technical audit by an independent assessor
  • Your devices are sampled and tested against each control
  • Vulnerability scans carried out on in-scope systems
  • External port scans of internet-facing IP addresses
  • Higher level of assurance based on what your systems actually show

You must pass the basic Cyber Essentials assessment before you can proceed to Plus. Once you have your basic certificate, you have three months to complete the Plus audit. Miss that window, and you will need to restart the basic assessment.

Who Needs Cyber Essentials Plus in the UK?

Cyber Essentials Plus is not legally required for all UK businesses, but in practice, it is increasingly essential for many.

You will likely need Cyber Essentials Plus if:

  • You bid for UK government contracts that involve sensitive data or personal information
  • Your clients or main contractors require a higher level of cybersecurity assurance
  • You operate in a regulated sector, such as finance, healthcare, legal, or defence
  • You want to demonstrate a higher standard of cybersecurity than basic Cyber Essentials provides
  • Your cyber insurance provider requires evidence of certified controls
  • You are part of a supply chain where larger organisations require proof of compliance

Many procurement frameworks now list Cyber Essentials Plus, not just the basic level, as a mandatory requirement. In 2026, this trend is accelerating. If you are serious about winning contracts and building trust with clients, Plus is the level to aim for.

Cyber Essentials Plus Requirements Checklist 2026

The five technical controls are the same for both certification levels. But for Cyber Essentials Plus, an assessor will verify each one against your actual systems. Here is what each control requires and what assessors will be looking for in 2026.

1. Firewalls

Your firewall is the barrier between your internal network and the internet. It controls what traffic is allowed in and out.

What you need to have in place:

  • A firewall is in place on all internet-facing network boundaries
  • Firewall rules are reviewed and documented, with only necessary ports open
  • Default passwords on all routers and firewalls have been changed
  • Software firewalls are enabled on all individual devices (laptops, desktops)
  • Remote access is only permitted through secure, approved methods

What the assessor checks: They will review your firewall configurations, confirm that default credentials have been changed, and verify that unnecessary services are not exposed to the internet.

Common failure: Consumer-grade routers are used as the only protection, with default admin credentials still in place.

2. Secure Configuration

Most software and devices come with default settings that prioritise convenience over security. Secure configuration means changing those defaults to reduce your attack surface.

What you need to have in place:

  • All default passwords have been changed on every device and service
  • Unnecessary user accounts removed or disabled
  • Unnecessary software and services are uninstalled or disabled
  • Auto-run features are disabled on all devices
  • Screen lock is enabled on all devices, activating after a short period of inactivity
  • Guest accounts disabled or removed

2026 update: From April 2026, cloud services with default configurations, such as Microsoft 365 tenants without security defaults enabled, will be flagged as a fail. Every cloud service in scope must be configured securely.

What the assessor checks: A sample of your devices will be reviewed. They will check settings, user accounts, installed software, and configuration policies.

3. User Access Control

This control is about making sure people only have access to what they actually need and no more.

What you need to have in place:

  • Standard user accounts for everyday tasks; admin rights are not used for routine work
  • Separate administrator accounts used only for admin tasks
  • MFA is enabled on all cloud services that support it. This is now mandatory in 2026
  • MFA enabled on remote access, VPN connections, and internet-facing systems
  • Password policy enforcing a minimum of 12 characters (2026 requirement up from 8)
  • Account lockout policy in place: accounts are locked after a set number of failed attempts
  • Unused or inactive accounts removed

2026 critical change: MFA is no longer optional. If a cloud service supports MFA and you have not enabled it, your assessment will automatically fail. This applies to every cloud service in scope, including Microsoft 365, Google Workspace, HR systems, finance platforms, and more.

What the assessor checks: They will verify MFA enforcement, check password policies in Active Directory or MDM systems, and review admin account usage across sampled devices.

4. Malware Protection

This control ensures your devices are protected against malicious software, including viruses, ransomware, spyware, and other threats.

What you need to have in place:

  • Anti-malware software is installed and active on all in-scope devices
  • Anti-malware definitions are kept up to date automatically
  • Real-time scanning enabled
  • Malware scanning of any external storage devices before use
  • Web browsing protection is in place, blocking access to known malicious sites

Note: Application allowlisting (only permitting approved software to run) is an acceptable alternative to traditional anti-malware for some environments. The assessor will verify whichever approach you have declared.

What the assessor checks: They will confirm that anti-malware software is installed, active, and up to date on sampled devices. They will also check that real-time protection is enabled.

5. Patch Management (Software Updates)

Attackers routinely exploit known software vulnerabilities. Patch management means keeping all your software up to date to close those gaps quickly.

What you need to have in place:

  • All operating systems are supported by the vendor; no unsupported OS is in scope
  • All software is supported by the vendor; no unsupported applications are in scope
  • Critical and high-risk updates applied within 14 days of release
  • Auto-updates enabled where possible
  • Unsupported software removed from in-scope devices
  • Cloud services included in the patch management scope from April 2026; cloud cannot be excluded

The 14-day rule is strictly enforced. Any critical or high-risk vulnerability (CVSS score of 7 or above) that has not been patched within 14 days of the vendor releasing a fix will result in a fail.

What the assessor checks: Vulnerability scans are run against sampled devices and internet-facing systems to identify any outstanding critical patches. This is the most common cause of failure in Cyber Essentials Plus audits.
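The 14-day rule is easiest to reason about as a date calculation per finding. The script below is an added example, not scheme material or the article's own tooling: it takes constructed sample scan findings (placeholder vulnerability identifiers, invented devices and dates) and classifies each one as of the audit date using the thresholds stated above (CVSS 7.0 or above, 14 days from the vendor's fix release). It also handles the two edge cases a practitioner asks about: a finding with no vendor fix yet (the clock has not started) and a finding patched late but before the audit (the assessor sees the current state of the device).

```python
"""Classify vulnerability scan findings against the Cyber Essentials Plus
14-day patching rule (critical/high = CVSS 7.0 or above, patched within
14 days of the vendor releasing a fix).

Added example: the findings below are constructed sample data, not real
scan output; the vulnerability identifiers are placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

CVSS_THRESHOLD = 7.0
PATCH_WINDOW = timedelta(days=14)


@dataclass
class Finding:
    device: str
    vuln_id: str                   # placeholder identifier, constructed for this example
    cvss: float
    fix_released: Optional[date]   # None = vendor has not published a fix yet
    patched_on: Optional[date]     # None = still unpatched


def assess(finding: Finding, audit_date: date) -> str:
    """Return 'pass', 'fail' or 'due' for one finding as of audit_date.

    - Below the CVSS threshold: not covered by the 14-day rule -> 'pass'.
    - No vendor fix yet: the 14-day clock has not started -> 'pass'
      (still worth tracking, but it cannot fail the rule).
    - Patched before the audit: 'pass' however late the patch was.
    - Unpatched and the fix is older than 14 days: 'fail'.
    - Unpatched but still inside the window: 'due' (compliant today, at risk).
    """
    if finding.cvss < CVSS_THRESHOLD:
        return "pass"
    if finding.fix_released is None:
        return "pass"
    if finding.patched_on is not None and finding.patched_on <= audit_date:
        return "pass"
    deadline = finding.fix_released + PATCH_WINDOW
    return "fail" if audit_date > deadline else "due"


def patch_compliance_report(findings: List[Finding], audit_date: date) -> Dict[str, List[Tuple[str, str]]]:
    """Group findings by outcome: {'fail': [...], 'due': [...], 'pass': [...]}."""
    report: Dict[str, List[Tuple[str, str]]] = {"fail": [], "due": [], "pass": []}
    for f in findings:
        report[assess(f, audit_date)].append((f.device, f.vuln_id))
    return report


# Constructed sample scan results, evaluated for an audit on 1 May 2026.
AUDIT_DATE = date(2026, 5, 1)
SAMPLE_FINDINGS = [
    Finding("LAPTOP-01", "VULN-EXAMPLE-0001", 9.8, date(2026, 4, 1), None),                # fix 30 days old, unpatched
    Finding("LAPTOP-02", "VULN-EXAMPLE-0002", 7.5, date(2026, 4, 25), None),               # fix 6 days old, inside window
    Finding("LAPTOP-03", "VULN-EXAMPLE-0003", 8.1, date(2026, 3, 1), date(2026, 4, 20)),   # patched late, but fixed
    Finding("SERVER-01", "VULN-EXAMPLE-0004", 5.3, date(2026, 3, 1), None),                # medium severity, outside rule
    Finding("SERVER-02", "VULN-EXAMPLE-0005", 9.1, None, None),                            # no vendor fix yet
]

if __name__ == "__main__":
    for outcome, items in patch_compliance_report(SAMPLE_FINDINGS, AUDIT_DATE).items():
        print(f"{outcome.upper():5} {items}")
```

Run against the sample data, LAPTOP-01 is the only fail; LAPTOP-02 is flagged as due so it can be patched before the audit rather than discovered by the assessor's scan. In practice the findings list would be built from your scanner's export, and the audit date should be set to the earliest date the assessor could start testing, given the 72-hour notice period.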

How to Pass Cyber Essentials Plus

Passing Cyber Essentials Plus is very achievable, but you need to prepare properly. Here is a clear approach:

Step 1 | Define Your Scope

Before anything else, decide exactly what is in scope for your assessment. This includes all devices, software, cloud services, and user accounts that your organisation uses for business. From April 2026, all cloud services storing or processing business data must be included. You cannot carve them out.

Step 2 | Complete a Gap Analysis

Work through each of the five controls and honestly assess where your current setup falls short. Check MFA on every cloud service. Review patch levels on all devices. Audit admin accounts. Identify any unsupported software. Do this before you start the formal process.

Step 3 | Remediate Any Gaps

Fix the issues you have identified. Enable MFA. Update your password policy. Patch outstanding vulnerabilities. Remove unused accounts. Get your firewall configurations documented and reviewed. Do not start the formal assessment until your systems genuinely reflect the controls.

Step 4 | Complete the Basic Cyber Essentials Self-Assessment

Complete and submit your self-assessment questionnaire through IASME. A qualified assessor reviews your responses. Once you pass, your three-month window for the Plus audit begins.

Step 5 | Book and Prepare for the Plus Audit

Book your Plus audit with a certified Certification Body. A qualified assessor will conduct remote testing of a sample of your devices, run vulnerability scans, and carry out external port scans. Have your technical contact available for the full working day of the audit.

If issues are identified, you typically have 30 days to remediate and resubmit before a second assessment is conducted.
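Step 2 above is where most first-time failures are caught or missed, so it helps to turn the five controls into explicit checks over an inventory rather than a mental walkthrough. The script below is an added example, not part of the scheme or of BizGrow Holdings' process: it runs the checklist items from the controls section (supported OS, software firewall, default credentials, screen lock, anti-malware, MFA on every cloud service that supports it, separate admin accounts, inactive accounts, 12-character minimum password length, account lockout) over a constructed inventory. The field names are assumptions for this example; in practice you would populate the same structure from your MDM, Active Directory and cloud admin console exports. The 10-minute screen-lock limit is this example's own assumption for "a short period of inactivity".

```python
"""Pre-audit gap analysis across the five Cyber Essentials controls.

Added example: the inventory is constructed sample data and the field
names are assumptions, standing in for exports from MDM, Active Directory
and cloud admin consoles.
"""
from typing import Dict, List, Tuple

Gap = Tuple[str, str, str]  # (control, subject, problem)

MIN_PASSWORD_LENGTH = 12       # 2026 requirement from the checklist
MAX_SCREEN_LOCK_MINUTES = 10   # this example's assumption for "short period of inactivity"


def check_endpoints(devices: List[Dict]) -> List[Gap]:
    gaps: List[Gap] = []
    for d in devices:
        name = d["name"]
        if not d["os_supported"]:
            gaps.append(("Patch management", name, f"unsupported OS: {d['os']}"))
        if not d["software_firewall"]:
            gaps.append(("Firewalls", name, "software firewall disabled"))
        if d["screen_lock_minutes"] is None or d["screen_lock_minutes"] > MAX_SCREEN_LOCK_MINUTES:
            gaps.append(("Secure configuration", name, "screen lock missing or too slow"))
        if not d["anti_malware_active"]:
            gaps.append(("Malware protection", name, "anti-malware not active"))
    return gaps


def check_network_devices(devices: List[Dict]) -> List[Gap]:
    # Routers and firewalls still on vendor default credentials are a common failure.
    return [("Firewalls", d["name"], "default credentials still in place")
            for d in devices if not d["default_creds_changed"]]


def check_cloud_services(services: List[Dict]) -> List[Gap]:
    # Any in-scope service that supports MFA but does not enforce it is an automatic fail.
    return [("User access control", s["name"], "MFA supported but not enforced")
            for s in services if s["supports_mfa"] and not s["mfa_enforced"]]


def check_accounts(accounts: List[Dict]) -> List[Gap]:
    gaps: List[Gap] = []
    for a in accounts:
        if a["is_admin"] and a["used_for_routine_work"]:
            gaps.append(("User access control", a["name"], "admin account used for routine work"))
        if not a["active"]:
            gaps.append(("User access control", a["name"], "inactive account not removed"))
    return gaps


def check_policy(policy: Dict) -> List[Gap]:
    gaps: List[Gap] = []
    if policy["min_password_length"] < MIN_PASSWORD_LENGTH:
        gaps.append(("User access control", "password policy",
                     f"minimum length {policy['min_password_length']} is below {MIN_PASSWORD_LENGTH}"))
    if not policy["lockout_threshold"]:
        gaps.append(("User access control", "lockout policy", "no account lockout configured"))
    return gaps


def gap_analysis(inventory: Dict) -> List[Gap]:
    return (check_endpoints(inventory["endpoints"])
            + check_network_devices(inventory["network_devices"])
            + check_cloud_services(inventory["cloud_services"])
            + check_accounts(inventory["accounts"])
            + check_policy(inventory["policy"]))


def gaps_by_control(gaps: List[Gap]) -> Dict[str, int]:
    summary: Dict[str, int] = {}
    for control, _, _ in gaps:
        summary[control] = summary.get(control, 0) + 1
    return summary


# Constructed sample inventory (not a real organisation).
SAMPLE_INVENTORY = {
    "endpoints": [
        {"name": "LAPTOP-01", "os": "Windows 11", "os_supported": True, "software_firewall": True,
         "screen_lock_minutes": 5, "anti_malware_active": True},
        {"name": "LAPTOP-02", "os": "Windows 10", "os_supported": False, "software_firewall": False,
         "screen_lock_minutes": 30, "anti_malware_active": True},
    ],
    "network_devices": [
        {"name": "ROUTER-01", "default_creds_changed": False},
    ],
    "cloud_services": [
        {"name": "Microsoft 365", "supports_mfa": True, "mfa_enforced": True},
        {"name": "HR platform (example)", "supports_mfa": True, "mfa_enforced": False},
    ],
    "accounts": [
        {"name": "jsmith-admin", "is_admin": True, "used_for_routine_work": True, "active": True},
        {"name": "contractor-old", "is_admin": False, "used_for_routine_work": False, "active": False},
    ],
    "policy": {"min_password_length": 8, "lockout_threshold": 10},
}

if __name__ == "__main__":
    for control, subject, problem in gap_analysis(SAMPLE_INVENTORY):
        print(f"[{control}] {subject}: {problem}")
    print(gaps_by_control(gap_analysis(SAMPLE_INVENTORY)))
```

Every line of output is a remediation item for Step 3, and the per-control counts show where the effort sits; on the sample inventory, user access control carries half the gaps, which matches the pattern the article describes for real audits.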

Is Cyber Essentials Plus Easy to Pass?

For businesses with well-maintained, up-to-date IT systems, Cyber Essentials Plus is very achievable.

The controls are not overly complex. They are based on good, consistent IT hygiene. If you are already patching regularly, using MFA, managing accounts properly, and keeping devices configured securely, you are most of the way there.

Where businesses struggle is with inconsistency. One device with an outstanding patch. One cloud service without MFA enabled. One admin account being used for routine work. These are the things that cause failures, not exotic or complex vulnerabilities.

The most common reasons for failing Cyber Essentials Plus:

  • Outstanding patches on one or more devices, even if most are up to date
  • MFA is not enabled on a cloud service that supports it
  • Outdated or unsupported software is still installed on in-scope devices
  • Default credentials have not been changed on network devices
  • Scope declared incorrectly, with cloud services or devices missing

The key is preparation. Businesses that do a thorough gap analysis before they start, fix everything they find, and approach the audit with their systems genuinely in good shape pass first time. Those who rush through it or assume things are fine without checking often need a remediation round.

Working with an experienced consultancy before you apply significantly increases your chances of passing the first time, and that is where BizGrow Holdings comes in.

How Long Does Cyber Essentials Plus Take?

The timeline depends on how ready your systems are when you start.

  • Preparation and gap analysis: 1 to 2 weeks for most businesses
  • Basic Cyber Essentials self-assessment: 3 to 5 working days if your systems are ready
  • Plus audit booking and scheduling: typically a 2 to 3 week wait
  • The audit itself: usually one full working day
  • Report and certificate: a few working days after passing

Total typical timeline for a well-prepared business: 4 to 8 weeks from start to certificate.

If remediation is needed between the basic assessment and the audit, or if the first audit identifies issues that need fixing, add 2 to 4 weeks.

Remember: once you have your basic Cyber Essentials certificate, you have three months to complete the Plus audit. Plan your timeline so you are not rushing at the end of that window.

The 72-hour notice period for Plus audits is also worth noting. From 2025 onwards, assessors can give 72 hours’ notice before beginning a test. Your systems need to be in a compliant state continuously, not just when you think the audit is coming.

Cyber Essentials Plus in the UK | What to Expect

The investment in Cyber Essentials Plus varies depending on the size of your organisation and the complexity of your IT environment. Certification is priced according to scope, number of devices, and the Certification Body you choose.

UK organisations with a turnover under £20 million that achieve Cyber Essentials certification for their whole organisation are entitled to free Cyber Liability Insurance arranged through IASME worth up to £25,000. That alone makes the certification particularly valuable for smaller businesses.

At BizGrow Holdings, we provide transparent, tailored support packages for Cyber Essentials Plus. Contact us at bizgrow-holdings.com for guidance on what is right for your business.

Is Cyber Essentials Certification Worth It?

Yes, and the evidence is clear.

Certified organisations are significantly less likely to suffer a cyber incident. According to insurer data, businesses with Cyber Essentials certification are far less likely to make a cyber insurance claim. That alone is compelling.

But the practical business benefits go further:

  • Win government contracts: Cyber Essentials Plus is required for many UK public sector contracts
  • Satisfy client requirements: supply chain compliance demands are growing across all sectors
  • Reduce insurance premiums: some cyber insurance providers offer better terms to certified organisations
  • Demonstrate credibility: the NCSC-backed badge is widely recognised and trusted
  • Identify real vulnerabilities: the audit process itself is one of the most useful security reviews available
  • Free cyber liability insurance: available to qualifying UK organisations with a turnover under £20m

For UK businesses in 2026, Cyber Essentials Plus is not a luxury. It is a practical, achievable investment that protects your business, opens doors to contracts, and demonstrates that you take cybersecurity seriously.

How BizGrow Holdings Helps You Get Certified

Getting Cyber Essentials Plus right requires proper preparation. Many businesses attempt it alone, hit issues during the audit, and end up spending more time and resources on remediation than they would have done with expert support from the start.

BizGrow Holdings provides end-to-end support for UK businesses pursuing Cyber Essentials and Cyber Essentials Plus certification.

Here is what we do:

  • Gap analysis: we review your current IT setup against all five controls and identify exactly what needs to change
  • Remediation guidance: we give you a clear, prioritised action plan to fix every gap before the audit
  • Scope definition: we help you define your scope correctly, including all cloud services from April 2026
  • Self-assessment support: we guide you through the questionnaire so your answers accurately reflect your setup
  • Audit preparation: we make sure your systems are genuinely audit-ready before the assessor arrives
  • 2026 compliance review: we specifically check MFA, cloud scope, and patch compliance against the updated v3.3 requirements
  • Post-certification support: we help you maintain controls throughout the year, so renewal is straightforward

We have helped businesses across the UK, from small contractors to mid-sized commercial operations, achieve Cyber Essentials Plus without the stress of doing it alone.

If you want to get certified for the first time, without surprises, speak to the BizGrow Holdings team today. Visit bizgrow-holdings.com to get started.

Conclusion | Start Your Cyber Essentials Plus Journey

Cyber Essentials Plus is the gold standard for baseline cybersecurity certification in the UK. In 2026, with stricter requirements around MFA and cloud services, getting the preparation right matters more than ever.

The five controls (firewalls, secure configuration, user access control, malware protection, and patch management) are achievable for any UK business. But they need to be implemented consistently and completely. That is what the Plus audit verifies.

Do not wait until a contract is on the line or a client asks the question. Start your Cyber Essentials Plus journey now and make sure you do it properly the first time.

BizGrow Holdings is here to help every step of the way. Visit bizgrow-holdings.com today.

FAQs About Cyber Essentials Plus in the UK 2026

1. What does Cyber Essentials Plus cover?

It covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. An independent assessor verifies these are genuinely in place through hands-on testing of your systems.

2. Can small businesses apply for Cyber Essentials Plus?

Yes. The scheme is open to businesses of any size. The assessment is scaled to your IT environment, so smaller businesses are not penalised for having simpler setups. UK businesses under £20m turnover also qualify for free cyber liability insurance on passing.

3. How often do you need to renew Cyber Essentials Plus?

Every 12 months. Your certificate is valid for one year from the date you pass. IASME recommends starting the renewal process before your certificate expires to avoid any gap in certification.

4. Do you need basic Cyber Essentials before Cyber Essentials Plus?

Yes. You must hold a valid basic Cyber Essentials certificate before proceeding to Plus. You have three months from passing the basic assessment to complete the Plus audit.

5. Is Cyber Essentials Plus a legal requirement in the UK?

Not universally. But it is mandatory for certain UK government contracts and increasingly required by large clients across regulated sectors. In practice, for any business pursuing public sector or enterprise contracts in 2026, it is effectively essential.